šŸ““
Red Team Notes 2.0
  • Introduction
  • Red Team
  • Red Team Techniques
    • Initial Access
      • T1659: Content Injection
      • T1190: Exploit Public-Facing Applications
        • Rejetto HTTP File Server (HFS) 2.3
      • T1133: External Remote Services
        • SMB/Windows Admin Shares
        • RDP Service
      • T1566: Phishing
        • Phishing: Spearphishing via Service
        • Phishing: Spearphishing Link
          • Links: Social Engineering Toolkit
          • Links: Binaries
          • Links: HTA Files
        • Phishing: Spearphishing Attachment
          • Attachments: LNK Files
          • Attachments: SCR Files
          • Attachments: Dynamic Data Exchange
          • Attachments: Macros
          • Attachments: Macros - Linux
          • Attachments: Scripting Files
          • Attachments: Desktop Files
      • T1195: Supply Chain Compromise
        • Compromise Hardware Supply Chain
        • Compromise Software Supply Chain
        • Compromise Software Dependencies and Development Tools
      • T1078: Valid Accounts
        • Local Accounts
        • Domain Accounts
        • Default Accounts
      • T1199: Trusted Relationship
    • Execution
      • T1047:Windows Management Instrumentation
      • T1204: User Execution
        • Malicious File
        • Malicious Link
      • T1569: Service Execution
      • T1053: Scheduled Tasks/Job
        • Shared Modules
        • Scheduled Task
        • At (Windows)
      • T1106: Native API
      • T1559: Inter-Process Communication
        • Dynamic Data Exchange
        • Component Object Model
      • T1203: Exploitation for Client Execution
        • Common Third-Party Applications
        • Office Applications
      • T1059: Command and Scripting Interpreter
        • Network Device CLI
        • JavaScript/JScript
        • Python
        • Visual Basic
        • Unix Shell
        • Windows Command Shell
        • PowerShell
        • AutoHotKey & AutoIT
        • Deploy Container
        • Native API - Linux
    • Persistence
      • T1574: Hijack Execution Flow
        • Service File permissions Weakness
        • Path Interception by Unquoted Path
        • Path Interception by Search Order Hijacking
        • Path Interception by PATH Environment Variable
        • Executable Installer File Permissions Weakness
        • DLL Side-Loading
        • DLL Search Order Hijacking
        • Dynamic Linker Hijacking
      • T1133:External Remote Services
        • SMB/Windows Admin Shares
        • RDP Service
      • T1546:Event Triggered Execution
        • Component Object Model Hijacking
        • PowerShell Profile
        • Application Shimming
        • Accessibility Features
        • Netsh Helper DLL
        • Screensaver
        • Default File Association
        • Unix Shell Configuration Modification
        • Trap
        • Installer Packages
      • T1543:Create or Modify System Process
        • Windows Services
        • Systemd Service
      • T1136: Create Account
        • Domain Account
        • Local Account
      • T1554:Compromise Client Software Binary
      • T1547:Boot or Logon AutoStart Execution
        • Shortcut Modification
        • Winlogon Helper DLL
        • Time Providers
        • Registry Run Keys / Startup Folder
      • T1037: Boot or Logon Initialization Scripts
        • RC Scripts
      • T1197: BITS Jobs
      • T1053: Scheduled Tasks/Job
        • Shared Modules
        • Scheduled Task
        • At (Windows)
        • Cron
        • Systemd Timers
      • T1098: Account Manipulation
        • SSH Authorized Keys
      • T1556: Modify Authentication Process
        • Pluggable Authentication Modules
      • T1653: Power Settingss
      • T1505: Server Software Component
        • WebShell
    • Privilege Escalation
      • T1546:Event Triggered Execution
        • PowerShell Profile
        • Component Object Model Hijacking
        • Application Shimming
        • Accessibility Features
        • Screensaver
        • Default File Association
      • T1574: Hijack Execution Flow
        • Service File permissions Weakness
        • Path Interception by Unquoted Path
        • Path Interception by Search Order Hijacking
        • Path Interception by PATH Environment Variable
        • Executable Installer File Permissions Weakness
        • DLL Side-Loading
        • DLL Search Order Hijacking
      • T1543:Create or Modify System Process
        • Windows Services
      • T1547:Boot or Logon AutoStart Execution
        • Winlogon Helper DLL
        • Shortcut Modification
        • Time Providers
        • Registry Run Keys / Startup Folder
      • T1134: Access Token Manipulation
        • Parent PID Spoofing
        • Make and Impersonate Token
        • Create Process with Token
        • Token Impersonation/Theft
      • T1548: Abuse Elevation Control Mechanism
        • Bypass User Account Control
        • Setuid and Setgid
        • Sudo and Sudo Caching
      • T1611: Escape to Host
    • Defense Evasion
      • T1497: Virtualization/Sandbox Evasion
        • Time Based Evasion
        • User Activity Based Checks
        • System Checks
      • T1550: Use Alternate Authentication Material
        • Pass the Ticket
        • Pass the Hash
      • T1127: Trusted Developer Utilities Proxy Execution
        • MSBuild
      • T1221: Template Injection
      • T1553: Subvert Trust Controls
        • SIP and Trust Provider Hijacking
        • Code Signing
      • T1216: Signed Script Proxy Execution
      • T1218: Signed Binary Proxy Execution
        • Compiled HTML File
        • Control Panel
        • CMSTP
        • InstallUtil
        • MSHTA
        • MSIEXEC
        • ODBCCONF
        • Regsvcs/Regasm
        • Regsvr32
        • Rundll32
        • Verclsid
      • T1055: Process Injection
        • Dynamic-Link Library Injection
        • Portable Execution Injection
        • Thread Execution Hijacking
        • Asynchronous Procedure Call
        • Thread Local Storage
        • Extra Window Memory Injection
        • Process Hollowing
        • Process Doppelganging
      • T0127: Obfuscated Files or Information
        • Binary Padding
        • Software Packing
        • Steganography
        • Compile After Delivery
        • Indicator Removal from Tools
      • T1036: Masquerading
        • Invalid Code Signature
        • Right-to-Left-Override
        • Rename System Utilities
        • Masquerade Task or Service
        • Match Legitimate Name or location
      • T1202: Indirect Command Execution
      • T1562: Impair Defenses
        • Disable or Modify Tools
        • Disable Windows Event Logging
        • Impair Command History Logging
        • Disable or Modify System Firewall
        • Indicator Blocking
      • T1070: Indicator Removal on Host
        • Clear Windows Event Logs
        • Clear Command History
        • File Deletion
        • Network Share Connection Removal
        • TimeStomping
      • T1574: Hijack Execution Flow
        • Path Interception by Unquoted Path
        • Service File permissions Weakness
        • Path Interception by Search Order Hijacking
        • Path Interception by PATH Environment Variable
        • Executable Installer File Permissions Weakness
        • DLL Side-Loading
        • DLL Search Order Hijacking
      • T1564: Hide Artifacts
        • VBA Stomping
        • Run Virtual Instance
        • NTFS File Attributes
        • Hidden Window
        • Hidden Files and Directories
      • T1222: File Directory Permissions Modification
        • Windows File and Directory Permissions Modification
      • T1480: Execution Guardrails
        • Environmental Keyring
      • T1197: BITS Jobs
      • T1134: Access Token Manipulation
        • Parent PID Spoofing
        • Make and Impersonate Token
        • Create Process with Token
        • Token Impersonation/Theft
      • T1548: Abuse Elevation Control Mechanism
        • Bypass User Account Control
      • De-obfuscate/Decode Files or Information
    • Credential Access
      • T1552: Unsecured Credentials
        • Group Policy Preferences
        • Private Keys
        • Credentials in Registry
        • Credentials in Files
      • T1558: Steal or Forge Kerberos Tickets
        • AS-REP Roasting
        • Kerberoasting
        • Silver Ticket
        • Golden Ticket
      • T1003: OS Credential Dumping
        • DCSync
        • Cached Domain Credentials
        • LSA Secrets
        • NTDS
        • Security Account Manager
        • LSASS Memory
      • T1040: Network Sniffing
      • T1556: Modify Authentication Process
        • Password Filter DLL
        • Domain Controller Authentication
      • T1557: Man-in-the-Middle
        • Arp Cache Poisoning
        • LLMNR/NBT-NS Poisoning and SMB Relay
      • T1056: Input Capture
        • Web Portal Capture
        • GUI Input Capture
        • Keylogging
      • T1187: Forced Authentication
      • T1555: Credentials from Password Stores
        • Credentials from Web Browsers
      • T1110: Brute Force
        • Credential Stuffing
        • Password Spraying
        • Password Cracking
        • Password Guessing
    • Discovery
      • T1124: System Time Discovery
      • T1007: System Service Disvcovery
      • T1033: System Owner/User Directory
      • T1049: System Network Connections Discovery
      • T1016: System Network Configuration Discovery
      • T1082: System Information Discovery
      • T1518: Software Discovery
        • Security Software Discovery
      • T1018: Remote System Discovery
      • T1012: Query Registry
      • T1057: Process Discovery
      • T1069: Permissions Groups Discovery
        • Local Groups
        • Domain Groups
      • T1120: Peripheral Device Discovery
      • T1201: Password Policy Discovery
      • T1040: Network Sniffing
      • T1135: Network Share Discovery
      • T1046: Network Servie Scanning
      • T1083: File and Directory Discovery
      • T1486: Domain Trust Discovery
      • T1217: Browser Bookmark Discovery
      • T1010: Application Window Discovery
      • T1087: Account Discovery
        • Domain Account
        • Local Account
    • Lateral Movement
      • T1080: Taint Shared Content
      • T1072: Software Deployment Tools
      • T1021: Remote Services
        • Windows Remote Management
        • VNC
        • Distributed Component Object Model
        • SMB/Windows Admin Shares
        • Remote Desktop Protocol
      • T1563: Remote Service Session Hijacking
        • RDP Hijacking
      • T1570: Lateral Tool Transfer
      • T1534: Internal Spearphishing
      • T1210: Exploitation of Remote Services
      • T1550 Use Alternate Authentication Material
        • Pass the Ticket
        • Pass the Hash
  • Active Directory
    • Active Directory
      • Lightweight Directory Access Protocol
      • Kerberos
      • Forest, Tress and Domains
    • Active Directory Attacks
      • Kerberoasting
      • Unconstrained Delegation
      • Constrained Delegation
      • DCSync
      • Golden Tickets
      • Silver Tickets
      • Skeleton Keys
      • Active Directory Certificate Services
      • NTLMRelay
      • AS-REP Roasting
  • Red Team Infrastructure
    • RED TEAM INFRASTRUCTURE
    • Domain Name and Categorization
    • Reconnaissance
      • Passive
      • Active
    • Weaponization
      • Macros
      • HTA
      • ZIP
      • ISO
    • Delivery
      • Gophish
      • EvilGinx
      • PwnDrop
  • Situational Awareness
    • Covenant and C#
    • Empire and PowerShell
  • Credential Dumping
    • Mimikatz
    • Lsass Dumping
    • SharpChromium
  • Persistence
    • Userland Persistence
    • Elevated Persistence
  • Defense Evasion
    • Disable or Modify Tools
    • Obfuscating Files
  • Privilege Escalation
    • PowerUp
    • PrivescCheck
  • Lateral Movement
    • RDP
    • PowerShell Remoting
  • Files
    • Red Team Guide
Powered by GitBook
On this page

Was this helpful?

  1. Red Team Techniques
  2. Privilege Escalation
  3. T1134: Access Token Manipulation

Make and Impersonate Token

PreviousParent PID SpoofingNextCreate Process with Token

Last updated 4 years ago

Was this helpful?

Adversaries may make and impersonate tokens to escalate privileges and bypass access controls. If an adversary has a username and password but the user is not logged onto the system, the adversary can then create a logon session for the user using the LogonUser function. The function will return a copy of the new session's access token and the adversary can use SetThreadToken to assign the token to a thread.

References:

Private Site
From Kekeo to Rubeus - harmj0yharmj0y
LogoTenable.adTenableĀ®
LogoPrivilege Escalation Abusing TokensHackTricks