remote-system-shutdown: Remote System Forced Shutdown Privilege Check

日期: 2025-08-01 | 影响软件: remote system shutdown | POC: 已公开

漏洞描述

Ensure the "Force shutdown from a remote system" policy (SeRemoteShutdownPrivilege) is assigned only to the Administrators group (SID: S-1-5-32-544). Granting this privilege to unauthorized accounts can allow attackers to remotely shut down the system, posing a significant risk.

PoC代码[已公开]

id: remote-system-shutdown

info:
  name: Remote System Forced Shutdown Privilege Check
  author: nukunga[SungHyunJeon]
  severity: medium
  description: |
    Ensure the "Force shutdown from a remote system" policy (SeRemoteShutdownPrivilege) is assigned only to the Administrators group (SID: S-1-5-32-544). Granting this privilege to unauthorized accounts can allow attackers to remotely shut down the system, posing a significant risk.
  impact: |
    Granting this privilege to accounts or groups other than Administrators can be exploited to carry out unauthorized remote shutdowns, resulting in service disruptions or denial-of-service conditions.
  remediation: |
    Configure the policy to grant the SeRemoteShutdownPrivilege exclusively to the Administrators group by setting its value to S-1-5-32-544 only.
  reference:
    - https://isms.kisa.or.kr/main/csap/notice/?boardId=bbs_0000000000000004&mode=view&cntId=85
  tags: policy,code,windows-audit,kisa

self-contained: true

code:
  - pre-condition: |
      IsWindows();
    engine:
      - powershell
      - powershell.exe
    args:
      - -ExecutionPolicy
      - Bypass
    pattern: "*.ps1"
    source: |
      # Export the current security settings to a configuration file.
      $cfgPath = "C:\cfg.txt"
      secedit /export /cfg $cfgPath | Out-Null
      # Read the exported configuration file.
      $cfg = Get-Content $cfgPath | Out-String
      # Extract the SeRemoteShutdownPrivilege value.
      if ($cfg -match "SeRemoteShutdownPrivilege\s*=\s*(.*)") {
          $privs = $Matches[1].Trim()
          # Check if only the Administrators SID (S-1-5-32-544) is present.
          if ($privs -eq "S-1-5-32-544") {
              "REMOTE_SHUTDOWN_PRIVILEGE_COMPLIANT"
          } else {
              "REMOTE_SHUTDOWN_PRIVILEGE_VULNERABLE"
          }
      } else {
          "REMOTE_SHUTDOWN_PRIVILEGE_NOT_FOUND"
      }

    matchers:
      - type: word
        words:
          - "REMOTE_SHUTDOWN_PRIVILEGE_VULNERABLE"
# digest: 490a004630440220036867acb4067c5a103c2ebd6f8b8c3afc113f9c35cffdf696aa7951ab6eca3d022073e3c70aef90e0785eada52c27726cabdfe0020fd19de73994062f43744f8601:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/./code/windows/audit/kisa/remote-system-shutdown.yaml