Dangerous Sensitive Privileges



Windows has two methods for granting accounts access to resources and tasks: permissions and user rights. User rights, provided by Microsoft, simplify administrative tasks such as shutting down the system, loading drivers, or managing the security log. They are similar to permissions but are not user-specific and can apply globally to anyone who holds the right to perform the task.

Sensitive user rights can sometimes allow users to gain elevated privileges on a system. For instance, a user who can install a driver for a device, such as a keyboard, could potentially install a malicious driver and gain administrative rights on the system. This introduces a security risk as an attacker could exploit this misconfiguration to compromise the system locally.


Avoid assigning sensitive privileges to non-administrative users and groups to prevent security risks in Active Directory. Do not disable the User Account Control (UAC) feature in Windows.
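
One way to check this recommendation offline, as an added example that is not part of the original page: the script parses the `[Privilege Rights]` section of a security template (the format written by `secedit /export` and stored in a GPO's `GptTmpl.inf`) and reports sensitive rights held by principals outside an expected set. The privilege list, the expected SIDs and the sample data are assumptions made for the illustration.

```python
import re

# Assumption: illustrative set of sensitive rights, not the indicator's own list.
SENSITIVE = {
    "SeLoadDriverPrivilege", "SeDebugPrivilege", "SeTcbPrivilege",
    "SeBackupPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege",
    "SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege", "SeCreateTokenPrivilege",
}
# Assumption: principals expected to hold them (Administrators, SYSTEM, services).
EXPECTED_SIDS = {"S-1-5-32-544", "S-1-5-18", "S-1-5-19", "S-1-5-20", "S-1-5-6"}
EXPECTED_DOMAIN_RIDS = {"512", "519"}  # Domain Admins, Enterprise Admins

def is_expected(principal):
    sid = principal.lstrip("*")  # SIDs carry a leading '*'; bare names do not
    m = re.fullmatch(r"S-1-5-21-\d+-\d+-\d+-(\d+)", sid)
    return sid in EXPECTED_SIDS or bool(m and m.group(1) in EXPECTED_DOMAIN_RIDS)

def parse_privilege_rights(inf_text):
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [p.strip() for p in value.split(",") if p.strip()]
    return rights

def find_risky_assignments(inf_text):
    findings = []
    for right, principals in parse_privilege_rights(inf_text).items():
        if right in SENSITIVE:
            findings += [(right, p) for p in principals if not is_expected(p)]
    return sorted(findings)

# Constructed sample (real files are UTF-16; decode before passing text in).
SAMPLE_INF = """[Unicode]
Unicode=yes
[Privilege Rights]
SeLoadDriverPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6,helpdesk
SeShutdownPrivilege = *S-1-5-32-545
SeBackupPrivilege = *S-1-5-21-1111111111-2222222222-3333333333-512"""

if __name__ == "__main__":
    print(find_risky_assignments(SAMPLE_INF))
```

Entries written as bare account names (no leading `*`) are reported because they cannot be matched against the expected SIDs until they are resolved.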

See Also

User Rights Assignment


Abusing Token Privileges For Windows Local Privilege Escalation

Rotten Potato - Privilege Escalation from Service Accounts to SYSTEM

Abusing Token Privileges For LPE (part 3.1)

PrintSpoofer - Abusing Impersonation Privileges on Windows 10 and Server 2019

s(4)u for Windows (in French)

Indicator Details

Name: Dangerous Sensitive Privileges


Severity: High

MITRE ATT&CK Information:

Tactics: TA0004

Techniques: T1078

Attacker Known Tools


Rotten Potato NG