Windows services are particular processes that run in a separate session and without user interaction. For security reasons, many of these services run under dedicated, less privileged accounts (Windows Service Hardening, WSH).
Those accounts, however, usually hold impersonation privileges (SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege, granted by default to LOCAL SERVICE and NETWORK SERVICE) that can also be abused under certain conditions, for instance through the well-known DCOM/NTLM reflection.
Even though some techniques for exploiting this reflection, such as the Rotten/JuicyPotato exploits, have been addressed in the latest Windows versions, we will show how it is still possible, if some preconditions are met, to escalate privileges to SYSTEM starting from a service account. This is the story of how an old exploit, after some dead ends and epic fails (which will be detailed), led us to a new vulnerability! In the final part of the presentation we will also suggest some mitigations for this attack vector (classified as Won't Fix by Microsoft) and some mitigations for Windows service accounts in general.
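The precondition the abstract relies on is that the foothold runs under a service account holding SeImpersonatePrivilege. The following PowerShell is an added triage check (not part of the talk or its tooling): it lists which services run under the built-in service accounts or virtual `NT SERVICE\` accounts, and then, from the current shell, reports whether the impersonation-related privileges are present in the token. The account-name values are the standard `Win32_Service.StartName` strings; nothing else is assumed.

```powershell
# Added example, not code from the talk: triage for the "service account with
# impersonation privileges" precondition.

# Built-in service accounts as reported by Win32_Service.StartName
# (LocalSystem is shown as 'LocalSystem' and is already SYSTEM, so it is excluded).
$serviceAccounts = @(
    'NT AUTHORITY\LocalService',
    'NT AUTHORITY\NetworkService'
)

# 1) Which services run under a less privileged service account?
#    These are the candidate identities a local attacker might land in.
Get-CimInstance -ClassName Win32_Service |
    Where-Object {
        ($serviceAccounts -contains $_.StartName) -or ($_.StartName -like 'NT SERVICE\*')
    } |
    Select-Object Name, StartName, State, PathName |
    Sort-Object StartName, Name |
    Format-Table -AutoSize

# 2) From the current shell: does this token hold the privileges that make
#    token impersonation possible? 'whoami /priv /fo csv' emits the columns
#    "Privilege Name","Description","State". A privilege listed as Disabled
#    still counts: a process can enable a privilege it holds.
$interesting = 'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege'
$held = whoami /priv /fo csv | ConvertFrom-Csv |
    Where-Object { $interesting -contains $_.'Privilege Name' } |
    Select-Object 'Privilege Name', State

if ($held) {
    Write-Host "Impersonation-related privileges present in this token:"
    $held | Format-Table -AutoSize
} else {
    Write-Host "No SeImpersonate/SeAssignPrimaryToken privilege in this token."
}
```

Run step 1 as an administrator to get the full service inventory; step 2 is meant to be run from the shell obtained as the service account (for example an IIS application pool or a compromised service), because it inspects the current token only.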