Add SeRelabelPrivilege to HighPotentialPrivileges about privesccheck HOT 6 CLOSED

Hi,

Yeah, I already thought about adding this privilege after reading JF's blog post.
But I didn't really know what to do with this one as only SYSTEM can have this privilege.
I think I will still add it to the list given the very little implementation cost. :)

from privesccheck.

From my testing it seems that any user can have the privilege, as long as the IntegrityLevel is High or above.

from privesccheck.

Any user? Really? 🤔

IntegrityLevel = High generally means admin (after UAC). I don't see this privilege. Even then, it would be irrelevant in the context of PrvescCheck.
IntegrityLevel = System means it's a service account. Have you ever found a service that doesn't run as SYSTEM and that has this privilege? 🤔

From JF's blog post:

At any rate the only user that gets SeRelabelPrivilege by default is SYSTEM, which defaults to the System integrity level which is already the maximum allowed level so this behavior of the privilege seems pretty much moot. At any rate as it's a "God" privilege it will be disabled if the token has an integrity level less than High, so this lowering operation is going to be rarely useful.

from privesccheck.

That being said, it could be the result of a custom config. A service account or an administrator could be granted this privilege manually.
That seems a very rare edge case but it's technically possible. :)

from privesccheck.

Yes, that's why I made this issue.
Even if it isn't assigned by default, there's an edge case that it is assigned manually. :)

from privesccheck.

Yes! Thank you! 👍
I updated the code. :)

from privesccheck.