From 7964823e3f398c41a7ad1c0e8c4c28c0806a9c0d Mon Sep 17 00:00:00 2001 From: HarmJ0y Date: Wed, 14 Dec 2016 11:53:29 -0500 Subject: Added documentation for PowerUp --- docs/Privesc/Get-ProcessTokenPrivilege.md | 131 ++++++++++++++++++++++++++++++ 1 file changed, 131 insertions(+) create mode 100755 docs/Privesc/Get-ProcessTokenPrivilege.md (limited to 'docs/Privesc/Get-ProcessTokenPrivilege.md') diff --git a/docs/Privesc/Get-ProcessTokenPrivilege.md b/docs/Privesc/Get-ProcessTokenPrivilege.md new file mode 100755 index 0000000..9f835f2 --- /dev/null +++ b/docs/Privesc/Get-ProcessTokenPrivilege.md 
@@ -0,0 +1,131 @@ +# Get-ProcessTokenPrivilege + +## SYNOPSIS +Returns all privileges for the current (or specified) process ID. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect, Get-TokenInformation + +## SYNTAX + +``` +Get-ProcessTokenPrivilege [[-Id] ] [-Special] +``` + +## DESCRIPTION +First, if a process ID is passed, then the process is opened using OpenProcess(), +otherwise GetCurrentProcess() is used to open up a pseudohandle to the current process. +OpenProcessToken() is then used to get a handle to the specified process token. +The token +is then passed to Get-TokenInformation to query the current privileges for the specified +token. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-ProcessTokenPrivilege +``` + +Privilege Attributes ProcessId + --------- ---------- --------- + SeShutdownPrivilege DISABLED 2600 + SeChangeNotifyPrivilege ...AULT, SE_PRIVILEGE_ENABLED 2600 + SeUndockPrivilege DISABLED 2600 +SeIncreaseWorkingSetPrivilege DISABLED 2600 + SeTimeZonePrivilege DISABLED 2600 + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-ProcessTokenPrivilege -Special +``` + +Privilege Attributes ProcessId +--------- ---------- --------- +SeSecurityPrivilege DISABLED 2444 +SeTakeOwnershipPrivilege DISABLED 2444 +SeBackupPrivilege DISABLED 2444 +SeRestorePrivilege DISABLED 2444 +SeSystemEnvironmentPriv... 
+DISABLED 2444 +SeImpersonatePrivilege ...T, SE_PRIVILEGE_ENABLED 2444 + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Get-Process notepad | Get-ProcessTokenPrivilege | fl +``` + +Privilege : SeShutdownPrivilege +Attributes : DISABLED +ProcessId : 2640 + +Privilege : SeChangeNotifyPrivilege +Attributes : SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED +ProcessId : 2640 + +Privilege : SeUndockPrivilege +Attributes : DISABLED +ProcessId : 2640 + +Privilege : SeIncreaseWorkingSetPrivilege +Attributes : DISABLED +ProcessId : 2640 + +Privilege : SeTimeZonePrivilege +Attributes : DISABLED +ProcessId : 2640 + +## PARAMETERS + +### -Id +The process ID to enumerate token groups for, otherwise defaults to the current process. + +```yaml +Type: UInt32 +Parameter Sets: (All) +Aliases: ProcessID + +Required: False +Position: 1 +Default value: 0 +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Special +Switch. +Only return 'special' privileges, meaning admin-level privileges. +These include SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, +SeRestorePrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeTcbPrivilege. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: Privileged + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerUp.TokenGroup + +Outputs a custom object containing the token group (SID/attributes) for the specified token if +"-InformationClass 'Groups'" is passed. + +PowerUp.TokenPrivilege + +Outputs a custom object containing the token privilege (name/attributes) for the specified token if +"-InformationClass 'Privileges'" is passed + +## NOTES + +## RELATED LINKS + -- cgit v1.2.3
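Review bot: the OUTPUTS section in this hunk was carried over from Get-TokenInformation rather than written for this function: it lists a PowerUp.TokenGroup output and conditions both output types on "-InformationClass 'Groups'" / "-InformationClass 'Privileges'", but Get-ProcessTokenPrivilege has no -InformationClass parameter (the SYNTAX line shows only -Id and -Special) and, per the SYNOPSIS, only ever returns privileges. Suggest dropping the TokenGroup entry, promoting `PowerUp.TokenPrivilege` to a `###` heading like the other output entry, and describing it unconditionally, e.g. "Outputs a custom object containing the token privilege (name/attributes) for the specified process." The same copy-paste shows in the -Id description, which says "The process ID to enumerate token groups for"; it should read "token privileges". Smaller points: the SYNTAX line reads `Get-ProcessTokenPrivilege [[-Id] ] [-Special]` with the parameter type missing (the -Id block gives Type: UInt32, so `[[-Id] <UInt32>]`); the INPUTS section is empty although -Id accepts pipeline input ByValue and ByPropertyName and EXAMPLE 3 pipes Get-Process into the function, so it should state that a process ID, or an object with an Id property, can be piped in; and in EXAMPLE 2 the SeSystemEnvironmentPrivilege row is split across two lines with its name truncated, so it no longer reads as one table row.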