
Windows Privileges
Thomas Roccia (@FrØgger_)

Legend: Commonly abused privileges

SeAssignPrimaryTokenPrivilege
Replace a process-level token.
Checked by various components, such as NtSetInformationJobObject, that set a process's token.

SeAuditPrivilege
Generate security audit.
Required to generate events for the Security event log with the ReportEvent API.

SeBackupPrivilege
Back up files and directories.
Grant the following access to any file or directory: READ_CONTROL, ACCESS_SYSTEM_SECURITY, FILE_GENERIC_READ, FILE_TRAVERSE.

SeChangeNotifyPrivilege
Bypass traverse checking.
Avoid checking permissions on intermediate directories of a multilevel directory lookup.

SeCreateGlobalPrivilege
Create global objects.
Required for a process to create section and symbolic link objects in the directories of the object manager namespace.

SeCreatePagefilePrivilege
Create a pagefile.
Checked by NtCreatePagingFile, which is the function used to create a new paging file.

SeCreatePermanentPrivilege
Create permanent shared objects.
Checked by the object manager when creating a permanent object.

SeCreateSymbolicLinkPrivilege
Create symbolic links.
Checked by NTFS when creating symbolic links with the CreateSymbolicLink API.

SeCreateTokenPrivilege
Create a token object.
Checked by NtCreateToken to create a token object.

SeManageVolumePrivilege
Perform volume maintenance tasks.
Enforced by file system drivers during a volume open operation, which is required to perform disk-checking.

SeEnableDelegationPrivilege
Enable computer and user accounts to be trusted for delegation.
Used by Active Directory services to delegate authenticated credentials.

SeImpersonatePrivilege
Impersonate a client after authentication.
Process manager checks for this when a thread wants to use a token for impersonation.

SeIncreaseBasePriorityPrivilege
Increase scheduling priority.
Checked by the process manager and is required to raise the priority of a process.

SeIncreaseQuotaPrivilege
Adjust memory quotas for a process.
Enforced when changing a process's working set thresholds, a process's paged and nonpaged pool quotas, and a process's CPU rate quota.

SeIncreaseWorkingSetPrivilege
Increase a process working set.
Required to call SetProcessWorkingSetSize to increase the minimum working set.

SeLoadDriverPrivilege
Load and unload device drivers.
Checked by NtLoadDriver and NtUnloadDriver driver functions.

SeLockMemoryPrivilege
Lock pages in memory.
Checked by NtLockVirtualMemory, the kernel implementation of VirtualLock.

SeMachineAccountPrivilege
Add workstations to the domain.
Checked by the SAM on a domain controller when creating a machine account in a domain.

SeProfileSingleProcessPrivilege
Profile single process.
Checked by Superfetch and the prefetcher when requesting information for an individual process through NtQuerySystemInformation.

SeDebugPrivilege
Debug programs.
If the caller has this privilege enabled, the process manager allows access to any process or thread using NtOpenProcess or NtOpenThread, regardless of the security descriptor.

SeRelabelPrivilege
Modify an object label.
Checked by the SRM when raising the integrity level of an object owned by another user.

SeRemoteShutdownPrivilege
Force shutdown from a remote system.
Winlogon checks that remote callers of the InitiateSystemShutdown function have this privilege.

SeShutdownPrivilege
Shut down the system.
Checked by NtShutdownSystem and NtRaiseHardError, which presents a system error dialog box on the interactive console.

SeSecurityPrivilege
Manage auditing and security log.
Required to access the SACL of a security descriptor and to read and clear the security event log.

SeRestorePrivilege
Restore files and directories.
Grant access to any file or directory, regardless of the security descriptor that's present: WRITE_DAC, WRITE_OWNER, ACCESS_SYSTEM_SECURITY, FILE_GENERIC_WRITE, FILE_ADD_FILE, FILE_ADD_SUBDIRECTORY and DELETE.

SeSyncAgentPrivilege
Synchronize directory service data.
Required to use the LDAP directory synchronization services. It allows the holder to read all objects and properties in the directory.

SeSystemEnvironmentPrivilege
Modify firmware environment variables.
Required by NtSetSystemEnvironmentValue and NtQuerySystemEnvironmentValue to modify and read firmware environment variables using the HAL.

SeSyncAgentPrivilege
Profile system performance.
Checked for by NtCreateProfile, the function used to perform profiling of the system. This is used by the Kernprof tool, for example.

SeSystemtimePrivilege
Change the system time.
Required to change the time or date.

SeTrustedCredManAccessPrivilege
Access Credential Manager as a trusted caller.
Checked by the Credential Manager to verify that it should trust the caller with credential information that can be queried in plaintext.

SeTcbPrivilege
Act as part of the operating system.
Checked by the SRM when the session ID is set in a token, and by the Plug and Play manager for Plug and Play event creation and management.

SeTimeZonePrivilege
Change the time zone.
Required to change the time zone.

SeTakeOwnershipPrivilege
Take ownership of files and other objects.
Required to take ownership of an object without being granted discretionary access.

SeUndockPrivilege
Remove computer from a docking station.
Checked by the user-mode Plug and Play manager when a computer undock is initiated.

SeUnsolicitedInputPrivilege
Receive unsolicited data from a terminal device.
This privilege is not currently used by Windows.
