Privilege Escalation
The adversary is trying to gain higher-level permissions. https://attack.mitre.org/tactics/TA0004/
Process Elevation (via SeDebugPrivilege)
If you run whoami /priv and see SeDebugPrivilege set to Enabled, you can assume you already have SYSTEM. One way of getting there is decoder's psgetsys.ps1 script, once you have a good idea of which PID to inject into:
. .\psgetsys.ps1; [MyProcess]::CreateProcessFromParent(7864, 'C:\temp\payload.exe');
You can also gain an MSF session and use the module windows/manage/payload_inject with a PID of your choice.
Attacking spoolss ("The Printer Bug")
From a host with unconstrained delegation, "the printer bug" and dementor.py can be used to trigger a TGT relay from the target host to us (running Responder), so that we can generate a TGS for any user on that target host:
GenericWrite to Host + User SPN = PWN
If we have GenericWrite privileges over a host and we are a user that has an SPN, we can write our SID to the msDS-AllowedToActOnBehalfOfOtherIdentity property of the host's AD object using PowerSploit and forge tickets as anyone we like. You can read more about it here: https://alsid.com/company/news/kerberos-resource-based-constrained-delegation-new-control-path
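From the defender's side, the same attribute is the place to look: the audit script below (an added example, not from the original page or from PowerSploit) lists every computer object whose msDS-AllowedToActOnBehalfOfOtherIdentity is populated, resolves each trustee SID in that descriptor, and flags any trustee that is not a computer account. It assumes the RSAT ActiveDirectory module and read access to the domain; the function name Get-RbcdTrustees is made up for this example.

```powershell
# Added audit example (not part of the original page): enumerate resource-based
# constrained delegation entries and flag trustees that are not computer accounts.
# A user principal with an SPN trusted to act on behalf of a host is exactly the
# control path described above. Assumes RSAT ActiveDirectory module and AD read access.
Import-Module ActiveDirectory

function Get-RbcdTrustees {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    # Presence filter: only hosts where the RBCD attribute is set at all.
    $hosts = Get-ADComputer -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' `
        -SearchBase $SearchBase -Properties msDS-AllowedToActOnBehalfOfOtherIdentity

    foreach ($h in $hosts) {
        # The module returns the attribute as a System.DirectoryServices.ActiveDirectorySecurity object.
        $sd = $h.'msDS-AllowedToActOnBehalfOfOtherIdentity'
        # Request the ACEs keyed by SID so each trustee can be looked up in AD.
        $rules = $sd.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            $sid = $rule.IdentityReference.Value
            # AD accepts the string form of a SID in an LDAP filter on objectSid.
            $obj = Get-ADObject -LDAPFilter "(objectSid=$sid)" -Properties objectClass, servicePrincipalName
            $class = if ($obj) { $obj.objectClass } else { 'unresolved' }
            [pscustomobject]@{
                Host        = $h.Name
                TrusteeSid  = $sid
                Trustee     = if ($obj) { $obj.Name } else { '<orphaned SID>' }
                Class       = $class
                TrusteeSPNs = if ($obj) { ($obj.servicePrincipalName -join ';') } else { '' }
                # Anything other than a computer account (or an orphaned SID) deserves review.
                Suspicious  = ($class -ne 'computer')
            }
        }
    }
}

# Review flagged rows first: an unexpected trustee is a path to impersonating any user on that host.
Get-RbcdTrustees | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

For ongoing detection rather than a point-in-time audit, enable "Audit Directory Service Changes" with a SACL on computer objects so that writes to this attribute surface as event ID 5136 on the domain controllers.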