### Get Accessible Processes with Get-NtProcess
Source: https://context7.com/googleprojectzero/sandbox-attacksurface-analysis-tools/llms.txt

Retrieves all accessible NT process objects from the system. Use this to start enumerating processes.

```powershell
# Get all accessible processes
$processes = Get-NtProcess
```

--------------------------------

### Get Processes by Name with Get-NtProcess
Source: https://context7.com/googleprojectzero/sandbox-attacksurface-analysis-tools/llms.txt

Retrieves processes by their executable name. This is a convenient way to find specific running applications.

```powershell
# Get processes by name
$notepad = Get-NtProcess -Name "notepad.exe"
```

--------------------------------

### Get LSA Authentication Packages
Source: https://context7.com/googleprojectzero/sandbox-attacksurface-analysis-tools/llms.txt

Use Get-LsaPackage to retrieve a list of available authentication packages from the Local Security Authority (LSA).

```powershell
$packages = Get-LsaPackage
```

--------------------------------

### Get Token from Specific Process
Source: https://context7.com/googleprojectzero/sandbox-attacksurface-analysis-tools/llms.txt

Opens the primary access token for a specified process. The process must either be opened first (as here) or be specified by its ID.

```powershell
# Get token from specific process
$proc = Get-NtProcess -ProcessId 1234
$token = Get-NtToken -Primary -Process $proc
```

--------------------------------

### Get Environment Variables from a Process
Source: https://context7.com/googleprojectzero/sandbox-attacksurface-analysis-tools/llms.txt

Retrieves all environment variables for a specified process. Can also retrieve a specific variable by name.
```powershell
# Get environment variables from a process
# (the variable is named $envVars rather than $env to avoid confusion with the Env: drive)
$envVars = Get-NtProcessEnvironment -ProcessId 1234
$tempPath = Get-NtProcessEnvironment -ProcessId 1234 -Name "TMP"
```

--------------------------------

### Get Process Mitigations for All Processes
Source: https://context7.com/googleprojectzero/sandbox-attacksurface-analysis-tools/llms.txt

Retrieves security mitigation policies for all accessible processes on the system. This provides a system-wide overview of security settings.

```powershell
# Get mitigations for all accessible processes
$mitigations = Get-NtProcessMitigations
```

--------------------------------

### Get Process by ID and Access Rights
Source: https://context7.com/googleprojectzero/sandbox-attacksurface-analysis-tools/llms.txt

Retrieves a specific process by its ID and opens it with specified access rights. Useful for targeted analysis and accessing process properties like CommandLine and FullPath.

```powershell
# Get process by ID with specific access rights
$proc = Get-NtProcess -ProcessId 1234 -Access QueryInformation
$proc.CommandLine
# Returns: "C:\Windows\System32\notepad.exe document.txt"
$proc.FullPath
# Returns: "\Device\HarddiskVolume3\Windows\System32\notepad.exe"
```

--------------------------------

### Get Current Process with Get-NtProcess
Source: https://context7.com/googleprojectzero/sandbox-attacksurface-analysis-tools/llms.txt

Retrieves the current process object. This is useful for self-inspection or when the PID is not explicitly known.

```powershell
# Get current process
$current = Get-NtProcess -Current
```

--------------------------------

### Get Token by Process ID
Source: https://context7.com/googleprojectzero/sandbox-attacksurface-analysis-tools/llms.txt

Opens the primary access token for a process directly using its Process ID. A convenient shortcut for obtaining a process token.
```powershell
# Get token by process ID directly
$token = Get-NtToken -Primary -ProcessId 1234
```

--------------------------------

### Get Impersonation Token from Thread
Source: https://context7.com/googleprojectzero/sandbox-attacksurface-analysis-tools/llms.txt

Opens the impersonation token associated with a specific thread. This is useful for analyzing thread-level impersonation contexts.

```powershell
# Get impersonation token from thread
$token = Get-NtToken -Impersonation -ThreadId 5678
```

--------------------------------

### Get Token with Specific Access Rights
Source: https://context7.com/googleprojectzero/sandbox-attacksurface-analysis-tools/llms.txt

Opens an NT token with specified access rights. This allows for fine-grained control over token operations, such as adjusting privileges.

```powershell
# Get token with specific access
$token = Get-NtToken -Access AdjustPrivileges
```

--------------------------------

### Get Parent Process with Get-NtProcess
Source: https://context7.com/googleprojectzero/sandbox-attacksurface-analysis-tools/llms.txt

Retrieves the parent process of a given process ID. This helps in understanding process lineage and execution flow.

```powershell
# Get parent process
$parent = Get-NtProcess -ProcessId 1234 -OpenParent
```

--------------------------------

### Get Process Mitigations by Process ID
Source: https://context7.com/googleprojectzero/sandbox-attacksurface-analysis-tools/llms.txt

Retrieves security mitigation policies for processes specified by their Process IDs. Allows for targeted inspection of multiple processes.

```powershell
# Get mitigations for specific PIDs
$mit = Get-NtProcessMitigations -ProcessId 1234, 5678
```

--------------------------------

### Get User SID for a Process
Source: https://context7.com/googleprojectzero/sandbox-attacksurface-analysis-tools/llms.txt

Retrieves the Security Identifier (SID) of the user context under which a process is running. Useful for identifying the owner of a process.
```powershell
# Get user SID for a process
$userSid = Get-NtProcessUser -ProcessId 1234
# Returns: S-1-5-21-xxx-xxx-xxx-1001 (DOMAIN\Username)
```

--------------------------------

### Get Current Process Primary Token
Source: https://context7.com/googleprojectzero/sandbox-attacksurface-analysis-tools/llms.txt

Opens the primary access token for the current process. This token represents the security context under which the current process is running.

```powershell
# Get current process primary token
$token = Get-NtToken -Primary
```

--------------------------------

### Get Process Information Only
Source: https://context7.com/googleprojectzero/sandbox-attacksurface-analysis-tools/llms.txt

Retrieves only process information without opening a handle to the process. This is useful for read-only operations where handle access is not required or desired.

```powershell
# Get process information only (no handle)
$info = Get-NtProcess -InfoOnly
```

--------------------------------

### Get Process for a Windows Service
Source: https://context7.com/googleprojectzero/sandbox-attacksurface-analysis-tools/llms.txt

Retrieves the process object associated with a specific Windows service name. Useful for analyzing service behavior.

```powershell
# Get process for a Windows service
$svcProc = Get-NtProcess -ServiceName "WebClient"
```

--------------------------------

### Get Process Mitigations by Name
Source: https://context7.com/googleprojectzero/sandbox-attacksurface-analysis-tools/llms.txt

Retrieves security mitigation policies for a specific process identified by its name. Useful for checking the security posture of individual applications.
```powershell
# Get mitigations for specific process by name
$edgeMit = Get-NtProcessMitigations -Name "MicrosoftEdgeCP.exe"
```

--------------------------------

### Get Effective Token
Source: https://context7.com/googleprojectzero/sandbox-attacksurface-analysis-tools/llms.txt

Retrieves the effective token, which is either the impersonation token if available, or the primary token of the process. Useful for determining the current security context.

```powershell
# Get effective token (impersonation or primary)
$effective = Get-NtToken -Effective
```

--------------------------------

### Get Pseudo Token
Source: https://context7.com/googleprojectzero/sandbox-attacksurface-analysis-tools/llms.txt

Retrieves a pseudo token object without opening an actual handle to an NT token. This is useful for operations that do not require a valid handle.

```powershell
# Get pseudo token (no actual handle)
$pseudo = Get-NtToken -Pseudo
```

--------------------------------

### Calculate Granted Access
Source: https://context7.com/googleprojectzero/sandbox-attacksurface-analysis-tools/llms.txt

Use Get-NtGrantedAccess to calculate the access a token would be granted by a security descriptor. Get-NtAccessMask can be used to build or convert access masks for specific object types.

```powershell
# Granted access for a security descriptor and token
$access = Get-NtGrantedAccess -SecurityDescriptor $sd -Token $token

# Same check, mapping the result to file-specific access rights
$access = Get-NtGrantedAccess -SecurityDescriptor $sd -Token $token `
    -Type File

# Build a file access mask from named rights
$mask = Get-NtAccessMask -FileAccess ReadData, WriteData

# Convert a raw access mask to its file-specific names
$str = Get-NtAccessMask -AccessMask 0x1F01FF -Type File -AsString
```

--------------------------------

### Get Processes with Specific Mitigation Enabled
Source: https://context7.com/googleprojectzero/sandbox-attacksurface-analysis-tools/llms.txt

Filters processes to find those with a specific mitigation policy enabled, such as disallowing Win32k system calls. Useful for identifying processes with enhanced security.
```powershell
# Get processes with specific mitigation enabled
$protected = Get-NtProcess -FilterScript { $_.Mitigations.DisallowWin32kSystemCalls -eq $true }
```

--------------------------------

### Token Creation
Source: https://context7.com/googleprojectzero/sandbox-attacksurface-analysis-tools/llms.txt

Demonstrates various methods for creating and obtaining different types of Windows tokens using the `Get-NtToken` cmdlet.

#### Cmdlets
- **Get-NtToken -Duplicate** - Creates a duplicate of the current token with specified impersonation levels.
- **Get-NtToken -LowBox** - Creates a token suitable for a low-privilege sandbox environment (AppContainer).
- **Get-NtToken -Filtered** - Creates a filtered token, often referred to as a LUA token, with restricted privileges.
- **Get-NtToken -Anonymous** - Obtains an anonymous token.
- **Get-NtToken -Logon** - Performs a user logon and returns a token for the authenticated user.
- **Get-NtToken -S4U** - Performs a Kerberos S4U logon, which does not require the user's password.
- **Get-NtToken -Session** - Retrieves a token associated with a specific logon session ID.
#### Examples

```powershell
# Create duplicate impersonation token
$impToken = Get-NtToken -Duplicate -TokenType Impersonation -ImpersonationLevel Impersonation

# Create lowbox (AppContainer) token
$lowbox = Get-NtToken -LowBox -PackageSid "Application.Name" -CapabilitySid "internetClient", "privateNetworkClientServer"

# Create filtered token (LUA token)
$filtered = Get-NtToken -Filtered -Flags LuaToken

# Create token with disabled SIDs
$restricted = Get-NtToken -Filtered -SidsToDisable "WD", "BA"

# Get anonymous token
$anon = Get-NtToken -Anonymous

# Logon and get token
$logonToken = Get-NtToken -Logon -User "Bob" -Password "SecurePass123" -Domain "CONTOSO" -LogonType Interactive

# S4U logon (no password required)
$s4uToken = Get-NtToken -S4U -User "Bob" -Domain "CONTOSO"

# Get session token
$sessionToken = Get-NtToken -Session -SessionId 2
```

--------------------------------

### Create Security Descriptors
Source: https://context7.com/googleprojectzero/sandbox-attacksurface-analysis-tools/llms.txt

Initialize security descriptors from parent objects or Base64 encoded strings.

```powershell
# Create from parent (inheritance)
$sd = New-NtSecurityDescriptor -Parent $parentSd -Creator $creatorSd `
    -Type Directory -IsContainer

# Create from base64
$sd = New-NtSecurityDescriptor -Base64 "AQAUhBQAAAAgAAAA..."
```

--------------------------------

### Manage LSA Credentials and Tickets
Source: https://context7.com/googleprojectzero/sandbox-attacksurface-analysis-tools/llms.txt

Cmdlets for creating LSA contexts, retrieving access tokens, and managing Kerberos ticket caches.
```powershell
# Create credential handle
$cred = New-LsaCredentialHandle -Package "Negotiate" -UseFlag Outbound

# Create client context
$client = New-LsaClientContext -CredentialHandle $cred `
    -Target "host/server.domain.com"

# Create server context
$server = New-LsaServerContext -CredentialHandle $cred

# Get access token from context
$token = Get-LsaAccessToken -Context $server

# Get Kerberos tickets
$tickets = Get-KerberosTicket

# Export/Import ticket cache
Export-KerberosTicketCache -Path "tickets.bin"
Import-KerberosTicketCache -Path "tickets.bin"
```

--------------------------------

### Token Information Display
Source: https://context7.com/googleprojectzero/sandbox-attacksurface-analysis-tools/llms.txt

Cmdlets for formatting and displaying detailed token information in various formats, including launching the TokenViewer GUI.

#### Cmdlets
- **Show-NtTokenEffective** - Displays effective token information, similar to `whoami`, with options for detailed, basic, or specific sections.
- **Format-NtToken** - Formats a given token object for display.
- **Show-NtToken** - Launches the TokenViewer GUI or displays information about accessible tokens, optionally filtering by process ID, service name, or showing all tokens.
- **Copy-NtToken** - Creates a copy of an existing token with specified impersonation levels or creates a primary token.
- **Get-NtTokenFromProcess** - Retrieves a token from a specified process ID, typically using thread impersonation.
#### Examples

```powershell
# Show current effective token info (like whoami)
Show-NtTokenEffective

# Show all token details
Show-NtTokenEffective -All

# Show basic info (user, groups, privileges, integrity)
Show-NtTokenEffective -Basic

# Show specific sections
Show-NtTokenEffective -User -Group -Privilege

# Format a specific token
Format-NtToken -Token $token -All

# Launch TokenViewer GUI
Show-NtToken -ProcessId 1234
Show-NtToken -All                    # Show all accessible tokens
Show-NtToken -ServiceName "AppInfo"  # Show service token

# Copy token
$copy = Copy-NtToken -Token $token -ImpersonationLevel Impersonation
$primary = Copy-NtToken -Primary

# Get token from process using thread impersonation
$token = Get-NtTokenFromProcess -ProcessId 1234
```

--------------------------------

### File Operations
Source: https://context7.com/googleprojectzero/sandbox-attacksurface-analysis-tools/llms.txt

Cmdlets for creating, reading, and managing NT files and named pipes.
#### Open file

```powershell
$file = Get-NtFile -Path "\??\C:\Windows\System32\kernel32.dll"
```

#### Create new file

```powershell
$file = New-NtFile -Path "\??\C:\Temp\test.txt" -Access GenericWrite -Disposition CreateAlways
```

#### Open named pipe

```powershell
$pipe = Get-NtNamedPipeFile -Path "\??\pipe\mypipe"
```

#### Create named pipe server

```powershell
$pipe = New-NtNamedPipeFile -Path "\??\pipe\mypipe" -MaxInstances 1
```

#### Read file

```powershell
$data = Read-NtFile -File $file -Length 1024
```

#### Write file

```powershell
Write-NtFile -File $file -Data $bytes
```

#### Get file path type

```powershell
$pathType = Get-NtFilePathType -Path "C:\Windows"
```

#### Get NT path for Win32 path

```powershell
$ntPath = Get-NtFilePath -Path "C:\Windows" -Resolve
# Returns: \Device\HarddiskVolume3\Windows
```

--------------------------------

### Manage NT Directories
Source: https://context7.com/googleprojectzero/sandbox-attacksurface-analysis-tools/llms.txt

Open, create, and list contents of NT object manager directories.

```powershell
# Open directory
$dir = Get-NtDirectory -Path "\BaseNamedObjects"

# Create new directory
$newDir = New-NtDirectory -Path "\BaseNamedObjects\MyDir"

# List directory contents
$entries = Get-NtDirectoryChild -Directory $dir
# Returns: Name, TypeName for each object

# Browse object namespace (PowerShell provider)
Import-Module NtObjectManager
Get-ChildItem NtObject:\
Get-ChildItem NtObject:\BaseNamedObjects
```

--------------------------------

### Query and Manage Windows Services
Source: https://context7.com/googleprojectzero/sandbox-attacksurface-analysis-tools/llms.txt

Cmdlets for retrieving service configurations, security descriptors, and managing service states.
```powershell
# Get all services
$services = Get-Win32Service

# Get specific service
$svc = Get-Win32Service -Name "WebClient"

# Get service configuration
$config = Get-Win32ServiceConfig -Name "WebClient"

# Get service security descriptor
$sd = Get-Win32ServiceSecurityDescriptor -Name "WebClient"

# Start service
Start-Win32Service -Name "WebClient"

# Wait for service state
Wait-Win32Service -Name "WebClient" -State Running

# Get service triggers
$triggers = Get-Win32ServiceTrigger -Name "WebClient"
```

--------------------------------

### Display and Format Token Information
Source: https://context7.com/googleprojectzero/sandbox-attacksurface-analysis-tools/llms.txt

Tools for inspecting token details, launching the TokenViewer GUI, and copying tokens.

```powershell
# Show current effective token info (like whoami)
Show-NtTokenEffective

# Show all token details
Show-NtTokenEffective -All

# Show basic info (user, groups, privileges, integrity)
Show-NtTokenEffective -Basic

# Show specific sections
Show-NtTokenEffective -User -Group -Privilege

# Format a specific token
Format-NtToken -Token $token -All

# Launch TokenViewer GUI
Show-NtToken -ProcessId 1234
Show-NtToken -All                    # Show all accessible tokens
Show-NtToken -ServiceName "AppInfo"  # Show service token

# Copy token
$copy = Copy-NtToken -Token $token -ImpersonationLevel Impersonation
$primary = Copy-NtToken -Primary

# Get token from process using thread impersonation
$token = Get-NtTokenFromProcess -ProcessId 1234
```

--------------------------------

### Get-NtProcessMitigations
Source: https://context7.com/googleprojectzero/sandbox-attacksurface-analysis-tools/llms.txt

Retrieves security mitigation policies for processes, including ASLR, CFG, and system call restrictions.
#### Method
PowerShell cmdlet

#### Parameters
- **Name** (string) - Optional - Filter by process name
- **ProcessId** (int[]) - Optional - Filter by specific PIDs

--------------------------------

### Format-NtSecurityDescriptor and Show-NtSecurityDescriptor
Source: https://context7.com/googleprojectzero/sandbox-attacksurface-analysis-tools/llms.txt

Cmdlets for formatting and displaying security descriptors in various formats, including SDDL and a GUI.

#### Format object's security descriptor

```powershell
Format-NtSecurityDescriptor -Object $obj
```

#### Format as SDDL

```powershell
Format-NtSecurityDescriptor -Object $obj -AsSddl
```

#### Format from path

```powershell
Format-NtSecurityDescriptor -Path "\BaseNamedObjects\MyEvent"
```

#### Show all security information

```powershell
Format-NtSecurityDescriptor -Object $obj -ShowAll
```

#### Format with summary (less verbose)

```powershell
Format-NtSecurityDescriptor -Object $obj -Summary
```

#### Format with SDK names

```powershell
Format-NtSecurityDescriptor -Object $obj -SDKName
```

#### Show security descriptor in GUI

```powershell
Show-NtSecurityDescriptor -Object $obj
Show-NtSecurityDescriptor -SecurityDescriptor $sd -Type File
```

--------------------------------

### RPC Server Analysis
Source: https://context7.com/googleprojectzero/sandbox-attacksurface-analysis-tools/llms.txt

Cmdlets for parsing RPC server interfaces from DLLs and processes.

#### Get-RpcServer
Parses RPC server interfaces from DLLs and processes.
##### Parse RPC servers from DLL

```powershell
$servers = Get-RpcServer -FullName "C:\Windows\System32\rpcss.dll"
```

##### Get RPC servers as formatted text

```powershell
$text = Get-RpcServer -FullName "C:\Windows\System32\rpcss.dll" -AsText
```

##### Parse from all modules in a process

```powershell
$servers = Get-RpcServer -ProcessId 1234
```

--------------------------------

### Create and Retrieve Windows Tokens
Source: https://context7.com/googleprojectzero/sandbox-attacksurface-analysis-tools/llms.txt

Commands for generating various types of tokens, including impersonation, AppContainer, filtered, and logon tokens.

```powershell
# Create duplicate impersonation token
$impToken = Get-NtToken -Duplicate -TokenType Impersonation -ImpersonationLevel Impersonation

# Create lowbox (AppContainer) token
$lowbox = Get-NtToken -LowBox -PackageSid "Application.Name" `
    -CapabilitySid "internetClient", "privateNetworkClientServer"

# Create filtered token (LUA token)
$filtered = Get-NtToken -Filtered -Flags LuaToken

# Create token with disabled SIDs
$restricted = Get-NtToken -Filtered -SidsToDisable "WD", "BA"

# Get anonymous token
$anon = Get-NtToken -Anonymous

# Logon and get token
$logonToken = Get-NtToken -Logon -User "Bob" -Password "SecurePass123" `
    -Domain "CONTOSO" -LogonType Interactive

# S4U logon (no password required)
$s4uToken = Get-NtToken -S4U -User "Bob" -Domain "CONTOSO"

# Get session token
$sessionToken = Get-NtToken -Session -SessionId 2
```

--------------------------------

### Format and Parse Binary Data
Source: https://context7.com/googleprojectzero/sandbox-attacksurface-analysis-tools/llms.txt

Utilities for hex dumping, parsing hex strings, and calculating MD4 hashes.
```powershell
# Format as hex dump
$bytes | Format-HexDump

# Parse hex string
$bytes = ConvertFrom-HexDump -HexString "48 65 6C 6C 6F"

# Get MD4 hash (used in NTLM)
$hash = Get-MD4Hash -Data $bytes
```

--------------------------------

### Create and Manage NT Objects
Source: https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/blob/main/NtObjectManager/en-US/about_NtObjectManagerProvider.help.txt

Create various NT object types using New-Item and ensure handles are closed after use.

```powershell
$obj = New-Item NtObjectSession:\ABC -ItemType Directory
# Do something with directory.
# ...
$obj.Close()
```

```powershell
$obj = New-Item NtObjectSession:\ABC -ItemType Link -Value \BaseNamedObjects
# Do something
# ...
$obj.Close()
```

```powershell
$obj = New-Item NtObjectSession:\ABC -ItemType Event
# Do something
# ...
$obj.Close()
```

```powershell
$obj = New-Item NtObjectSession:\ABC -ItemType Semaphore -Value 10
# Do something
# ...
$obj.Close()
```

```powershell
$obj = New-Item NtObjectSession:\ABC -ItemType Mutant
# Do something
# ...
$obj.Close()
```

--------------------------------

### Mount Custom PowerShell Drives
Source: https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/blob/main/NtObjectManager/en-US/about_NtObjectManagerProvider.help.txt

Create new PowerShell drives to map specific object manager paths, private namespaces, or registry keys.
```powershell
New-PSDrive -PSProvider NtObjectManager -Name BNO -Root nt:BaseNamedObjects
```

```powershell
New-PSDrive -PSProvider NtObjectManager -Name PrivNS -Root ntpriv:WD:LW@ABC
```

```powershell
New-PSDrive -PSProvider NtObjectManager -Name MACHINEKEY -Root ntkey:MACHINE
```

--------------------------------

### Create New Event with Nested Directories
Source: https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/blob/main/NtObjectManager/en-US/about_ManagingNtObjectLifetime.help.txt

Creates a new event with nested directories and ensures proper disposal of the created objects. Use -CreateDirectories to automatically create necessary parent directories.

```powershell
$ev = New-NtEvent \BaseNamedObjects\ABC\XYZ\EventName -CreateDirectories
try {
    # Print out created event
    $ev[0] | Format-List
} finally {
    # Dispose objects
    $ev.Dispose()
}
```

--------------------------------

### Analyze RPC Servers
Source: https://context7.com/googleprojectzero/sandbox-attacksurface-analysis-tools/llms.txt

Parse RPC server interfaces from DLLs or running processes.

```powershell
# Parse RPC servers from DLL
$servers = Get-RpcServer -FullName "C:\Windows\System32\rpcss.dll"

# Get RPC servers as formatted text
$text = Get-RpcServer -FullName "C:\Windows\System32\rpcss.dll" -AsText

# Parse from all modules in a process
$servers = Get-RpcServer -ProcessId 1234
```

--------------------------------

### Token Privilege Management
Source: https://context7.com/googleprojectzero/sandbox-attacksurface-analysis-tools/llms.txt

Cmdlets for managing token privileges, including enabling, disabling, and querying their states.

#### Cmdlets
- **Set-NtTokenPrivilege** - Enables or disables a specific privilege.
- **Enable-NtTokenPrivilege** - Enables one or more privileges.
- **Disable-NtTokenPrivilege** - Disables a specific privilege.
- **Get-NtTokenPrivilege** - Retrieves a list of all privileges associated with a token, optionally filtering by name.
- **Remove-NtTokenPrivilege** - Removes a privilege from a token entirely.
- **Test-NtTokenPrivilege** - Checks if a specific privilege is currently held by the token.

#### Examples

```powershell
# Enable SeDebugPrivilege
Set-NtTokenPrivilege -Privilege SeDebugPrivilege -Attribute Enabled

# Enable multiple privileges
Enable-NtTokenPrivilege -Privilege SeBackupPrivilege, SeRestorePrivilege

# Disable a privilege
Disable-NtTokenPrivilege -Privilege SeDebugPrivilege

# Get all privileges
$privs = Get-NtTokenPrivilege
# Returns: SeDebugPrivilege (Enabled), SeBackupPrivilege (Disabled), etc.

# Get specific privilege state
$debug = Get-NtTokenPrivilege -Privilege SeDebugPrivilege

# Remove privilege entirely (not just disable)
Remove-NtTokenPrivilege -Privilege SeDebugPrivilege

# Check if privilege is held
$hasDebug = Test-NtTokenPrivilege -Privilege SeDebugPrivilege
```

--------------------------------

### NT Object Access
Source: https://context7.com/googleprojectzero/sandbox-attacksurface-analysis-tools/llms.txt

Cmdlets for opening and accessing NT objects, including directories and files.

#### Get-NtObject
Opens NT objects by path or from handles.

##### Open object by path

```powershell
$obj = Get-NtObject -Path "\BaseNamedObjects\MyEvent"
```

##### Open with root object

```powershell
$root = Get-NtDirectory -Path "\BaseNamedObjects"
$obj = Get-NtObject -Path "MyEvent" -Root $root
```

##### Open with specific type

```powershell
$obj = Get-NtObject -Path "\Device\Null" -TypeName File
```

##### Open with specific access

```powershell
$obj = Get-NtObject -Path "\BaseNamedObjects\MyMutex" -Access Synchronize
```

#### Get-NtDirectory
Opens NT object manager directories.
##### Open directory

```powershell
$dir = Get-NtDirectory -Path "\BaseNamedObjects"
```

##### Create new directory

```powershell
$newDir = New-NtDirectory -Path "\BaseNamedObjects\MyDir"
```

##### List directory contents

```powershell
$entries = Get-NtDirectoryChild -Directory $dir
# Returns: Name, TypeName for each object
```

##### Browse object namespace (PowerShell provider)

```powershell
Import-Module NtObjectManager
Get-ChildItem NtObject:\
Get-ChildItem NtObject:\BaseNamedObjects
```

--------------------------------

### Format Security Descriptors
Source: https://context7.com/googleprojectzero/sandbox-attacksurface-analysis-tools/llms.txt

Display security descriptors in various formats including SDDL, SDK names, or GUI views.

```powershell
# Format object's security descriptor
Format-NtSecurityDescriptor -Object $obj

# Format as SDDL
Format-NtSecurityDescriptor -Object $obj -AsSddl

# Format from path
Format-NtSecurityDescriptor -Path "\BaseNamedObjects\MyEvent"

# Show all security information
Format-NtSecurityDescriptor -Object $obj -ShowAll

# Format with summary (less verbose)
Format-NtSecurityDescriptor -Object $obj -Summary

# Format with SDK names
Format-NtSecurityDescriptor -Object $obj -SDKName

# Show security descriptor in GUI
Show-NtSecurityDescriptor -Object $obj
Show-NtSecurityDescriptor -SecurityDescriptor $sd -Type File
```

--------------------------------

### Create Security Descriptors
Source: https://context7.com/googleprojectzero/sandbox-attacksurface-analysis-tools/llms.txt

Methods for generating new security descriptors from SDDL strings or default types.
```powershell
# Create from SDDL
$sd = New-NtSecurityDescriptor -Sddl "O:SYG:SYD:(A;;GA;;;WD)"

# Create empty security descriptor
$sd = New-NtSecurityDescriptor

# Create with specific NT type
$sd = New-NtSecurityDescriptor -Type File
```

--------------------------------

### Manage Token Privileges
Source: https://context7.com/googleprojectzero/sandbox-attacksurface-analysis-tools/llms.txt

Methods for enabling, disabling, checking, and removing privileges associated with a token.

```powershell
# Enable SeDebugPrivilege
Set-NtTokenPrivilege -Privilege SeDebugPrivilege -Attribute Enabled

# Enable multiple privileges
Enable-NtTokenPrivilege -Privilege SeBackupPrivilege, SeRestorePrivilege

# Disable a privilege
Disable-NtTokenPrivilege -Privilege SeDebugPrivilege

# Get all privileges
$privs = Get-NtTokenPrivilege
# Returns: SeDebugPrivilege (Enabled), SeBackupPrivilege (Disabled), etc.

# Get specific privilege state
$debug = Get-NtTokenPrivilege -Privilege SeDebugPrivilege

# Remove privilege entirely (not just disable)
Remove-NtTokenPrivilege -Privilege SeDebugPrivilege

# Check if privilege is held
$hasDebug = Test-NtTokenPrivilege -Privilege SeDebugPrivilege
```

--------------------------------

### Perform File Operations
Source: https://context7.com/googleprojectzero/sandbox-attacksurface-analysis-tools/llms.txt

Create, read, and manage files and named pipes within the NT namespace.
```powershell
# Open file
$file = Get-NtFile -Path "\??\C:\Windows\System32\kernel32.dll"

# Create new file
$file = New-NtFile -Path "\??\C:\Temp\test.txt" -Access GenericWrite `
    -Disposition CreateAlways

# Open named pipe
$pipe = Get-NtNamedPipeFile -Path "\??\pipe\mypipe"

# Create named pipe server
$pipe = New-NtNamedPipeFile -Path "\??\pipe\mypipe" -MaxInstances 1

# Read file
$data = Read-NtFile -File $file -Length 1024

# Write file
Write-NtFile -File $file -Data $bytes

# Get file path type
$pathType = Get-NtFilePathType -Path "C:\Windows"

# Get NT path for Win32 path
$ntPath = Get-NtFilePath -Path "C:\Windows" -Resolve
# Returns: \Device\HarddiskVolume3\Windows
```

--------------------------------

### Security Descriptor Management
Source: https://context7.com/googleprojectzero/sandbox-attacksurface-analysis-tools/llms.txt

Cmdlets for retrieving and creating security descriptors for various objects.

#### Get-NtSecurityDescriptor
Retrieves security descriptors from objects, paths, or memory.

##### Parameters
- **Object** (Object) - The object from which to retrieve the security descriptor.
- **SecurityInformation** (SecurityInformation) - Specifies the type of security information to retrieve (e.g., Dacl, Owner, Group).
- **AsSddl** (Switch) - Returns the security descriptor as an SDDL string.
- **Path** (String) - The path to the object (e.g., registry key, file path, named pipe).
- **TypeName** (String) - Specifies the type of object when retrieving from a path (e.g., File, Key).
- **ProcessId** (Int32) - The process ID from which to retrieve the security descriptor.
- **ThreadId** (Int32) - The thread ID from which to retrieve the security descriptor.
- **NamedPipeDefault** (Switch) - Retrieves the default security descriptor for a named pipe.
##### Examples

```powershell
# Get security descriptor from an object
$sd = Get-NtSecurityDescriptor -Object $fileObj

# Get with specific security information
$sd = Get-NtSecurityDescriptor -Object $obj -SecurityInformation Dacl, Owner, Group

# Get as SDDL string
$sddl = Get-NtSecurityDescriptor -Object $obj -AsSddl
# Returns: "O:SYG:SYD:(A;;GA;;;BA)(A;;GA;;;SY)"

# Get from path
$sd = Get-NtSecurityDescriptor -Path "\BaseNamedObjects\MyMutex"

# Get from file path (requires type hint)
$sd = Get-NtSecurityDescriptor -Path "\??\C:\Windows" -TypeName File

# Get from process ID
$sd = Get-NtSecurityDescriptor -ProcessId 1234

# Get from thread ID
$sd = Get-NtSecurityDescriptor -ThreadId 5678

# Get default named pipe security descriptor
$npSd = Get-NtSecurityDescriptor -NamedPipeDefault
```

#### New-NtSecurityDescriptor
Creates new security descriptors from SDDL or programmatically.

##### Parameters
- **Sddl** (String) - The SDDL string to create the security descriptor from.
- **Type** (NtObjectType) - The NT object type for which the security descriptor is intended (e.g., File, Key).

##### Examples

```powershell
# Create from SDDL
$sd = New-NtSecurityDescriptor -Sddl "O:SYG:SYD:(A;;GA;;;WD)"

# Create empty security descriptor
$sd = New-NtSecurityDescriptor

# Create with specific NT type
$sd = New-NtSecurityDescriptor -Type File
```

--------------------------------

### Get-NtToken
Source: https://context7.com/googleprojectzero/sandbox-attacksurface-analysis-tools/llms.txt

Opens NT tokens from various sources including processes, threads and logon sessions, and creates filtered/lowbox tokens.
### Method PowerShell Cmdlet ### Parameters #### Query Parameters - **Primary** (switch) - Optional - Get primary token - **Pseudo** (switch) - Optional - Get pseudo token - **Impersonation** (switch) - Optional - Get impersonation token - **ProcessId** (int) - Optional - Get token from specific PID - **ThreadId** (int) - Optional - Get token from specific Thread ID ``` -------------------------------- ### Load the NtObjectManager module Source: https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/blob/main/README.txt Load the module into the current PowerShell session after disabling signing requirements. ```powershell Import-Module NtObjectManager ``` -------------------------------- ### Security Descriptor Creation and Modification Source: https://context7.com/googleprojectzero/sandbox-attacksurface-analysis-tools/llms.txt Provides cmdlets for creating and modifying NT security descriptors, including setting owners, groups, DACLs, and integrity levels. ```APIDOC ## Security Descriptor Creation and Modification ### Description Cmdlets for creating and modifying NT security descriptors. ### Create from parent (inheritance) ```powershell $sd = New-NtSecurityDescriptor -Parent $parentSd -Creator $creatorSd -Type Directory -IsContainer ``` ### Create from base64 ```powershell $sd = New-NtSecurityDescriptor -Base64 "AQAUhBQAAAAgAAAA..." 
``` ### Set owner ```powershell Set-NtSecurityDescriptorOwner -SecurityDescriptor $sd -Owner $sid ``` ### Set group ```powershell Set-NtSecurityDescriptorGroup -SecurityDescriptor $sd -Group $sid ``` ### Set integrity level ```powershell Set-NtSecurityDescriptorIntegrityLevel -SecurityDescriptor $sd -IntegrityLevel Medium -Policy NoWriteUp ``` ### Create and set DACL ```powershell $ace = New-NtSecurityDescriptorAce -Sid "WD" -Access "GenericAll" -Type Allowed Set-NtSecurityDescriptorDacl -SecurityDescriptor $sd -Ace $ace ``` ### Add ACE to existing DACL ```powershell Add-NtSecurityDescriptorAce -SecurityDescriptor $sd -Sid "BA" -Access "GenericRead" -Type Allowed ``` ### Remove ACE ```powershell Remove-NtSecurityDescriptorAce -SecurityDescriptor $sd -Sid "WD" ``` ### Clear DACL (but keep it present) ```powershell Clear-NtSecurityDescriptorDacl -SecurityDescriptor $sd ``` ### Remove DACL entirely ```powershell Remove-NtSecurityDescriptorDacl -SecurityDescriptor $sd ``` ### Copy security descriptor ```powershell $copy = Copy-NtSecurityDescriptor -SecurityDescriptor $sd ``` ### Edit with canonicalization ```powershell Edit-NtSecurityDescriptor -SecurityDescriptor $sd -CanonicalizeDacl ``` ### Map generic to specific access ```powershell Edit-NtSecurityDescriptor -SecurityDescriptor $sd -MapGeneric -Type File ``` ``` -------------------------------- ### Interact with Event Objects Source: https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/blob/main/NtObjectManager/en-US/about_NtObjectManagerProvider.help.txt Retrieve an event object, open a handle to it, trigger the event, and close the handle. 
```powershell
$event = Get-Item NtObjectSession:\Eventname
$event_obj = $event.ToObject()
$event_obj.Set()
$event_obj.Close()
```

--------------------------------

### Get-NtProcess

Source: https://context7.com/googleprojectzero/sandbox-attacksurface-analysis-tools/llms.txt

Retrieves NT process objects from the system with support for filtering and information retrieval.

Description: Retrieves NT process objects from the system. Can filter by process ID, name, command line, or custom script blocks.

Method: PowerShell cmdlet

Parameters:

- **ProcessId** (int) - Optional - Filter by process ID
- **Name** (string) - Optional - Filter by process name
- **ServiceName** (string) - Optional - Get process for a Windows service
- **OpenParent** (switch) - Optional - Open parent process
- **InfoOnly** (switch) - Optional - Retrieve info without opening a handle
- **FilterScript** (scriptblock) - Optional - Custom filter logic

--------------------------------

### Access Registry Keys

Source: https://context7.com/googleprojectzero/sandbox-attacksurface-analysis-tools/llms.txt

Interact with NT registry keys, including listing children and managing values.

```powershell
# Open registry key
$key = Get-NtKey -Path "\Registry\Machine\Software"

# Create new key
$key = New-NtKey -Path "\Registry\Machine\Software\MyApp"

# Get key values
$values = Get-NtKeyValue -Key $key

# Set key value
Set-NtKeyValue -Key $key -Name "Setting" -Value "Hello" -Type String

# Delete key value
Remove-NtKeyValue -Key $key -Name "Setting"

# List child keys
$children = Get-NtKeyChild -Key $key
```

--------------------------------

### Parse RPC Servers

Source: https://context7.com/googleprojectzero/sandbox-attacksurface-analysis-tools/llms.txt

Use Get-RpcServer to parse RPC server information from a service, a DLL with symbol resolution, or include client interfaces.
Serialize and deserialize server data for later use with Set-RpcServer and Get-RpcServer.

```powershell
$servers = Get-RpcServer -ServiceName "RpcSs"
```

```powershell
# PowerShell does not treat backslash as an escape character, so paths use single backslashes
$servers = Get-RpcServer -FullName "C:\Windows\System32\lsasrv.dll" `
    -DbgHelpPath "C:\Debuggers\dbghelp.dll" `
    -SymbolPath "srv*C:\Symbols*https://msdl.microsoft.com/download/symbols"
```

```powershell
$servers = Get-RpcServer -FullName $dll -ParseClients
```

```powershell
Set-RpcServer -Server $servers -Path "rpc_servers.bin"
```

```powershell
$servers = Get-RpcServer -SerializedPath "rpc_servers.bin"
```

```powershell
Format-RpcServer -RpcServer $servers
```

```powershell
Format-RpcServer -RpcServer $servers -RemoveComments -Format Idl
```

--------------------------------

### Filter and Inspect Symbolic Links

Source: https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/blob/main/NtObjectManager/en-US/about_NtObjectManagerProvider.help.txt

Identify symbolic links in a directory and display their target paths.

```powershell
Get-ChildItem NtObject:\Dir | Where-Object IsSymbolicLink -eq $True | Select-Object Name,SymbolicLinkTarget
```

--------------------------------

### Registry Operations

Source: https://context7.com/googleprojectzero/sandbox-attacksurface-analysis-tools/llms.txt

Cmdlets for accessing and manipulating NT registry keys and values.

#### Open registry key

```powershell
$key = Get-NtKey -Path "\Registry\Machine\Software"
```

#### Create new key

```powershell
$key = New-NtKey -Path "\Registry\Machine\Software\MyApp"
```

#### Get key values

```powershell
$values = Get-NtKeyValue -Key $key
```

#### Set key value

```powershell
Set-NtKeyValue -Key $key -Name "Setting" -Value "Hello" -Type String
```

#### Delete key value

```powershell
Remove-NtKeyValue -Key $key -Name "Setting"
```

#### List child keys

```powershell
$children = Get-NtKeyChild -Key $key
```

--------------------------------

### List NT object manager namespace

Source: https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/blob/main/README.txt

Enumerate the contents of the NT object manager namespace using the Get-ChildItem cmdlet.

```powershell
Get-ChildItem NtObject:\
```

--------------------------------

### Retrieve Security Descriptors

Source: https://context7.com/googleprojectzero/sandbox-attacksurface-analysis-tools/llms.txt

Commands to fetch security descriptors from objects, paths, processes, or threads.
```powershell
# Get security descriptor from an object
$sd = Get-NtSecurityDescriptor -Object $fileObj

# Get with specific security information
$sd = Get-NtSecurityDescriptor -Object $obj -SecurityInformation Dacl, Owner, Group

# Get as SDDL string
$sddl = Get-NtSecurityDescriptor -Object $obj -AsSddl
# Returns: "O:SYG:SYD:(A;;GA;;;BA)(A;;GA;;;SY)"

# Get from path
$sd = Get-NtSecurityDescriptor -Path "\BaseNamedObjects\MyMutex"

# Get from file path (requires type hint)
$sd = Get-NtSecurityDescriptor -Path "\??\C:\Windows" -TypeName File

# Get from process ID
$sd = Get-NtSecurityDescriptor -ProcessId 1234

# Get from thread ID
$sd = Get-NtSecurityDescriptor -ThreadId 5678

# Get default named pipe security descriptor
$npSd = Get-NtSecurityDescriptor -NamedPipeDefault
```

--------------------------------

### Manage NT Object Lifecycles

Source: https://context7.com/googleprojectzero/sandbox-attacksurface-analysis-tools/llms.txt

Ensures proper disposal of NT objects using a pattern similar to the C# using statement.

```powershell
# Single object
Use-NtObject($proc = Get-NtProcess -ProcessId 1234) {
    $proc.CommandLine
}

# Multiple objects
Use-NtObject($proc = Get-NtProcess -Current) {
    Use-NtObject($token = Get-NtToken -Process $proc) {
        $token.User
    }
}
```

--------------------------------

### Manage Lifetime in Pipeline with -CloseRoot

Source: https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/blob/main/NtObjectManager/en-US/about_ManagingNtObjectLifetime.help.txt

Demonstrates using the -CloseRoot parameter to automatically close the root object after a new object is created in a pipeline. This is useful when the root object does not need to be kept open.
```powershell
$software_key = Get-NtKey \Registry\Machine\Software | New-NtKey MyKey -CloseRoot
```

--------------------------------

### Open NT Objects

Source: https://context7.com/googleprojectzero/sandbox-attacksurface-analysis-tools/llms.txt

Access NT objects by path, root directory, type, or specific access rights.

```powershell
# Open object by path
$obj = Get-NtObject -Path "\BaseNamedObjects\MyEvent"

# Open with root object
$root = Get-NtDirectory -Path "\BaseNamedObjects"
$obj = Get-NtObject -Path "MyEvent" -Root $root

# Open with specific type
$obj = Get-NtObject -Path "\Device\Null" -TypeName File

# Open with specific access
$obj = Get-NtObject -Path "\BaseNamedObjects\MyMutex" -Access Synchronize
```

--------------------------------

### Create and Retrieve SID Objects

Source: https://context7.com/googleprojectzero/sandbox-attacksurface-analysis-tools/llms.txt

Use Get-NtSid to create and retrieve SID objects from SDDL strings, well-known SIDs, names, service names, capability names, or package names. Test SID properties like integrity, capability, service, and domain.

```powershell
$sid = Get-NtSid -Sddl "S-1-5-21-123-456-789-1001"
```

```powershell
$everyone = Get-NtSid -KnownSid World
$admins = Get-NtSid -KnownSid BuiltinAdministrators
$system = Get-NtSid -KnownSid LocalSystem
```

```powershell
$sid = Get-NtSid -Name "DOMAIN\Username"
$sid = Get-NtSid -Name "Everyone"
```

```powershell
$serviceSid = Get-NtSid -ServiceName "WebClient"
```

```powershell
$capSid = Get-NtSid -CapabilityName "internetClient"
```

```powershell
$pkgSid = Get-NtSid -PackageName "Microsoft.WindowsCalculator_8wekyb3d8bbwe"
```

```powershell
$sid.Authority       # Returns: 5 (NT Authority)
$sid.SubAuthorities  # Returns: [21, 123, 456, 789, 1001]
$sid.Name            # Returns: "DOMAIN\Username"
```

```powershell
Test-NtSid -Sid $sid -Integrity   # Is integrity SID?
Test-NtSid -Sid $sid -Capability  # Is capability SID?
Test-NtSid -Sid $sid -Service     # Is service SID?
Test-NtSid -Sid $sid -Domain      # Is domain SID?
```

--------------------------------

### Test if Process Can Be Opened

Source: https://context7.com/googleprojectzero/sandbox-attacksurface-analysis-tools/llms.txt

Tests whether a process can be opened with specific access rights without actually opening it. Useful for checking permissions before attempting an operation.

```powershell
# Test if process can be opened
$canOpen = Test-NtProcess -ProcessId 1234 -Access DupHandle
```

--------------------------------

### Inspect Object Access Rights

Source: https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/blob/main/NtObjectManager/en-US/about_NtObjectManagerProvider.help.txt

Retrieve the maximum granted access for objects within a specific directory.

```powershell
Get-ChildItem NtObject:\Dir | Select-Object Name,MaximumGrantedAccess
```

--------------------------------

### Get-NtSid

Source: https://context7.com/googleprojectzero/sandbox-attacksurface-analysis-tools/llms.txt

Creates and retrieves SID objects from various sources like SDDL, well-known names, or service names.

Parameters:

- **Sddl** (string) - Optional - SID in SDDL format.
- **KnownSid** (string) - Optional - Well-known SID name.
- **Name** (string) - Optional - Account name.
- **ServiceName** (string) - Optional - Service name.
- **CapabilityName** (string) - Optional - Capability name.
- **PackageName** (string) - Optional - Package name.

--------------------------------

### Set Mitigation Policy for Current Process

Source: https://context7.com/googleprojectzero/sandbox-attacksurface-analysis-tools/llms.txt

Sets a specific security mitigation policy for the current process. Use this to enforce security settings dynamically.
```powershell
# Set mitigation policy (current process)
Set-NtProcessMitigationPolicy -DynamicCode ProhibitDynamicCode
Set-NtProcessMitigationPolicy -Signature MicrosoftSignedOnly
```

--------------------------------

### Use Use-NtObject Without Polluting Namespace

Source: https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/blob/main/NtObjectManager/en-US/about_ManagingNtObjectLifetime.help.txt

Demonstrates using Use-NtObject with a script block that accepts the object as a parameter, avoiding the need to assign the object to a variable that pollutes the current scope. The input object is disposed of upon completion.

```powershell
$pinfo = Use-NtObject (Get-NtProcess) { param($ps); $ps | select Name, CommandLine }
```
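The following is a worked example added here; it is not part of the NtObjectManager documentation above or of the project's own scripts. It ties the "Retrieve Security Descriptors" and "Security Descriptor Creation and Modification" sections together from a defender's side: it walks the objects in `\BaseNamedObjects`, flags DACL entries that grant write-class rights (GENERIC_ALL, GENERIC_WRITE, WRITE_DAC, WRITE_OWNER) to low-privilege well-known groups, and then builds a tightened named-pipe descriptor with the Set-/Add-/Edit- cmdlets from this page and runs the same check against it. It assumes `Import-Module NtObjectManager` has already been run, that the descriptor object returned by `Get-NtSecurityDescriptor` exposes a `Dacl` collection whose entries have `Type`, `Sid` and `Mask` properties, that `Mask.Access` is the raw 32-bit access mask, that `Sid.ToString()` yields the SDDL form and that `SecurityDescriptor.ToSddl()` exists. The function name `Get-BroadWriteAce` and all variable names are the example's own; the access-mask bit values are the standard Windows constants.

```powershell
# Added example (not from the NtObjectManager docs): audit DACLs for write-class grants
# to low-privilege groups, then show a hardened descriptor passing the same check.
# Assumes Import-Module NtObjectManager has already run.

# Standard Windows access-mask bits that let a holder modify the object or its security.
$GENERIC_ALL    = 0x10000000
$GENERIC_WRITE  = 0x40000000
$WRITE_DAC      = 0x00040000
$WRITE_OWNER    = 0x00080000
$BroadWriteMask = $GENERIC_ALL -bor $GENERIC_WRITE -bor $WRITE_DAC -bor $WRITE_OWNER

# Groups whose membership is effectively "any user on the box" (KnownSid names from this page).
# Assumption: Sid.ToString() returns the SDDL form (e.g. S-1-1-0), so string comparison works.
$LowPrivSids = @("World", "AuthenticatedUsers", "BuiltinUsers") |
    ForEach-Object { (Get-NtSid -KnownSid $_).ToString() }

function Get-BroadWriteAce {
    # Returns one record per allow ACE that grants a broad-write bit to a low-privilege group.
    param([Parameter(Mandatory)] $SecurityDescriptor)

    # A NULL DACL means no access check at all: report it as its own finding.
    if ($null -eq $SecurityDescriptor.Dacl) {
        return [pscustomobject]@{ Principal = "(no DACL)"; Mask = "0xFFFFFFFF"; Note = "NULL DACL: unrestricted access" }
    }
    foreach ($ace in $SecurityDescriptor.Dacl) {
        if ($ace.Type -ne "Allowed") { continue }          # deny and audit ACEs are not grants
        $mask = [uint32]$ace.Mask.Access                   # assumption: raw mask lives in .Access
        if (($mask -band $BroadWriteMask) -eq 0) { continue }
        if ($LowPrivSids -notcontains $ace.Sid.ToString()) { continue }
        [pscustomobject]@{
            Principal = $ace.Sid.Name
            Mask      = ("0x{0:X8}" -f $mask)
            Note      = "write-class access granted to a low-privilege group"
        }
    }
}

# 1. Audit: every object in the session-global BaseNamedObjects directory.
$findings = foreach ($entry in Get-ChildItem NtObject:\BaseNamedObjects) {
    try {
        $sd = Get-NtSecurityDescriptor -Path "\BaseNamedObjects\$($entry.Name)" -ErrorAction Stop
    } catch {
        continue   # objects we cannot open for READ_CONTROL are skipped, not guessed at
    }
    foreach ($hit in Get-BroadWriteAce -SecurityDescriptor $sd) {
        $hit | Add-Member -NotePropertyName Object -NotePropertyValue $entry.Name -PassThru
    }
}
$findings | Format-Table Object, Principal, Mask, Note -AutoSize

# 2. Harden: a named-pipe descriptor where only SYSTEM and Administrators may write and
#    Authenticated Users may only read, then confirm the audit above comes back empty.
$sd = New-NtSecurityDescriptor -Type File
Set-NtSecurityDescriptorOwner -SecurityDescriptor $sd -Owner (Get-NtSid -KnownSid LocalSystem)
Set-NtSecurityDescriptorGroup -SecurityDescriptor $sd -Group (Get-NtSid -KnownSid LocalSystem)
Add-NtSecurityDescriptorAce -SecurityDescriptor $sd -Sid "SY" -Access "GenericAll"  -Type Allowed
Add-NtSecurityDescriptorAce -SecurityDescriptor $sd -Sid "BA" -Access "GenericAll"  -Type Allowed
Add-NtSecurityDescriptorAce -SecurityDescriptor $sd -Sid "AU" -Access "GenericRead" -Type Allowed
Edit-NtSecurityDescriptor -SecurityDescriptor $sd -MapGeneric -Type File   # GenericRead -> FILE_GENERIC_READ etc.
Edit-NtSecurityDescriptor -SecurityDescriptor $sd -CanonicalizeDacl
$pipeFindings = @(Get-BroadWriteAce -SecurityDescriptor $sd)
"Hardened pipe descriptor: $($sd.ToSddl()) -> $($pipeFindings.Count) finding(s)"   # assumption: ToSddl() exists
```

The check is deliberately a heuristic: it only looks at the four rights that let a principal change the object or its security, so type-specific write bits (for example the modify-state bit of an event, or a section's write mapping right) are not caught unless they arrive bundled with one of those four. Because the object manager maps generic rights to type-specific ones at creation time, the `-MapGeneric -Type File` step in part 2 matters; without it the Authenticated Users entry would still carry the generic bit and the descriptor would look different from what the kernel actually stores. Objects that cannot be opened for READ_CONTROL are skipped rather than reported, so run the audit from the token whose view you care about.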