Windows User Rights
Dangerous Windows User Privileges
https://redteamrecipe.com/windows-privileges-for-fun-and-profit
| Privilege Name | Description | Potential Attack Techniques or Misuse Scenarios | Documentation |
|---|---|---|---|
| SeAssignPrimaryTokenPrivilege (Replace a process-level token) | Allows a process to replace the primary token of another process. | - Privilege Escalation: Can be abused to run processes under different user contexts. - Attackers can impersonate tokens and escalate privileges to higher levels. - Tools like Potato.exe, JuicyPotato, and PrintSpoofer exploit this privilege. | Replace a process level token |
| SeAuditPrivilege (Generate security audits) | Allows a process to generate entries in the security log. | - Log Manipulation: Potential to flood event logs with bogus entries. - May hide malicious activities by generating noise in audit logs. - Could interfere with security monitoring and incident response efforts. | Generate security audits |
| SeBackupPrivilege (Back up files and directories) | Allows a process to bypass normal file permissions when backing up files and directories. | - Risk of Data Exposure: Can read any file on the system, including sensitive data not normally accessible. - Attackers can copy protected system files for offline analysis. - Tools like Mimikatz and Impacket's secretsdump.py can exploit this privilege to extract credentials. | Back up files and directories |
| SeChangeNotifyPrivilege (Bypass traverse checking) | Allows traversal of directories even if the user doesn't have permissions on the traversed directories. | - Traversal Abuse: Could be combined with other vulnerabilities to access restricted directories and files. - Generally required for normal operation and assigned to all users. - Revoking this privilege can cause system instability. | Bypass traverse checking |
| SeCreateGlobalPrivilege (Create global objects) | Allows a process to create global objects in the namespace. | - Unauthorized Access: May interfere with other users' sessions or processes. - Potential for data leakage or manipulation across sessions. - Could be misused to create global named objects accessible by all users. | Create global objects |
| SeCreatePagefilePrivilege (Create a pagefile) | Allows a process to create and modify the system's paging file. | - Sensitive Data Exposure: Can be exploited to create or modify the hibernation file (hiberfil.sys). - Attackers can analyze this file offline to extract sensitive information using tools like Volatility. - May lead to credential theft or exposure of encryption keys. | Create a pagefile |
| SeCreatePermanentPrivilege (Create permanent shared objects) | Allows a process to create permanent objects in the system's namespace. | - System Interference: May create objects that persist across reboots. - Can be used to maintain persistence on a system. - Potential to interfere with system operations or consume resources. | Create permanent shared objects |
| SeCreateSymbolicLinkPrivilege (Create symbolic links) | Allows a user to create symbolic links. | - Privilege Escalation: Attackers can create symbolic links to redirect file operations to unintended locations. - May bypass security restrictions or cause privileged processes to operate on attacker-controlled files. - Can lead to unauthorized access or modification of files. | Create symbolic links |
| SeCreateTokenPrivilege (Create a token object) | Allows a process to create an access token. | - Full System Compromise: Users can create tokens with arbitrary privileges and identities. - High risk of unauthorized privilege granting and impersonation. - May lead to complete control over the system if misused. | Create a token object |
| SeDebugPrivilege (Debug programs) | Allows a process to debug and adjust the memory of any process on the system, including system processes. | - High Risk: Can be used to access or manipulate sensitive system processes. - Potential for extracting sensitive information or injecting malicious code. - Tools like Mimikatz exploit this privilege to extract credentials from memory. | Debug programs |
| SeDelegateSessionUserImpersonatePrivilege (Obtain an impersonation token for another user in the same session) | Allows a process to impersonate another user within the same session. | - Unauthorized Access: Can lead to privilege escalation by impersonating other users. - May access resources and data without proper authorization. - Potential to bypass security measures restricting user actions. | Obtain an impersonation token for another user in the same session |
| SeEnableDelegationPrivilege (Enable computer and user accounts to be trusted for delegation) | Allows a user to mark accounts as trusted for delegation. | - Unauthorized Resource Access: Can be exploited to access sensitive network resources and services. - May allow attackers to impersonate users over the network. - Potential to escalate privileges within a domain environment. | Enable computer and user accounts to be trusted for delegation |
| SeImpersonatePrivilege (Impersonate a client after authentication) | Allows a process to impersonate any user without authentication. | - Privilege Escalation: Can be exploited to assume the identity of higher-privileged accounts. - May lead to unauthorized access to resources and sensitive data. - Attackers might use this to execute code under a different user's context (e.g., JuicyPotato, PrintSpoofer). | Impersonate a client after authentication |
| SeIncreaseBasePriorityPrivilege (Increase scheduling priority) | Allows a process to increase the base priority of a process. | - Denial of Service: Can elevate the priority of malicious processes, consuming excessive CPU resources. - May starve critical system processes of CPU time, leading to system instability. - Misuse can degrade system performance or cause hangs. | Increase scheduling priority |
| SeIncreaseQuotaPrivilege (Adjust memory quotas for a process) | Allows a process to change the memory quota of a process. | - System Instability: Setting extreme memory quotas may lead to system crashes or prevent the OS from booting. - Attackers could disrupt services by manipulating resource limits. - May affect the availability of applications or the entire system. | Adjust memory quotas for a process |
| SeIncreaseWorkingSetPrivilege (Increase a process working set) | Allows a process to increase the working set of a process (the physical memory assigned to it). | - Resource Exhaustion: Can be misused to allocate excessive memory to processes. - May lead to system slowdown or denial of service due to memory exhaustion. - Potential to affect system stability and performance. | Increase a process working set |
| SeLoadDriverPrivilege (Load and unload device drivers) | Allows a user to load or unload device drivers. | - Kernel-Level Compromise: Loading malicious or unverified drivers can execute code with kernel-level privileges. - May lead to complete system control by an attacker. - Misuse can compromise system stability and security mechanisms. | Load and unload device drivers |
| SeLockMemoryPrivilege (Lock pages in memory) | Allows a process to keep data in physical memory, preventing it from being paged to disk. | - Concealment: Can prevent sensitive data from being paged out, hiding it from disk-based scans. - May be used to avoid detection by security software. - Overuse can lead to memory exhaustion, affecting system performance. | Lock pages in memory |
| SeMachineAccountPrivilege (Add workstations to domain) | Allows a user to add computer accounts to the domain. | - Domain Compromise: Attackers can add rogue machines to the domain, facilitating further attacks like credential harvesting or man-in-the-middle attacks. - Increases the attack surface within the network. - May lead to unauthorized access to domain resources. | Add workstations to domain |
| SeManageVolumePrivilege (Perform volume maintenance tasks) | Allows performing advanced volume management tasks, such as defragmentation and format operations. | - Data Access and Manipulation: Can be exploited to access raw disk data. - Potential to inject malicious code or alter volume configurations. - Misuse may lead to data corruption or loss, affecting system integrity. | Perform volume maintenance tasks |
| SeProfileSingleProcessPrivilege (Profile single process) | Allows a user to profile the performance of a single process. | - Information Disclosure: Attackers can gather performance data or analyze processes for vulnerabilities. - May expose sensitive information about a process's behavior or resource usage. - Could aid in exploit development or system reconnaissance. | Profile single process |
| SeRelabelPrivilege (Modify an object label) | Allows changing the mandatory integrity level of objects, such as files or registry keys. | - Security Bypass: May lead to bypassing security restrictions by altering integrity levels. - Potential to escalate privileges by modifying protected objects. - Can interfere with system processes and security policies. | Modify an object label |
| SeRemoteShutdownPrivilege (Force shutdown from a remote system) | Allows a user to shut down a system from a remote location. | - Denial of Service: May cause disruption by shutting down critical systems remotely. - Unauthorized users could interrupt services and operations. - Potential to impact availability of network resources. | Force shutdown from a remote system |
| SeRestorePrivilege (Restore files and directories) | Allows a process to bypass normal file permissions when restoring files and directories. | - System Integrity Risk: Permits writing to any file, potentially overwriting system files. - Misuse can lead to system compromise or instability by modifying critical files. - Potential to introduce malicious code or alter system configurations. | Restore files and directories |
| SeSecurityPrivilege (Manage auditing and security log) | Allows a user to manage and manipulate auditing and security logs. | - Evidence Tampering: Can clear security logs and configure auditing policies. - May hide unauthorized activities and tamper with security records. - Hinders forensic investigations and compliance efforts. | Manage auditing and security log |
| SeShutdownPrivilege (Shut down the system) | Allows a user to shut down the local system. | - Denial of Service: Misuse can lead to unexpected shutdowns of critical systems. - Attackers may disrupt operations by initiating unauthorized shutdowns or reboots. - Affects availability and can cause data loss if unsaved work is present. | Shut down the system |
| SeSyncAgentPrivilege (Synchronize directory service data) | Allows a process to synchronize directory service data. | - Data Harvesting: Attackers could replicate directory data, accessing sensitive information from Active Directory. - May facilitate further attacks against the domain. - Potential to gather user credentials, group memberships, and other directory information. | Synchronize directory service data |
| SeSystemEnvironmentPrivilege (Modify firmware environment values) | Allows modification of system environment variables stored in firmware (e.g., BIOS/UEFI settings). | - System Startup Risk: Potentially leads to hardware-level or system startup compromise. - Misuse can prevent the system from booting or disable security features. - May introduce persistent threats that survive reinstalls. | Modify firmware environment values |
| SeSystemProfilePrivilege (Profile system performance) | Allows a process to collect profiling information for the entire system. | - Information Disclosure: May expose sensitive data and system behavior. - Could be used to analyze system processes for vulnerabilities. - Potential to aid in planning further attacks or performance degradation. | Profile system performance |
| SeSystemtimePrivilege (Change the system time) | Allows changing the system's date and time. | - Security Mechanism Disruption: Malicious users can alter the system time to disrupt scheduled tasks, invalidate security certificates, or manipulate time-stamped logs. - Hinders auditing and forensic efforts. - May affect time-based security mechanisms like Kerberos authentication. | Change the system time |
| SeTakeOwnershipPrivilege (Take ownership of files or other objects) | Allows a user to take ownership of any securable object in the system, including files and registry keys. | - Unauthorized Access: Users can take ownership and alter permissions of sensitive objects. - May gain access to confidential data and critical system resources. - Potential to bypass security controls and escalate privileges. | Take ownership of files or other objects |
| SeTcbPrivilege (Act as part of the operating system) | Allows a process to act as part of the operating system. | - High Risk: Grants extensive rights, potentially leading to complete system compromise. - Processes can assume the identity of any user and gain access to resources. - Misuse can result in unauthorized access to sensitive data and system functions. | Act as part of the operating system |
| SeTimeZonePrivilege (Change the time zone) | Allows a user to change the system's time zone. | - Low Risk: Generally minimal impact. - Changing the time zone can affect time-based applications or logs. - Misuse could potentially confuse logging systems or scheduled tasks. | Change the time zone |
| SeTrustedCredManAccessPrivilege (Access Credential Manager as a trusted caller) | Allows a process to access Credential Manager as a trusted caller, retrieving credentials for other users. | - Credential Theft: Risk of accessing stored credentials, including passwords and network authentication tokens. - Unauthorized access to sensitive information. - May lead to lateral movement within a network environment. | Access Credential Manager as a trusted caller |
| SeUndockPrivilege (Remove computer from docking station) | Allows a user to undock a laptop. | - Physical Security Risk: Unauthorized undocking could lead to theft of hardware or data. - Generally low risk, but may impact physical security measures. - Important in environments where physical access needs to be controlled tightly. | Remove computer from docking station |
| SeUnsolicitedInputPrivilege (Not assigned in Windows) | Note: This privilege is not assigned or used in Windows. | - No Impact: Since it's not assigned, there are no associated risks or misuse scenarios in Windows environments. - Present for historical or compatibility reasons. - Can be disregarded in the context of Windows privilege management. | Privilege Constants |
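The table is most useful when it is turned into a check: which principals on a given host actually hold the rights it flags as dangerous? The following PowerShell script is an added example (not code from the original page or from redteamrecipe.com) written from a defender's stance. It exports the effective local security policy with `secedit /export`, parses the `[Privilege Rights]` section, resolves the SIDs to account names, and reports every grant of a high-impact privilege to a principal other than the stock holders. The list of privileges treated as dangerous is a subset taken from the table above, the list of expected holders is an assumed baseline to be tuned per environment, and the export path is an assumption.

```powershell
# Added example: audit holders of dangerous user rights on the local host.
# Requires an elevated PowerShell prompt (secedit refuses to export otherwise).

# Subset of the table's privileges that most directly lead to SYSTEM, kernel or
# credential compromise. Extend to taste; the table lists the full set.
$DangerousPrivileges = @(
    'SeAssignPrimaryTokenPrivilege',
    'SeBackupPrivilege',
    'SeCreateTokenPrivilege',
    'SeDebugPrivilege',
    'SeImpersonatePrivilege',
    'SeLoadDriverPrivilege',
    'SeRestorePrivilege',
    'SeTakeOwnershipPrivilege',
    'SeTcbPrivilege',
    'SeTrustedCredManAccessPrivilege'
)

# Assumed baseline of holders that are normal on a stock install, so the report
# surfaces only additions. Well-known SIDs: S-1-5-32-544 = BUILTIN\Administrators,
# S-1-5-32-551 = BUILTIN\Backup Operators, S-1-5-19 = LOCAL SERVICE,
# S-1-5-20 = NETWORK SERVICE, S-1-5-6 = SERVICE.
$ExpectedHolders = @('S-1-5-32-544', 'S-1-5-32-551', 'S-1-5-19', 'S-1-5-20', 'S-1-5-6')

function Get-PrivilegeRightsAssignments {
    # Exports the local security policy and returns one object per
    # (privilege, holder) pair found in the [Privilege Rights] section.
    param(
        # Assumed scratch location for the export; any writable path works.
        [string]$ExportPath = (Join-Path $env:TEMP 'secpol-user-rights.inf')
    )

    # /areas USER_RIGHTS limits the export to the user rights assignment section.
    $null = secedit.exe /export /cfg $ExportPath /areas USER_RIGHTS
    if (-not (Test-Path -Path $ExportPath)) {
        throw 'secedit export failed; run this from an elevated prompt.'
    }

    $inSection = $false
    # secedit writes a UTF-16 LE (Unicode) INI file.
    foreach ($line in Get-Content -Path $ExportPath -Encoding Unicode) {
        if ($line -match '^\[(.+)\]\s*$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        # Lines look like: SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-...-1001
        if ($inSection -and $line -match '^(Se\w+)\s*=\s*(.*)$') {
            $privilege = $Matches[1]
            # Holders are comma separated; SIDs carry a leading '*', plain names do not.
            $holders = $Matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
            foreach ($holder in $holders) {
                $sid  = $holder.TrimStart('*')
                $name = $holder
                if ($holder.StartsWith('*')) {
                    try {
                        $account = New-Object System.Security.Principal.SecurityIdentifier($sid)
                        $name = $account.Translate([System.Security.Principal.NTAccount]).Value
                    } catch {
                        # Unresolvable SID (deleted account, unreachable domain): keep the raw SID.
                        $name = $sid
                    }
                }
                [PSCustomObject]@{
                    Privilege = $privilege
                    Holder    = $name
                    Sid       = $sid
                    Dangerous = $DangerousPrivileges -contains $privilege
                    Expected  = $ExpectedHolders -contains $sid
                }
            }
        }
    }
    Remove-Item -Path $ExportPath -ErrorAction SilentlyContinue
}

# Report: dangerous privileges granted to anyone outside the expected baseline.
Get-PrivilegeRightsAssignments |
    Where-Object { $_.Dangerous -and -not $_.Expected } |
    Sort-Object Privilege, Holder |
    Format-Table Privilege, Holder, Sid -AutoSize
```

Run it periodically (or from a configuration-management job) and diff the output against the previous run; a new row for SeDebugPrivilege, SeImpersonatePrivilege or SeBackupPrivilege is usually either a service account that was over-provisioned or a change worth investigating. The same parsed objects can be exported with `Export-Csv` for a fleet-wide comparison.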
References:
- Microsoft Documentation:
- Security Compliance Toolkit: