Dangerous Sensitive Privileges


Description

Windows has two methods for granting accounts access to resources: permissions and user rights. User rights, defined by Microsoft, simplify administrative tasks such as shutting down the system, loading drivers, or managing the security log. They are similar to permissions but are not tied to a specific user or object: a user right applies globally, and any account holding it can perform the task.

Sensitive user rights can allow users to gain elevated privileges on a system. For instance, a user who can install a driver for a device, such as a keyboard, could install a malicious driver and gain administrative rights on the system. This is a security risk because an attacker could exploit the misconfiguration to compromise the system locally.

Solution

Avoid assigning sensitive privileges to non-administrative users and groups to prevent security risks in Active Directory. Do not disable the User Account Control (UAC) feature in Windows.
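One way to check a host against this recommendation, as an added example that is not Tenable's code: export the local User Rights Assignment with secedit, flag sensitive rights held by anyone other than the built-in administrative and service principals, and confirm that UAC (EnableLUA) is still enabled. The list of sensitive rights and the set of expected SIDs are this example's own assumptions; it assumes an elevated PowerShell session on the host being audited.

```powershell
# Added example (not Tenable's code): audit sensitive user rights and the UAC EnableLUA setting.
# Assumption: run from an elevated PowerShell session on the host being checked.
# The "sensitive" rights below are this example's own selection, not an exhaustive list.
$SensitiveRights = @(
    'SeDebugPrivilege', 'SeLoadDriverPrivilege', 'SeImpersonatePrivilege',
    'SeAssignPrimaryTokenPrivilege', 'SeTcbPrivilege', 'SeBackupPrivilege',
    'SeRestorePrivilege', 'SeTakeOwnershipPrivilege', 'SeCreateTokenPrivilege'
)
# Principals expected to hold these rights: Administrators, SYSTEM, LOCAL SERVICE, NETWORK SERVICE.
$ExpectedSids = @('S-1-5-32-544', 'S-1-5-18', 'S-1-5-19', 'S-1-5-20')

# Export only the User Rights Assignment area to a temporary .inf file and read it back.
$cfg = Join-Path $env:TEMP 'user-rights-audit.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$lines = Get-Content $cfg
Remove-Item $cfg

foreach ($line in $lines) {
    # Lines in the [Privilege Rights] section look like: SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-...
    if ($line -notmatch '^(Se\w+)\s*=\s*(.*)$') { continue }
    $right = $Matches[1]
    if ($SensitiveRights -notcontains $right) { continue }
    # Holders are comma-separated; SIDs carry a leading '*', account names do not.
    $holders = $Matches[2].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ }
    foreach ($holder in $holders) {
        if ($ExpectedSids -contains $holder) { continue }
        $name = $holder
        if ($holder -like 'S-1-*') {
            # Resolve the SID to an account name when the host can translate it.
            try {
                $name = ([System.Security.Principal.SecurityIdentifier]$holder).Translate(
                    [System.Security.Principal.NTAccount]).Value
            } catch { }
        }
        Write-Output "REVIEW: $right is held by $name"
    }
}

# EnableLUA = 1 means UAC is on; 0 or a missing value means it has been disabled.
$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $policy -Name EnableLUA -ErrorAction SilentlyContinue
if ($uac -and $uac.EnableLUA -eq 1) {
    Write-Output 'OK: UAC (EnableLUA) is enabled'
} else {
    Write-Output 'REVIEW: UAC (EnableLUA) is disabled or not set'
}
```

Each REVIEW line is a candidate finding to compare against the intended design; service accounts that legitimately need SeImpersonatePrivilege, for example, should be documented rather than silently accepted.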

See Also

User Rights Assignment

EnableLUA

Abusing Token Privileges For Windows Local Privilege Escalation

Rotten Potato - Privilege Escalation from Service Accounts to SYSTEM

Abusing Token Privileges For LPE (part 3.1)

PrintSpoofer - Abusing Impersonation Privileges on Windows 10 and Server 2019

s(4)u for Windows (in French)

Indicator Details

Name: Dangerous Sensitive Privileges

Codename: C-DANGEROUS-SENSITIVE-PRIVILEGES

Severity: High

MITRE ATT&CK Information:

Tactics: TA0004

Techniques: T1078

Attacker Known Tools

Benjamin Delpy: Mimikatz

Rotten Potato NG

Poptoke