user3365407

Reputation: 111

Why can PsExec launch a process as SYSTEM without SeDebugPrivilege?

The simple technique to escalate a process to SYSTEM privilege is to use SeDebugPrivilege:

  1. Write a program which enables SeDebugPrivilege in the process's token.
  2. After enabling SeDebugPrivilege, the process can open the token of any other process, such as winlogon.exe, which is launched by the SYSTEM account.
  3. Once it has the winlogon.exe access token, it impersonates that token and uses it to launch another process, and that process will have SYSTEM privileges.

The above technique requires the program to be launched by an account that already has SeDebugPrivilege, just not enabled.

However, PsExec can launch the process from an account which doesn't have SeDebugPrivilege. Why? Does it use the SeDebugPrivilege technique?

If I remove SeDebugPrivilege from the admin account, the technique fails, because it needs to enable SeDebugPrivilege but the current admin account doesn't have it.

Does PsExec create a LocalSystem service and use this service to launch the process? On the other hand, is there any technique that can launch a process as the SYSTEM account without SeDebugPrivilege?

Upvotes: 0

Views: 85
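As an added example (not part of the question, and not Sysinternals code), a PowerShell script that checks the two things the question hinges on from the defender's side: whether SeDebugPrivilege is present-but-disabled versus absent in the current token, and whether a service named PSEXESVC (the service name PsExec installs on the target; a known fact, not stated on this page) exists and which account it runs under. It assumes an English-locale whoami.exe, since it parses that tool's column text.

```powershell
# Added example, not part of the question. Two checks a defender can run on
# a Windows host to see the distinction the question turns on:
#  1. whether SeDebugPrivilege is present in the current token and, if so,
#     whether it is enabled or merely disabled (AdjustTokenPrivileges can only
#     enable a privilege that is already present in the token);
#  2. whether a service named PSEXESVC (the name PsExec uses for the service it
#     installs on the target) exists, and which account it starts as.
# Assumes an English-locale whoami.exe; parsing relies on its column text.

function Get-PrivilegeState {
    param([Parameter(Mandatory)][string]$Privilege)
    # whoami /priv prints one row per privilege present in the token, e.g.
    # "SeDebugPrivilege   Debug programs   Disabled" (or "Enabled").
    $rows = & whoami.exe /priv
    $row  = $rows | Where-Object { $_ -match "^\s*$([regex]::Escape($Privilege))\s" }
    if (-not $row)                   { return 'Absent'   }  # not assigned to this token at all
    if ($row -match '\bEnabled\s*$') { return 'Enabled'  }
    return 'Disabled'                                       # present, so it could be enabled
}

function Get-PsExecServiceInfo {
    # Returns $null when the service is not installed. PsExec removes the
    # service when the remote command finishes, so this normally only matches
    # while a PsExec session is active.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='PSEXESVC'" `
                           -ErrorAction SilentlyContinue
    if (-not $svc) { return $null }
    [pscustomobject]@{
        Name      = $svc.Name
        State     = $svc.State
        StartName = $svc.StartName   # 'LocalSystem' for a service running as SYSTEM
        PathName  = $svc.PathName
    }
}

"SeDebugPrivilege in current token: $(Get-PrivilegeState -Privilege 'SeDebugPrivilege')"
$info = Get-PsExecServiceInfo
if ($info) { $info | Format-List } else { 'PSEXESVC service not installed on this host.' }
```

Run it once from a normal admin console and once from a console where the admin account's SeDebugPrivilege has been removed via User Rights Assignment, and the first check reports Disabled versus Absent; only the Disabled case can be turned on by the technique in the question.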

Answers (0)
