T1134 Access Token Manipulation
Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
An adversary can use built-in Windows API functions to copy access tokens from existing processes; this is known as token stealing. These token can then be applied to an existing process (i.e. Token Impersonation/Theft) or used to spawn a new process (i.e. Create Process with Token). An adversary must already be in a privileged user context (i.e. administrator) to steal a token. However, adversaries commonly use token stealing to elevate their security context from the administrator level to the SYSTEM level. An adversary can then use a token to authenticate to a remote system as the account for that token if the account has appropriate permissions on the remote system.
Any standard user can use the
runas command, and the Windows API functions, to create impersonation tokens; it does not require access to an administrator account. There are also other mechanisms, such as Active Directory fields, that can be used to modify access tokens.
||AppleSeed can gain system level privilege by passing
SeDebugPrivilege to the
||BlackCat has the ability modify access tokens.
||Blue Mockingbird has used JuicyPotato to abuse the
SeImpersonate token privilege to escalate from web application pool accounts to NT Authority\SYSTEM.
||During C0017, APT41 used a ConfuserEx obfuscated BADPOTATO exploit to abuse named-pipe impersonation for local
NT AUTHORITY\SYSTEM privilege escalation.
||Cuba has used
AdjustTokenPrivileges to elevate privileges.
||Duqu examines running system processes for tokens that have specific system privileges. If it finds one, it will copy the token and store it for later use. Eventually it will start new processes with the stored token attached. It can also steal tokens to acquire administrative privileges.
||Empire can use PowerSploit‘s
Invoke-TokenManipulation to manipulate access tokens.
||FIN6 has used has used Metasploit’s named-pipe impersonation technique to escalate privileges.
||Gelsemium can use token manipulation to bypass UAC on Windows7 systems.
||HermeticWiper can use
AdjustTokenPrivileges to grant itself privileges for debugging with
SeDebugPrivilege, creating backups with
SeBackupPrivilege, loading drivers with
SeLoadDriverPrivilege, and shutting down a local system with
||Hydraq creates a backdoor through which remote attackers can adjust token privileges.
||KillDisk has attempted to get the access token of a process by calling
OpenProcessToken. If KillDisk gets the access token, then it attempt to modify the token privileges with
||Mafalda can use
AdjustTokenPrivileges() to elevate privileges.
||MegaCortex can enable
SeDebugPrivilege and adjust token privileges.
||PoshC2 can use Invoke-TokenManipulation for manipulating tokens.
Invoke-TokenManipulation Exfiltration module can be used to manipulate tokens.
||Ryuk has attempted to adjust its token privileges to have the
||Sliver has the ability to manipulate user tokens on targeted Windows systems.
||SslMM contains a feature to manipulate process privileges and tokens.
||SUNSPOT modified its security token to grants itself debugging privileges by adding
||Privileged Account Management
||Limit permissions so that users and user groups cannot create tokens. This setting should be defined for the local system account only. GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create a token object. Also define who can create a process level token to only the local and network service through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Replace a process level token.
||User Account Management
||An adversary must already have administrator level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require.