Beyond ACLs: Mapping Windows Privilege Escalation Paths with BloodHound

synacktiv.com · Webmaster · 1 hour ago · research
Windows privileges are special rights that allow processes to perform sensitive operations. Some privileges allow bypassing standard Access Control List (ACL) checks, which can have significant security implications. While privileges such as SeDebugPrivilege, SeImpersonatePrivilege or SeBackupPrivilege are frequently used by attackers to escalate their privileges, defenders can also leverage logon rights to limit lateral movement. With our pull requests in BloodHound, SharpHound and SharpHoundCommon, it is now possible to enumerate which privileges and logon rights are assigned to users and machines across the network, and thus identify local privilege escalation paths.
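A single-host version of that enumeration, as an added example (not Synacktiv's or BloodHound's code): it parses the `[Privilege Rights]` section of a `secedit /export /areas USER_RIGHTS` file, flags unexpected holders of the three privileges named above, and reports deny-logon rights left unassigned. The sample export, the `EXPECTED` baseline and the choice of deny-logon rights are assumptions made for illustration.

```python
# Constructed sample of a secedit user-rights export (real exports are UTF-16 files).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551,svc_backup
SeDenyNetworkLogonRight = *S-1-5-32-546
[Version]
signature="$CHICAGO$"
"""

# Privileges the page names as frequently used for escalation.
SENSITIVE = {"SeDebugPrivilege", "SeImpersonatePrivilege", "SeBackupPrivilege"}
# Assumed baseline: Administrators, Backup Operators, LOCAL SERVICE,
# NETWORK SERVICE and SERVICE. Adjust to your own hardening standard.
EXPECTED = {"S-1-5-32-544", "S-1-5-32-551", "S-1-5-19", "S-1-5-20", "S-1-5-6"}
# Assumed choice of logon rights a defender would set to limit lateral movement.
DENY_LOGON = ("SeDenyNetworkLogonRight", "SeDenyRemoteInteractiveLogonRight")

def parse_privilege_rights(text):
    """Return {right: [principal, ...]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line or line.startswith(";"):
            continue
        name, _, value = line.partition("=")
        # SIDs are written with a leading '*'; unresolved accounts appear by name.
        rights[name.strip()] = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return rights

def audit(rights):
    """Flag unexpected holders of sensitive privileges and unset deny-logon rights."""
    findings = []
    for priv in sorted(SENSITIVE):
        for principal in rights.get(priv, []):
            if principal not in EXPECTED:
                findings.append(("unexpected-holder", priv, principal))
    for right in DENY_LOGON:
        if not rights.get(right):
            findings.append(("deny-right-unset", right, None))
    return findings

if __name__ == "__main__":
    for finding in audit(parse_privilege_rights(SAMPLE_INF)):
        print(finding)
```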