Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/yusufqk/SystemToken
Steal privileged token to obtain SYSTEM shell
https://github.com/yusufqk/SystemToken
Last synced: 3 months ago
JSON representation
Steal privileged token to obtain SYSTEM shell
- Host: GitHub
- URL: https://github.com/yusufqk/SystemToken
- Owner: yusufqk
- Created: 2020-04-06T19:28:08.000Z (over 4 years ago)
- Default Branch: master
- Last Pushed: 2020-07-14T06:30:49.000Z (over 4 years ago)
- Last Synced: 2024-04-12T18:04:10.483Z (7 months ago)
- Language: C
- Homepage:
- Size: 3.91 KB
- Stars: 245
- Watchers: 6
- Forks: 59
- Open Issues: 1
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome-hacking-lists - yusufqk/SystemToken - Steal privileged token to obtain SYSTEM shell (C)
README
# SystemToken
This code will iterate over all processes on a system until it reaches a process with
the following traits:* The user for that process is SYSTEM
* The owner for that process is AdministratorsOnce a process is found with these two traits, the token for that process is duplicated and
a new process with that token is created. This will result in a SYSTEM shell.## System Requirements
This code was tested on a Windows 10 x64 machine using Visual Studio 2019.
Must be run with UAC bypassed and Local Admin privileges.## Usage
Compile and run SystemToken.exe
## References
This work is based on the research done by [Justin Bui from SpecterOps](https://posts.specterops.io/understanding-and-defending-against-access-token-theft-finding-alternatives-to-winlogon-exe-80696c8a73b)
https://docs.microsoft.com/en-us/windows/win32/secauthz/access-tokens
Windows API exploitation at PentesterAcademy (amazing course, learned alot). The EnablePriv.h file used to enable privileges (no longer provided and never used by this tool) is a modified version from the course.