Standalone tool to explore the security model of Windows and its NT kernel. Use it to introspect privilege assignments and access right assignments, enumerate attack surfaces from the point of view of a sandboxed process, etc.
ntsec.exe [options] <operations>
Operations are processed from commandline from left to right, or in --interactive mode.
Some operations might fail because you lack some privileges, in which case you will be prompted
to confirm an elevation operation, if one is deemed possible. To avoid hanging indefinitely in
case user interaction is impossible, use `-n`.
Supported object types: ALPC port, object directory, event, file (file, directory, named pipe),
minifilter port, job, keyed event, memory partition, mutant, process, registry key, section,
semaphore, service, session, object symbolic link, and thread.
At startup, the calling process is selected. To select a target:
--nt <nt_path> any NT object, by absolute NT path
--alpc <nt_path> ALPC connection port, by absolute NT path
--directory <nt_path> object directory, by absolute NT path
--event <nt_path> event object, by absolute NT path
-f --file <nt_path>|<win32_path> file or directory object, by NT or Win32 path
--fltport <nt_path> filter connection port object, by absolute NT path
--job <nt_path> job object, by absolute NT path
--keyedevent <nt_path> keyed event object, by absolute NT path
--partition <nt_path> memory partition object, by absolute NT path
--mutant <nt_path> mutant object, by absolute NT path
--namedpipe <nt_path>|<name> named pipe file, by absolute NT path or name
-p --process <pid>|<name>|current|caller process, by .exe name or id
-r --regkey <nt_path>|<win32_path> registry key, by NT or Win32 path
--section <nt_path> section object, by absolute NT path
--semaphore <nt_path> semaphore object, by absolute NT path
-s --service <name> Windows service, by short name
--session <nt_path> session object, by absolute NT path
--symlink <nt_path> symbolic link object, by absolute NT path
-t --thread <tid>|current thread, by id or 'current'
--timer <nt_path> timer object, by absolute NT path
Generic operations for all types:
--sddl [new_sddl] show (or replace) the security descriptor, as a SDDL string
--sd show the security descriptor, as full text
Operations on processes:
--open-token select the process' primary token
--list-mitigations display status of each process mitigation policy
--list-handles list all open handles, their target and permissions
--list-memmap list all memory mappings and their permissions
Operations on threads:
--open-token select the thread' impersonation token, if any
Operations on access tokens:
--list-sids lists all SIDs held and their attributes
--list-privs lists all privileges held and their status
--show-token display user, groups, integrity, privileges, etc.
-e --enable-priv <name> enable a disabled privilege (use * as wildcard)
-d --disable-priv <name> disable an enabled privilege (use * as wildcard)
--remove-priv <name> remove a privilege entirely (cannot be undone, use * as wildcard)
--assign <tid> set the given thread's impersonation token to be the selected token
--impersonate impersonate the selected token for operations that follow
(requires SeImpersonatePrivilege)
--stop-impersonating stop impersonating for operations that follow
-x --execute <cmd> create a process holding a copy of the selected token (requires an opened
process with PROCESS_CREATE_PROCESS rights, or SeAssignPrimaryTokenPrivilege)
Enumerate accessible objects (optionally on which we have a specific access right, or another criteria)
Takes privileges/open handles into account. Doesn't select objects, use while impersonating a token:
--processes-with [access_right]|[sid]|[privilege]
--threads-with [access_right]|[sid]|[privilege]
--regkeys-with [access_right]
--files-with [access_right]
--ntobjs-with [access_right]
--services-with [access_right]
--anything-with [access_right]
Options:
-i --interactive pop an interactive pseudo-shell
-y --yes don't prompt for consent, assume yes
-n --no don't prompt for consent, assume no
-v --verbose increase verbosity (can be repeated)
-h --help display this help text
-V --version display the current version
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent