Scrambled_User_Privileges_miscsvc

miscsvc

---

Checking for user privileges of the miscsvc account while conducting the basic enumeration

*evil-winrm* ps c:\Users\miscsvc\Documents> whoami /all
 
USER INFORMATION
----------------
 
User Name    SID
============ ==============================================
scrm\miscsvc S-1-5-21-2743207045-1827831105-2542523200-1617
 
 
GROUP INFORMATION
-----------------
 
Group Name                                  Type             SID                                            Attributes
=========================================== ================ ============================================== ==================================================
Everyone                                    Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access     Alias            S-1-5-32-574                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users             Alias            S-1-5-32-580                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                        Well-known group S-1-5-2                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
SCRM\ITShare                                Group            S-1-5-21-2743207045-1827831105-2542523200-1609 Mandatory group, Enabled by default, Enabled group
SCRM\ITUsers                                Group            S-1-5-21-2743207045-1827831105-2542523200-1610 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity  Well-known group S-1-18-1                                       Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448
 
 
PRIVILEGES INFORMATION
----------------------
 
Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
 
 
USER CLAIMS INFORMATION
-----------------------
 
User claims unknown.
 
Kerberos support for Dynamic Access Control on this device has been disabled.

The miscsvc account has group memberships to ITShare and ITUsers groups Additionally, the miscsvc account also has the SeMachineAccountPrivilege. noPac exploit may be used for privilege escalation