itm4n / PrivescCheck

Privilege Escalation Enumeration Script for Windows
BSD 3-Clause "New" or "Revised" License
2.79k stars 416 forks

Add SeRelabelPrivilege to HighPotentialPrivileges #18

Closed nurfed1 closed 3 years ago

nurfed1 commented 3 years ago

Hi,

Even though it won't be useful very often, would it make sense to add SeRelabelPrivilege to the HighPotentialPrivileges?

itm4n commented 3 years ago

Hi,

Yeah, I already thought about adding this privilege after reading JF's blog post. But I didn't really know what to do with this one as only SYSTEM can have this privilege. I think I will still add it to the list given the very little implementation cost. :)

nurfed1 commented 3 years ago

From my testing it seems that any user can have the privilege, as long as the IntegrityLevel is High or above.

itm4n commented 3 years ago

Any user? Really? :thinking:

IntegrityLevel = High generally means admin (after UAC). I don't see this privilege. Even then, it would be irrelevant in the context of PrivescCheck. IntegrityLevel = System means it's a service account. Have you ever found a service that doesn't run as SYSTEM and that has this privilege? :thinking:

From JF's blog post:

At any rate the only user that gets SeRelabelPrivilege by default is SYSTEM, which defaults to the System integrity level which is already the maximum allowed level so this behavior of the privilege seems pretty much moot. At any rate as it's a "God" privilege it will be disabled if the token has an integrity level less than High, so this lowering operation is going to be rarely useful.

itm4n commented 3 years ago

That being said, it could be the result of a custom config. A service account or an administrator could be granted this privilege manually. That seems a very rare edge case but it's technically possible. :)
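The two situations discussed in this thread can be checked directly on a host: whether the current token holds SeRelabelPrivilege (and whether the token's integrity level is High or above, since the privilege is disabled below that), and whether the privilege has been handed out through local security policy as the "custom config" edge case above. The script below is an added example written for this page; it is not PrivescCheck's code and not anything posted by the participants. The list of high-potential privileges and the S-1-16-* integrity RID table are assumptions made for the example; the secedit step needs an elevated prompt.

```powershell
# Added example, not PrivescCheck code. Assumptions: the privilege list below and the
# integrity RID table; whoami output uses the English column headers ("Privilege Name",
# "State", "SID"), so localized Windows builds would need the header names adjusted.
$HighPotentialPrivileges = @(
    'SeAssignPrimaryTokenPrivilege', 'SeBackupPrivilege', 'SeCreateTokenPrivilege',
    'SeDebugPrivilege', 'SeImpersonatePrivilege', 'SeLoadDriverPrivilege',
    'SeManageVolumePrivilege', 'SeRestorePrivilege', 'SeTakeOwnershipPrivilege',
    'SeTcbPrivilege', 'SeRelabelPrivilege'
)

# Mandatory label RIDs (SID S-1-16-<RID>); High is 12288.
$IntegrityNames = @{ 0 = 'Untrusted'; 4096 = 'Low'; 8192 = 'Medium'; 8448 = 'Medium Plus';
                     12288 = 'High'; 16384 = 'System'; 20480 = 'Protected' }

function Get-TokenIntegrity {
    # The integrity level is exposed by whoami as a group with an S-1-16-* SID.
    $label = whoami /groups /fo csv | ConvertFrom-Csv | Where-Object { $_.SID -like 'S-1-16-*' }
    if (-not $label) { return [pscustomobject]@{ Rid = -1; Name = 'Unknown' } }
    $rid = [int]($label.SID -split '-')[-1]
    $name = if ($IntegrityNames.ContainsKey($rid)) { $IntegrityNames[$rid] } else { "RID $rid" }
    [pscustomobject]@{ Rid = $rid; Name = $name }
}

function Get-HighPotentialPrivileges {
    # whoami /priv /fo csv yields "Privilege Name","Description","State" rows.
    # A privilege that is present but "Disabled" is still interesting: it can be
    # enabled with AdjustTokenPrivileges unless the token is UAC-filtered.
    whoami /priv /fo csv | ConvertFrom-Csv |
        Where-Object { $HighPotentialPrivileges -contains $_.'Privilege Name' } |
        ForEach-Object {
            [pscustomobject]@{ Privilege = $_.'Privilege Name'; State = $_.State }
        }
}

function Get-PolicyRelabelGrants {
    # Reads the local "Modify an object label" assignment (SeRelabelPrivilege) from an
    # exported security template. Default is "no one", so any SID listed here is the
    # manual-assignment edge case. Requires administrative rights; returns $null otherwise.
    $inf = Join-Path $env:TEMP ("userrights-{0}.inf" -f [guid]::NewGuid())
    try {
        secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
        if (-not (Test-Path $inf)) { return $null }
        $line = Get-Content -Path $inf -Encoding Unicode |
                Where-Object { $_ -match '^\s*SeRelabelPrivilege\s*=\s*(.+)$' }
        if (-not $line) { return @() }
        # Values are comma-separated; SIDs are prefixed with '*', names are bare.
        ($Matches[1] -split ',') | ForEach-Object { $_.Trim().TrimStart('*') }
    } finally {
        if (Test-Path $inf) { Remove-Item -Path $inf -Force }
    }
}

$integrity = Get-TokenIntegrity
$findings  = Get-HighPotentialPrivileges

"Token integrity level: $($integrity.Name) (RID $($integrity.Rid))"
if ($findings) { $findings | Format-Table -AutoSize } else { 'No high-potential privileges in this token.' }

if (($findings | Where-Object Privilege -eq 'SeRelabelPrivilege') -and $integrity.Rid -lt 12288) {
    Write-Warning 'SeRelabelPrivilege is in the token but the integrity level is below High, so it stays disabled.'
}

$grants = Get-PolicyRelabelGrants
if ($null -eq $grants) { 'Skipping policy check (secedit export needs elevation).' }
elseif ($grants.Count -eq 0) { 'Local policy assigns SeRelabelPrivilege to no one (the default).' }
else { "Local policy assigns SeRelabelPrivilege to: $($grants -join ', ')" }
```

Run it once from a normal prompt and once elevated: at Medium integrity the filtered token will not list SeRelabelPrivilege at all, so the policy export is the only place the manual assignment shows up without elevation being already in hand. If the policy grant points at a service account SID, that service's token is the one worth inspecting next.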

nurfed1 commented 3 years ago

Yes, that's why I made this issue. Even if it isn't assigned by default, there's an edge case that it is assigned manually. :)

itm4n commented 3 years ago

Yes! Thank you! :thumbsup: I updated the code. :)