
Beyond ACLs Mapping Windows Privilege Escalation Paths with ... #1848

Open
carlospolop wants to merge 1 commit into master from update_Beyond_ACLs__Mapping_Windows_Privilege_Escalation__20260202_184457

Conversation

@carlospolop (Collaborator)

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

This post explains (1) how Windows authorization normally works via access tokens and ACLs, (2) why some token privileges can bypass DACL checks and become practical local privilege-escalation primitives, and (3) how BloodHound/SharpHound contributions let you enumerate privileges and logon rights domain-wide to find privilege-based escalation paths.

  1. Access tokens 101 (normal authorization path)
    Windows uses access tokens to represent the security context of a process or thread. Key attribut...

🔧 Technical Details

Privilege-based privesc on Windows: treat token privileges as escalation primitives because they can bypass normal DACL authorization. SeBackupPrivilege can enable reading protected files/registry hives regardless of DACLs, allowing SAM/SYSTEM extraction and offline hash recovery (e.g., secretsdump tooling) to gain administrator access.

SeDebugPrivilege can bypass checks when opening process/thread handles, enabling actions like reading privileged process memory, injecting code, or dumping LSASS for credential extraction.

SeImpersonatePrivilege allows a thread to adopt another security context; SeAssignPrimaryTokenPrivilege enables creating new processes with primary tokens. Where direct token theft is blocked by assignment checks, these privileges can enable bypass. If SeDebugPrivilege is unavailable, Potato-family coercion techniques may be used to obtain an impersonation opportunity.

Enumeration approach: map privilege/logon-right assignments domain-wide by parsing GptTmpl.inf fr...

🤖 Agent Actions

Updated windows-hardening/active-directory-methodology/bloodhound.md with a new section on domain-wide privilege and logon-right collection in BloodHound, including UAC/filtered-token caveats, GPO/SYSVOL parsing steps, LSA RPC enumeration, and an example SeBackupPrivilege abuse path. Added the blog as a reference.

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
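The enumeration approach the summary describes starts from the `[Privilege Rights]` section of each GPO's `GptTmpl.inf` in SYSVOL. As an added example, not code from the PR, from HackTricks or from the Synacktiv post, here is a small audit script that decodes such a template, parses that section, and flags high-risk privileges granted to principals other than the well-known default holders. The `HIGH_RISK_PRIVILEGES` and `EXPECTED_HOLDERS` sets are choices made for this example, and the sample template (including the `S-1-5-21-...` SID) is constructed, not taken from any real domain.

```python
"""Audit the [Privilege Rights] section of GptTmpl.inf security templates.

Added example; not code from the PR, HackTricks or the Synacktiv post.
GptTmpl.inf is the "Security Settings" file kept under a GPO's SYSVOL
folder (...\\MACHINE\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf). Its
[Privilege Rights] section lists user rights (privileges and logon rights)
and the principals they are granted to, as '*'-prefixed SIDs or plain names.
"""
import re
from typing import Dict, List, Set, Tuple

# Token privileges the post treats as DACL-bypassing escalation primitives.
# Assumption for this example: which rights count as high-risk is an
# auditor's policy choice; extend the set as needed.
HIGH_RISK_PRIVILEGES: Set[str] = {
    "SeBackupPrivilege",
    "SeRestorePrivilege",
    "SeDebugPrivilege",
    "SeImpersonatePrivilege",
    "SeAssignPrimaryTokenPrivilege",
    "SeTakeOwnershipPrivilege",
    "SeLoadDriverPrivilege",
    "SeTcbPrivilege",
}

# Well-known principals that hold (some of) these rights by default on a
# Windows host; a grant to any other principal is worth reviewing.
EXPECTED_HOLDERS: Set[str] = {
    "S-1-5-32-544",  # BUILTIN\Administrators
    "S-1-5-18",      # NT AUTHORITY\SYSTEM
    "S-1-5-19",      # NT AUTHORITY\LOCAL SERVICE
    "S-1-5-20",      # NT AUTHORITY\NETWORK SERVICE
    "S-1-5-6",       # NT AUTHORITY\SERVICE
}


def decode_gpttmpl(raw: bytes) -> str:
    """GptTmpl.inf is normally written as UTF-16 with a BOM; fall back to UTF-8."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig")


def parse_privilege_rights(text: str) -> Dict[str, List[str]]:
    """Return {right_name: [principal, ...]} from the [Privilege Rights] section.

    An entry with an empty value (``SeTcbPrivilege =``) is kept as an empty
    list: a defined-but-empty right means the GPO assigns it to nobody.
    """
    rights: Dict[str, List[str]] = {}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        principals = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
        rights[name.strip()] = principals
    return rights


def find_risky_grants(rights: Dict[str, List[str]],
                      expected: Set[str] = EXPECTED_HOLDERS) -> List[Tuple[str, str]]:
    """(privilege, principal) pairs where a high-risk right goes to an unexpected holder."""
    return [(priv, holder)
            for priv, holders in rights.items() if priv in HIGH_RISK_PRIVILEGES
            for holder in holders if holder not in expected]


def rights_by_principal(templates: Dict[str, str]) -> Dict[str, Set[Tuple[str, str]]]:
    """Aggregate several GPOs ({gpo_name: decoded GptTmpl.inf text}) into
    {principal: {(gpo_name, right), ...}} so one SID can be looked up across
    all of the domain's policies."""
    out: Dict[str, Set[Tuple[str, str]]] = {}
    for gpo, text in templates.items():
        for right, holders in parse_privilege_rights(text).items():
            for holder in holders:
                out.setdefault(holder, set()).add((gpo, right))
    return out


# Constructed sample template (not a real GPO); the S-1-5-21-... SID is a
# placeholder standing in for a domain group that was handed backup rights.
SAMPLE_TEXT = """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeDebugPrivilege = *S-1-5-32-544
SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-19,*S-1-5-20,*S-1-5-6
SeTcbPrivilege =
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
"""
SAMPLE_GPTTMPL = SAMPLE_TEXT.encode("utf-16")  # mimic the on-disk encoding


if __name__ == "__main__":
    parsed = parse_privilege_rights(decode_gpttmpl(SAMPLE_GPTTMPL))
    for priv, who in find_risky_grants(parsed):
        print(f"REVIEW: {priv} granted to {who}")
```

Two things to keep in mind when reading the output: a user right defined in a GPO replaces the local assignment rather than merging with it, so GPO precedence decides the effective setting on each host; and, as the PR's bloodhound.md section notes for UAC-filtered tokens, a right present in policy is not always present in the token a given logon actually receives.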

@carlospolop (Collaborator, Author)

🔗 Additional Context

Original Blog Post: https://www.synacktiv.com/en/publications/beyond-acls-mapping-windows-privilege-escalation-paths-with-bloodhound.html

Content Categories: Based on the analysis, this content was categorized under "Windows Hardening -> Windows Local Privilege Escalation (token privileges like SeBackupPrivilege/SeDebugPrivilege/SeImpersonate) and/or Active Directory Methodology -> BloodHound & Other AD Enum Tools (collecting/logon-rights & privileges via GPO/SYSVOL and LSA RPC enumeration)".

Repository Maintenance:

  • MD Files Formatting: 944 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
