# Make and Impersonate Token

Adversaries may make and impersonate tokens to escalate privileges and bypass access controls. If an adversary has a username and password but the user is not logged onto the system, the adversary can then create a logon session for the user using the `LogonUser` function. The function will return a copy of the new session's access token and the adversary can use `SetThreadToken` to assign the token to a thread.
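The following added example is not part of the original page. It shows how the logon session created by `LogonUser` can be surfaced from Windows Security logs, by pairing Event ID 4648 (a logon attempted with explicit credentials) with the Event ID 4624 logon recorded under the `Advapi` logon process. The event records, the simplified field set, the allowlist and the time window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Assumed allowlist: binaries expected to log accounts on with explicit credentials.
EXPECTED_CALLERS = {r"c:\windows\system32\svchost.exe"}
WINDOW = timedelta(seconds=5)  # assumed correlation window

# Constructed sample records (simplified Security log fields, not real data).
EVENTS = [
    {"EventID": 4648, "Time": "2024-05-01T10:00:00", "Host": "WS01",
     "SubjectUserName": "alice", "TargetUserName": "svc_backup",
     "ProcessName": r"C:\Users\alice\AppData\Local\Temp\tool.exe"},
    {"EventID": 4624, "Time": "2024-05-01T10:00:01", "Host": "WS01",
     "TargetUserName": "svc_backup", "LogonType": 9, "LogonProcessName": "Advapi  "},
    {"EventID": 4648, "Time": "2024-05-01T11:00:00", "Host": "WS02",
     "SubjectUserName": "WS02$", "TargetUserName": "svc_task",
     "ProcessName": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 4624, "Time": "2024-05-01T11:00:00", "Host": "WS02",
     "TargetUserName": "svc_task", "LogonType": 4, "LogonProcessName": "Advapi  "},
    {"EventID": 4624, "Time": "2024-05-01T12:00:00", "Host": "WS01",
     "TargetUserName": "bob", "LogonType": 2, "LogonProcessName": "User32 "},
]

def _same(a, b):
    return a.lower() == b.lower()

def find_made_tokens(events, window=WINDOW):
    """Pair each 4648 from an unexpected process with the 4624 API logon it produced."""
    api_logons = [e for e in events if e["EventID"] == 4624
                  and _same(e["LogonProcessName"].strip(), "advapi")]
    alerts = []
    for ev in (e for e in events if e["EventID"] == 4648):
        if _same(ev["SubjectUserName"], ev["TargetUserName"]):
            continue  # no change of identity
        if ev["ProcessName"].lower() in EXPECTED_CALLERS:
            continue  # expected caller, e.g. the Task Scheduler service host
        t0 = datetime.fromisoformat(ev["Time"])
        for lg in api_logons:
            if (lg["Host"] == ev["Host"] and _same(lg["TargetUserName"], ev["TargetUserName"])
                    and abs(datetime.fromisoformat(lg["Time"]) - t0) <= window):
                alerts.append({"host": ev["Host"], "caller": ev["SubjectUserName"],
                               "target": ev["TargetUserName"], "process": ev["ProcessName"],
                               "logon_type": lg["LogonType"]})
                break
    return alerts

if __name__ == "__main__":
    for alert in find_made_tokens(EVENTS):
        print(alert)
```

Logon type 9 (NewCredentials) in an alert means the new session keeps the caller's local identity and applies the supplied credentials only to outbound network connections, so the follow-up triage belongs on remote systems the account can reach.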

References:

{% embed url="<https://dinhngtu.wordpress.com/2017/11/13/using-kerberos-s4u2self-to-check-user-permissions-without-credentials/>" %}

{% embed url="<http://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/>" %}

{% embed url="<https://www.alsid.com/crb_article/abusing-s4u2self/>" %}

{% embed url="<https://book.hacktricks.xyz/windows/windows-local-privilege-escalation/privilege-escalation-abusing-tokens>" %}
