
Research is my own, unless otherwise specified.

Kernel Drivers, Process Protection, and ...Bears?

Acknowledgments: Thanks to the various people that proofread my ramblings and offered valuable feedback. Thanks to @_RastaMouse (and ZeroPointSecurity) for creating courses that have inspired me to learn more about security every day. I want to start this blog by stating basically none of this research is “new”. A lot of the information surrounding process protection in Windows, and the various methods of exploitation have been explored in extreme depth (such as the work done by Benjamin Delpy and the mimikatz driver).

Sp(e)lunking with ChatGPT

The Elephant in the Room

By now, ChatGPT should be something you’ve heard about or are starting to hear about at your organization. I tend to approach new products surrounded by significant hype with a humble trepidation and reasonable apprehension. In recent months, ChatGPT and OpenAI have garnered a lot of news coverage and subsequent panic of an AI takeover that will result in all of us losing our jobs (😅).

PrivEsc: Abusing the Service Control Manager for Stealthy & Persistent LPE

Living off the Land

Earlier this week, Grzegorz Tworek posted a really cool way of establishing a persistent LPE that I haven’t previously seen in the wild. From a (compromised) privileged account we can abuse the Service Control Manager to allow any arbitrary non-administrative user to have full SYSTEM permissions on a machine persistently by feeding an overly permissive ACL to the Service Control Manager with sdset.

Some background knowledge

Understanding what this attack is doing will require some light reading into both sdset as well as Microsoft’s Security Descriptor Definition Language (SDDL).