Token Manipulation
The win/token, win/impersonate, win/privilege, and privesc/uac packages provide Windows token manipulation: stealing tokens from other processes, thread impersonation, privilege escalation, and UAC bypass.
Architecture Overview
```mermaid
graph TD
  subgraph "win/token"
    STEAL["Steal(pid)"]
    STEALNAME["StealByName(name)"]
    STEALDUP["StealViaDuplicateHandle()"]
    OPEN["OpenProcessToken()"]
    INTERACTIVE["Interactive()"]
    PRIV["EnableAllPrivileges()"]
    TOKEN["*Token"]
    STEAL --> TOKEN
    STEALNAME --> STEAL
    STEALDUP --> TOKEN
    OPEN --> TOKEN
    INTERACTIVE --> TOKEN
    TOKEN --> PRIV
  end
  subgraph "win/impersonate"
    LOGON["LogonUserW()"]
    IMP["ImpersonateLoggedOnUser()"]
    THREAD["ImpersonateThread()"]
    THREAD --> LOGON --> IMP
  end
  subgraph "win/privilege"
    ISADMIN["IsAdmin()"]
    EXECAS["ExecAs()"]
    LOGONCREATE["CreateProcessWithLogon()"]
    RUNAS["ShellExecuteRunAs()"]
  end
  subgraph "privesc/uac"
    FOD["FODHelper()"]
    SLUI["SLUI()"]
    SILENT["SilentCleanup()"]
    EVT["EventVwr()"]
  end
  TOKEN -.->|"used by"| THREAD
  TOKEN -.->|"used by"| EXECAS
```
Documentation
| Document | Description |
|---|---|
| Token Theft | Steal, StealByName, StealViaDuplicateHandle |
| Thread Impersonation | LogonUserW + ImpersonateLoggedOnUser |
| Privilege Escalation | ExecAs, CreateProcessWithLogon, UAC bypass |
Quick decision tree
| You want to… | Use |
|---|---|
| …steal a primary token from another PID | token-theft.md — Steal(pid) |
| …steal a token by process name | token-theft.md — StealByName(name) |
| …run code as domain\user with credentials | impersonation.md — ImpersonateThread |
| …run code as NT AUTHORITY\SYSTEM | impersonation.md — GetSystem (winlogon clone) |
| …run code as TrustedInstaller | impersonation.md — GetTrustedInstaller |
| …enable SeDebugPrivilege (or any SeXxx) on the current token | privilege-escalation.md — EnablePrivilege |
| …spawn a child process under alternate credentials | privilege-escalation.md — ExecAs(...) |
| …check if I'm admin / elevated right now | privilege-escalation.md — IsAdmin() |
| …trigger a UAC consent prompt and elevate | privilege-escalation.md — ShellExecuteRunAs |
MITRE ATT&CK
| Technique | ID | Description |
|---|---|---|
| Access Token Manipulation | T1134 | Parent technique: token theft, impersonation, and process creation under another token |
| Token Impersonation/Theft | T1134.001 | Steal, StealByName, StealViaDuplicateHandle: duplicate another process's token and impersonate it |
| Make and Impersonate Token | T1134.003 | LogonUserW + ImpersonateLoggedOnUser (ImpersonateThread): a fresh logon session from supplied credentials |
| Abuse Elevation Control Mechanism: Bypass User Account Control | T1548.002 | FODHelper, SLUI, SilentCleanup, EventVwr |
D3FEND Countermeasures
| Countermeasure | ID | Description |
|---|---|---|
| Token Authentication and Authorization Normalization | D3-TAAN | Monitor token manipulation |
| User Account Profiling | D3-UAP | Detect privilege escalation |
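The countermeasures above are abstract, so here is what "monitor token manipulation" looks like as detection logic. This is an added example and not code from the project; it runs a handful of constructed, flattened Windows Security and Sysmon records (the `Event` type and its field names are this example's own simplification of the real XML) through rules for the techniques this page indexes: the HKCU registry handlers read by fodhelper.exe, slui.exe and eventvwr.exe and the `%windir%` override used by the SilentCleanup task (Sysmon 13), an auto-elevated binary spawning a High-integrity child (Sysmon 1), a type-9 NewCredentials logon as produced by LogonUserW with LOGON32_LOGON_NEW_CREDENTIALS (4624), and sensitive privileges assigned to a non-SYSTEM account (4672).

```go
package main

import (
	"fmt"
	"strings"
)

// Event is a flattened Security/Sysmon record. Constructed for this example;
// real telemetry arrives as XML from the event log or a SIEM.
type Event struct {
	ID     int
	Fields map[string]string
}

// Registry paths (lower-cased, without the hive prefix) that the four UAC
// bypasses write under HKCU, mapped to the auto-elevating consumer that reads them.
var uacBypassKeys = map[string]string{
	`software\classes\ms-settings\shell\open\command`: "fodhelper.exe",
	`software\classes\exefile\shell\open\command`:     "slui.exe",
	`software\classes\mscfile\shell\open\command`:     "eventvwr.exe",
	`environment\windir`:                             "SilentCleanup scheduled task (cleanmgr.exe)",
}

// Auto-elevated binaries that should not normally be the parent of a High-integrity child.
var autoElevated = map[string]bool{"fodhelper.exe": true, "slui.exe": true, "eventvwr.exe": true, "cleanmgr.exe": true}

// Privileges that enable token theft and impersonation when held by a user account.
var sensitivePrivs = []string{"SeDebugPrivilege", "SeImpersonatePrivilege", "SeTcbPrivilege", "SeAssignPrimaryTokenPrivilege"}

func baseName(p string) string {
	if i := strings.LastIndexAny(p, `\/`); i >= 0 {
		return p[i+1:]
	}
	return p
}

// Detect returns one alert string per matched rule, in event order.
func Detect(events []Event) []string {
	var alerts []string
	for _, e := range events {
		f := e.Fields
		switch e.ID {
		case 13: // Sysmon RegistryEvent (Value Set)
			target := strings.ToLower(f["TargetObject"])
			for key, consumer := range uacBypassKeys {
				if strings.Contains(target, key) {
					alerts = append(alerts, fmt.Sprintf("T1548.002 staging: %s wrote %s (read by %s)", f["Image"], f["TargetObject"], consumer))
				}
			}
		case 1: // Sysmon ProcessCreate
			parent := strings.ToLower(baseName(f["ParentImage"]))
			if autoElevated[parent] && f["IntegrityLevel"] == "High" {
				alerts = append(alerts, fmt.Sprintf("T1548.002 execution: %s spawned %s at High integrity", parent, f["Image"]))
			}
		case 4624: // Logon; type 9 = NewCredentials (LogonUserW with LOGON32_LOGON_NEW_CREDENTIALS, runas /netonly)
			if f["LogonType"] == "9" {
				alerts = append(alerts, fmt.Sprintf("T1134.003 candidate: NewCredentials logon as %s\\%s from %s", f["TargetDomainName"], f["TargetUserName"], f["ProcessName"]))
			}
		case 4672: // Special privileges assigned to new logon; SYSTEM always holds these, so skip it
			if strings.EqualFold(f["SubjectUserName"], "SYSTEM") {
				continue
			}
			for _, p := range sensitivePrivs {
				if strings.Contains(f["PrivilegeList"], p) {
					alerts = append(alerts, fmt.Sprintf("T1134 candidate: %s assigned %s", f["SubjectUserName"], p))
				}
			}
		}
	}
	return alerts
}

// sampleEvents is a constructed FODHelper-then-impersonation sequence plus benign noise.
func sampleEvents() []Event {
	return []Event{
		{ID: 13, Fields: map[string]string{"Image": `C:\Users\alice\tool.exe`,
			"TargetObject": `HKU\S-1-5-21-1-2-3-1001\Software\Classes\ms-settings\Shell\Open\command\(Default)`,
			"Details":      `C:\Windows\System32\cmd.exe /c whoami`}},
		{ID: 1, Fields: map[string]string{"Image": `C:\Windows\System32\cmd.exe`,
			"ParentImage": `C:\Windows\System32\fodhelper.exe`, "IntegrityLevel": "High"}},
		{ID: 4624, Fields: map[string]string{"TargetUserName": "svc_backup", "TargetDomainName": "CORP",
			"LogonType": "9", "ProcessName": `C:\Users\alice\tool.exe`}},
		{ID: 4672, Fields: map[string]string{"SubjectUserName": "svc_backup",
			"PrivilegeList": "SeDebugPrivilege\n\t\t\tSeImpersonatePrivilege"}},
		{ID: 1, Fields: map[string]string{"Image": `C:\Windows\System32\notepad.exe`,
			"ParentImage": `C:\Windows\explorer.exe`, "IntegrityLevel": "Medium"}},
		{ID: 4672, Fields: map[string]string{"SubjectUserName": "SYSTEM", "PrivilegeList": "SeDebugPrivilege"}},
	}
}

func main() {
	for _, a := range Detect(sampleEvents()) {
		fmt.Println(a)
	}
}
```

The registry rule fires before the auto-elevated binary ever runs, which is the point: the HKCU write is the one step none of these bypasses can skip, so it is the cheapest place to alert. The 4624/4672 rules are noisy on their own (runas /netonly and backup agents produce both) and are meant to be correlated with the originating process, not paged on individually.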
See also
- tokens/token-theft.md — open + duplicate primary tokens
- tokens/impersonation.md — run code under a stolen context
- tokens/privilege-escalation.md — adjust SeXxx privileges
- syscalls
- techniques (index) — sibling Layer-1 area