Access token manipulation: What it is and how to detect it

  • Home
  • Access token manipulation: What it is and how to detect it

Network security has crossed leaps and bounds over the years in order to protect what users value the most: data! As organizations grow and the number of users increases, the vulnerability of the organization also increases, as various users have access to different resources.

There is only so much that can be done in terms of physical perimeters for resources; passwords can be hacked and accounts can be infiltrated. This is why the best way to secure your data is with identity-driven security. This approach can help verify and authenticate users before they are given access to resources; it also helps in managing and monitoring the access given to different users. One approach to identity-driven security is with token-based authentication.

What is token-based authentication?

Token-based authentication is a protocol that allows users to verify their identity. The verified user can then proceed to access resources, websites, and apps without needing to reenter their credentials (at least until the token expires).

There are three types of authentication tokens:

  1. Connected: These include any physical items that are plugged into the system, such as keys, disks, drives, etc. Examples include USB devices and smart cards.
  2. Contactless: The device is close enough to the server to communicate with it without plugging in. An example of this type would be Microsoft's Magic Ring.
  3. Disconnected: Communication between the device and server takes place over long distances. This type of token can be found in two-factor authentication processes.

There are various steps in the token authentication process, including:

  1. Request: A request to access a server is raised. This involves using a password to log in.
  2. Verification: The server determines if the user can have access.
  3. Tokens: After verification, the user is issued a token by the server.
  4. Storage: The token is stored within the user's browser and validates their identity for all processes performed by the user. The token is valid for a specified period of time before it expires, upon which the user will have to log in again.

Let's take a look at what an access token is and how it can be manipulated by adversaries to access higher level resources.

What is an access token?

Access tokens are a piece of code that contain user credentials and profile details such as the group to which the user belongs, their privileges, and more; these are used to validate the authenticity of the user's access. The purpose of this is to validate the identity of the user and, in doing so, identify the user's security context.

In a network, the security context defines the user's identity and their authentication information, including their SID, groups, and level of privileges. A user establishes their security context when they present their credentials for authentication. This process authenticates the user in any future running processes and authorizes access to privileged resources.

The access tokens are created when a user successfully authenticates into a system and usually expires once the user session ends or if the token expires. Access tokens come in two types—primary tokens and impersonation tokens.

Primary tokens contain the security context of the user account whereas impersonation tokens are used by the servers to impersonate the client process in security operations.

For instance, when a local user logs in to their system, the Local Security Authority creates an access token for that user, which is the primary token.

On the other hand, when a user wants to perform security operations on network resources, an impersonation token is created. The services built for carrying out these critical operations creates a client token and impersonates the client to perform the requested operation.

However, these tokens can also be manipulated by adversaries to elevate their privileges, access resources, and run processes that they would otherwise be unable to do.

What is access token manipulation?

Access token manipulation is a technique often used to escalate privileges or permissions of a user. This attack type is listed under Privilege Escalation in the MITRE ATT&CK threat modelling framework.

When an adversary manages to compromise a user account with few privileges, they next move laterally within the network to get hold of an account with high privileges such as a system, administrator, or service account.

During access token manipulation privilege escalation, adversaries may modify the access token to bypass access controls. Impersonating a system access token can be beneficial for attackers, as an administrator account may lack certain privileges they need.

    There are four sub-techniques that fall under the category of access token manipulation. They are:

  1. Token impersonation or theft
  2. Adversaries can duplicate a stolen token and then impersonate the compromised user to access privileged resources.

  3. Process creation using a token
  4. Adversaries may use the stolen and duplicated token to create new processes that run under the security context of the impersonated user.

  5. PPID spoofing
  6. Adversaries can use this technique to spoof the Parent Process Identifier (PPID) to evade process monitoring defenses and escalate privileges.

  7. SID history injection
  8. Windows security identifiers (SIDs) are unique IDs that identifies a user, computer account, or group. Using this technique, adversaries may inject or harvest well-known SIDs in an access token's SID history in order to escalate privileges and access restricted resources.

Access token manipulation detection

Since the access token manipulation attack technique takes advantage of authentication protocol operations, it can be difficult to detect. However, you can detect access token manipulation if you monitor the right Windows functions. Here are some actions to look out for:

  1. If the adversary is using a command-line shell, analysts should look for use of the runas command. This command can be detected by monitoring event logs.
  2. If the adversary calls the Windows token APIs directly, you can detect access token manipulation by carefully analyzing the network activity and running processes. Analysts should look for the use of LogonUser, DuplicateTokenEx, and ImpersonateLoggedOnUser.

Please note that these commands and API calls can be used for legitimate functions as well. Monitoring the processes and token thread information and looking for inconsistencies can help detect access token manipulation. This includes monitoring logins that take place through the Command Line Interface along with the use of the runas command within a short time frame.

Consistent monitoring of network activity can be overwhelming if you're doing it manually; instead, you can automate network activity monitoring using an integrated log management solution like Log360.

Products mentioned on this page:

Recently added chapters


Get the latest content delivered
right to your inbox!


Cyber Security - Knowledge Base


  Zoho Corporation Pvt. Ltd. All rights reserved.