Access Token Manipulation

ID: T1134 Tactic: Defense Evasion, Privilege Escalation

Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token. For Example, Microsoft promotes the use of access tokens as a security best practice. Administrators should log in as a standard user but run their tools with administrator privileges using the built-in access token manipulation command runas.

Adversaries may use access tokens to operate under a different user or system security context to perform actions and evade detection. An adversary can use built-in Windows API functions to copy access tokens from existing processes; this is known as token stealing. An adversary must already be in a privileged user context (i.e. administrator) to steal a token. However, adversaries commonly use token stealing to elevate their security context from administrator level to the SYSTEM level. An adversary can use a token to authenticate to a remote system as the account for that token if the account has appropriate permissions on the remote system.

Access tokens can be leveraged by adversaries through three methods;

Token Impersonation/Theft - An adversary creates a new access token that duplicates an existing token using DuplicateToken(Ex). The token can than be used with ImpersonateLoggedOnUser to allow the calling thread to impersonate a logged on user's security context, or with SetThreatTokento assign the impersonated token a thread. This is useful for when the target user has a non-network logon session on the system.

Create Process with a Token - An adversary creates a new access token with DuplicateToken(Ex)and uses it with CreateProcessWithTokenWto create a new process running under the security context of the impersonated user. This is useful for creating a new process under the security context of a different user.

Make and Impersonate Token - An adversary has a username and password but the user is not logged onto the system. The adversary can then create a logon session for the user using the LogonUserfunction. The function will return a copy of the new session's access token and the adversary can use SetThreadtTokento assign the token to a thread.

Any standard user can use the runascommand, and the Windows API functions, to create impersonation tokens; it does not require access to an administrator account.

Metasploit's Meterpreter payload allows arbitrary token manipulation and uses token impersonation to escalate privileges. The Cobalt Strike beacon payload allows arbitrary token impersonation and can also create tokens.

In the following example let's use runas command to execute a cmd with a high-user privileges.

So we currently hold a "low-user" but we have the credentials for an administrator that can help us execute programs, services, etc. how can we use runas? well it's a simple command such as runas /user:User cmd after this a prompt for entering a password will show and we just fill in and press Enter

We can see on the upper Title Bar that we are running as User instead of low-user

In the following I will use Metasploit's Meterpreter payload and use the incognito extension to impersonate a token.

list_tokens -u

What we see here we have a token available for User we can call impersonate_token here and get User.

We can also try and steal the Token, if we find a process executed by another user, from we can use the steal_token option by stealing a token from a process owned by the targeted user.

We find a CMD process by the User and from here the token has been stolen and added onto our current meterpreter shell, what about injecting a process owned by another user? Simple we can use the Migrate option from meterpreter and have that process user's permission.

In the following references you may see also the Empire Framework being used to Steal, Impersonate and also Invoke-Runas to grab the same results, but using PowerShell Scripts.