Token Impersonation
https://attack.mitre.org/techniques/T1134/001/
Last updated
ATT&CK ID: T1134.001
Permissions Required: Administrator | SYSTEM | User
Description
Adversaries may duplicate then impersonate another user's token to escalate privileges and bypass access controls. An adversary can create a new access token that duplicates an existing token using DuplicateToken(Ex). The token can then be used with ImpersonateLoggedOnUser to allow the calling thread to impersonate a logged on user's security context, or with SetThreadToken to assign the impersonated token to a thread.
An adversary may do this when they have a specific, existing process they want to assign the new token to. For example, this may be useful for when the target user has a non-network logon session on the system.
Source: MITRE ATT&CK T1134.001, https://attack.mitre.org/techniques/T1134/001/
Load into memory
In this scenario we will be using Metasploit. This scenario assumes we already have gained shell access on the target system as the user 'Bart.Simpson'.
In Metasploit we can load the incognito module with the command load incognito. This will load the modules required to impersonate another user's token. Once loaded we can use the help command to confirm the module has loaded and to show what options are available to us.
We can then list the available tokens for users with the list_tokens -u command.
In the example below we will attempt to load the 'NT AUTHORITY\SYSTEM' token with the command:
Tokens will persist until a machine has been rebooted. Below I have rebooted the target machine and logged in as the user 'Lisa.Simpson'. I then exploited the machine and viewed available tokens. As we can see we have fewer available to us now that the machine has been rebooted.
The meterpreter command rev2self can be used to revert to the original user token.
Delegation tokens are generally created when a user logs on interactively to the target system. Delegation tokens can be used elsewhere on the network.
Impersonation tokens run in an alternative security context to the process that started them. These tokens are generally not used elsewhere on the network.
Because tokens persist until reboot, servers and file servers are potential treasure troves of tokens.
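Before a token can be listed or impersonated it has to be found, and on a live system that means opening a handle to many processes in quick succession. The following is an added example (not code from the original post, from Metasploit or from MITRE) of a heuristic detection for that pattern over Sysmon Event ID 10 (ProcessAccess) records. The records are constructed for the example in a flat key=value|key=value form rather than the XML the event log delivers; the field names follow the Sysmon schema, while the process names, thresholds and allowlist are assumptions to tune per environment.

```python
"""Flag a process that opens handles to many other processes within a short window.

Constructed Sysmon Event ID 10 records are used as input (not captured data).
Field names follow the Sysmon schema: UtcTime, SourceProcessId, SourceImage,
TargetProcessId, TargetImage, GrantedAccess.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Process access rights from winnt.h. OpenProcessToken needs one of these on
# the process handle, so opens without them cannot reach the token.
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
QUERY_MASK = PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION

# Tools that legitimately sweep the whole process list (assumption: tune per fleet).
ALLOWLIST = {"c:\\windows\\system32\\taskmgr.exe"}


def _event(ts_ms, src_pid, src_img, tgt_pid, tgt_img, access):
    """Build one constructed Event ID 10 line, ts_ms milliseconds after 09:15:00."""
    return (f"UtcTime=2024-01-10 09:15:{ts_ms // 1000:02d}.{ts_ms % 1000:03d}|"
            f"SourceProcessId={src_pid}|SourceImage={src_img}|"
            f"TargetProcessId={tgt_pid}|TargetImage={tgt_img}|"
            f"GrantedAccess=0x{access:X}")


SUSPECT = "C:\\Users\\Bart.Simpson\\AppData\\Local\\Temp\\svc.exe"  # constructed path
SAMPLE_EVENTS = (
    # a sweep: an unknown binary opens 10 processes within one second with query rights
    [_event(i * 100, 4120, SUSPECT, 500 + i, f"C:\\svc\\proc{i}.exe", 0x1400)
     for i in range(10)]
    # Task Manager does the same but is allowlisted
    + [_event(i * 100, 2200, "C:\\Windows\\System32\\Taskmgr.exe", 500 + i,
              f"C:\\svc\\proc{i}.exe", 0x1400) for i in range(10)]
    # same number of opens spread over a minute: never enough inside one window
    + [_event(i * 6000, 3300, "C:\\Windows\\System32\\svchost.exe", 500 + i,
              f"C:\\svc\\proc{i}.exe", 0x1400) for i in range(10)]
)


def parse_event(line):
    """Parse one constructed flat record into a dict with typed time and mask."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    fields["UtcTime"] = datetime.strptime(fields["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
    fields["GrantedAccess"] = int(fields["GrantedAccess"], 16)
    return fields


def find_enumeration_sweeps(lines, min_targets=5, window=timedelta(seconds=2)):
    """Return {(SourceProcessId, SourceImage): distinct targets} for every source
    that opened at least min_targets distinct processes, with query rights,
    inside any single time window of length `window`."""
    by_source = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if not ev["GrantedAccess"] & QUERY_MASK:
            continue
        if ev["SourceImage"].lower() in ALLOWLIST:
            continue
        by_source[(ev["SourceProcessId"], ev["SourceImage"])].append(ev)

    hits = {}
    for src, events in by_source.items():
        events.sort(key=lambda e: e["UtcTime"])
        # Sliding window: take each event as a window start and count the
        # distinct target processes opened before the window closes.
        for i, start in enumerate(events):
            targets = {e["TargetProcessId"] for e in events[i:]
                       if e["UtcTime"] - start["UtcTime"] <= window}
            if len(targets) >= min_targets:
                hits[src] = max(hits.get(src, 0), len(targets))
    return hits


if __name__ == "__main__":
    for (pid, image), count in find_enumeration_sweeps(SAMPLE_EVENTS).items():
        print(f"possible token enumeration: pid {pid} {image} opened {count} processes")
```

The mask check matters as much as the count: a process that opens many handles with only PROCESS_TERMINATE or synchronize rights is not reading tokens, and dropping those opens keeps the rule quiet on ordinary service activity. The allowlist is where the false positives from legitimate process browsers go.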
Mitigation
Limit permissions so that users and user groups cannot create tokens. This setting should be defined for the local system account only:
GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create a token object
Also restrict who can create a process level token to only the local service and network service accounts:
GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Replace a process level token
Administrators should log in as a standard user but run their tools with administrator privileges using the built-in access token manipulation command runas.
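Policy set through GPO drifts, so the two user-rights settings above are worth checking on the hosts themselves. The following is an added example (not code from the original post) that reads the dump produced by secedit /export /cfg policy.inf (a UTF-16 file whose [Privilege Rights] section lists each privilege with its holders as *SID entries) and compares the two privileges the page names against the baseline the page recommends. The export text embedded below is constructed, not taken from a real machine, and the SID ending in -1001 is a made-up placeholder for a domain account that should not hold the right.

```python
"""Audit the 'Create a token object' and 'Replace a process level token' user rights.

Constructed secedit export text is embedded as the sample; a real run reads the
file written by `secedit /export /cfg policy.inf`, which is UTF-16 encoded.
"""
import sys

# Well-known SIDs as secedit writes them (a leading * marks a SID).
NAMES = {
    "*S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "*S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "*S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
}

# Baseline taken from the page's mitigation advice:
#   Create a token object         -> SeCreateTokenPrivilege: local system only
#   Replace a process level token -> SeAssignPrimaryTokenPrivilege: LOCAL SERVICE
#                                    and NETWORK SERVICE only
BASELINE = {
    "SeCreateTokenPrivilege": {"*S-1-5-18"},
    "SeAssignPrimaryTokenPrivilege": {"*S-1-5-19", "*S-1-5-20"},
}

# Constructed sample export; the S-1-5-21-...-1001 SID is a placeholder account.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeCreateTokenPrivilege = *S-1-5-18,*S-1-5-21-1004336348-1177238915-682003330-1001
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(text):
    """Return {privilege: set of holders} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Privilege Rights" or "=" not in line:
            continue
        name, _, holders = line.partition("=")
        rights[name.strip()] = {h.strip() for h in holders.split(",") if h.strip()}
    return rights


def audit(text, baseline=BASELINE):
    """For each baseline privilege report holders that should not have it
    ('extra') and expected holders that are absent ('missing'). A privilege
    missing from the export is held by nobody, which secedit writes the same way."""
    rights = parse_privilege_rights(text)
    report = {}
    for priv, expected in baseline.items():
        actual = rights.get(priv, set())
        report[priv] = {"extra": actual - expected, "missing": expected - actual}
    return report


def describe(report):
    """Render the audit as human-readable lines, resolving well-known SIDs."""
    lines = []
    for priv, diff in report.items():
        for sid in sorted(diff["extra"]):
            lines.append(f"{priv}: unexpected holder {NAMES.get(sid, sid)}")
        for sid in sorted(diff["missing"]):
            lines.append(f"{priv}: expected holder {NAMES.get(sid, sid)} is absent")
    return lines or ["no deviations from baseline"]


if __name__ == "__main__":
    # Usage: python audit_token_rights.py policy.inf   (no argument: use the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-16") as fh:
            text = fh.read()
    else:
        text = SAMPLE_EXPORT
    print("\n".join(describe(audit(text))))
```

Run against the sample, the audit reports the placeholder domain account as an unexpected holder of SeCreateTokenPrivilege and nothing for SeAssignPrimaryTokenPrivilege. Extending BASELINE with SeImpersonatePrivilege is the natural next step, since the same export already lists it.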
An adversary must already have administrator level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require.
Reference: Analysis of Access Token Theft and Manipulation (McAfee), https://www.mcafee.com/enterprise/en-us/assets/reports/rp-access-token-theft-manipulation-attacks.pdf