Operator On The Wire

getsids

Walks each process token and lists the security identifiers (SIDs) it holds.

Usage

  • Token privilege abuse
  • Unexpected SYSTEM token

Commands

# List SIDs for processes (Vol2)
vol.py -f <mem> --profile=<profile> getsids -p <PID>

# List SIDs for processes (Vol3)
python3 vol.py -f <mem> windows.getsids --pid <PID>
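Added example (not part of the original entry or of Volatility): a small triage script for the "Unexpected SYSTEM token" case above. It parses Vol2-style getsids lines ("<process> (<pid>): <SID> (<label>)", assumed format), groups SIDs per process, and flags processes that normally run in the user's context but whose token carries the SYSTEM SID. The process baseline and the sample output are constructed for the example.

```python
import re

LOCAL_SYSTEM = "S-1-5-18"          # well-known SID for NT AUTHORITY\SYSTEM
BUILTIN_ADMINS = "S-1-5-32-544"    # well-known SID for BUILTIN\Administrators

# Processes that normally run under the logged-on user's token. A SYSTEM SID on
# one of these is the "Unexpected SYSTEM token" case. This baseline is an
# assumption for the example, not a complete or authoritative list.
USER_CONTEXT_PROCESSES = {"explorer.exe", "chrome.exe", "winword.exe", "notepad.exe"}

# Assumed Vol2 getsids line format: "<process> (<pid>): <SID> (<label>)"
LINE_RE = re.compile(
    r"^(?P<proc>\S+) \((?P<pid>\d+)\): (?P<sid>S-1-[\d-]+)(?: \((?P<label>[^)]*)\))?\s*$"
)

# Constructed sample output; not taken from a real memory image.
SAMPLE_OUTPUT = """\
System (4): S-1-5-18 (Local System)
System (4): S-1-5-32-544 (Administrators)
explorer.exe (1820): S-1-5-21-1111-2222-3333-1001
explorer.exe (1820): S-1-5-32-545 (Users)
notepad.exe (4412): S-1-5-18 (Local System)
notepad.exe (4412): S-1-5-32-544 (Administrators)
"""


def parse_getsids(text):
    """Group SIDs by (pid, process name); lines that do not match are skipped."""
    procs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            key = (int(m["pid"]), m["proc"])
            procs.setdefault(key, []).append(m["sid"])
    return procs


def unexpected_system_tokens(procs):
    """(pid, name) for user-context processes whose token carries the SYSTEM SID."""
    return sorted(
        key for key, sids in procs.items()
        if key[1].lower() in USER_CONTEXT_PROCESSES and LOCAL_SYSTEM in sids
    )


if __name__ == "__main__":
    for pid, name in unexpected_system_tokens(parse_getsids(SAMPLE_OUTPUT)):
        print(f"review: {name} (PID {pid}) holds {LOCAL_SYSTEM}")
```

Feed it the saved output of the Vol2 command above instead of SAMPLE_OUTPUT; a hit is a lead for a closer look at the process's parent, image path and handles, not a verdict on its own.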