Overview
High integrity (local admin) is not SYSTEM. Some post-exploitation tasks require SYSTEM — dumping LSASS, accessing certain registry hives, or interacting with services. Multiple paths to escalate.Create New Service
PsExec
Sysinternals PsExec with-s flag runs as SYSTEM.
Scheduled Task
Named Pipes — Meterpreter getsystem
Meterpreter automates named pipe impersonation:- Named pipe impersonation (default)
- Token duplication
- Named pipe impersonation (RPCSS variant)
Token Manipulation
Incognito (Meterpreter)
PowerShell — Invoke-TokenManipulation
DLL Hijacking on SYSTEM Service
If a SYSTEM service loads DLL from writable path:- Find writable DLL path (see Service Exploits)
- Drop malicious DLL
- Restart service → executes as SYSTEM
AlwaysInstallElevated → SYSTEM
If enabled, MSI installs as SYSTEM:SeImpersonate → SYSTEM
If high integrity process has SeImpersonatePrivilege:SeDebug + SeImpersonate
With both privileges, migrate into SYSTEM process:Parent PID Spoofing
Create process with SYSTEM process as parent:Quick Reference
| Method | Requires | Complexity |
|---|---|---|
| PsExec -s | Admin + PsExec on disk | Low |
| New service | Admin | Low |
| Scheduled task | Admin | Low |
| Meterpreter getsystem | Meterpreter session | Low |
| Token manipulation | Admin + tool | Medium |
| Parent PID spoofing | Admin + SeDebug | Medium |
| Potato attacks | SeImpersonate | Medium |