Lateral movement: Access token manipulation

What are access tokens?

Access tokens are used by Windows applications to access APIs. An access token contains information like who initiated a process, the app that generated the token and its expiry time.

What is access token manipulation?

An attacker can manipulate access tokens to make a process appear to be initiated by some other user account, while in reality the request could have been initiated from the account compromised by the attacker in your network.

Attackers leverage access tokens to escalate privileges from the administrative level to a SYSTEM level to perform malicious activities, and access systems in your network remotely to exploit various system processes to their benefit.

How is access token manipulation carried out?

An attacker should have access to a privileged user account to get hold of access tokens of any process in the Windows environment.

The attackers obtain access tokens in one of the following three ways:

1. Stealing access tokens

An attacker can use the following built-in Windows API functions to copy and use existing tokens of other processes to perform malicious activities:

• DuplicateTokenEx() function is used to create duplicate tokens of existing access tokens.
• ImpersonateLoggedOnUser() function is used to impersonate another user to run the process. The attackers ensure that the impersonated user has all the necessary permissions to run the process.
• Also, the attackers can use SetThreatToken() function to assign an impersonated token to a thread.
2. Creating a new process with a stolen access token

Attackers can use a duplicated token to create a new process using the CreateProcessWithTokenW() function. This function allows the attackers to create tokens implementing the security context of any user they choose to impersonate.

3. Creating Logon sessions

Attackers can remotely create logon sessions for users if they have the credentials of any user account using the LogonUser() function.They can then obtain a token under the logged in user's security context which they can assign to a thread to run a process.

Note: runas command

Any user can use the runas command and perform operations impersonating other users. This context is often used by system admins, as they login to systems as standard users and further execute administrative processes using runas command.

Best practices to follow to mitigate access token manipulation

• As attackers can take full advantage of access tokens and their built-in functions only from a privileged user account, it is highly recommended that you monitor all privileged user accounts for suspicious activities as these accounts can create, enable, disable and assign permissions to system and user accounts.
• Adopt the principle of least privilege (POLP) to ensure no users or roles have more than the necessary privileges.
• Manage your Group Policies regularly to check if only the authorized personnel can create, duplicate or replace access tokens.
• Monitor logins that take place through Command Line Interface.
• Usage of runas command has to be monitored at proximity to identify impersonation.

How to monitor your network efficiently?

You can follow the above mentioned best practices and also constantly monitor the activities of users and devices in your network to harden the security framework. It can be quite overwhelming to monitor your perimeter defense device logs, your system logs and privileged and other user activity to mitigate threats in your network. You can use a log management solution to avoid the hassle.

EventLog Analyzer is a log management solution that can collect logs from all your network devices in a centralized location, parse and analyze them. It uses its powerful correlation engine to correlate activities from all parts of your network. It can monitor privileged user activity and generate reports on User Logons, User Logoffs, Failed Logons, Successful User Account Validation, and Failed User Account Validation, to name a few. It can identify anomalous activities and flag them as threats. EventLog Analyzer allows you to configure real-time alerts to notify you via SMS and email in case of an attack.Check out other features of EventLog Analyzer now.