Windows 10 breaks the current version of Invoke-TokenManipulation.ps1 because wininit is now a protected process. Rather than hardcoding to a specific process to obtain a SYSTEM token, it's better to enumerate all processes running as SYSTEM and find one that works. I have updated the script to version 1.12 and added logic on lines 1689-1696 to make sure it can successfully grab a SYSTEM token necessary to function.
Exfiltration/Invoke-TokenManipulation.ps1 (11 additions & 4 deletions)
@@ -49,8 +49,8 @@ Author: Joe Bialek, Twitter: @JosephBialek
49
49
License: BSD 3-Clause
50
50
Required Dependencies: None
51
51
Optional Dependencies: None
52
-
Version: 1.11
53
-
(1.1 -> 1.11: PassThru of System.Diagnostics.Process object added by Rune Mariboe, https://www.linkedin.com/in/runemariboe)
52
+
Version: 1.12
53
+
(1.11 -> 1.12: Simple logic added by Josh M. Bryant to find an unprotected process to grab a SYSTEM token from, rather than hardcoding to wininit, https://www.fixtheexchange.com/)
54
54
55
55
.DESCRIPTION
56
56
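Review bot: The new changelog entry in this hunk records what changed but not why; per the commit description the motivation is that wininit is a protected process on Windows 10, so the old hardcoded approach cannot open it for its token. A maintainer reading only the header cannot tell that, and "Simple logic added" says nothing about the behaviour. Suggest wording the entry along the lines of "(1.11 -> 1.12: enumerate SYSTEM processes and take a token from the first unprotected one, since wininit is a protected process on Windows 10 and can no longer be opened; Josh M. Bryant, https://www.fixtheexchange.com/)".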
@@ -1685,8 +1685,15 @@ Blog on this script: http://clymb3r.wordpress.com/2013/11/03/powershell-and-toke
1685
1685
$AllTokens=@()
1686
1686
1687
1687
#First GetSystem. The script cannot enumerate all tokens unless it is system for some reason. Luckily it can impersonate a system token.
1688
-
#Even if already running as system, later parts on the script depend on having a SYSTEM token with most privileges, so impersonate the wininit token.
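Review bot: The removed comment at the end of this hunk carried the rationale for acquiring a full-privilege SYSTEM token even when already running as SYSTEM; the replacement lines (the hunk header says the 8-line region grows to 15) are not shown in this excerpt, so make sure the new block keeps that rationale and documents the new behaviour: that it walks the processes running as SYSTEM and stops at the first one whose token can be obtained, and that it raises an explicit error when none can be opened rather than continuing with a null token into the later code that depends on it. Because the change replaces a single open of wininit with opens of successive SYSTEM processes until one succeeds, it is also worth noting in the comment that this is expected to produce a run of failed and successful cross-process handle requests from the PowerShell host, which is a useful thing for anyone reviewing process-access telemetry to know about.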