15 Sep
Administrator escalating to SYSTEM in the normal course of things
I am learning about interacting with Kerberos from a programming standpoint and have been recreating some of Rubeus's functions as a way of learning (because what better open source program is there that deals with Kerberos and tickets). One thing that I found out during my journey is that to interact with the Kerberos ticket cache it is not enough to be Administrator but you must be SYSTEM.
This raised the question - how often would an Administrator need to escalate to SYSTEM during the normal course of things? I am looking at this from an AV/EDR evasion standpoint. I know how Rubeus does it (steals the token from winlogon.exe) but I'm curious how loud this is in and of itself?