security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
fc495c1192fda69bd1ed33a13d7590ef055eee09
atomic-red-team/atomics/T1134/T1134.yaml
T
caseysmithrc 7d2d934f32 yamled
2018-05-24 17:52:48 -06:00

27 lines
686 B
YAML
Raw Blame History

---
attack_technique: T1134
display_name: Access Token Manipulation
atomic_tests:
- name: Access Token Manipulation
description: |
Creates a process as another user
Requires Administrator Privileges To Execute Test
supported_platforms:
- windows
input_arguments:
target_user:
description: Username To Steal Token From
type: String
default: SYSTEM
executor:
name: powershell
command: |
#list processes by user,
$owners = @{}
gwmi win32_process |% {$owners[$_.handle] = $_.getowner().user}
get-process | select processname,Id,@{l="Owner";e={$owners[$_.id.tostring()]}}
#Steal Token
. .\src\T1134.ps1
Reference in New Issue View Git Blame Copy Permalink