Token Manipulation

<- Back to README

The win/token, win/impersonate, win/privilege, and privesc/uac packages provide Windows token manipulation: stealing tokens from other processes, thread impersonation, privilege escalation, and UAC bypass.

Architecture Overview

graph TD
    subgraph "win/token"
        STEAL["Steal(pid)"]
        STEALNAME["StealByName(name)"]
        STEALDUP["StealViaDuplicateHandle()"]
        OPEN["OpenProcessToken()"]
        INTERACTIVE["Interactive()"]
        PRIV["EnableAllPrivileges()"]
        TOKEN["*Token"]

        STEAL --> TOKEN
        STEALNAME --> STEAL
        STEALDUP --> TOKEN
        OPEN --> TOKEN
        INTERACTIVE --> TOKEN
        TOKEN --> PRIV
    end

    subgraph "win/impersonate"
        LOGON["LogonUserW()"]
        IMP["ImpersonateLoggedOnUser()"]
        THREAD["ImpersonateThread()"]
        THREAD --> LOGON --> IMP
    end

    subgraph "win/privilege"
        ISADMIN["IsAdmin()"]
        EXECAS["ExecAs()"]
        LOGONCREATE["CreateProcessWithLogon()"]
        RUNAS["ShellExecuteRunAs()"]
    end

    subgraph "privesc/uac"
        FOD["FODHelper()"]
        SLUI["SLUI()"]
        SILENT["SilentCleanup()"]
        EVT["EventVwr()"]
    end

    TOKEN -.->|"used by"| THREAD
    TOKEN -.->|"used by"| EXECAS

Where to start (novice path):

  1. win/tokenSteal(pid) / StealByName. Grab another process's token (typically winlogon's SYSTEM token) and impersonate. Foundation everything else builds on.
  2. win/impersonateLogonUser-based impersonation when you have plaintext creds (vs token theft).
  3. win/privilege — enable specific privileges in the current token (SeDebugPrivilege for LSASS access, SeBackupPrivilege for reg save).
  4. privesc/uac — UAC bypass methods (FODHelper, ComputerDefaults, sdclt, etc.) when you're Medium-IL and need High-IL.

Documentation

DocumentDescription
Token TheftSteal, StealByName, StealViaDuplicateHandle
Thread ImpersonationLogonUserW + ImpersonateLoggedOnUser
Privilege EscalationExecAs, CreateProcessWithLogon, UAC bypass

Quick decision tree

You want to…Use
…steal a primary token from another PIDtoken-theft.mdSteal(pid)
…steal a token by process nametoken-theft.mdStealByName(name)
…run code as domain\user with credentialsimpersonation.mdImpersonateThread
…run code as NT AUTHORITY\SYSTEMimpersonation.mdGetSystem (winlogon clone)
…run code as TrustedInstallerimpersonation.mdGetTrustedInstaller
…enable SeDebugPrivilege (or any SeXxx) on the current tokenprivilege-escalation.mdEnablePrivilege
…spawn a child process under alternate credentialsprivilege-escalation.mdExecAs(...)
…check if I'm admin / elevated right nowprivilege-escalation.mdIsAdmin()
…trigger a UAC consent prompt and elevateprivilege-escalation.mdShellExecuteRunAs

MITRE ATT&CK

TechniqueIDDescription
Access Token ManipulationT1134Token theft and manipulation
Token Impersonation/TheftT1134.001Thread impersonation
Abuse Elevation Control Mechanism: UAC BypassT1548.002FODHelper, SLUI, SilentCleanup, EventVwr

D3FEND Countermeasures

CountermeasureIDDescription
Token Authentication and Authorization NormalizationD3-TAANMonitor token manipulation
User Account ProfilingD3-UAPDetect privilege escalation

See also