Which Windows Service User Account Is Right For Gremlin?

Created by Jamie Martin, Modified on Tue, 18 Oct 2022 at 04:49 PM by Jamie Martin

Which Account


Gremlin requires a LocalSystem account because of the unrestricted access that our agent needs to run attacks on customer systems. If the Gremlin Agent is installed using anything other than LocalSystem account, we cannot guarantee that the agent will work properly. 


Different Types of Accounts 


Windows based systems are given the option to use three types of accounts for security: LocalSystem, NetworkService and LocalService. All three of these account types performs work as a user account. Visit this link to gain a better understanding of how Microsoft allows you to modify the credentials for these accounts. Below you can see the differences in permissions each account is given.


LocalSystem




  • SE_ASSIGNPRIMARYTOKEN_NAME (disabled)


  • SE_AUDIT_NAME (enabled)


  • SE_BACKUP_NAME (disabled)


  • SE_CHANGE_NOTIFY_NAME (enabled)


  • SE_CREATE_GLOBAL_NAME (enabled)


  • SE_CREATE_PAGEFILE_NAME (enabled)


  • SE_CREATE_PERMANENT_NAME (enabled)


  • SE_CREATE_TOKEN_NAME (disabled)


  • SE_DEBUG_NAME (enabled)


  • SE_IMPERSONATE_NAME (enabled)


  • SE_INC_BASE_PRIORITY_NAME (enabled)


  • SE_INCREASE_QUOTA_NAME (disabled)


  • SE_LOAD_DRIVER_NAME (disabled)


  • SE_LOCK_MEMORY_NAME (enabled)


  • SE_MANAGE_VOLUME_NAME (disabled)


  • SE_PROF_SINGLE_PROCESS_NAME (enabled)


  • SE_RESTORE_NAME (disabled)


  • SE_SECURITY_NAME (disabled)


  • SE_SHUTDOWN_NAME (disabled)


  • SE_SYSTEM_ENVIRONMENT_NAME (disabled)


  • SE_SYSTEMTIME_NAME (disabled)


  • SE_TAKE_OWNERSHIP_NAME (disabled)


  • SE_TCB_NAME (enabled)


  • SE_UNDOCK_NAME (disabled)


For more specific information about how LocalSystem accounts work visit this link


NetworkService




  • SE_ASSIGNPRIMARYTOKEN_NAME (disabled)


  • SE_AUDIT_NAME (disabled)


  • SE_CHANGE_NOTIFY_NAME (enabled)


  • SE_CREATE_GLOBAL_NAME (enabled)


  • SE_IMPERSONATE_NAME (enabled)


  • SE_INCREASE_QUOTA_NAME (disabled)


  • SE_SHUTDOWN_NAME (disabled)


  • SE_UNDOCK_NAME (disabled)

  • Any privileges assigned to users and authenticated users


For more specific information about how NetworkService accounts work visit this link


LocalService




  • SE_ASSIGNPRIMARYTOKEN_NAME (disabled)


  • SE_AUDIT_NAME (disabled)


  • SE_CHANGE_NOTIFY_NAME (enabled)


  • SE_CREATE_GLOBAL_NAME (enabled)


  • SE_IMPERSONATE_NAME (enabled)


  • SE_INCREASE_QUOTA_NAME (disabled)


  • SE_SHUTDOWN_NAME (disabled)


  • SE_UNDOCK_NAME (disabled)

  • Any privileges assigned to users and authenticated users


For more specific information about how LocalService accounts work visit this link


Why does Gremlin need this type of access? 


We understand that it's risky giving any application this type of access to your system, but in order for Gremlin to run attacks successfully, it's important that our agent is given the correct account type. For example, our time travel attack needs to be granted the SE_SYSTEMTIME_NAME, and our deadman switch needs access to SE_TAKE_OWNERSHIP_NAME. WIthout a LocalSystem account we also wouldn't be able to run disk attacks because it includes the the NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs. 

Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select atleast one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article