SeDebugPrivilege

  • Users may be assigned SeDebugPrivilege so they can run particular applications or services, or help with troubleshooting, without being added to the local Administrators group

  • The privilege can be assigned through local security policy (User Rights Assignment, "Debug programs") or through a domain Group Policy

  • By default only Administrators hold it, because it lets the holder read sensitive information from the memory of any process and access or modify kernel and application structures

  • Any account holding SeDebugPrivilege therefore has a route to critical operating system components; in practice it is as sensitive as membership in Administrators and should be audited the same way. Note that an administrator in a non-elevated shell does not have it, since UAC strips it from the filtered token.
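Because the privilege can come from either local policy or a GPO, the effective assignment is what matters. The following added example (not from the original page) exports the effective User Rights Assignment with secedit and lists every principal granted SeDebugPrivilege, flagging anything other than the built-in Administrators group. It must run from an elevated prompt (secedit /export requires administrator rights); the temporary file path is an assumption.

```powershell
# Added example, not from the original page: audit who effectively holds
# SeDebugPrivilege on this host (local policy merged with any applied GPO).
function Get-SeDebugPrivilegeHolders {
    $cfg = Join-Path $env:TEMP 'secpol_export.inf'   # assumed temp path
    # secedit writes the effective policy; USER_RIGHTS limits it to the
    # [Privilege Rights] section we care about.
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    if (-not (Test-Path $cfg)) { throw 'secedit export failed (run elevated)' }
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeDebugPrivilege\s*=' }
    Remove-Item $cfg -Force
    if (-not $line) { return @() }   # nobody holds it at all

    # Value looks like "*S-1-5-32-544,*S-1-5-21-...-1105": SIDs prefixed with '*'.
    $line.Split('=')[1].Trim().Split(',') | ForEach-Object {
        $sid = $_.Trim().TrimStart('*')
        try {
            $name = (New-Object Security.Principal.SecurityIdentifier($sid)).
                        Translate([Security.Principal.NTAccount]).Value
        } catch { $name = $sid }      # unresolvable SID (deleted account, foreign domain)
        [pscustomobject]@{
            Principal  = $name
            SID        = $sid
            # S-1-5-32-544 is BUILTIN\Administrators, the only default holder.
            Unexpected = ($sid -ne 'S-1-5-32-544')
        }
    }
}

# Usage: anything marked Unexpected deserves a justification or removal.
Get-SeDebugPrivilegeHolders | Format-Table -AutoSize
```

Compare the result against the local Administrators membership: every extra principal here is effectively an administrator, whether or not the group shows it.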

  • We can use ProcDump from the Sysinternals suite to exercise this privilege and dump process memory. A good target is the Local Security Authority Subsystem Service (LSASS) process, which caches credential material (for example NTLM hashes and Kerberos tickets) for users who have logged on to the system

Example (-ma writes a full memory dump; a default mini dump would not contain the credential material):

.\procdump.exe -accepteula -ma lsass.exe lsass.dmp

  • If ProcDump reports that the dump was written, we can load it into mimikatz with the sekurlsa::minidump command. Expect ProcDump targeting lsass.exe to be flagged by Defender and most EDR products.

  • After issuing the sekurlsa::logonPasswords command we obtain, among other secrets, the NTLM hash of the local administrator account that was logged on to the host

  • It is a good idea to type log before running any other commands in Mimikatz; every command's output is then also written to a file (mimikatz.log by default, or the name given as an argument, e.g. log lsass.txt)

.\mimikatz.exe
log
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords

We can also create the dump file manually if we have RDP (or other interactive) access to the machine

  • Take a manual memory dump of the LSASS process via Task Manager (run elevated): open the Details tab, right-click lsass.exe and select Create dump file. Task Manager writes the dump to the user's %TEMP% directory as lsass.DMP and shows the path in a dialog; we then transfer this file back to our attack machine and load it with sekurlsa::minidump as above
