Make and Impersonate Token

Adversaries may make and impersonate tokens to escalate privileges and bypass access controls. If an adversary has a username and password but the user is not logged onto the system, the adversary can then create a logon session for the user using the LogonUser function. The function will return a copy of the new session's access token and the adversary can use SetThreadToken to assign the token to a thread.

References:

Private Site

From Kekeo to Rubeus - harmj0yharmj0y

Tenable.adTenable®

Privilege Escalation Abusing TokensHackTricks

PreviousParent PID Spoofing NextCreate Process with Token

Last updated 3 years ago