Which Account
Gremlin requires a LocalSystem account because of the unrestricted access that our agent needs to run attacks on customer systems. If the Gremlin Agent is installed under any account other than LocalSystem, we cannot guarantee that the agent will work properly.
Different Types of Accounts
Windows-based systems offer three built-in service account types: LocalSystem, NetworkService and LocalService. All three run a service in the context of a user account. Visit this link to gain a better understanding of how Microsoft allows you to modify the credentials for these accounts. Below you can see the privileges each account's token is granted by default (a privilege marked "disabled" is present in the token but not enabled until the process enables it).
LocalSystem
SE_ASSIGNPRIMARYTOKEN_NAME (disabled)
SE_AUDIT_NAME (enabled)
SE_BACKUP_NAME (disabled)
SE_CHANGE_NOTIFY_NAME (enabled)
SE_CREATE_GLOBAL_NAME (enabled)
SE_CREATE_PAGEFILE_NAME (enabled)
SE_CREATE_PERMANENT_NAME (enabled)
SE_CREATE_TOKEN_NAME (disabled)
SE_DEBUG_NAME (enabled)
SE_IMPERSONATE_NAME (enabled)
SE_INC_BASE_PRIORITY_NAME (enabled)
SE_INCREASE_QUOTA_NAME (disabled)
SE_LOAD_DRIVER_NAME (disabled)
SE_LOCK_MEMORY_NAME (enabled)
SE_MANAGE_VOLUME_NAME (disabled)
SE_PROF_SINGLE_PROCESS_NAME (enabled)
SE_RESTORE_NAME (disabled)
SE_SECURITY_NAME (disabled)
SE_SHUTDOWN_NAME (disabled)
SE_SYSTEM_ENVIRONMENT_NAME (disabled)
SE_SYSTEMTIME_NAME (disabled)
SE_TAKE_OWNERSHIP_NAME (disabled)
SE_TCB_NAME (enabled)
SE_UNDOCK_NAME (disabled)
For more specific information about how LocalSystem accounts work, visit this link.
NetworkService
SE_ASSIGNPRIMARYTOKEN_NAME (disabled)
SE_AUDIT_NAME (disabled)
SE_CHANGE_NOTIFY_NAME (enabled)
SE_CREATE_GLOBAL_NAME (enabled)
SE_IMPERSONATE_NAME (enabled)
SE_INCREASE_QUOTA_NAME (disabled)
SE_SHUTDOWN_NAME (disabled)
SE_UNDOCK_NAME (disabled)
Any privileges assigned to Users and Authenticated Users
For more specific information about how NetworkService accounts work, visit this link.
LocalService
SE_ASSIGNPRIMARYTOKEN_NAME (disabled)
SE_AUDIT_NAME (disabled)
SE_CHANGE_NOTIFY_NAME (enabled)
SE_CREATE_GLOBAL_NAME (enabled)
SE_IMPERSONATE_NAME (enabled)
SE_INCREASE_QUOTA_NAME (disabled)
SE_SHUTDOWN_NAME (disabled)
SE_UNDOCK_NAME (disabled)
Any privileges assigned to Users and Authenticated Users
For more specific information about how LocalService accounts work, visit this link.
Why does Gremlin need this type of access?
We understand that it's risky giving any application this type of access to your system, but in order for Gremlin to run attacks successfully, it's important that our agent is given the correct account type. For example, our time travel attack needs to be granted SE_SYSTEMTIME_NAME, and our deadman switch needs access to SE_TAKE_OWNERSHIP_NAME. Without a LocalSystem account we also wouldn't be able to run disk attacks, because the LocalSystem token includes the NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs.
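The following PowerShell script is an added example and is not Gremlin's code. It lets an administrator verify two things the article describes: which built-in account a given service runs under (via the Win32_Service StartName), and whether the token of the current process carries the two privileges named above, SE_SYSTEMTIME_NAME and SE_TAKE_OWNERSHIP_NAME, using the privilege names that whoami reports (SeSystemtimePrivilege and SeTakeOwnershipPrivilege). It also lists every service already running as LocalSystem, so you can see how many services on the host hold that token. The service name is a placeholder; substitute the agent's real service name as shown by Get-Service.

```powershell
# Added example, not Gremlin's own code. Run from an elevated PowerShell.
# whoami /priv reports the token of the *current* process, so to see the real
# LocalSystem token start the shell as SYSTEM (for example with Sysinternals
# PsExec: psexec -s -i powershell.exe) before running this script.
param(
    # Placeholder: replace with the actual service name of the agent on your host.
    [string]$ServiceName = 'PLACEHOLDER_AGENT_SERVICE'
)

# Privileges this article names as required, mapped from the winnt.h constant
# to the privilege name that whoami /priv prints.
$RequiredPrivileges = @{
    'SE_SYSTEMTIME_NAME'     = 'SeSystemtimePrivilege'     # time travel attack
    'SE_TAKE_OWNERSHIP_NAME' = 'SeTakeOwnershipPrivilege'  # deadman switch
}

# StartName values that Windows reports for the three built-in service accounts.
$BuiltInAccounts = @{
    'LocalSystem'                 = 'LocalSystem'
    'NT AUTHORITY\NetworkService' = 'NetworkService'
    'NT AUTHORITY\LocalService'   = 'LocalService'
}

function Get-ServiceAccount {
    # Returns the account a service is configured to log on as.
    param([string]$Name)
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { throw "Service '$Name' was not found on this host." }
    $kind = if ($BuiltInAccounts.ContainsKey($svc.StartName)) {
        $BuiltInAccounts[$svc.StartName]
    } else {
        'Other (domain or local user account)'
    }
    [pscustomobject]@{ Service = $svc.Name; StartName = $svc.StartName; AccountType = $kind }
}

function Get-LocalSystemServices {
    # Inventory of every service that already runs with the LocalSystem token.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -eq 'LocalSystem' } |
        Select-Object Name, State, PathName
}

function Get-TokenPrivileges {
    # Parses whoami /priv CSV output: "Privilege Name","Description","State".
    whoami /priv /fo csv | ConvertFrom-Csv | ForEach-Object {
        [pscustomobject]@{ Name = $_.'Privilege Name'; State = $_.State }
    }
}

function Test-RequiredPrivileges {
    # For each required privilege, reports MISSING, or present with its state.
    # A privilege in the Disabled state is still in the token; the process can
    # enable it for itself, which is why the tables above list several as disabled.
    param([hashtable]$Required)
    $have = @{}
    foreach ($p in Get-TokenPrivileges) { $have[$p.Name] = $p.State }
    foreach ($entry in $Required.GetEnumerator()) {
        $privName = $entry.Value
        $status = if ($have.ContainsKey($privName)) { "present ($($have[$privName]))" } else { 'MISSING' }
        [pscustomobject]@{ Constant = $entry.Key; Privilege = $privName; Status = $status }
    }
}

$account = Get-ServiceAccount -Name $ServiceName
$account | Format-List
if ($account.AccountType -ne 'LocalSystem') {
    Write-Warning "$ServiceName logs on as '$($account.StartName)'; the article only supports the agent under LocalSystem."
}

"Services currently configured to run as LocalSystem:"
Get-LocalSystemServices | Format-Table -AutoSize

"Required privileges in the current process token:"
Test-RequiredPrivileges -Required $RequiredPrivileges | Format-Table -AutoSize
```

If the privilege check is run from an ordinary elevated administrator shell rather than as SYSTEM, the result describes the administrator's token, not the service's; the service-account line from Get-ServiceAccount is the authoritative answer for how the agent itself is configured.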