EoP - From local administrator to NT SYSTEM

Leveraging PsExec for Elevation of Privilege (EoP) to NT SYSTEM

Overview

The NT SYSTEM account is the highest privilege level on Windows, providing unrestricted access to all system resources. Attackers or penetration testers with local administrator privileges can escalate their access by using PsExec, a legitimate tool from Microsoft’s Sysinternals suite. This document explains the use of PsExec to achieve NT SYSTEM privileges and outlines mitigation strategies.


Purpose of PsExec in EoP

By executing commands as NT SYSTEM, users gain complete control over the operating system. This allows:

  • Bypassing security controls.

  • Accessing sensitive files and protected system areas.

  • Performing high-privilege actions critical to system integrity.

These capabilities are commonly exploited in penetration testing or by attackers to consolidate control over a compromised system.


Using PsExec to Elevate to NT SYSTEM

Prerequisites

  1. PsExec: Ensure that PsExec.exe is available on the system. It can be downloaded from Microsoft Sysinternals.

  2. Local Administrator Privileges: The user must already have administrator rights.


Step 1: Run PsExec with NT SYSTEM Privileges

Execute the following command to open a command prompt with NT SYSTEM privileges:

PsExec.exe -i -s cmd.exe

Explanation of Parameters:

  • -i (Interactive Mode): Allows the process to interact with the desktop.

  • -s (System Account): Runs the command under the NT SYSTEM account.


Step 2: Verify NT SYSTEM Access

Once the command is executed, a new command prompt will open. Verify the privilege level by typing:

whoami

Expected Output:

NT AUTHORITY\SYSTEM

Potential Actions and Risks as NT SYSTEM

Once elevated, the NT SYSTEM account allows the following:

  1. Access to Sensitive Files

    • Read and modify critical files such as:

      • SAM, SYSTEM, and SECURITY hives (registry hives containing local account password hashes, the key material needed to decrypt them, and security configuration).

      • Protected system files.

  2. Service Manipulation

    • Control system services:

      • Disable or modify essential services.

      • Launch new services to perform malicious activities.

  3. Persistence Mechanisms

    • Create persistent backdoors or scheduled tasks that survive reboots.

  4. Full Access to User Data

    • Read or exfiltrate data from any user account on the system.


Mitigation Strategies

To protect against unauthorized NT SYSTEM access, implement the following controls:

1. Restrict PsExec Access

  • Limit access to PsExec: ensure that PsExec and similar remote-execution tools can be run only by authorized users.

  • Use file integrity monitoring to detect PsExec binaries being written to or modified on endpoints.

2. Monitor NT SYSTEM Processes

  • Regularly audit processes running as NT SYSTEM.

  • Use SIEM (Security Information and Event Management) tools to alert on suspicious NT SYSTEM activity.

3. Limit Local Administrator Privileges

  • Follow the principle of least privilege:

    • Only grant local admin privileges when absolutely necessary.

    • Regularly review and revoke unnecessary administrator accounts.

4. Endpoint Detection and Response (EDR)

  • Deploy EDR solutions to detect and respond to privilege escalation attempts.

  • Implement behavioral analysis to identify anomalous use of tools like PsExec.
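As an added illustration of the monitoring and behavioral-analysis controls above (example code written for this page, not part of the original document or the Sysinternals suite), the following rules flag the PsExec -s pattern in process-creation and service-install records. The event layout, field names and sample records are constructed assumptions modelled on Windows Security 4688 and System 7045 events, not real log data.

```python
# Added example: rule-based detection of the PsExec "-s" elevation pattern over
# constructed process-creation (4688) and service-install (7045) records.
from dataclasses import dataclass

@dataclass
class Event:
    event_id: int          # 7045 = service installed (System log); 4688 = process created (Security log)
    image: str             # service file name (7045) or new process image (4688)
    user: str = ""         # account the new process runs as (4688)
    parent: str = ""       # parent process image (4688)
    cmdline: str = ""      # command line (4688)

SYSTEM = "NT AUTHORITY\\SYSTEM"

def psexec_service_installed(ev):
    # PsExec installs its helper service from PSEXESVC.exe by default; the name is
    # configurable, so treat this as one signal rather than the only one.
    return ev.event_id == 7045 and ev.image.lower().endswith("psexesvc.exe")

def psexec_s_invocation(ev):
    # The launching command from this page: psexec with -s (flag order and case vary).
    args = ev.cmdline.lower().split()
    return ev.event_id == 4688 and bool(args) and "psexec" in args[0] and "-s" in args

def system_shell_from_psexec(ev):
    # The result of -s: a SYSTEM process whose parent is the PsExec service binary.
    return (ev.event_id == 4688 and ev.user.upper() == SYSTEM
            and ev.parent.lower().endswith("psexesvc.exe"))

RULES = (psexec_service_installed, psexec_s_invocation, system_shell_from_psexec)

def detect(events):
    """Return (rule_name, event_index) for every rule that fires, in event order."""
    return [(rule.__name__, i) for i, ev in enumerate(events) for rule in RULES if rule(ev)]

# Constructed sample records (not real log data): the sequence this page describes,
# followed by a benign SYSTEM process that must not alert.
SAMPLE_EVENTS = [
    Event(7045, r"C:\Windows\PSEXESVC.exe"),
    Event(4688, r"C:\Tools\PsExec.exe", "CORP\\alice", r"C:\Windows\System32\cmd.exe", "PsExec.exe -i -s cmd.exe"),
    Event(4688, r"C:\Windows\System32\cmd.exe", SYSTEM, r"C:\Windows\PSEXESVC.exe", "cmd.exe"),
    Event(4688, r"C:\Windows\System32\svchost.exe", SYSTEM, r"C:\Windows\System32\services.exe", "svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for name, idx in detect(SAMPLE_EVENTS):
        print(f"ALERT {name}: event {idx} -> {SAMPLE_EVENTS[idx]}")
```

The parent-process rule is the most robust of the three because it keys on the process tree that -s produces rather than on a file name an operator can change.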


Conclusion

The misuse of PsExec to escalate privileges to NT SYSTEM represents a significant risk to system security. By understanding this technique and applying strict mitigation measures, organizations can reduce their exposure to such attacks and ensure tighter control over their critical systems.