« All posts

Windows Privilege Abuse: The Shortcut to SYSTEM Access

Exploring how Windows privileges like SeImpersonatePrivilege are weaponized into SYSTEM access via Potato attacks, and why architectural defenses matter.

This piece examines how attackers escalate from low-privileged Windows accounts to NT AUTHORITY\SYSTEM. Drawing on years of research by Andrea Pierini, it traces a lineage of techniques from classic token manipulation to the Potato family of exploits, showing how privileges like SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege get weaponized.

Windows privileges operate alongside, and sometimes override, the ACL-based permission model. Because Microsoft treats abuse of a legitimately held privilege as a safety issue rather than a security boundary violation, these techniques go unpatched and remain effective across countless Windows versions. Service accounts, managed service accounts, and third-party application users such as IIS are commonly over-provisioned with dangerous rights.

For engineers, the key takeaway is that local privilege escalation is often the opening move in a full domain compromise, and the stakes rise sharply in shared systems like RDP servers or jump hosts. Seeing more enabled privileges than expected in a whoami /priv output is a signal that defenses need to be architectural, not patch-based.

» SourceHashnode #20