SeLoadDriverPrivilege

Privilege escalation using the load and unload device drivers policy (SeLoadDriverPrivilege).

Exploitation

Run the following command to see whether the current token holds the privilege and whether it is currently enabled:

whoami /priv

Regardless of whether SeLoadDriverPrivilege is currently enabled in the token or not, we can run the following tool, which automatically enables SeLoadDriverPrivilege, creates a registry key under HKEY_CURRENT_USER and calls NtLoadDriver.

Once we have successfully loaded our Capcom.sys driver onto the machine, we can abuse the loaded driver to escalate our privileges. The following are exploits I've used in my test environment and have verified working:
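From the defender's side, the technique described above leaves two artefacts: a driver service definition sitting in a user hive (HKEY_USERS\<SID>\..., rather than HKLM\SYSTEM\CurrentControlSet\Services where drivers are normally defined) and a kernel driver load of a file such as Capcom.sys. The following PowerShell is an added example written for this page, not a tool from the original post: it hunts for driver-style keys in loaded user hives and scores Sysmon Event ID 6 (DriverLoad) records. The Sysmon field names (ImageLoaded, Signed, SignatureStatus, Hashes) are the real ones; the sample records at the bottom are constructed, and the path allow-list is an assumption to adjust for your environment.

```powershell
# Added example (not from the original page). Hunts for artefacts of a user-hive
# driver load: (1) a key with an ImagePath pointing at a .sys file under any
# HKEY_USERS hive, (2) Sysmon DriverLoad events for drivers outside the normal
# driver directories or matching the known-vulnerable Capcom.sys.

# (1) Driver definitions belong under HKLM\SYSTEM\CurrentControlSet\Services.
#     Any ImagePath ending in .sys inside a user hive is worth a look.
function Find-UserHiveDriverKeys {
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    Get-ChildItem -Path 'HKU:\' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object { Get-ChildItem -Path $_.PSPath -Recurse -ErrorAction SilentlyContinue } |
        ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            if ($props.ImagePath -and $props.ImagePath -match '\.sys(\s|$)') {
                [pscustomobject]@{
                    Key       = $_.Name
                    ImagePath = $props.ImagePath
                    Type      = $props.Type      # 1 = SERVICE_KERNEL_DRIVER
                }
            }
        }
}

# (2) Score a single Sysmon Event ID 6 record. $Record is a hashtable of the
#     event's Data fields. Note that Capcom.sys carries a valid signature, so
#     "signed" alone is not a clean bill of health; path and name matter too.
function Test-DriverLoadEvent {
    param([Parameter(Mandatory)][hashtable]$Record)
    $image = [string]$Record.ImageLoaded
    if (-not $image) { return }
    $reasons = @()
    # Allow-list of normal driver locations; an assumption for this example.
    if ($image -notmatch '\\System32\\(drivers|DriverStore)\\') {
        $reasons += 'loaded from outside System32\drivers or DriverStore'
    }
    if ($Record.Signed -ne 'true' -or $Record.SignatureStatus -ne 'Valid') {
        $reasons += "signature status '$($Record.SignatureStatus)'"
    }
    if ([IO.Path]::GetFileName($image) -ieq 'Capcom.sys') {
        $reasons += 'file name matches known-vulnerable Capcom.sys'
    }
    [pscustomobject]@{
        ImageLoaded = $image
        Hashes      = $Record.Hashes
        Suspicious  = ($reasons.Count -gt 0)
        Reasons     = ($reasons -join '; ')
    }
}

# Pull live DriverLoad events (requires Sysmon with DriverLoad enabled and
# read access to the Operational log) and score each one.
function Get-SuspiciousDriverLoads {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 6 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            Test-DriverLoadEvent -Record $data
        } |
        Where-Object Suspicious
}

# Constructed sample records (not real telemetry) so the scoring runs offline.
$samples = @(
    @{ ImageLoaded = 'C:\Windows\System32\drivers\tcpip.sys'; Signed = 'true'; SignatureStatus = 'Valid'; Hashes = 'SHA256=<placeholder>' },
    @{ ImageLoaded = 'C:\Users\Public\Capcom.sys';            Signed = 'true'; SignatureStatus = 'Valid'; Hashes = 'SHA256=<placeholder>' }
)
$samples | ForEach-Object { Test-DriverLoadEvent -Record $_ } | Format-Table -AutoSize
```

Run Find-UserHiveDriverKeys and Get-SuspiciousDriverLoads from an elevated prompt on a live host; the recursive walk of every loaded user hive can take a minute on busy machines. In the constructed sample, tcpip.sys passes on every check while the Capcom.sys record is flagged on path and name despite its valid signature, which is exactly why a signature-only rule misses this class of driver.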

This privilege is extremely dangerous to assign to any user, since loading a driver amounts to running arbitrary code in the kernel, and I have seen multiple organizations assign it to every user.
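To find out who actually holds the right on a given host, the local policy can be exported with secedit and the SeLoadDriverPrivilege line of its [Privilege Rights] section parsed. The PowerShell below is an added example for this page, not the author's tooling: it exports the policy, resolves each SID to an account name and flags anything beyond BUILTIN\Administrators (S-1-5-32-544), which is the default holder on workstations and member servers. That baseline is an assumption you may need to widen (domain controllers also grant it to Print Operators by default), and the sample line at the end is constructed.

```powershell
# Added example (not from the original page). Audits which principals hold
# SeLoadDriverPrivilege on this host via a secedit policy export.

# Parse one "SeLoadDriverPrivilege = *S-1-...,*S-1-..." line from the export.
# Entries are usually SIDs prefixed with '*', but plain account names are
# tolerated as well. $ExpectedSids is the baseline; an assumption to tune.
function ConvertFrom-PrivilegeRightsLine {
    param(
        [Parameter(Mandatory)][string]$Line,
        [string[]]$ExpectedSids = @('S-1-5-32-544')   # BUILTIN\Administrators
    )
    $rhs = ($Line -split '=', 2)[1]
    if ([string]::IsNullOrWhiteSpace($rhs)) { return @() }
    foreach ($entry in $rhs.Split(',')) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) {
            $sid  = $entry.TrimStart('*')
            $name = try {
                ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value
            } catch { '<unresolved SID>' }
        } else {
            $name = $entry
            $sid  = try {
                ([System.Security.Principal.NTAccount]$entry).Translate([System.Security.Principal.SecurityIdentifier]).Value
            } catch { '<unresolved name>' }
        }
        [pscustomobject]@{
            Sid        = $sid
            Account    = $name
            Unexpected = ($sid -notin $ExpectedSids)
        }
    }
}

# Export the effective local policy and report the holders. Needs elevation.
function Get-LoadDriverPrivilegeHolders {
    param([string[]]$ExpectedSids = @('S-1-5-32-544'))
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    & secedit.exe /export /cfg $cfg /quiet | Out-Null
    if (-not (Test-Path $cfg)) { throw 'secedit export failed; run from an elevated prompt' }
    try {
        $lines = @(Get-Content $cfg | Where-Object { $_ -match '^SeLoadDriverPrivilege\s*=' })
        if ($lines.Count -eq 0) { return @() }   # the right is assigned to nobody
        ConvertFrom-PrivilegeRightsLine -Line $lines[0] -ExpectedSids $ExpectedSids
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
}

# Constructed sample (not from a real export): Administrators plus BUILTIN\Users,
# the "assigned to every user" misconfiguration described above.
ConvertFrom-PrivilegeRightsLine -Line 'SeLoadDriverPrivilege = *S-1-5-32-544,*S-1-5-32-545' |
    Format-Table -AutoSize
```

On a live host call Get-LoadDriverPrivilegeHolders from an elevated prompt; any row with Unexpected set to True should be removed from the "Load and unload device drivers" user rights assignment in Group Policy, or justified and documented.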
