SeTakeOwnership

Required Privileges: Administrators - SeTakeOwnershipPrivilege

The SeTakeOwnership privilege allows a user to take ownership of any object on the system, including files and registry keys.

Abusing Utilman

Utilman is a built-in Windows application that provides Ease of Access options on the lock screen. Because Utilman runs with SYSTEM privileges, replacing the original binary with any payload effectively gives us SYSTEM privileges.

To replace Utilman, we first need to take ownership of it with the following command.

takeown /f C:\Windows\System32\utilman.exe


After taking ownership of the file, we can give our user full permissions over Utilman.

icacls C:\Windows\System32\utilman.exe /grant <Username>:F


Finally, we replace Utilman with a copy of cmd.exe. To trigger Utilman, we then click the Ease of Access button on the lock screen.

copy C:\Windows\System32\cmd.exe C:\Windows\System32\utilman.exe
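
A defender's check for the three changes described above, as an added example that is not part of the original page: it reports when utilman.exe has a new owner, grants write access to other accounts, matches cmd.exe by hash, or fails signature validation. The function name Test-UtilmanIntegrity and the expected owner (TrustedInstaller, the default on a stock install) are assumptions of this example.

```powershell
# Added defensive example (not from the original page).
# Assumption: stock install, where utilman.exe is owned by TrustedInstaller
# and only TrustedInstaller holds write access to it.
function Test-UtilmanIntegrity {
    param(
        [string]$Path = (Join-Path $env:SystemRoot 'System32\utilman.exe'),
        [string]$ExpectedOwner = 'NT SERVICE\TrustedInstaller'
    )
    $findings = New-Object System.Collections.Generic.List[string]
    $acl = Get-Acl -LiteralPath $Path

    # 1. takeown moves ownership away from TrustedInstaller.
    if ($acl.Owner -ne $ExpectedOwner) {
        $findings.Add("Unexpected owner: $($acl.Owner)")
    }

    # 2. icacls /grant <user>:F adds an Allow ACE that includes write access.
    $write = [int][System.Security.AccessControl.FileSystemRights]::WriteData
    foreach ($ace in $acl.Access) {
        $canWrite = ([int]$ace.FileSystemRights -band $write) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and $canWrite -and
            $ace.IdentityReference.Value -ne $ExpectedOwner) {
            $findings.Add("Write access granted to $($ace.IdentityReference.Value)")
        }
    }

    # 3. The copy step makes utilman.exe byte-identical to cmd.exe.
    $cmd = Join-Path (Split-Path -Parent $Path) 'cmd.exe'
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ((Test-Path -LiteralPath $cmd) -and
        (Get-FileHash -LiteralPath $cmd -Algorithm SHA256).Hash -eq $hash) {
        $findings.Add('Content is identical to cmd.exe')
    }

    # 4. An unsigned or modified replacement fails Authenticode validation.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') {
        $findings.Add("Signature status: $($sig.Status)")
    }

    [pscustomobject]@{
        Path     = $Path
        Tampered = $findings.Count -gt 0
        Findings = $findings
    }
}

Test-UtilmanIntegrity | Format-List
```

The signature check alone does not catch the cmd.exe swap, since cmd.exe is itself a signed Windows binary; the owner, ACL and hash checks cover that case.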