Skip to content

Steal a primary token and spawn cmd.exe using the stolen token

Notifications You must be signed in to change notification settings

slyd0g/PrimaryTokenTheft

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

22 Commits
 
 
 
 
 
 

Repository files navigation

PrimaryTokenTheft

Main code taken from @kondecuotas blog.

Steal a primary token and spawn cmd.exe using the stolen token.

  • Added the ability to pass a PID by command-line argument.
  • Automatically enable SeDebugPrivilege.
  • Reduced privileges needed for OpenProcess(), OpenProcessToken() and DuplicateTokenEx() from TOKEN_ALL_ACCESS/PROCESS_ALL_ACCESS to the bare minimum needed for each API call.
  • Will also use ImpersonatedLoggedOnUser() to impersonate the logged-on user in the current thread.

Blogpost

Elevating to SYSTEM

GetSystem

Credit

Main blog and source code: https://ired.team/offensive-security/privilege-escalation/t1134-access-token-manipulation

Elevating to system with Winlogon: https://twitter.com/monoxgas/status/1109892490566336512?s=20

Figured out minimum privileges to call DuplicateTokenEx() with for CreateProcessWithTokenW to work here: https://stackoverflow.com/questions/5447418/why-is-createprocesswithtokenw-failing-with-error-access-denied (MSDN docs are wrong)

MSDN Enabling Privileges: https://docs.microsoft.com/en-us/windows/win32/secauthz/enabling-and-disabling-privileges-in-c--

About

Steal a primary token and spawn cmd.exe using the stolen token

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages