Stealing Tokens
GetSystem
Synopsis: Automatically steal a SYSTEM token, optionally start a new process with it. If SeDebugPrivilege is not available, creates, starts, and deletes a service and steals the service's token via a named pipe.
Mandatory Parameters: -
Optional Parameters: Process ID, Command
Examples:
(Tokens) > GetSystem
(Tokens) > GetSystem /Command:regedit.exe
P/Invokes:
SeDebugPrivilege Available: OpenProcessToken, LookupPrivilegeValue, AdjustTokenPrivileges, OpenProcess, OpenProcessToken, CloseHandle, GetTokenInformation, LsaGetLogonSessionData
SeDebugPrivilege Not Available: CreateNamedPipeA, ConnectNamedPipe, OpenSCManager, CreateService, OpenService, StartService, ControlService, DeleteService, CloseServiceHandle, CloseHandle, ReadFile, ImpersonateNamedPipeClient, OpenThreadToken, NtDuplicateToken, DisconnectNamedPipe
Create Process: DuplicateTokenEx, CreateProcessWithLogonW | CreateProcessWithTokenW
Impersonate: DuplicateTokenEx, ImpersonateLoggedOnUser

GetTrustedInstaller
Synopsis: Automatically steal a SYSTEM token with the TRUSTED INSTALLER group token, optionally start a new process with it.
Mandatory Parameters: -
Optional Parameters: Command
Examples:
(Tokens) > GetTrustedInstaller
(Tokens) > GetTrustedInstaller /Command:regedit.exe
P/Invokes: OpenProcess, OpenProcessToken, CloseHandle, DuplicateTokenEx
Create Process: CreateProcessWithLogonW | CreateProcessWithTokenW
Impersonate: ImpersonateLoggedOnUser

Steal_Token
Synopsis: Steal the primary token from a process, optionally start a new process with it.
Mandatory Parameters: Process ID or Process Name
Optional Parameters: Command
Examples:
(Tokens) > Steal_Token /Process:1008
(Tokens) > Steal_Token /Process:calc /Command:regedit.exe
(Tokens) > Steal_Token /Process:1008 /Command:regedit.exe
P/Invokes: OpenProcessToken, LookupPrivilegeValue, AdjustTokenPrivileges, OpenProcess, OpenProcessToken, CloseHandle, DuplicateTokenEx
Create Process: CreateProcessWithLogonW | CreateProcessWithTokenW
Impersonate: ImpersonateLoggedOnUser

Steal_Pipe_Token
Synopsis: Creates a named pipe and steals the connecting process's token after it attempts to write to the pipe.
Mandatory Parameters: Pipe Name
Optional Parameters: Command
Examples:
(Tokens) > Steal_Pipe_Token /PipeName:RandomPipeName
(Tokens) > Steal_Pipe_Token /PipeName:RandomPipeName /Command:regedit.exe
P/Invokes: CreateNamedPipeA, ConnectNamedPipe, ReadFile, ImpersonateNamedPipeClient, OpenThreadToken, NtDuplicateToken, DisconnectNamedPipe, CloseHandle
Create Process: CreateProcessWithLogonW | CreateProcessWithTokenW
Impersonate: ImpersonateLoggedOnUser

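Both the GetSystem fallback path (service created, started and deleted, token read over a named pipe) and Steal_Pipe_Token leave the same footprint on a host: a named pipe is created by a process, and shortly afterwards a service is installed whose binary path points at that pipe. The detection below is an added example written for this page; it is not code from the page or from the tool it documents. It correlates Sysmon Event ID 17 (pipe created) with service-install events (System 7045, Security 4697) on the same host. The event records are constructed samples in a flattened shape, and the field names (`time`, `source`, `event_id`, `host`, `image`, `pipe`, `service_name`, `image_path`), the function names and the 30-second window are assumptions for the example, not a real SIEM schema.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events in a simplified, flattened shape. The field names
# are assumptions for this example, not a real SIEM or Sysmon schema.
SAMPLE_EVENTS = [
    # A user-context process creates a named pipe (Sysmon Event ID 17, PipeEvent).
    {"time": "2024-01-01T10:00:00", "source": "Microsoft-Windows-Sysmon", "event_id": 17,
     "host": "ws01", "image": "C:\\Users\\alice\\tool.exe", "pipe": "\\RandomPipeName"},
    # Two seconds later a service is installed (System Event ID 7045) whose binary
    # path is a command line that writes to that same pipe.
    {"time": "2024-01-01T10:00:02", "source": "System", "event_id": 7045, "host": "ws01",
     "service_name": "svc1234", "image_path": "cmd.exe /c echo hi > \\\\.\\pipe\\RandomPipeName"},
    # A routine service install with a conventional binary path: must not alert.
    {"time": "2024-01-01T10:05:00", "source": "System", "event_id": 7045, "host": "ws01",
     "service_name": "VendorUpdater", "image_path": "\"C:\\Program Files\\Vendor\\updater.exe\""},
    # A service binary referencing a pipe on a host where no pipe creation was seen
    # (Security Event ID 4697, "A service was installed in the system").
    {"time": "2024-01-01T10:10:00", "source": "Security", "event_id": 4697, "host": "ws02",
     "service_name": "svc9876", "image_path": "cmd.exe /c echo hi > \\\\.\\pipe\\OtherPipe"},
]

# Matches a reference to \\.\pipe\<name> inside a service binary path / command line.
PIPE_REF = re.compile(r"\\\\\.\\pipe\\([^\s\"']+)", re.IGNORECASE)

# How long after a pipe is created a service install is still correlated with it
# (assumed value; tune to the environment).
CORRELATION_WINDOW = timedelta(seconds=30)


def pipe_name_in(image_path):
    """Return the pipe name referenced in a service binary path, or None."""
    m = PIPE_REF.search(image_path)
    return m.group(1) if m else None


def detect_pipe_token_theft(events):
    """Return alerts for service installs whose binary targets a named pipe.

    Severity is raised when the same pipe was created on the same host shortly
    before the service install: that is the shape of the
    create-a-service-and-read-its-token-over-a-pipe technique.
    """
    alerts = []
    recent_pipes = {}  # (host, lowercased pipe name) -> (creation time, creator image)
    for e in sorted(events, key=lambda ev: datetime.fromisoformat(ev["time"])):
        t = datetime.fromisoformat(e["time"])
        host = e["host"]
        if e["source"].endswith("Sysmon") and e["event_id"] == 17:
            # Sysmon reports the pipe as "\Name"; keep only the name part.
            name = e["pipe"].rsplit("\\", 1)[-1]
            recent_pipes[(host, name.lower())] = (t, e["image"])
        elif e["event_id"] in (7045, 4697):
            name = pipe_name_in(e.get("image_path", ""))
            if name is None:
                continue
            alert = {"host": host, "time": e["time"], "service": e["service_name"], "pipe": name}
            created = recent_pipes.get((host, name.lower()))
            if created and t - created[0] <= CORRELATION_WINDOW:
                alert.update(rule="service_binary_targets_recent_pipe",
                             severity="high", creator=created[1])
            else:
                alert.update(rule="service_binary_references_pipe", severity="medium")
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in detect_pipe_token_theft(SAMPLE_EVENTS):
        print(alert)
```

The medium-severity rule fires on any service whose binary path references `\\.\pipe\`, which is rare for legitimate services; the high-severity rule additionally names the process that created the pipe, which is the process holding the stolen token. Service deletion right after the start (the last step of the GetSystem fallback) is not logged by default, so the pipe-creation correlation is the stronger signal.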
BypassUAC
Synopsis: Bypasses UAC by stealing the token from a high integrity process owned by the current user.
Mandatory Parameters: Command
Optional Parameters: Process ID
Examples:
(Tokens) > BypassUAC regedit.exe
(Tokens) > BypassUAC 1008 regedit.exe
P/Invokes: OpenProcessToken, OpenProcess, CloseHandle, DuplicateTokenEx, AllocateAndInitializeSid, NtSetInformationToken, NtFilterToken, FreeSid, ImpersonateLoggedOnUser, CreateProcessWithLogonW, RevertToSelf

WhoAmI
Synopsis: Displays the user the process is currently operating as.
Mandatory Parameters: -
Optional Parameters: -
Examples:
(Tokens) > WhoAmI
P/Invokes: -

Info
Synopsis: Displays more detailed information about the current token, e.g. groups and owner.
Mandatory Parameters: -
Optional Parameters: -
Examples:
(Tokens) > Info
(Tokens) > Info /all
P/Invokes: GetCurrentProcess | OpenProcess, OpenProcessToken, GetTokenInformation, ConvertSidToStringSid

RevertToSelf
Synopsis: Stops impersonating a token.
Mandatory Parameters: -
Optional Parameters: -
Examples:
(Tokens) > RevertToSelf
P/Invokes: RevertToSelf