Windows Privilege Escalation: SeTcbPrivilege

Windows Privilege Escalation: SeTcbPrivilege
SeTcbPrivilege, or “Act as part of the operating system,” can let a low-privileged domain user impersonate SYSTEM and escalate to local administrator if it is misassigned through Group Policy. This article demonstrates how the tcb-lpe tool (tcb.exe) was used in the ignite.local domain to exploit that misconfiguration and highlights key mitigations such as privilege auditing, WDAC, and restricting WinRM access. #SeTcbPrivilege #tcb-lpe #tcb.exe #ignite.local #Evil-WinRM #DC.IGNITE.LOCAL

Keypoints

  • SeTcbPrivilege allows a process to act as a trusted Windows component and impersonate SYSTEM.
  • Granting this privilege to a normal domain user creates a direct path to local administrator access.
  • The lab used the ignite.local domain, a Windows Server 2019 domain controller, and Evil-WinRM for remote access.
  • The tcb-lpe exploit, tcb.exe, was used to run a SYSTEM command that added the compromised user to Administrators.
  • Mitigations include restricting SeTcbPrivilege, auditing GPOs, enabling sensitive privilege logging, and limiting WinRM access.

Read More: https://www.hackingarticles.in/windows-privilege-escalation-setcbprivilege/