Privilege escalation using the load and unload device drivers policy (SeLoadDriverPrivilege).
Run the following command to see if the privilege is present in your token and whether it is enabled:

```
whoami /priv
```
Whether SeLoadDriverPrivilege shows as Enabled or Disabled does not matter, as long as it is present in the token: we can run the following tool, which automagically enables SeLoadDriverPrivilege, creates a registry key under HKEY_CURRENT_USER and calls NtLoadDriver.
Once we have successfully loaded the Capcom.sys driver onto the machine, we can abuse the malicious driver to escalate our privileges. The following are exploits I've used in my test environment and have verified working:
This privilege is extremely dangerous to assign to any user, and I have seen multiple organizations assign it to every user.
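To turn the `whoami /priv` check above and the warning about over-broad assignment into something an administrator can run across a fleet, here is an added audit script (example code, not part of the original page or of any tool it references). It parses two inputs: the output of `whoami /priv`, to classify whether SeLoadDriverPrivilege is absent, present-but-disabled (which a process can still enable) or enabled; and the `[Privilege Rights]` section of a `secedit /export /cfg <file>` policy dump, flagging any holder of SeLoadDriverPrivilege other than the two default holders, BUILTIN\Administrators (S-1-5-32-544) and BUILTIN\Print Operators (S-1-5-32-551). Both sample inputs below are constructed for the example; the domain SID in them is a placeholder.

```python
"""Audit SeLoadDriverPrivilege on a Windows host.

Added example, not from the original page. Parses `whoami /priv` output
and the [Privilege Rights] section of a `secedit /export /cfg` dump.
The sample data at the bottom is constructed for this example.
"""
import re

# Principals that hold SeLoadDriverPrivilege by default.
DEFAULT_HOLDERS = {
    "S-1-5-32-544",  # BUILTIN\Administrators
    "S-1-5-32-551",  # BUILTIN\Print Operators
}

# Broad, well-known groups that should never hold a driver-loading right.
BROAD_PRINCIPALS = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-4": "Interactive",
    "S-1-5-32-545": "BUILTIN\\Users",
}
DOMAIN_USERS_RID = "513"  # <domain SID>-513 is the Domain Users group


def parse_whoami_priv(text):
    """Return {privilege_name: 'Enabled'|'Disabled'} from `whoami /priv` output."""
    privs = {}
    for line in text.splitlines():
        m = re.match(r"^(Se\w+Privilege)\s+.+?\s+(Enabled|Disabled)\s*$", line)
        if m:
            privs[m.group(1)] = m.group(2)
    return privs


def load_driver_exposure(privs):
    """Classify the token: 'absent', 'disabled' (present, can be enabled) or 'enabled'."""
    state = privs.get("SeLoadDriverPrivilege")
    return "absent" if state is None else state.lower()


def parse_privilege_rights(inf_text):
    """Return {right_name: [sid, ...]} from the [Privilege Rights] section of a secedit export."""
    rights = {}
    in_section = False
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line == "[Privilege Rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            # secedit writes SIDs as *S-1-5-...; strip the leading asterisk.
            sids = [s.strip().lstrip("*") for s in value.split(",") if s.strip()]
            rights[name.strip()] = sids
    return rights


def audit_load_driver(rights):
    """Return [(sid, reason)] for every non-default holder of SeLoadDriverPrivilege."""
    findings = []
    for sid in rights.get("SeLoadDriverPrivilege", []):
        if sid in DEFAULT_HOLDERS:
            continue
        if sid in BROAD_PRINCIPALS:
            findings.append((sid, f"broad group {BROAD_PRINCIPALS[sid]}"))
        elif sid.startswith("S-1-5-21-") and sid.rsplit("-", 1)[-1] == DOMAIN_USERS_RID:
            findings.append((sid, "Domain Users"))
        else:
            findings.append((sid, "non-default principal; review"))
    return findings


# Constructed sample inputs (placeholder domain SID S-1-5-21-1111-2222-3333).
SAMPLE_WHOAMI = """PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeLoadDriverPrivilege         Load and unload device drivers       Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
"""

SAMPLE_INF = """[Unicode]
Unicode=yes
[Privilege Rights]
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
SeLoadDriverPrivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-21-1111-2222-3333-513
[Version]
signature="$CHICAGO$"
"""

if __name__ == "__main__":
    print("token exposure:", load_driver_exposure(parse_whoami_priv(SAMPLE_WHOAMI)))
    for sid, reason in audit_load_driver(parse_privilege_rights(SAMPLE_INF)):
        print(f"FINDING: {sid} holds SeLoadDriverPrivilege ({reason})")
```

On a real host, replace the constructed strings with the captured `whoami /priv` output and the file produced by `secedit /export /cfg`. A "disabled" result still counts as exposure, since the privilege only needs to be present in the token to be enabled later; any finding from the policy audit means the right should be trimmed back to the default holders.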
{% embed url="https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/privileged-accounts-and-token-privileges" %}
{% embed url="https://www.tarlogic.com/blog/abusing-seloaddriverprivilege-for-privilege-escalation" %}