SeTcbPrivilege, or “Act as part of the operating system,” can let a low-privileged domain user impersonate SYSTEM and escalate to local administrator if it is misassigned through Group Policy. This article demonstrates how the tcb-lpe tool (tcb.exe) was used in the ignite.local domain to exploit that misconfiguration and highlights key mitigations such as privilege auditing, WDAC, and restricting WinRM access. #SeTcbPrivilege #tcb-lpe #tcb.exe #ignite.local #Evil-WinRM #DC.IGNITE.LOCAL
Keypoints
- SeTcbPrivilege allows a process to act as a trusted Windows component and impersonate SYSTEM.
- Granting this privilege to a normal domain user creates a direct path to local administrator access.
- The lab used the ignite.local domain, a Windows Server 2019 domain controller, and Evil-WinRM for remote access.
- The tcb-lpe exploit, tcb.exe, was used to run a SYSTEM command that added the compromised user to Administrators.
- Mitigations include restricting SeTcbPrivilege, auditing GPOs, enabling sensitive privilege logging, and limiting WinRM access.
Read More: https://www.hackingarticles.in/windows-privilege-escalation-setcbprivilege/