Red Team Notes 2.0

Make and Impersonate Token

Adversaries may make and impersonate tokens to escalate privileges and bypass access controls. If an adversary has a username and password but the user is not logged onto the system, the adversary can then create a logon session for the user using the LogonUser function. The function will return a copy of the new session's access token and the adversary can use SetThreadToken to assign the token to a thread.
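From the detection side, a LogonUser call with supplied credentials typically leaves a pair of Windows Security events: 4648 (logon attempted using explicit credentials) and 4624 (successful logon) with logon process `Advapi`. The following is an added example, not part of the original page; the events are constructed, the allowlist is hypothetical, and it assumes events have already been parsed into dictionaries keyed by the standard EventData field names.

```python
from datetime import datetime, timedelta

# Hypothetical allowlist: binaries expected to call LogonUser on this host.
EXPECTED_CALLERS = {r"c:\windows\system32\inetsrv\w3wp.exe"}
WINDOW = timedelta(seconds=5)

def ev(eid, time, subj, subj_lid, target, pid, proc, **extra):
    """Build one constructed, already-parsed Security event record."""
    return {"EventID": eid, "Time": datetime.fromisoformat(time),
            "SubjectUserName": subj, "SubjectLogonId": subj_lid,
            "TargetUserName": target, "ProcessId": pid, "ProcessName": proc, **extra}

# Constructed sample events, not real telemetry.
TOOL = r"C:\Users\alice\AppData\Local\Temp\tool.exe"
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
EVENTS = [
    ev(4648, "2024-01-10T09:15:02", "alice", "0x3e5a1", "svc_backup", "0x1a2c", TOOL),
    ev(4624, "2024-01-10T09:15:02", "alice", "0x3e5a1", "svc_backup", "0x1a2c", TOOL,
       LogonType=2, LogonProcessName="Advapi  ", TargetLogonId="0x8f2b10"),
    ev(4648, "2024-01-10T09:20:11", "WEB01$", "0x3e7", "bob", "0xb44", W3WP),
    ev(4624, "2024-01-10T09:20:11", "WEB01$", "0x3e7", "bob", "0xb44", W3WP,
       LogonType=8, LogonProcessName="Advapi  ", TargetLogonId="0x8f4c22"),
    ev(4624, "2024-01-10T09:21:40", "-", "0x0", "carol", "0x0", "-",
       LogonType=3, LogonProcessName="NtLmSsp ", TargetLogonId="0x8f5d33"),
]

def find_explicit_logons(events, expected=EXPECTED_CALLERS, window=WINDOW):
    """Pair each 4648 from an unexpected process with the Advapi 4624 it produced."""
    advapi = [e for e in events if e["EventID"] == 4624
              and e["LogonProcessName"].strip().lower() == "advapi"]
    findings = []
    for x in (e for e in events if e["EventID"] == 4648):
        if x["ProcessName"].lower() in expected:
            continue  # known, expected caller of LogonUser
        if x["SubjectUserName"].lower() == x["TargetUserName"].lower():
            continue  # caller re-authenticating as itself
        for l in advapi:
            same_caller = ((l["SubjectLogonId"], l["ProcessId"])
                           == (x["SubjectLogonId"], x["ProcessId"]))
            if same_caller and abs(l["Time"] - x["Time"]) <= window:
                findings.append({"caller": x["SubjectUserName"], "process": x["ProcessName"],
                                 "account": x["TargetUserName"], "logon_type": l["LogonType"],
                                 "new_logon_id": l["TargetLogonId"]})
    return findings

if __name__ == "__main__":
    for f in find_explicit_logons(EVENTS):
        print(f)
```

The `new_logon_id` in each finding identifies the newly created logon session, which is the value to pivot on in later events that record a logon ID.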