The simple technique to escalate a process to SYSTEM privilege is to use SeDebugPrivilege:

  1. Write a program which enables the SeDebugPrivilege of the process.
  2. After enabling SeDebugPrivilege, the process can open the token of any other process, such as winlogon.exe, which is launched by the SYSTEM account.
  3. Once it has the winlogon.exe access token, impersonate the token and use it to launch another process, and that process will have SYSTEM privilege.

The above technique needs the program to be launched by an account that already has SeDebugPrivilege, just not enabled.

However, PsExec can launch the process from an account which doesn't have SeDebugPrivilege. Why? Does it use the SeDebugPrivilege technique?

If I remove SeDebugPrivilege from the admin account, the technique will fail, because it needs to enable SeDebugPrivilege but the current admin account doesn't have it.

Does PsExec create a LocalSystem service and use this service to launch the process? On the other hand, is there any technique that can launch a process as the SYSTEM account without SeDebugPrivilege?
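The three-step procedure the question describes, as an added example (this is not the question author's program or PsExec's code): a PowerShell script that compiles a small P/Invoke class and calls it. It must be run from an elevated administrator prompt. The class name `TokenSteal`, the method names, and the `cmd.exe /k whoami /priv` payload are assumptions made for the example.

```powershell
# Added example: enable SeDebugPrivilege, take winlogon's token, spawn a SYSTEM process.
# Run elevated. Class/method names and the payload command are assumptions.
$src = @'
using System;
using System.Runtime.InteropServices;
using System.ComponentModel;

public static class TokenSteal
{
    [StructLayout(LayoutKind.Sequential)] struct LUID { public uint LowPart; public int HighPart; }
    [StructLayout(LayoutKind.Sequential)] struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public LUID Luid; public uint Attributes; }
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct STARTUPINFO {
        public int cb; public string lpReserved, lpDesktop, lpTitle;
        public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
        public short wShowWindow, cbReserved2; public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
    }
    [StructLayout(LayoutKind.Sequential)] struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public int dwProcessId, dwThreadId; }

    const uint SE_PRIVILEGE_ENABLED = 0x2, TOKEN_ADJUST_PRIVILEGES = 0x20, TOKEN_QUERY = 0x8, TOKEN_DUPLICATE = 0x2;
    const uint PROCESS_QUERY_INFORMATION = 0x400, MAXIMUM_ALLOWED = 0x02000000, CREATE_NEW_CONSOLE = 0x10;
    const int SecurityImpersonation = 2, TokenPrimary = 1, ERROR_NOT_ALL_ASSIGNED = 1300;

    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError = true)] static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)] static extern bool LookupPrivilegeValue(string sys, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll, ref TOKEN_PRIVILEGES state, uint len, IntPtr prev, IntPtr retLen);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool DuplicateTokenEx(IntPtr token, uint access, IntPtr attrs, int level, int type, out IntPtr newToken);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)] static extern bool CreateProcessWithTokenW(IntPtr token, uint logonFlags, string app, string cmdLine, uint creationFlags, IntPtr env, string dir, ref STARTUPINFO si, out PROCESS_INFORMATION pi);

    // Step 1: enable SeDebugPrivilege in our own token. AdjustTokenPrivileges returns TRUE
    // even when the privilege is absent from the token, so the real check is GetLastError:
    // ERROR_NOT_ALL_ASSIGNED (1300) is exactly the failure the question describes.
    public static void EnableDebugPrivilege() {
        IntPtr tok;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, out tok)) throw new Win32Exception();
        var tp = new TOKEN_PRIVILEGES { PrivilegeCount = 1, Attributes = SE_PRIVILEGE_ENABLED };
        if (!LookupPrivilegeValue(null, "SeDebugPrivilege", out tp.Luid)) throw new Win32Exception();
        AdjustTokenPrivileges(tok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
        int err = Marshal.GetLastWin32Error();
        if (err == ERROR_NOT_ALL_ASSIGNED) throw new InvalidOperationException("SeDebugPrivilege is not held by this account");
        if (err != 0) throw new Win32Exception(err);
    }

    // Steps 2 and 3: open the SYSTEM process (SeDebugPrivilege bypasses its DACL), duplicate
    // its token into a primary token, and start a new process with it. CreateProcessWithTokenW
    // itself needs SeImpersonatePrivilege, which administrators hold by default.
    public static int SpawnWithTokenOf(int pid, string cmdLine) {
        IntPtr proc = OpenProcess(PROCESS_QUERY_INFORMATION, false, pid);
        if (proc == IntPtr.Zero) throw new Win32Exception();
        IntPtr tok, primary;
        if (!OpenProcessToken(proc, TOKEN_DUPLICATE, out tok)) throw new Win32Exception();
        if (!DuplicateTokenEx(tok, MAXIMUM_ALLOWED, IntPtr.Zero, SecurityImpersonation, TokenPrimary, out primary)) throw new Win32Exception();
        var si = new STARTUPINFO(); si.cb = Marshal.SizeOf(typeof(STARTUPINFO));
        PROCESS_INFORMATION pi;
        if (!CreateProcessWithTokenW(primary, 0, null, cmdLine, CREATE_NEW_CONSOLE, IntPtr.Zero, null, ref si, out pi)) throw new Win32Exception();
        return pi.dwProcessId;
    }
}
'@
Add-Type -TypeDefinition $src

[TokenSteal]::EnableDebugPrivilege()
$winlogonPid = (Get-Process -Name winlogon | Select-Object -First 1).Id
$child = [TokenSteal]::SpawnWithTokenOf($winlogonPid, 'cmd.exe /k whoami /priv')
"Started PID $child with winlogon's token; its console should report NT AUTHORITY\SYSTEM"
```

Run it from an administrator account that has had SeDebugPrivilege removed (the scenario in the question) and `EnableDebugPrivilege` throws at step 1 with the "not held" message, before any process is opened; that is the point where this technique depends on the privilege rather than on group membership.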

  • What's the question here? Whether the system has any built-in functionality to make it easy to implement privilege escalation? For anyone? Commented Jul 30, 2024 at 10:52
  • First, SeDebugPrivilege is not needed. What is needed is to be able to open the process and its token. Having SeDebugPrivilege helps do this, but in most cases having the admin group in the token is enough. Commented Jul 30, 2024 at 13:30
  • "Does PsExec create a LocalSystem service and use this service to launch the process?" - yes, it does. See itprotoday.com/server-management-tools/… for details Commented Jul 30, 2024 at 14:53
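The service-based launch the last comment refers to, as an added example (this is not PsExec's own code and does not reproduce its PSEXESVC service): an elevated PowerShell session registers a throwaway service whose binary path is a `cmd.exe` command, and the Service Control Manager starts it as LocalSystem. Creating a service needs SC_MANAGER_CREATE_SERVICE on the SCM, which elevated administrators are granted by its DACL; SeDebugPrivilege plays no part. The service name and output path are assumptions.

```powershell
# Added example: launch a command as SYSTEM through the SCM, PsExec-style.
# Run elevated. Service name and output path are assumptions.
$svcName = 'DemoSystemLaunch'
$outFile = 'C:\Windows\Temp\demo-system-whoami.txt'   # no spaces, so no inner quoting is needed

# Whether or not our own token holds SeDebugPrivilege makes no difference to the steps below.
whoami /priv | Select-String 'SeDebugPrivilege'

# cmd.exe never calls StartServiceCtrlDispatcher, so the SCM reports the start as failed
# (error 1053) once cmd.exe exits, but by then the command has already run as SYSTEM.
# Real PsExec installs a proper service binary that talks to the SCM and relays the
# requested process's I/O back to the client.
$cmd = "cmd.exe /c whoami /all > $outFile"
sc.exe create $svcName binPath= $cmd type= own start= demand obj= LocalSystem | Out-Null
try {
    Start-Service -Name $svcName -ErrorAction SilentlyContinue
    Start-Sleep -Seconds 2
    # The output was produced by SYSTEM's token, which holds SeDebugPrivilege even if ours does not.
    Get-Content $outFile | Select-String 'nt authority\\system|SeDebugPrivilege'
} finally {
    sc.exe delete $svcName | Out-Null
    Remove-Item $outFile -ErrorAction SilentlyContinue
}
```

The first `Select-String` shows what the launching account holds; the second shows the identity and privileges of the process the SCM started. Comparing the two from an administrator account that has had SeDebugPrivilege removed makes the difference between the two techniques visible: the token-duplication approach needs the privilege, the service approach needs only administrative access to the SCM.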

