Closed nurfed1 closed 3 years ago
Hi,
Yeah, I already thought about adding this privilege after reading JF's blog post.
But I didn't really know what to do with this one as only SYSTEM can have this privilege.
I think I will still add it to the list given the very little implementation cost. :)
From my testing it seems that any user can have the privilege, as long as the IntegrityLevel is High or above.
Any user? Really? :thinking:
IntegrityLevel = High generally means admin (after UAC). I don't see this privilege. Even then, it would be irrelevant in the context of PrivescCheck.
IntegrityLevel = System means it's a service account. Have you ever found a service that doesn't run as SYSTEM and that has this privilege? :thinking:
From JF's blog post:
At any rate the only user that gets SeRelabelPrivilege by default is SYSTEM, which defaults to the System integrity level which is already the maximum allowed level so this behavior of the privilege seems pretty much moot. At any rate as it's a "God" privilege it will be disabled if the token has an integrity level less than High, so this lowering operation is going to be rarely useful.
That being said, it could be the result of a custom config. A service account or an administrator could be granted this privilege manually. That seems a very rare edge case but it's technically possible. :)
Yes, that's why I made this issue. Even if it isn't assigned by default, there's an edge case that it is assigned manually. :)
Yes! Thank you! :thumbsup: I updated the code. :)
Hi,
Even though it won't be useful very often, would it make sense to add SeRelabelPrivilege to the HighPotentialPrivileges?
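
For auditing the manual-assignment edge case discussed in this thread, the following added example (not part of the thread and not PrivescCheck's code) lists the principals that a user-rights export grants SeRelabelPrivilege. It assumes the INF layout written by `secedit /export /cfg rights.inf /areas USER_RIGHTS`; the helper name `Get-PrivilegeAssignment` and the sample SIDs are hypothetical.

```powershell
# Constructed sample of a user-rights export (SIDs are made up for illustration).
$SampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544
SeRelabelPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
[Version]
signature="$CHICAGO$"
Revision=1
'@

function Get-PrivilegeAssignment {
    # Hypothetical helper: returns one object per principal granted $Privilege.
    param(
        [Parameter(Mandatory)][string]$InfText,
        [Parameter(Mandatory)][string]$Privilege
    )
    $inSection = $false
    foreach ($line in ($InfText -split "`r?`n")) {
        $line = $line.Trim()
        # Track which INF section we are in; only [Privilege Rights] matters.
        if ($line -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if (-not $inSection) { continue }
        $name, $value = $line -split '\s*=\s*', 2
        if ($name -ne $Privilege -or -not $value) { continue }
        foreach ($entry in ($value -split ',')) {
            $entry = $entry.Trim()
            if (-not $entry) { continue }
            # Entries prefixed with '*' are SIDs; others are plain account names.
            $id = $entry.TrimStart('*')
            $resolved = $id
            if ($entry.StartsWith('*')) {
                try {
                    $sid = New-Object System.Security.Principal.SecurityIdentifier($id)
                    $resolved = $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch { }  # unresolvable SID: keep the raw string
            }
            [pscustomobject]@{ Privilege = $Privilege; Principal = $id; Name = $resolved }
        }
    }
}

Get-PrivilegeAssignment -InfText $SampleInf -Privilege 'SeRelabelPrivilege'
```

On a real export, read the file with `Get-Content -Raw` and pass the text as `-InfText`; no output means the policy assigns the privilege to no one.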