PRIMARY PROCESS TOKEN BEFORE ATTACK
This is an unrestricted token
Token type: primary
Token ID: 0x6f57ef
Authentication ID: 0x6e4ad9
Token's owner: MCONOVUSI1\Guest (user)
Token's source: User32 (0x6e4ad5)
Token's user: MCONOVUSI1\Guest (user)
Token's primary group: MCONOVUSI1\None (group)
Default DACL (64 bytes):
  ACE count: 2
  ACE 0:
    Applies to: MCONOVUSI1\Guest (unknown)
    ACE inherited by: not inheritable
    Access permission mask = 0x10000000
    Access mode: grant access
  ACE 1:
    Applies to: NT AUTHORITY\SYSTEM (unknown)
    ACE inherited by: not inheritable
    Access permission mask = 0x10000000
    Access mode: grant access
Token's privileges (2 total):
  SeChangeNotifyPrivilege (0x17) = [enabled by default]
  SeUndockPrivilege (0x19) = [enabled]

Before: running as Guest

PRIMARY PROCESS TOKEN AFTER ATTACK
This is an unrestricted token
Token type: primary
Token ID: 0x6f57ef
Authentication ID: 0x6e4ad9
Token's owner: MCONOVUSI1\Guest (user)
Token's source: User32 (0x6e4ad5)
Token's user: MCONOVUSI1\Guest (user)
Token's primary group: MCONOVUSI1\None (group)
Default DACL (64 bytes):
  ACE count: 2
  ACE 0:
    Applies to: MCONOVUSI1\Guest (unknown)
    ACE inherited by: not inheritable
    Access permission mask = 0x10000000
    Access mode: grant access
  ACE 1:
    Applies to: NT AUTHORITY\SYSTEM (unknown)
    ACE inherited by: not inheritable
    Access permission mask = 0x10000000
    Access mode: grant access
Token's privileges (2 total):
  SeChangeNotifyPrivilege (0x17) = [enabled by default]
  SeUndockPrivilege (0x19) = [enabled]

Enabling SeAssignPrimaryTokenPrivilege (if present)
Enabling SeIncreaseQuotaPrivilege (if present)
Enabling SeCreateTokenPrivilege (if present)
Enabling SeDebugPrivilege (if present)
Enabling SeMachineAccountPrivilege (if present)
Enabling SeSecurityPrivilege (if present)
Enabling SeTakeOwnershipPrivilege (if present)
Enabling SeTcbPrivilege (if present)

After: running as SYSTEM

IMPERSONATION THREAD TOKEN BEFORE PRIVILEGES
This is an unrestricted token
Token type: impersonation
Impersonation level: impersonation
Token ID: 0x6f596a
Authentication ID: 0x3e7
Token's owner: BUILTIN\Administrators (alias)
Token's source: *SYSTEM* (0x0)
Token's user: NT AUTHORITY\SYSTEM (user)
Token's primary group: NT AUTHORITY\SYSTEM (user)
Default DACL (68 bytes):
  ACE count: 2
  ACE 0:
    Applies to: NT AUTHORITY\SYSTEM (unknown)
    ACE inherited by: not inheritable
    Access permission mask = 0x10000000
    Access mode: grant access
  ACE 1:
    Applies to: BUILTIN\Administrators (unknown)
    ACE inherited by: not inheritable
    Access permission mask = 0xa0020000
    Access mode: grant access
Token's privileges (21 total):
  SeTcbPrivilege (0x7) = [enabled by default]
  SeCreateTokenPrivilege (0x2) = [enabled]
  SeTakeOwnershipPrivilege (0x9) = [enabled]
  SeCreatePagefilePrivilege (0xf) = [enabled by default]
  SeLockMemoryPrivilege (0x4) = [enabled by default]
  SeAssignPrimaryTokenPrivilege (0x3) = [enabled]
  SeIncreaseQuotaPrivilege (0x5) = [enabled]
  SeIncreaseBasePriorityPrivilege (0xe) = [enabled by default]
  SeCreatePermanentPrivilege (0x10) = [enabled by default]
  SeDebugPrivilege (0x14) = [enabled by default]
  SeAuditPrivilege (0x15) = [enabled by default]
  SeSecurityPrivilege (0x8) = [enabled]
  SeSystemEnvironmentPrivilege (0x16) = [enabled]
  SeChangeNotifyPrivilege (0x17) = [enabled by default]
  SeBackupPrivilege (0x11) = [enabled]
  SeRestorePrivilege (0x12) = [enabled]
  SeShutdownPrivilege (0x13) = [enabled]
  SeLoadDriverPrivilege (0xa) = [enabled]
  SeProfileSingleProcessPrivilege (0xd) = [enabled by default]
  SeSystemtimePrivilege (0xc) = [enabled]
  SeUndockPrivilege (0x19) = [enabled]

IMPERSONATION THREAD TOKEN AFTER PRIVILEGES
This is an unrestricted token
Token type: impersonation
Impersonation level: impersonation
Token ID: 0x6f596a
Authentication ID: 0x3e7
Token's owner: BUILTIN\Administrators (alias)
Token's source: *SYSTEM* (0x0)
Token's user: NT AUTHORITY\SYSTEM (user)
Token's primary group: NT AUTHORITY\SYSTEM (user)
Default DACL (68 bytes):
  ACE count: 2
  ACE 0:
    Applies to: NT AUTHORITY\SYSTEM (unknown)
    ACE inherited by: not inheritable
    Access permission mask = 0x10000000
    Access mode: grant access
  ACE 1:
    Applies to: BUILTIN\Administrators (unknown)
    ACE inherited by: not inheritable
    Access permission mask = 0xa0020000
    Access mode: grant access
Token's privileges (21 total):
  SeTcbPrivilege (0x7) = [enabled by default]
  SeCreateTokenPrivilege (0x2) = [enabled]
  SeTakeOwnershipPrivilege (0x9) = [enabled]
  SeCreatePagefilePrivilege (0xf) = [enabled by default]
  SeLockMemoryPrivilege (0x4) = [enabled by default]
  SeAssignPrimaryTokenPrivilege (0x3) = [enabled]
  SeIncreaseQuotaPrivilege (0x5) = [enabled]
  SeIncreaseBasePriorityPrivilege (0xe) = [enabled by default]
  SeCreatePermanentPrivilege (0x10) = [enabled by default]
  SeDebugPrivilege (0x14) = [enabled by default]
  SeAuditPrivilege (0x15) = [enabled by default]
  SeSecurityPrivilege (0x8) = [enabled]
  SeSystemEnvironmentPrivilege (0x16) = [enabled]
  SeChangeNotifyPrivilege (0x17) = [enabled by default]
  SeBackupPrivilege (0x11) = [enabled]
  SeRestorePrivilege (0x12) = [enabled]
  SeShutdownPrivilege (0x13) = [enabled]
  SeLoadDriverPrivilege (0xa) = [enabled]
  SeProfileSingleProcessPrivilege (0xd) = [enabled by default]
  SeSystemtimePrivilege (0xc) = [enabled]
  SeUndockPrivilege (0x19) = [enabled]

PRIMARY THREAD TOKEN AFTER ATTACK
This is an unrestricted token
Token type: primary
Token ID: 0x6f5bbf
Authentication ID: 0x3e7
Token's owner: BUILTIN\Administrators (alias)
Token's source: *SYSTEM* (0x0)
Token's user: NT AUTHORITY\SYSTEM (user)
Token's primary group: NT AUTHORITY\SYSTEM (user)
Default DACL (68 bytes):
  ACE count: 2
  ACE 0:
    Applies to: NT AUTHORITY\SYSTEM (unknown)
    ACE inherited by: not inheritable
    Access permission mask = 0x10000000
    Access mode: grant access
  ACE 1:
    Applies to: BUILTIN\Administrators (unknown)
    ACE inherited by: not inheritable
    Access permission mask = 0xa0020000
    Access mode: grant access
Token's privileges (21 total):
  SeTcbPrivilege (0x7) = [enabled by default]
  SeCreateTokenPrivilege (0x2) = [enabled]
  SeTakeOwnershipPrivilege (0x9) = [enabled]
  SeCreatePagefilePrivilege (0xf) = [enabled by default]
  SeLockMemoryPrivilege (0x4) = [enabled by default]
  SeAssignPrimaryTokenPrivilege (0x3) = [enabled]
  SeIncreaseQuotaPrivilege (0x5) = [enabled]
  SeIncreaseBasePriorityPrivilege (0xe) = [enabled by default]
  SeCreatePermanentPrivilege (0x10) = [enabled by default]
  SeDebugPrivilege (0x14) = [enabled by default]
  SeAuditPrivilege (0x15) = [enabled by default]
  SeSecurityPrivilege (0x8) = [enabled]
  SeSystemEnvironmentPrivilege (0x16) = [enabled]
  SeChangeNotifyPrivilege (0x17) = [enabled by default]
  SeBackupPrivilege (0x11) = [enabled]
  SeRestorePrivilege (0x12) = [enabled]
  SeShutdownPrivilege (0x13) = [enabled]
  SeLoadDriverPrivilege (0xa) = [enabled]
  SeProfileSingleProcessPrivilege (0xd) = [enabled by default]
  SeSystemtimePrivilege (0xc) = [enabled]
  SeUndockPrivilege (0x19) = [enabled]

PRIMARY PROCESS TOKEN AFTER ADJUSTING PRIVILEGES
This is an unrestricted token
Token type: primary
Token ID: 0x6f57ef
Authentication ID: 0x6e4ad9
Token's owner: MCONOVUSI1\Guest (user)
Token's source: User32 (0x6e4ad5)
Token's user: MCONOVUSI1\Guest (user)
Token's primary group: MCONOVUSI1\None (group)
Default DACL (64 bytes):
  ACE count: 2
  ACE 0:
    Applies to: MCONOVUSI1\Guest (unknown)
    ACE inherited by: not inheritable
    Access permission mask = 0x10000000
    Access mode: grant access
  ACE 1:
    Applies to: NT AUTHORITY\SYSTEM (unknown)
    ACE inherited by: not inheritable
    Access permission mask = 0x10000000
    Access mode: grant access
Token's privileges (2 total):
  SeChangeNotifyPrivilege (0x17) = [enabled by default]
  SeUndockPrivilege (0x19) = [enabled]
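The dumps above make one point worth checking by hand: the process's own primary token (ID 0x6f57ef, MCONOVUSI1\Guest, two privileges) is identical before the attack, after it, and after the "Enabling ... (if present)" steps. The SYSTEM context comes from a different object, an impersonation token on a thread (ID 0x6f596a, authentication ID 0x3e7) and a primary SYSTEM token in the same logon session (ID 0x6f5bbf). AdjustTokenPrivileges can only enable or disable privileges a token already holds; for a name that is absent it returns success with the last error set to ERROR_NOT_ALL_ASSIGNED (1300), which is why the Guest token still shows only SeChangeNotifyPrivilege and SeUndockPrivilege at the end. The following PowerShell script is an added example, not the page's own code or the code of the tool that produced the dump. It reproduces the user/owner/privilege part of the dump for the current process and tries the same "enable if present" operation by name; the type name TokenNative and the functions Get-TokenSummary and Enable-TokenPrivilege are this example's own, and it assumes it runs on Windows with Add-Type available.

```powershell
# Added example, not from the original page or tool. Windows only.
# P/Invoke surface for OpenProcessToken / LookupPrivilegeValue / AdjustTokenPrivileges.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class TokenNative {
    public const uint TOKEN_QUERY             = 0x0008;
    public const uint TOKEN_ADJUST_PRIVILEGES = 0x0020;
    public const uint SE_PRIVILEGE_ENABLED    = 0x0002;
    public const int  ERROR_NOT_ALL_ASSIGNED  = 1300;
    [StructLayout(LayoutKind.Sequential)]
    public struct LUID { public uint LowPart; public int HighPart; }
    // TOKEN_PRIVILEGES with exactly one LUID_AND_ATTRIBUTES entry (16 bytes, same layout as native).
    [StructLayout(LayoutKind.Sequential)]
    public struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public LUID Luid; public uint Attributes; }
    [DllImport("kernel32.dll")] public static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError = true)] public static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool LookupPrivilegeValue(string system, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll,
        ref TOKEN_PRIVILEGES newState, uint len, IntPtr prev, IntPtr retLen);
}
"@

# User, owner, impersonation level and privilege list of the current process token,
# the same fields the dump above prints. whoami /priv lists every privilege the
# token holds, enabled or not, which is what "(N total)" counts.
function Get-TokenSummary {
    $id    = [Security.Principal.WindowsIdentity]::GetCurrent()
    $privs = @(whoami /priv /fo csv | ConvertFrom-Csv)
    [pscustomobject]@{
        User               = $id.Name
        Owner              = $id.Owner.Translate([Security.Principal.NTAccount]).Value
        ImpersonationLevel = $id.ImpersonationLevel
        IsSystem           = $id.IsSystem
        PrivilegeCount     = $privs.Count
        Privileges         = $privs | ForEach-Object { '{0} = [{1}]' -f $_.'Privilege Name', $_.State }
    }
}

# "Enable X (if present)": returns 'enabled', 'not present in token', or an error code.
function Enable-TokenPrivilege {
    param([Parameter(Mandatory)][string]$Name)
    $hToken = [IntPtr]::Zero
    $access = [TokenNative]::TOKEN_QUERY -bor [TokenNative]::TOKEN_ADJUST_PRIVILEGES
    if (-not [TokenNative]::OpenProcessToken([TokenNative]::GetCurrentProcess(), $access, [ref]$hToken)) {
        throw "OpenProcessToken failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try {
        $luid = New-Object TokenNative+LUID
        if (-not [TokenNative]::LookupPrivilegeValue($null, $Name, [ref]$luid)) {
            throw "LookupPrivilegeValue('$Name') failed: unknown privilege name"
        }
        $tp = New-Object TokenNative+TOKEN_PRIVILEGES
        $tp.PrivilegeCount = 1
        $tp.Luid           = $luid
        $tp.Attributes     = [TokenNative]::SE_PRIVILEGE_ENABLED
        $ok  = [TokenNative]::AdjustTokenPrivileges($hToken, $false, [ref]$tp, 0, [IntPtr]::Zero, [IntPtr]::Zero)
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        # The return value alone is misleading: the call reports TRUE even when it
        # changed nothing. Only GetLastError distinguishes "enabled" from "not held".
        if ($ok -and $err -eq 0) { return 'enabled' }
        if ($err -eq [TokenNative]::ERROR_NOT_ALL_ASSIGNED) { return 'not present in token' }
        return "error $err"
    } finally {
        [void][TokenNative]::CloseHandle($hToken)
    }
}

# Usage: dump the current token, then try the same names the attack tool tries.
Get-TokenSummary | Format-List
foreach ($p in 'SeAssignPrimaryTokenPrivilege','SeIncreaseQuotaPrivilege','SeCreateTokenPrivilege',
                'SeDebugPrivilege','SeMachineAccountPrivilege','SeSecurityPrivilege',
                'SeTakeOwnershipPrivilege','SeTcbPrivilege','SeChangeNotifyPrivilege') {
    '{0,-32} {1}' -f $p, (Enable-TokenPrivilege -Name $p)
}
```

Run from a low-privilege account such as the Guest logon in the dump, every name in the tool's list comes back "not present in token" and only SeChangeNotifyPrivilege reports "enabled"; run from a SYSTEM or elevated administrator context, the same calls succeed. The comparison is the practical check for the claim the dump makes: privilege adjustment never raises a token, so a process that goes from Guest to SYSTEM did so by acquiring a different token, not by changing its own.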