Dangerous sensitive privileges

high

Description

On Windows, the usual way of delegating privileges to an account on a resource is through permissions. There is, however, another mechanism that serves the same purpose: user rights. Microsoft provides many of these to make administration easier (being able to shut down the system, load a driver, manage the security log, and so on); they are essentially equivalent to granting permissions, except that a user right applies without regard to whether the user has permissions on the individual object. Some of these rights are sensitive, however, and under specific circumstances can give a user a way to elevate privileges on the system. For example, if a normal user is allowed to install a driver for one of their devices (for example, a keyboard), they could also potentially install a malicious driver to obtain administrative rights on the system.

As such, the most sensitive of these user rights can introduce a security risk to the underlying system. An attacker could use this misconfiguration to compromise a system locally.

Solution

Non-administrative users and groups holding sensitive privileges can introduce a security risk to the Active Directory domain and should be avoided. In addition, the Windows feature called User Account Control should not be disabled.
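The check a practitioner would run on a host to find the condition described above and in the Solution, as an added PowerShell example (not part of the original indicator page): it exports the local User Rights Assignment with secedit, lists every sensitive privilege granted to a principal outside a small set of well-known administrative SIDs, and reads the EnableLUA value that controls User Account Control. The privilege list and the trusted SID list are assumptions chosen for this example, and the script must run elevated.

```powershell
# Added example (not from the original page): audit sensitive user rights and UAC.
# Assumption: these privileges are the ones considered sensitive for this check.
$SensitivePrivileges = @(
    'SeDebugPrivilege', 'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege',
    'SeTcbPrivilege', 'SeLoadDriverPrivilege', 'SeBackupPrivilege',
    'SeRestorePrivilege', 'SeTakeOwnershipPrivilege', 'SeCreateTokenPrivilege'
)
# Assumption: Administrators, SYSTEM, LOCAL SERVICE, NETWORK SERVICE and SERVICE
# are expected holders and are not reported.
$TrustedSids = @('S-1-5-32-544', 'S-1-5-18', 'S-1-5-19', 'S-1-5-20', 'S-1-5-6')

# Export only the user-rights area of the local policy. Each line of the
# [Privilege Rights] section reads: SeXxxPrivilege = *S-1-5-32-544,*S-1-5-19
$cfg = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$lines = Get-Content $cfg
Remove-Item $cfg -Force

$findings = foreach ($line in $lines) {
    if ($line -match '^\s*(Se\w+Privilege)\s*=\s*(.+)$') {
        $priv = $Matches[1]; $holders = $Matches[2]
        if ($priv -notin $SensitivePrivileges) { continue }
        foreach ($entry in ($holders -split ',')) {
            $entry = $entry.Trim()
            # Holders are written as '*SID'; older entries may be plain names.
            if ($entry.StartsWith('*')) {
                $sid = $entry.Substring(1)
                if ($sid -in $TrustedSids) { continue }
                try {
                    $name = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
                        [System.Security.Principal.NTAccount]).Value
                } catch { $name = $sid }   # unresolvable SID: report it raw
            } else { $name = $entry }
            [pscustomobject]@{ Privilege = $priv; Principal = $name }
        }
    }
}

if ($findings) {
    Write-Warning 'Sensitive privileges held outside the trusted SIDs:'
    $findings | Format-Table -AutoSize
} else {
    Write-Host 'No sensitive privilege is assigned outside the trusted SIDs.'
}

# EnableLUA = 1 means User Account Control is on; 0 or absent is a finding.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $uacKey -Name EnableLUA -ErrorAction SilentlyContinue
if ($uac.EnableLUA -eq 1) { Write-Host 'EnableLUA = 1 (UAC enabled).' }
else { Write-Warning "EnableLUA is '$($uac.EnableLUA)' (UAC disabled or not set)." }
```

Any principal reported that is not a dedicated administrative account or a service that genuinely needs the right should have it removed through the User Rights Assignment policy.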

See Also

Abusing Token Privileges For Windows Local Privilege Escalation

Rotten Potato – Privilege Escalation from Service Accounts to SYSTEM

Abusing Token Privileges For LPE (part 3.1)

PrintSpoofer - Abusing Impersonation Privileges on Windows 10 and Server 2019

s(4)u for Windows (in French)

User Rights Assignment

EnableLUA

Indicator Details

Name: Dangerous sensitive privileges

Codename: C-DANGEROUS-SENSITIVE-PRIVILEGES

Severity: High

Attacker Known Tools

Rotten Potato NG

Poptoke

Benjamin Delpy: Mimikatz