⚙️ A Few Ways to Get TrustedInstaller Privileges
GetTrustedInstaller
Runs an executable with TrustedInstaller permissions under the SYSTEM account.
https://github.com/rara64/GetTrustedInstaller
NtObjectManager
This module adds a provider and cmdlets to access the NT object manager namespace.
Example: apply a TrustedInstaller impersonation token to the current PowerShell process. Run this from an elevated (Administrator) PowerShell; a non-elevated session cannot open the TrustedInstaller service process or impersonate its SYSTEM token.
https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/tree/main/NtObjectManager
# Install the module from the PowerShell Gallery (one-time step).
Install-Module -Name NtObjectManager -Confirm:$false
# TrustedInstaller.exe only exists while the service is running; (re)start it.
Restart-Service TrustedInstaller
# Locate the service process and grab its primary token (SYSTEM + NT SERVICE\TrustedInstaller group).
$procId = (Get-Process TrustedInstaller).Id
$token = Get-NtTokenFromProcess -ProcessId $procId
# Impersonate that token on the current thread. Keep $ctx alive: disposing it reverts to self.
$current = Get-NtThread -Current -PseudoHandle
$ctx = $current.Impersonate($token)
# Verify: the impersonation token's groups should now include NT SERVICE\TrustedInstaller.
$impToken = Get-NtToken -Impersonation
$impToken.Groups
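Thread impersonation only affects the current PowerShell thread, so anything that runs on another thread or in a child process does not get TrustedInstaller. The following added example (not from the original post or from either linked project) uses the same NtObjectManager module to spawn a full process as TrustedInstaller instead, by parent-process spoofing: a child created with TrustedInstaller.exe as its parent inherits that process's primary token. The variable names ($tiProc, $newProc, $childToken) and the choice of cmd.exe as payload are this example's own; the cmdlets are NtObjectManager's. Run it from an elevated (Administrator) PowerShell.

```powershell
# Added example: spawn cmd.exe as SYSTEM with the NT SERVICE\TrustedInstaller group
# via parent-process spoofing with NtObjectManager. Not code from the original post.
Import-Module NtObjectManager

# The service process exists only while the service runs.
Start-Service TrustedInstaller
$tiProc = Get-NtProcess -Name TrustedInstaller.exe

# Create the child with TrustedInstaller.exe as its parent (PROC_THREAD_ATTRIBUTE_PARENT_PROCESS).
# The child inherits the parent's primary token, so no token duplication is needed.
$newProc = New-Win32Process -CommandLine 'cmd.exe' -CreationFlags NewConsole -ParentProcess $tiProc

# Check: read the child's primary token and list its groups; the
# NT SERVICE\TrustedInstaller entry should be present (same check as $impToken.Groups above).
$childToken = Get-NtToken -Primary -Process $newProc.Process
$childToken.Groups

# Alternatively, in the new console window run:  whoami /groups
</test>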
#localsystem #trustedinstaller