Description
The Get-System cmdlet attempts to acquire NT AUTHORITY\SYSTEM privileges through one of several techniques.
Overview
The Get-System cmdlet attempts to acquire NT AUTHORITY\SYSTEM privileges through one of several techniques. These techniques require Administrator privileges in a high-integrity process: opening the token of a SYSTEM-owned process typically requires SeDebugPrivilege, which a UAC-filtered (medium-integrity) Administrator token does not hold at all and a high-integrity token holds but must first enable. The cmdlet first looks through the existing tokens stored in TokenManager for a SYSTEM token; if none is found, it enumerates the running processes, and if one running as SYSTEM can be opened, that process's token is used and returned.
Dependencies
- credentials
Operating Systems
- Windows
Pre-Requisites
- High Integrity process.
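The process-enumeration branch described in the Overview, as an added example (this is not the cmdlet's own source, and TokenManager is not involved): enable SeDebugPrivilege on the current process, find a process running as SYSTEM, duplicate its token as a primary token and impersonate it on the current thread. It assumes Windows PowerShell 5.1 started elevated (high integrity); the function names Enable-SeDebugPrivilege, Get-SystemToken and Invoke-AsSystem and the preferred-process order are this example's own choices.

```powershell
# Added example, not the Get-System cmdlet's code. Run from an elevated
# (high-integrity) Windows PowerShell 5.1 session.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class TokenNative {
    [StructLayout(LayoutKind.Sequential)]
    public struct LUID { public uint LowPart; public int HighPart; }
    [StructLayout(LayoutKind.Sequential)]
    public struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public LUID Luid; public uint Attributes; }
    [DllImport("kernel32.dll")] public static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError=true)] public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll", SetLastError=true)] public static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError=true)] public static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError=true, CharSet=CharSet.Unicode)] public static extern bool LookupPrivilegeValue(string host, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError=true)] public static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll, ref TOKEN_PRIVILEGES newState, uint len, IntPtr prev, IntPtr retLen);
    [DllImport("advapi32.dll", SetLastError=true)] public static extern bool DuplicateTokenEx(IntPtr token, uint access, IntPtr attrs, int level, int type, out IntPtr newToken);
    [DllImport("advapi32.dll", SetLastError=true)] public static extern bool ImpersonateLoggedOnUser(IntPtr token);
    [DllImport("advapi32.dll", SetLastError=true)] public static extern bool RevertToSelf();
}
"@

function Enable-SeDebugPrivilege {
    # A high-integrity Administrator token holds SeDebugPrivilege but disabled; a
    # medium-integrity token does not hold it, hence the "High Integrity" pre-requisite.
    $hTok = [IntPtr]::Zero
    if (-not [TokenNative]::OpenProcessToken([TokenNative]::GetCurrentProcess(), 0x0028, [ref]$hTok)) {   # TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY
        throw "OpenProcessToken(self) failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    $luid = New-Object TokenNative+LUID
    [void][TokenNative]::LookupPrivilegeValue($null, 'SeDebugPrivilege', [ref]$luid)
    $tp = New-Object TokenNative+TOKEN_PRIVILEGES
    $tp.PrivilegeCount = 1
    $tp.Luid = $luid
    $tp.Attributes = 0x00000002   # SE_PRIVILEGE_ENABLED
    $ok  = [TokenNative]::AdjustTokenPrivileges($hTok, $false, [ref]$tp, [Runtime.InteropServices.Marshal]::SizeOf($tp), [IntPtr]::Zero, [IntPtr]::Zero)
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    [void][TokenNative]::CloseHandle($hTok)
    # AdjustTokenPrivileges returns TRUE even when the privilege is absent; 1300 = ERROR_NOT_ALL_ASSIGNED
    if (-not $ok -or $err -eq 1300) { throw "SeDebugPrivilege not available (error $err); run from a high-integrity process" }
}

function Get-SystemToken {
    # Candidate order is this example's choice: long-lived SYSTEM services first, then any other SYSTEM process.
    $preferred = 'winlogon', 'services', 'spoolsv'
    $candidates = Get-Process -IncludeUserName |
        Where-Object { $_.UserName -eq 'NT AUTHORITY\SYSTEM' -and $_.Id -ne $PID } |
        Sort-Object { $i = [array]::IndexOf($preferred, $_.Name); if ($i -lt 0) { [int]::MaxValue } else { $i } }
    foreach ($p in $candidates) {
        $hProc = [TokenNative]::OpenProcess(0x1000, $false, $p.Id)   # PROCESS_QUERY_LIMITED_INFORMATION is enough for OpenProcessToken
        if ($hProc -eq [IntPtr]::Zero) { continue }                  # protected or otherwise inaccessible process: try the next one
        $hTok = [IntPtr]::Zero
        $opened = [TokenNative]::OpenProcessToken($hProc, 0x000A, [ref]$hTok)   # TOKEN_QUERY | TOKEN_DUPLICATE
        [void][TokenNative]::CloseHandle($hProc)
        if (-not $opened) { continue }
        $hDup = [IntPtr]::Zero
        # MAXIMUM_ALLOWED, SecurityImpersonation (2), TokenPrimary (1): a primary token, as in the cmdlet's example output
        $dupOk = [TokenNative]::DuplicateTokenEx($hTok, 0x02000000, [IntPtr]::Zero, 2, 1, [ref]$hDup)
        [void][TokenNative]::CloseHandle($hTok)
        if ($dupOk) { return [pscustomobject]@{ SourceProcess = $p.Name; SourcePid = $p.Id; Token = $hDup } }
    }
    throw 'No SYSTEM process could be opened; is SeDebugPrivilege enabled?'
}

function Invoke-AsSystem([scriptblock]$ScriptBlock) {
    Enable-SeDebugPrivilege
    $sys = Get-SystemToken
    if (-not [TokenNative]::ImpersonateLoggedOnUser($sys.Token)) {
        throw "ImpersonateLoggedOnUser failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try {
        # Sanity check before doing anything: the current thread must now carry the S-1-5-18 token.
        $who = [Security.Principal.WindowsIdentity]::GetCurrent()
        if ($who.User.Value -ne 'S-1-5-18') { throw "Impersonation yielded $($who.Name), not SYSTEM" }
        Write-Verbose "Impersonating SYSTEM via token from $($sys.SourceProcess) (PID $($sys.SourcePid))"
        & $ScriptBlock
    } finally {
        [void][TokenNative]::RevertToSelf()          # always drop the SYSTEM context again
        [void][TokenNative]::CloseHandle($sys.Token)
    }
}

# Usage: the script block runs as NT AUTHORITY\SYSTEM on the current thread, then the thread reverts.
Invoke-AsSystem { [Security.Principal.WindowsIdentity]::GetCurrent().Name }
```

The impersonation is per thread, so anything dispatched to another thread or runspace (Start-Job, Start-ThreadJob, a new Runspace) does not inherit it; to give a new process the SYSTEM context you would instead hand the duplicated primary token to CreateProcessWithTokenW or CreateProcessAsUser. Get-Process -IncludeUserName itself fails from a non-elevated session, which is the same "High Integrity process" requirement stated above.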
Example Text
Name : SYSTEM
Domain : NT AUTHORITY
SID : S-1-5-18
Groups : {BUILTIN\Administrators, Everyone, NT AUTHORITY\Authenticated Users}
Scope : Local
Type : TokenPrimary
Privileges : {@{Name=SeAssignPrimaryTokenPrivilege; Attributes=None}, @{Name=SeLockMemoryPrivilege; Attributes=UsedForAccess}, @{Name=SeIncreaseQuotaPrivilege; Attributes=None}, @{Name=SeTcbPrivilege; Attributes=UsedForAccess}…}
IsAdministrator : True
Example Json
{
"Name": "SYSTEM",
"Domain": "NT AUTHORITY",
"SID": "S-1-5-18",
"Groups": [
"BUILTIN\\Administrators",
"Everyone",
"NT AUTHORITY\\Authenticated Users"
],
"Scope": "Local",
"Type": "TokenPrimary",
"Privileges": [
{
"Name": "SeAssignPrimaryTokenPrivilege",
"Attributes": "None"
},
{
"Name": "SeLockMemoryPrivilege",
"Attributes": "UsedForAccess"
},
{
"Name": "SeIncreaseQuotaPrivilege",
"Attributes": "None"
},
{
"Name": "SeTcbPrivilege",
"Attributes": "UsedForAccess"
},
{
"Name": "SeSecurityPrivilege",
"Attributes": "None"
},
{
"Name": "SeTakeOwnershipPrivilege",
"Attributes": "None"
},
{
"Name": "SeLoadDriverPrivilege",
"Attributes": "None"
},
{
"Name": "SeSystemProfilePrivilege",
"Attributes": "UsedForAccess"
},
{
"Name": "SeSystemtimePrivilege",
"Attributes": "None"
},
{
"Name": "SeProfileSingleProcessPrivilege",
"Attributes": "UsedForAccess"
},
{
"Name": "SeIncreaseBasePriorityPrivilege",
"Attributes": "UsedForAccess"
},
{
"Name": "SeCreatePagefilePrivilege",
"Attributes": "UsedForAccess"
},
{
"Name": "SeCreatePermanentPrivilege",
"Attributes": "UsedForAccess"
},
{
"Name": "SeBackupPrivilege",
"Attributes": "None"
},
{
"Name": "SeRestorePrivilege",
"Attributes": "None"
},
{
"Name": "SeShutdownPrivilege",
"Attributes": "None"
},
{
"Name": "SeDebugPrivilege",
"Attributes": "UsedForAccess"
},
{
"Name": "SeAuditPrivilege",
"Attributes": "UsedForAccess"
},
{
"Name": "SeSystemEnvironmentPrivilege",
"Attributes": "None"
},
{
"Name": "SeChangeNotifyPrivilege",
"Attributes": "UsedForAccess"
},
{
"Name": "SeUndockPrivilege",
"Attributes": "None"
},
{
"Name": "SeManageVolumePrivilege",
"Attributes": "None"
},
{
"Name": "SeImpersonatePrivilege",
"Attributes": "UsedForAccess"
},
{
"Name": "SeCreateGlobalPrivilege",
"Attributes": "UsedForAccess"
},
{
"Name": "SeIncreaseWorkingSetPrivilege",
"Attributes": "UsedForAccess"
},
{
"Name": "SeTimeZonePrivilege",
"Attributes": "UsedForAccess"
},
{
"Name": "SeCreateSymbolicLinkPrivilege",
"Attributes": "UsedForAccess"
},
{
"Name": "SeDelegateSessionUserImpersonatePrivilege",
"Attributes": "UsedForAccess"
}
],
"IsAdministrator": true
}