From 1bd9d105aa8fffe3b7566c03f0dd25c19042a313 Mon Sep 17 00:00:00 2001
From: rabbitstack
Date: Wed, 9 Jul 2025 20:06:48 +0200
Subject: [PATCH] tests(ps): Verify process token retrieval from OS

---
 pkg/ps/snapshotter_windows.go | 8 +++++---
 pkg/ps/snapshotter_windows_test.go | 23 +++++++++++++++++++++++
 2 files changed, 28 insertions(+), 3 deletions(-)

diff --git a/pkg/ps/snapshotter_windows.go b/pkg/ps/snapshotter_windows.go
index e2576efca..0656076c6 100644
--- a/pkg/ps/snapshotter_windows.go
+++ b/pkg/ps/snapshotter_windows.go
@@ -628,9 +628,11 @@ func (s *snapshotter) Find(pid uint32) (bool, *pstypes.PS) {
 }
 // get process token attributes
- var token windows.Token
- var tokenUser *windows.Tokenuser
- var tokenMandatoryLabel *windows.Tokenmandatorylabel
+ var (
+ token windows.Token
+ tokenUser *windows.Tokenuser
+ tokenMandatoryLabel *windows.Tokenmandatorylabel
+ )
 err = windows.OpenProcessToken(process, windows.TOKEN_QUERY, &token)
 if err != nil {
diff --git a/pkg/ps/snapshotter_windows_test.go b/pkg/ps/snapshotter_windows_test.go
index 0a767fd7e..ca4176969 100644
--- a/pkg/ps/snapshotter_windows_test.go
+++ b/pkg/ps/snapshotter_windows_test.go
@@ -295,6 +295,29 @@ func TestWriteInternalEventsEnrichment(t *testing.T) {
 assert.Equal(t, uint32(1), proc.SessionID)
 },
 },
+ {"consult process token integrity level from OS",
+ []*event.Event{
+ {
+ Type: event.CreateProcess,
+ Params: event.Params{
+ params.ProcessID: {Name: params.ProcessID, Type: params.PID, Value: uint32(os.Getpid())},
+ params.ProcessParentID: {Name: params.ProcessParentID, Type: params.PID, Value: uint32(444)},
+ params.Exe: {Name: params.Exe, Type: params.UnicodeString, Value: `svchost.exe`},
+ params.Cmdline: {Name: params.Cmdline, Type: params.UnicodeString, Value: `svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService`},
+ params.UserSID: {Name: params.UserSID, Type: params.WbemSID, Value: []byte{224, 8, 226, 31, 15, 167, 255, 255, 0, 0, 0, 0, 15, 167, 255, 255, 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0}},
+ params.SessionID: {Name: params.SessionID, Type: params.Uint32, Value: uint32(1)},
+ params.ProcessFlags: {Name: params.ProcessFlags, Type: params.Flags, Value: uint32(0x00000010)},
+ },
+ },
+ },
+ NewSnapshotter(hsnap, &config.Config{}),
+ func(t *testing.T, psnap Snapshotter) {
+ ok, proc := psnap.Find(uint32(os.Getpid()))
+ assert.True(t, ok)
+ assert.Equal(t, "HIGH", proc.TokenIntegrityLevel)
+ assert.Equal(t, true, proc.IsTokenElevated)
+ },
+ },
 }
 for _, tt := range tests {
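Review bot: The new case hardcodes `"HIGH"` for `proc.TokenIntegrityLevel` and `true` for `proc.IsTokenElevated`, but the process being looked up is the test runner itself (`os.Getpid()`), so these assertions encode the privilege level of whoever runs `go test` rather than the behaviour of `Find`; in a non-elevated developer shell or CI agent the token is medium integrity and the test fails for reasons unrelated to the snapshotter. Derive the expectation from the live token instead, e.g. `tok := windows.GetCurrentProcessToken()` followed by `assert.Equal(t, tok.IsElevated(), proc.IsTokenElevated)`, and gate the integrity-level assertion on `tok.IsElevated()` (or `t.Skip` when not elevated) so the test still verifies the OS lookup path without assuming an admin session; the test file's import block is outside this hunk, so `golang.org/x/sys/windows` may need adding. Minor style point: `assert.Equal(t, true, proc.IsTokenElevated)` reads better as `assert.True(t, proc.IsTokenElevated)`. The enclosing `tests` table and `TestWriteInternalEventsEnrichment` begin before this hunk.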