http://technet.microsoft.com/en-us/library/cc784501(WS.10).aspx

This TechNet article describes how to audit the use of these extra privileges. Apparently their use isn’t normally caught:

• Bypass traverse checking
• Debug programs
• Create a token object
• Replace process level token
• Generate security audits
• Back up files and directories
• Restore files and directories

The first four would indicate a privilege escalation that would be used to hijack any in-memory (LSA process) user tokens for impersonation. Metasploit has canned attacks for these kinds of scenarios.

If you are running as a “regular” user, it seems that this would be avoided.
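
One way to check which accounts have been granted the seven rights above, as an added example that is not part of the original post or the TechNet article: it parses the `[Privilege Rights]` section of a file produced by `secedit /export /cfg rights.inf /areas USER_RIGHTS` and reports holders outside a baseline. The baseline SIDs, the sample export and the function names are assumptions made for illustration.

```python
# Added example. Privilege constant -> (name as listed in the post,
# ASSUMED set of acceptable holders; tune this baseline per environment).
PRIVS = {
    "SeChangeNotifyPrivilege": ("Bypass traverse checking",
        {"S-1-1-0", "S-1-5-19", "S-1-5-20", "S-1-5-32-544", "S-1-5-32-545", "S-1-5-32-551"}),
    "SeDebugPrivilege": ("Debug programs", {"S-1-5-32-544"}),
    "SeCreateTokenPrivilege": ("Create a token object", set()),
    "SeAssignPrimaryTokenPrivilege": ("Replace process level token", {"S-1-5-19", "S-1-5-20"}),
    "SeAuditPrivilege": ("Generate security audits", {"S-1-5-19", "S-1-5-20"}),
    "SeBackupPrivilege": ("Back up files and directories", {"S-1-5-32-544", "S-1-5-32-551"}),
    "SeRestorePrivilege": ("Restore files and directories", {"S-1-5-32-544", "S-1-5-32-551"}),
}

# Constructed sample export (real files are UTF-16: open(..., encoding="utf-16")).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-32-545
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1104
SeCreateTokenPrivilege = svc_legacy
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeShutdownPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
"""

def parse_privilege_rights(inf_text):
    """Return {privilege constant: set of holders} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or line.startswith(";") or "=" not in line:
            continue
        name, _, holders = line.partition("=")
        # Holders are "*SID" or a plain account name; drop the "*" marker.
        rights[name.strip()] = {h.strip().lstrip("*") for h in holders.split(",") if h.strip()}
    return rights

def unexpected_holders(rights):
    """List (display name, constant, holder) for holders outside the assumed baseline."""
    return [(display, const, holder)
            for const, (display, allowed) in PRIVS.items()
            for holder in sorted(rights.get(const, set()) - allowed)]

if __name__ == "__main__":
    for display, const, holder in unexpected_holders(parse_privilege_rights(SAMPLE_INF)):
        print(f"REVIEW: {holder} holds {const} ({display})")
```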

More to follow…
