5. “An access token is an object that describes the security context of a process or thread. The information in a token includes the identity and privileges of the user account associated with the process or thread.”
5 https://docs.microsoft.com/en-us/windows/win32/secauthz/access-tokens
6. SECURITY PRINCIPALS
- Security principals are any entity that can be
authenticated by the OS
- User accounts
- Computer accounts
- Security groups
- Processes/threads
- Basis of controlling access to securable objects in
Windows
- Represented in the OS by a unique security identifier
(SID)
6 https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-principals
7. WINDOWS AUTHENTICATION
- User authenticates with credentials
- Logon session is created
- Windows returns user SID and group SIDs
- Local Security Authority (LSA) creates an access
token
- Successful authentication with credentials -> Logon
session -> Token -> Process/Thread
- Credentials may be stored in memory based on
logon type
7 https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-principals
8. WINDOWS LOGON SCENARIOS
- Interactive logon (credentials in lsass.exe)
- Console login (type 2)
- RDP (type 10)
- PsExec (type 2)
- Network logon (credentials are not in memory)
- WMI (type 3)
- WinRM (type 3)
- Smart card logon
- Biometric logon
8 https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material
9. WHAT IS AN ACCESS TOKEN?
- Kernel object that describes the security context of a
process/thread
- Contains the following information:
- User account security identifier (SID)
- Group SIDs
- Logon SID
- Owner SID
- List of privileges held by user/group
- Token integrity level
- Token type (primary/impersonation)
9 https://docs.microsoft.com/en-us/windows/win32/secauthz/access-tokens
10. PURPOSE OF AN ACCESS TOKEN?
- Every process created by the user will receive a copy of
the access token
- When a thread attempts to access a securable object or
perform a task that requires privilege, Windows checks
the access token
- By default, a thread will use the primary token of a
process
10 https://docs.microsoft.com/en-us/windows/win32/secauthz/access-tokens
11. ACCESS TOKENS IN ACTION
- Example: User opens PowerShell.exe and runs
Get-Content C:\test.txt
- PowerShell.exe receives a copy of the user’s access token
- Thread running Get-Content uses PowerShell.exe’s
primary access token by default
- Files are a securable object in Windows!
- OS compares access token to discretionary access
control list (DACL) on C:\test.txt
- If user has permission to read the file, access is
granted
11 https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists
12. SUMMARY
- When a user successfully authenticates, an access token
is created
- Every process created by the user will receive a copy
of the access token
- Windows checks the access token when a thread
attempts to access a securable object or perform a task
that requires privilege
- Attackers care about access tokens resulting from
interactive logons
16. 1 – OPENPROCESS
- Specify a process ID (PID)
- Request with one of the permissions:
- PROCESS_ALL_ACCESS
- PROCESS_QUERY_INFORMATION
- PROCESS_QUERY_LIMITED_INFORMATION
- Returns a process handle
- Allows us to interact with the process object
16 https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-openprocess
18. 2 – OPENPROCESSTOKEN
- Pass in process handle from OpenProcess
- Permissions needed for ImpersonateLoggedOnUser:
- TOKEN_QUERY
- TOKEN_DUPLICATE
- Permissions needed for DuplicateTokenEx:
- TOKEN_DUPLICATE
- Returns a token handle
- Allows us to interact with the token object
18 https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-openprocesstoken
20. 3A – IMPERSONATELOGGEDONUSER
- Pass in token handle from OpenProcessToken
- Current thread will impersonate user specified by
access token
- Effectively “become” that user
- Interact with OS using impersonated
permissions :)
- RevertToSelf reverts impersonated permissions
20 https://docs.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-impersonateloggedonuser
24. 4 – CREATEPROCESSWITHTOKENW
- Pass in token handle from DuplicateTokenEx
- Takes path to executable, command line
arguments, logon type, STARTUPINFO structure
- Creates process with stolen access token!
24 https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithtokenw
25. PUTTING IT ALL TOGETHER
25 https://github.com/slyd0g/PrimaryTokenTheft
26. ATTACKER USE CASE
- Impersonate another user with running
processes from interactive logon
- Lateral movement
- Domain escalation
- Spawn processes as another user
- Impersonate SYSTEM
- Get all the privileges
32. METHODOLOGY (CONT.)
1. Ask a question
- Do other processes like winlogon.exe exist?
2. Perform an experiment
- Bruteforce list of SYSTEM processes
3. Create a conclusion
- ???
36. CREATE A CONCLUSION
- Other SYSTEM processes can also have their
access token stolen!
- lsass.exe
- OfficeClickToRun.exe
- dllhost.exe
- unsecapp.exe
- Why does this work?
37. REPEAT
1. Ask a question
- What security settings cause this behavior?
2. Perform an experiment
- Compare winlogon.exe to “known good”
processes
3. Create a conclusion
- ???
48. UserName vs OwnerName
- TOKEN_USER identifies the user associated
with the access token
- TOKEN_OWNER identifies the user who is
owner of any process created with the access
token
- This was the key distinction we were looking
for!
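To see the TOKEN_USER / TOKEN_OWNER distinction above on a live system, together with the user SID, integrity level and token type fields listed on the "What is an access token?" slide, here is an added PowerShell example. It is not code from the talk or from the PrimaryTokenTheft repository. It opens each process with PROCESS_QUERY_LIMITED_INFORMATION and its token with TOKEN_QUERY only, so it can read token fields but cannot duplicate or impersonate them; the function names (Invoke-WithTokenInfo, Get-TokenSid, ConvertTo-AccountName, ConvertTo-IntegrityName, Get-ProcessTokenInfo, Find-TokenOwnerMismatch) are my own. Run it from an elevated PowerShell to inspect SYSTEM processes; processes that cannot be opened are skipped.

```powershell
# Added example, not from the talk or the PrimaryTokenTheft repo.
# Read-only token inspection: PROCESS_QUERY_LIMITED_INFORMATION + TOKEN_QUERY
# are enough to read TOKEN_USER, TOKEN_OWNER, TOKEN_MANDATORY_LABEL and
# TOKEN_TYPE. Nothing here duplicates or impersonates a token.
if (-not ('Win32.Token' -as [type])) {
    Add-Type -Namespace Win32 -Name Token -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);

[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool OpenProcessToken(IntPtr ProcessHandle, uint DesiredAccess, out IntPtr TokenHandle);

[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetTokenInformation(IntPtr TokenHandle, int TokenInformationClass,
    IntPtr TokenInformation, uint TokenInformationLength, out uint ReturnLength);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@
}

$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
$TOKEN_QUERY                       = 0x0008
# TOKEN_INFORMATION_CLASS values used below
$TokenUser = 1; $TokenOwner = 4; $TokenType = 8; $TokenIntegrityLevel = 25

function Invoke-WithTokenInfo {
    # Calls GetTokenInformation twice (size probe, then the real call) and hands
    # the filled buffer to $Reader; the buffer is freed afterwards.
    param([IntPtr]$TokenHandle, [int]$InfoClass, [scriptblock]$Reader)
    [uint32]$len = 0
    [void][Win32.Token]::GetTokenInformation($TokenHandle, $InfoClass, [IntPtr]::Zero, 0, [ref]$len)
    $buf = [Runtime.InteropServices.Marshal]::AllocHGlobal([int]$len)
    try {
        [uint32]$got = 0
        if (-not [Win32.Token]::GetTokenInformation($TokenHandle, $InfoClass, $buf, $len, [ref]$got)) {
            throw "GetTokenInformation(class $InfoClass) failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
        }
        & $Reader $buf
    } finally {
        [Runtime.InteropServices.Marshal]::FreeHGlobal($buf)
    }
}

function Get-TokenSid {
    param([IntPtr]$TokenHandle, [int]$InfoClass)
    Invoke-WithTokenInfo $TokenHandle $InfoClass {
        param($buf)
        # TOKEN_USER, TOKEN_OWNER and TOKEN_MANDATORY_LABEL all begin with a PSID pointer
        New-Object Security.Principal.SecurityIdentifier([Runtime.InteropServices.Marshal]::ReadIntPtr($buf))
    }
}

function ConvertTo-AccountName {
    param([Security.Principal.SecurityIdentifier]$Sid)
    try { $Sid.Translate([Security.Principal.NTAccount]).Value } catch { $Sid.Value }
}

function ConvertTo-IntegrityName {
    # The integrity level is the last sub-authority of the S-1-16-* label SID
    param([Security.Principal.SecurityIdentifier]$LabelSid)
    $rid = [int]($LabelSid.Value.Split('-')[-1])
    switch ($rid) {
        0x1000  { 'Low' }
        0x2000  { 'Medium' }
        0x3000  { 'High' }
        0x4000  { 'System' }
        default { "Level $rid" }
    }
}

function Get-ProcessTokenInfo {
    param([Parameter(Mandatory)][int]$ProcessId)
    $hProc = [Win32.Token]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, [uint32]$ProcessId)
    if ($hProc -eq [IntPtr]::Zero) {
        throw "OpenProcess($ProcessId) failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try {
        [IntPtr]$hToken = [IntPtr]::Zero
        if (-not [Win32.Token]::OpenProcessToken($hProc, $TOKEN_QUERY, [ref]$hToken)) {
            throw "OpenProcessToken($ProcessId) failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
        }
        try {
            # TOKEN_TYPE is a single DWORD: 1 = TokenPrimary, 2 = TokenImpersonation
            $type = Invoke-WithTokenInfo $hToken $TokenType { param($buf) [Runtime.InteropServices.Marshal]::ReadInt32($buf) }
            [pscustomobject]@{
                ProcessId = $ProcessId
                User      = ConvertTo-AccountName (Get-TokenSid $hToken $TokenUser)
                Owner     = ConvertTo-AccountName (Get-TokenSid $hToken $TokenOwner)
                Integrity = ConvertTo-IntegrityName (Get-TokenSid $hToken $TokenIntegrityLevel)
                TokenType = @{ 1 = 'Primary'; 2 = 'Impersonation' }[$type]
            }
        } finally { [void][Win32.Token]::CloseHandle($hToken) }
    } finally { [void][Win32.Token]::CloseHandle($hProc) }
}

function Find-TokenOwnerMismatch {
    # Processes whose token owner differs from the token user: the TOKEN_USER vs
    # TOKEN_OWNER distinction the talk highlights. Processes that cannot be
    # opened (protected, exited, or access denied) are skipped.
    foreach ($p in Get-Process) {
        try { $info = Get-ProcessTokenInfo -ProcessId $p.Id } catch { continue }
        if ($info.User -ne $info.Owner) {
            $info | Add-Member -NotePropertyName Name -NotePropertyValue $p.ProcessName -PassThru
        }
    }
}

# Usage (elevated PowerShell to see SYSTEM processes):
#   Get-ProcessTokenInfo -ProcessId $PID
#   Find-TokenOwnerMismatch | Format-Table Name, ProcessId, User, Owner, Integrity, TokenType
```

Every token query in this script goes through the same size-probe pattern (a first GetTokenInformation call with a null buffer returns the length needed, the second call fills it), which is the idiomatic way to read variable-length token structures. Because TOKEN_USER, TOKEN_OWNER and TOKEN_MANDATORY_LABEL all start with a PSID pointer, one reader serves all three; the integrity name is derived from the label SID's final sub-authority rather than hard-coded per process.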
51. REPEAT
1. Ask a question
- What security settings cause this behavior?
2. Perform an experiment
- Look for a common property in the
‘problematic’ processes
3. Create a conclusion
- ???
62. THANK YOU
- Big thanks to my coworkers Matt Graeber and Jared Atkinson for
helping me dig into these topics as well as pushing me to look
into some detections (which I unfortunately didn’t have time to
cover here)
- Thanks to Brian Reitz for the awesome THPS2 photoshop :D
- Thank you HushCon.
- Thank you for coming and listening!