From 7964823e3f398c41a7ad1c0e8c4c28c0806a9c0d Mon Sep 17 00:00:00 2001 From: HarmJ0y Date: Wed, 14 Dec 2016 11:53:29 -0500 Subject: Added documentation for PowerUp --- docs/Privesc/Get-ProcessTokenGroup.md | 114 ++++++++++++++++++++++++++++++++++ 1 file changed, 114 insertions(+) create mode 100755 docs/Privesc/Get-ProcessTokenGroup.md (limited to 'docs/Privesc/Get-ProcessTokenGroup.md') diff --git a/docs/Privesc/Get-ProcessTokenGroup.md b/docs/Privesc/Get-ProcessTokenGroup.md new file mode 100755 index 0000000..e52533c --- /dev/null +++ b/docs/Privesc/Get-ProcessTokenGroup.md @@ -0,0 +1,114 @@ +# Get-ProcessTokenGroup + +## SYNOPSIS +Returns all SIDs that the current token context is a part of, whether they are disabled or not. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect, Get-TokenInformation + +## SYNTAX + +``` +Get-ProcessTokenGroup [[-Id] ] +``` + +## DESCRIPTION +First, if a process ID is passed, then the process is opened using OpenProcess(), +otherwise GetCurrentProcess() is used to open up a pseudohandle to the current process. +OpenProcessToken() is then used to get a handle to the specified process token. +The token +is then passed to Get-TokenInformation to query the current token groups for the specified +token. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-ProcessTokenGroup +``` + +SID Attributes ProcessId +--- ---------- --------- +S-1-5-21-890171859-3433809... +..._DEFAULT, SE_GROUP_ENABLED 1372 +S-1-1-0 ..._DEFAULT, SE_GROUP_ENABLED 1372 +S-1-5-32-544 SE_GROUP_USE_FOR_DENY_ONLY 1372 +S-1-5-32-545 ..._DEFAULT, SE_GROUP_ENABLED 1372 +S-1-5-4 ..._DEFAULT, SE_GROUP_ENABLED 1372 +S-1-2-1 ..._DEFAULT, SE_GROUP_ENABLED 1372 +S-1-5-11 ..._DEFAULT, SE_GROUP_ENABLED 1372 +S-1-5-15 ..._DEFAULT, SE_GROUP_ENABLED 1372 +S-1-5-5-0-419601 ...SE_GROUP_INTEGRITY_ENABLED 1372 +S-1-2-0 ..._DEFAULT, SE_GROUP_ENABLED 1372 +S-1-5-21-890171859-3433809... +..._DEFAULT, SE_GROUP_ENABLED 1372 +S-1-5-21-890171859-3433809... +..._DEFAULT, SE_GROUP_ENABLED 1372 +S-1-5-21-890171859-3433809... +..._DEFAULT, SE_GROUP_ENABLED 1372 +S-1-18-1 ..._DEFAULT, SE_GROUP_ENABLED 1372 +S-1-16-8192 1372 + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-Process notepad | Get-ProcessTokenGroup +``` + +SID Attributes ProcessId +--- ---------- --------- +S-1-5-21-890171859-3433809... +..._DEFAULT, SE_GROUP_ENABLED 2640 +S-1-1-0 ..._DEFAULT, SE_GROUP_ENABLED 2640 +S-1-5-32-544 SE_GROUP_USE_FOR_DENY_ONLY 2640 +S-1-5-32-545 ..._DEFAULT, SE_GROUP_ENABLED 2640 +S-1-5-4 ..._DEFAULT, SE_GROUP_ENABLED 2640 +S-1-2-1 ..._DEFAULT, SE_GROUP_ENABLED 2640 +S-1-5-11 ..._DEFAULT, SE_GROUP_ENABLED 2640 +S-1-5-15 ..._DEFAULT, SE_GROUP_ENABLED 2640 +S-1-5-5-0-419601 ...SE_GROUP_INTEGRITY_ENABLED 2640 +S-1-2-0 ..._DEFAULT, SE_GROUP_ENABLED 2640 +S-1-5-21-890171859-3433809... +..._DEFAULT, SE_GROUP_ENABLED 2640 +S-1-5-21-890171859-3433809... +..._DEFAULT, SE_GROUP_ENABLED 2640 +S-1-5-21-890171859-3433809... +..._DEFAULT, SE_GROUP_ENABLED 2640 +S-1-18-1 ..._DEFAULT, SE_GROUP_ENABLED 2640 +S-1-16-8192 2640 + +## PARAMETERS + +### -Id +The process ID to enumerate token groups for, otherwise defaults to the current process. + +```yaml +Type: UInt32 +Parameter Sets: (All) +Aliases: ProcessID + +Required: False +Position: 1 +Default value: 0 +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerUp.TokenGroup + +Outputs a custom object containing the token group (SID/attributes) for the specified token if +"-InformationClass 'Groups'" is passed. + +PowerUp.TokenPrivilege + +Outputs a custom object containing the token privilege (name/attributes) for the specified token if +"-InformationClass 'Privileges'" is passed + +## NOTES + +## RELATED LINKS + -- cgit v1.2.3