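--- a/docs/_docs/user-guide/eldritch.md
+++ b/docs/_docs/user-guide/eldritch.md
@@ -1628,6 +1628,56 @@ sys.shell("ls /nofile")
 }
 ```
 
+### sys.tokens
+
+`sys.tokens(pid: Option<int>) -> List<Dict>`
+
+The **sys.tokens** method lists tokens. With no arguments, returns all tokens in the global store. With a PID, returns the process token info including user and privileges.
+
+**Stored tokens** (no args): Each dict has `active` (bool), `id` (int), `source` (str).
+
+**Process tokens** (with pid): Each dict has `user` (str, e.g. `"CORP\\admin"`), `pid` (int), `privileges` (list of `"PrivilegeName=enabled|disabled"`).
+
+```python
+$> sys.tokens()
+
+| active | id | source |
+| ------ | -- | ------------------- |
+| True | 1 | impersonate:pid:700 |
+
+$> pprint(sys.tokens(pid=700))
+
+[
+{
+"pid": 700,
+"privileges": [
+"SeAssignPrimaryTokenPrivilege=disabled",
+"SeIncreaseQuotaPrivilege=disabled",
+"SeTcbPrivilege=enabled",
+"SeSecurityPrivilege=disabled",
+"SeTakeOwnershipPrivilege=disabled",
+"SeLoadDriverPrivilege=disabled",
+"SeProfileSingleProcessPrivilege=enabled",
+"SeIncreaseBasePriorityPrivilege=enabled",
+"SeCreatePermanentPrivilege=enabled",
+"SeBackupPrivilege=disabled",
+"SeRestorePrivilege=disabled",
+"SeShutdownPrivilege=disabled",
+"SeDebugPrivilege=enabled",
+"SeAuditPrivilege=enabled",
+"SeSystemEnvironmentPrivilege=disabled",
+"SeChangeNotifyPrivilege=enabled",
+"SeUndockPrivilege=disabled",
+"SeManageVolumePrivilege=disabled",
+"SeImpersonatePrivilege=enabled",
+"SeCreateGlobalPrivilege=enabled",
+"SeTrustedCredManAccessPrivilege=disabled"
+],
+"user": "NT AUTHORITY\\SYSTEM"
+}
+]
+```
+
 ### sys.write_reg
 
 `sys.write_reg(path: str, regname: str, regtype: str, regvalue: any) -> Bool`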
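--- a/implants/lib/eldritch/stdlib/eldritch-libsys/src/fake.rs
+++ b/implants/lib/eldritch/stdlib/eldritch-libsys/src/fake.rs
@@ -113,6 +113,17 @@ impl SysLibrary for SysLibraryFake {
 Ok(map)
 }
 
+fn tokens(&self, _pid: Option<i64>) -> Result<Vec<BTreeMap<String, Value>>, String> {
+let mut entry = BTreeMap::new();
+entry.insert("id".into(), Value::Int(1));
+entry.insert(
+"source".into(),
+Value::String("impersonate:explorer.exe".into()),
+);
+entry.insert("active".into(), Value::Bool(true));
+Ok(vec![entry])
+}
+
 fn write_reg(
 &self,
 _path: String,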
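Review bot: The fake ignores its `_pid` argument and always returns the stored-token shape (`active`, `id`, `source`), so a caller that passes a PID gets a dict without the `user`/`pid`/`privileges` keys the trait documents for that case, and tests written against the fake cannot exercise the process-token path at all. Consider branching on `pid` and returning a single `{pid, user, privileges}` entry when it is `Some`, as sketched below. The `source` value `impersonate:explorer.exe` also differs in format from the `impersonate:pid:700` shown in the user-guide example in this same PR; if the real implementation settles on one format, the fake should presumably match it so documentation examples stay checkable. The enclosing `impl SysLibrary for SysLibraryFake` starts outside the hunk.
```rust
fn tokens(&self, pid: Option<i64>) -> Result<Vec<BTreeMap<String, Value>>, String> {
    let mut entry = BTreeMap::new();
    if let Some(pid) = pid {
        // Process-token shape documented on the trait: {user, pid, privileges}.
        entry.insert("pid".into(), Value::Int(pid));
        entry.insert("user".into(), Value::String("FAKE\\user".into())); // constructed sample value
        // TODO(review): insert "privileges" using the Value variant this crate uses for lists.
        return Ok(vec![entry]);
    }
    // … unchanged: stored-token entry (id, source, active) …
    Ok(vec![entry])
}
```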
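--- a/implants/lib/eldritch/stdlib/eldritch-libsys/src/lib.rs
+++ b/implants/lib/eldritch/stdlib/eldritch-libsys/src/lib.rs
@@ -179,6 +179,20 @@ pub trait SysLibrary {
 /// - `Dict`: Output containing `stdout`, `stderr`, and `status`.
 fn shell(&self, cmd: String) -> Result<BTreeMap<String, Value>, String>;
 
+#[eldritch_method]
+/// Lists tokens in the global store, or enumerates a process token.
+///
+/// With no arguments, returns all stored tokens from global token store calls.
+/// With a PID, returns the process token info including user and privileges.
+///
+/// **Parameters**
+/// - `pid` (`Option<int>`): Process ID to query, or None for stored tokens.
+///
+/// **Returns**
+/// - `List<Dict>`: Token info. Stored: `{active, id, source}`.
+/// Process: `{user, pid, privileges}`.
+fn tokens(&self, pid: Option<i64>) -> Result<Vec<BTreeMap<String, Value>>, String>;
+
 #[eldritch_method]
 /// Writes a value to the Windows Registry.
 ///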
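Review bot: The new doc comment on `tokens` never says when the call returns `Err`, even though its return type is `Result<_, String>` and the caller-facing contract is otherwise spelled out in detail. Add an **Errors** section stating what the implementation rejects — at least a `pid` that does not name a running process or whose token cannot be opened by the current process, and, since the privilege names this PR documents are Windows-specific, presumably any non-Windows host; confirm the exact behaviour against `tokens_impl` before wording it. It is also worth stating how a negative `pid` (the type is `i64`, so it is representable) is handled, since it is never a valid process ID. The enclosing `pub trait SysLibrary` starts and ends outside the hunk.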
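--- a/implants/lib/eldritch/stdlib/eldritch-libsys/src/std.rs
+++ b/implants/lib/eldritch/stdlib/eldritch-libsys/src/std.rs
@@ -22,6 +22,7 @@ mod is_windows_impl;
 mod list_users_impl;
 mod reg_utils;
 mod shell_impl;
+pub mod tokens_impl;
 mod write_reg_impl;
 
 #[derive(Debug)]
@@ -108,6 +109,10 @@ impl SysLibrary for StdSysLibrary {
 shell_impl::shell(cmd).map_err(|e| e.to_string())
 }
 
+fn tokens(&self, pid: Option<i64>) -> Result<Vec<BTreeMap<String, Value>>, String> {
+tokens_impl::tokens(pid)
+}
+
 fn write_reg(
 &self,
 path: String,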
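Review bot: `pub mod tokens_impl;` in the first hunk is the only public module in the list; `list_users_impl`, `reg_utils`, `shell_impl` and `write_reg_impl` are all private, so the wider visibility reads as either an oversight or an undocumented cross-module dependency. If another module genuinely needs to reach into `tokens_impl` (for example a shared token store used by other methods), a one-line comment such as `// pub: the token store in tokens_impl is shared with other sys methods` would justify it; otherwise `mod tokens_impl;` keeps it consistent with its siblings and keeps the implementation surface private. In the second hunk, `tokens_impl::tokens(pid)` is returned without the `.map_err(|e| e.to_string())` that `shell` uses, which is fine only if `tokens_impl::tokens` already returns `Result<_, String>` — worth confirming so the two delegations do not diverge in error type by accident. The enclosing `impl SysLibrary for StdSysLibrary` starts and ends outside the hunk.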