search
Personal BlogTwitterGitHubContact

SeLoadDriverPrivilege

Privilege escalation using the load and unload device drivers policy (SeLoadDriverPrivilege).

hashtag
Exploitation

Run the following command to see if the privilege is enabled:

whoami /priv

Regardless of if SeLoadDriverPrivilege is enabled or not, we can run the following tool automagically enable the SeLoadDrivierPrivilege, create a registry key under HKEY_CURRENT_USER and execute NTLoadDriver.

Once we have successfully loaded our Capcom.sys driver onto the machine we can abuse the malicious driver to escalate our privleges. The following are exploits I've used in my test environment and have verified working:

This privilege is extremely dangerous to assign to any user and I have seen multiple organizations assign it to every user.

hashtag
References

LogoPrivileged Accounts and Token Privileges | Red Team Noteswww.ired.teamchevron-right
LogoAbusing SeLoadDriverPrivilege for privilege escalationTarlogic Securitychevron-right
PreviousSeImpersonatePrivilegeNextService Exploitation

Last updated