Make and Impersonate Token

Adversaries may make and impersonate tokens to escalate privileges and bypass access controls. If an adversary has a username and password but the user is not logged onto the system, the adversary can then create a logon session for the user using the LogonUser function. The function will return a copy of the new session's access token and the adversary can use SetThreadToken to assign the token to a thread.
References:
Private Site
From Kekeo to Rubeus - harmj0y
harmj0y
Tenable.ad
Tenable®
Privilege Escalation Abusing Tokens
HackTricks

Parent PID Spoofing

Create Process with Token

Last modified 2yr ago