By using security tokens located in process memory it's possible to escalate privileges from limited service account, such as Network Service or Microsoft SQL Service account.
vulners.com/securityvulns/securityvulns:doc:12747
vulners.com/securityvulns/securityvulns:doc:12748
vulners.com/securityvulns/securityvulns:doc:12749
vulners.com/securityvulns/securityvulns:doc:12750