Levelsecondarylogon
secondarylogon 时间:2021-02-26 阅读:()
ReadingyourwayaroundUACAbusingAccessTokensforUACBypassesJamesForshaw@tiraniddoWhyAdmin-ApprovalUACisevenworsethanyouthought!
WhyOver-the-ShoulderUACisstillworsethanyouthought!
WhatI'mGoingtoTalkAboutUACArchitectureAppInfoServiceRPCLimitedUserLogonSessionAuthentication-ID=A-BElevatedUserLogonSessionAuthentication-ID=X-YApplicationUACArchitectureAppInfoServiceRPCLimitedUserLogonSessionAuthentication-ID=A-BElevatedUserLogonSessionAuthentication-ID=X-YApplicationShellExecute"runas"UACArchitectureAppInfoServiceRPCLimitedUserLogonSessionAuthentication-ID=A-BElevatedUserLogonSessionAuthentication-ID=X-YApplicationShellExecute"runas"consent.
exeUACArchitectureAppInfoServiceRPCLimitedUserLogonSessionAuthentication-ID=A-BElevatedUserLogonSessionAuthentication-ID=X-YApplicationApplicationShellExecute"runas"LinkedTokensLinkedTokensDeny-OnlyGroupsLinkAlsoFewerPrivilegesLinkTheProblemwithUACLimitedUserLogonSessionAuthentication-ID=A-BElevatedUserLogonSessionAuthentication-ID=X-YNon-AdminApplicationAdminApplicationCurrentUserRegistryHiveUserProfileDirectoryDesktopandKernelObjectsTheProblemwithUACLimitedUserLogonSessionAuthentication-ID=A-BElevatedUserLogonSessionAuthentication-ID=X-YNon-AdminApplicationAdminApplicationCurrentUserRegistryHiveUserProfileDirectoryDesktopandKernelObjectsKernelObjectLoginSidNon-AdminTokenGroupsAdminTokenDACLKernelNtUserGetClipboardTokenWin32kUACAdminProcessWritetoClipboardCapturedTokenNon-AdminProcessKernelNtUserGetClipboardTokenWin32kUACAdminProcessCapturedTokenNon-AdminProcessNtUserGetClipboardTokenKernelNtUserGetClipboardTokenWin32kUACAdminProcessCapturedTokenNon-AdminProcessOpenedforreadClipboardTokenRead-onlyaccessCreatingaNewProcessParentTokenSiblingTokenProcessTokenTokenIDAssignedTokenParentTokenIDEqualProcessTokenParentTokenIDAuthIDAssignedTokenParentTokenIDAuthIDEqualEqualORCreatingaNewProcessParentTokenSiblingTokenProcessTokenTokenIDAssignedTokenParentTokenIDEqualProcessTokenParentTokenIDAuthIDAssignedTokenParentTokenIDAuthIDEqualEqualORImpersonatingaTokenTokenLevel==IdentificationProcesshasImpersonatePrivilegeALLOWEDRestricttoIdentificationLevelProcessIL>=TokenILProcessUser==TokenUserImpersonatingaTokenTokenLevel==IdentificationProcesshasImpersonatePrivilegeProcessIL>=TokenILProcessUser==TokenUserALLOWEDRestricttoIdentificationLevelImpersonatingaTokenTokenLevel==IdentificationProcesshasImpersonatePrivilegeProcessIL>=TokenILProcessUser==TokenUserALLOWEDRestricttoIdentificationLevelImpersonatingaTokenTokenLevel==IdentificationProcesshasImpersonatePrivilegeProcessIL=TokenILProcessUser==TokenUserALLOWEDRestricttoIdentificationLevelHighIL!
=AdministratorCreateandmodifyfilesinsystemlocationsCreateandmodifysystemservicesOpen>=highILprocessesforR/WInteractwith>=highILWindows(UIPI)No"God"PrivilegesPrivilegePossiblePrivilegedOperationsSeCreateTokenPrivilegeCreatenewtokenobjectsSeTcbPrivilegeManyandvariedprivilegedoperationsSeLoadDriverPrivilegeLoadadriverintothekernelSeDebugPrivilegeBypassprocess/threadsecuritychecksSeBackupPrivilegeBypassfile/keysecuritychecksforreadSeRestorePrivilegeBypassfile/keysecuritychecksforwriteSeImpersonatePrivilegeImpersonatearbitraryusersThefollowingarenotallowedtobeenabledforaMediumILtoken.
StealingTokensOpenProcessTokenWeonlyhaveQueryLimitedInformationOnlyLimitedInformationStartanElevatedProcessStandardauto-elevationofspecificMSbinaries.
ScheduledTasksIfsetwillspawnelevatedprocesswithnoUACprompt.
DEMOChangesinWindows10TokenLevel==IdentificationProcesshasImpersonatePrivilegeALLOWEDRestricttoIdentificationLevelProcessIL>=TokenILProcessUser==TokenUserElevationCheckCapabilityCheckElevationChecksif(SeTokenIsElevated(ImpersonationToken)){if(!
SeTokenIsElevated(ProcessToken)||ProcessToken->LogonSession->Flags.
UacSession){returnSTATUS_PRIVILEGE_NOT_HELD;}}//Continuewithimpersonationcheck.
WhatMakesaTokenElevatedBOOLEANRtlIsElevatedRid(SID_AND_ATTRIBUTES*sid_and_attr){DWORDlast_rid=GetLastRid(sid_and_attr->Sid);DWORDcheck_rids[]={512,544,.
.
.
};for(inti=0;i=TokenILProcessUser==TokenUserALLOWEDRestricttoIdentificationLevelImpersonatinganOTSTokenTokenLevel==IdentificationProcesshasImpersonatePrivilegeProcessIL>=TokenILProcessUser==TokenUserALLOWEDRestricttoIdentificationLevelCapabilityCheckCapabilityCheckBOOLEANSepIsImpersonationAllowedDueToCapability(PTOKENtoken,PTOKENimp_token){if((token->SessionId!
=imp_token->SessionId)||(token->TokenFlags&TOKEN_FLAGS_LOWBOX)==0)||(imp_token->TokenFlags&TOKEN_FLAGS_LOWBOX)==0)){returnFALSE;}if(!
SepSidInTokenSidHash(&token->CapabilitiesHash,SeConstrainedImpersonationCapabilitySid)||!
SepCheckCapabilities(token,imp_token->Capabilities)||!
RtlEqualSid(token->Package,imp_token->Package)){returnFALSE;}returnTRUE;}TokensmustbeinsameSessionandbothbeLowBox.
Processtokenmusthaveimpersonationcapability,andbeinsamepackage.
EnterpriseAuthenticationDEMOIsAnythingSafeHitCTRL+ALT+DELandclickAdmin-ApprovalUACisbrokenOver-the-sholderUACisprettybrokenonWindows10Bestchanceyouhaveisfast-userswitchingDon'tswitchusingExplorer,alwaysusethesecureattentionsequenceConclusionsAnyQuestionsThanks
WhyOver-the-ShoulderUACisstillworsethanyouthought!
WhatI'mGoingtoTalkAboutUACArchitectureAppInfoServiceRPCLimitedUserLogonSessionAuthentication-ID=A-BElevatedUserLogonSessionAuthentication-ID=X-YApplicationUACArchitectureAppInfoServiceRPCLimitedUserLogonSessionAuthentication-ID=A-BElevatedUserLogonSessionAuthentication-ID=X-YApplicationShellExecute"runas"UACArchitectureAppInfoServiceRPCLimitedUserLogonSessionAuthentication-ID=A-BElevatedUserLogonSessionAuthentication-ID=X-YApplicationShellExecute"runas"consent.
exeUACArchitectureAppInfoServiceRPCLimitedUserLogonSessionAuthentication-ID=A-BElevatedUserLogonSessionAuthentication-ID=X-YApplicationApplicationShellExecute"runas"LinkedTokensLinkedTokensDeny-OnlyGroupsLinkAlsoFewerPrivilegesLinkTheProblemwithUACLimitedUserLogonSessionAuthentication-ID=A-BElevatedUserLogonSessionAuthentication-ID=X-YNon-AdminApplicationAdminApplicationCurrentUserRegistryHiveUserProfileDirectoryDesktopandKernelObjectsTheProblemwithUACLimitedUserLogonSessionAuthentication-ID=A-BElevatedUserLogonSessionAuthentication-ID=X-YNon-AdminApplicationAdminApplicationCurrentUserRegistryHiveUserProfileDirectoryDesktopandKernelObjectsKernelObjectLoginSidNon-AdminTokenGroupsAdminTokenDACLKernelNtUserGetClipboardTokenWin32kUACAdminProcessWritetoClipboardCapturedTokenNon-AdminProcessKernelNtUserGetClipboardTokenWin32kUACAdminProcessCapturedTokenNon-AdminProcessNtUserGetClipboardTokenKernelNtUserGetClipboardTokenWin32kUACAdminProcessCapturedTokenNon-AdminProcessOpenedforreadClipboardTokenRead-onlyaccessCreatingaNewProcessParentTokenSiblingTokenProcessTokenTokenIDAssignedTokenParentTokenIDEqualProcessTokenParentTokenIDAuthIDAssignedTokenParentTokenIDAuthIDEqualEqualORCreatingaNewProcessParentTokenSiblingTokenProcessTokenTokenIDAssignedTokenParentTokenIDEqualProcessTokenParentTokenIDAuthIDAssignedTokenParentTokenIDAuthIDEqualEqualORImpersonatingaTokenTokenLevel==IdentificationProcesshasImpersonatePrivilegeALLOWEDRestricttoIdentificationLevelProcessIL>=TokenILProcessUser==TokenUserImpersonatingaTokenTokenLevel==IdentificationProcesshasImpersonatePrivilegeProcessIL>=TokenILProcessUser==TokenUserALLOWEDRestricttoIdentificationLevelImpersonatingaTokenTokenLevel==IdentificationProcesshasImpersonatePrivilegeProcessIL>=TokenILProcessUser==TokenUserALLOWEDRestricttoIdentificationLevelImpersonatingaTokenTokenLevel==IdentificationProcesshasImpersonatePrivilegeProcessIL=TokenILProcessUser==TokenUserALLOWEDRestricttoIdentificationLevelHighIL!
=AdministratorCreateandmodifyfilesinsystemlocationsCreateandmodifysystemservicesOpen>=highILprocessesforR/WInteractwith>=highILWindows(UIPI)No"God"PrivilegesPrivilegePossiblePrivilegedOperationsSeCreateTokenPrivilegeCreatenewtokenobjectsSeTcbPrivilegeManyandvariedprivilegedoperationsSeLoadDriverPrivilegeLoadadriverintothekernelSeDebugPrivilegeBypassprocess/threadsecuritychecksSeBackupPrivilegeBypassfile/keysecuritychecksforreadSeRestorePrivilegeBypassfile/keysecuritychecksforwriteSeImpersonatePrivilegeImpersonatearbitraryusersThefollowingarenotallowedtobeenabledforaMediumILtoken.
StealingTokensOpenProcessTokenWeonlyhaveQueryLimitedInformationOnlyLimitedInformationStartanElevatedProcessStandardauto-elevationofspecificMSbinaries.
ScheduledTasksIfsetwillspawnelevatedprocesswithnoUACprompt.
DEMOChangesinWindows10TokenLevel==IdentificationProcesshasImpersonatePrivilegeALLOWEDRestricttoIdentificationLevelProcessIL>=TokenILProcessUser==TokenUserElevationCheckCapabilityCheckElevationChecksif(SeTokenIsElevated(ImpersonationToken)){if(!
SeTokenIsElevated(ProcessToken)||ProcessToken->LogonSession->Flags.
UacSession){returnSTATUS_PRIVILEGE_NOT_HELD;}}//Continuewithimpersonationcheck.
WhatMakesaTokenElevatedBOOLEANRtlIsElevatedRid(SID_AND_ATTRIBUTES*sid_and_attr){DWORDlast_rid=GetLastRid(sid_and_attr->Sid);DWORDcheck_rids[]={512,544,.
.
.
};for(inti=0;i=TokenILProcessUser==TokenUserALLOWEDRestricttoIdentificationLevelImpersonatinganOTSTokenTokenLevel==IdentificationProcesshasImpersonatePrivilegeProcessIL>=TokenILProcessUser==TokenUserALLOWEDRestricttoIdentificationLevelCapabilityCheckCapabilityCheckBOOLEANSepIsImpersonationAllowedDueToCapability(PTOKENtoken,PTOKENimp_token){if((token->SessionId!
=imp_token->SessionId)||(token->TokenFlags&TOKEN_FLAGS_LOWBOX)==0)||(imp_token->TokenFlags&TOKEN_FLAGS_LOWBOX)==0)){returnFALSE;}if(!
SepSidInTokenSidHash(&token->CapabilitiesHash,SeConstrainedImpersonationCapabilitySid)||!
SepCheckCapabilities(token,imp_token->Capabilities)||!
RtlEqualSid(token->Package,imp_token->Package)){returnFALSE;}returnTRUE;}TokensmustbeinsameSessionandbothbeLowBox.
Processtokenmusthaveimpersonationcapability,andbeinsamepackage.
EnterpriseAuthenticationDEMOIsAnythingSafeHitCTRL+ALT+DELandclickAdmin-ApprovalUACisbrokenOver-the-sholderUACisprettybrokenonWindows10Bestchanceyouhaveisfast-userswitchingDon'tswitchusingExplorer,alwaysusethesecureattentionsequenceConclusionsAnyQuestionsThanks
- Levelsecondarylogon相关文档
- additionalsecondarylogon
- settingsecondarylogon
- Logoffstatusmessagessecondarylogon
- POSIXsecondarylogon
- secondarylogon魔兽世界下载器不动Secondary Logon 在哪?
- secondarylogonSecondary Logon 等等是什么意思?
丽萨主机:美国CN2 GIA精品网/KVM/9折,美国原生IP,最低27元/月
丽萨主机怎么样?丽萨主机,团队于2017年成立。成立之初主要做的是 CDN 和域名等相关业务。最近开辟新领域,新增了独立服务器出租、VPS 等业务,为了保证业务质量从一开始就选择了中美之间的 CN2 GIA 国际精品网络,三网回程 CN2 GIA,电信去程 CN2 GIA + BGP 直连智能路由,联通移动去程直连,原生IP。适合对网络要求较高的用户,同时价格也比较亲民。点击进入:丽萨主机官方网站...
Hostio€5/月KVM-2GB/25GB/5TB/荷兰机房
Hostio是一家成立于2006年的国外主机商,提供基于KVM架构的VPS主机,AMD EPYC CPU,NVMe硬盘,1-10Gbps带宽,最低月付5欧元起。商家采用自己的网络AS208258,宿主机采用2 x AMD Epyc 7452 32C/64T 2.3Ghz CPU,16*32GB内存,4个Samsung PM983 NVMe SSD,提供IPv4+IPv6。下面列出几款主机配置信息。...
inux国外美老牌PhotonVPS月$2.5 ,Linux系统首月半价
PhotonVPS 服务商我们是不是已经很久没有见过?曾经也是相当的火爆的,我们中文习惯称作为饭桶VPS主机商。翻看之前的文章,在2015年之前也有较多商家的活动分享的,这几年由于服务商太多,乃至于有一些老牌的服务商都逐渐淡忘。这不有看到PhotonVPS商家发布促销活动。PhotonVPS 商家七月份推出首月半价Linux系统VPS主机,首月低至2.5美元,有洛杉矶、达拉斯、阿什本机房,除提供普...
secondarylogon为你推荐
-
站长故事科学家的故事200字中小企业信息化信息化为中小企业发展带来了哪些机遇硬盘人500G的硬盘容量是多少啊?开机滚动条电脑开机滚动条要走好几次xv播放器下载除了迅雷看看播放器还有什么播放器支持xv格式的视频?迅雷云点播账号求一个迅雷云点播vip的账号,只是看的,绝不动任何手脚。人人逛街人人都喜欢逛街吗宕机宕机是什么意思?什么是云平台谁能简单说一下什么是云平台啊?发邮件怎么发如何发邮件?