Download as PDF, PPTX
More Related Content
Similar to Understanding Windows Access Token Manipulation
![Hernan Ochoa - WCE Internals [RootedCON 2011]](https://cdn.slidesharecdn.com/ss_thumbnails/wceinternalsrootedcon2011ampliasecurity-110307133648-phpapp01-thumbnail.jpg?width=640&height=640&fit=bounds)
Understanding Windows Access Token Manipulation
- 1. UNDERSTANDING WINDOWS ACCESS TOKEN MANIPULATION JustinBui (@slyd0g) FINDING ALTERNATIVES TO WINLOGON.EXE
- 2. WHO AM I? ▪@slyd0g ▪ Red teamer at SpecterOps ▪ Interested in all things security and skateboarding 2
- 3. GOALS 1. Windows authenticationand access tokens 2. Understanding access token manipulation 3. Impersonating SYSTEM with access token theft 4. Finding alternatives to winlogon.exe 3
- 4. 1. WINDOWS AUTHENTICATION & ACCESS TOKENS Whatare access tokens? How do we obtain them? What are they used for?
- 5. “An access tokenis an object that describes the security context of a process or thread. The information in a token includes the identity and privileges of the user account associated with the process or thread. 5 https://docs.microsoft.com/en-us/windows/win32/secauthz/access-tokens
- 6. SECURITY PRINCIPALS - Securityprincipals are any entity that can be authenticated by the OS - User accounts - Computer accounts - Security groups - Processes/threads - Basis of controlling access to securable objects in Windows - Represented in the OS by a unique security identifier (SID) 6 https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-principals
- 7. WINDOWS AUTHENTICATION - Userauthenticates with credentials - Logon session is created - Windows returns user SID and group SIDs - Local Security Authority (LSA) creates an access token - Successful authentication with credentials -> Logon session -> Token -> Process/Thread - Credentials may be stored in memory based on logon type 7 https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-principals
- 8. WINDOWS LOGON SCENARIOS -Interactive logon (credentials in lsass.exe) - Console login (type 2) - RDP (type 10) - PsExec (type 2) - Network logon (credentials are not in memory) - WMI (type 3) - WinRM (type 3) - Smart card logon - Biometric logon 8 https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material
- 9. WHAT IS ANACCESS TOKEN? - Kernel object that describes the security context of a process/thread - Contain the following information: - User account security identifier (SID) - Group SIDs - Logon SID - Owner SID - List of privileges held by user/group - Token integrity level - Token type (primary/impersonation) 9 https://docs.microsoft.com/en-us/windows/win32/secauthz/access-tokens
- 10. PURPOSE OF ANACCESS TOKEN? - Every process created by the user will receive a copy of the access token - When a thread attempts to access a securable object or perform a task that requires privilege, Windows checks the access token - By default, a thread will use the primary token of a process 10 https://docs.microsoft.com/en-us/windows/win32/secauthz/access-tokens
- 11. ACCESS TOKENS INACTION - Example: User opens PowerShell.exe and runs Get-Content C:test.txt - PowerShell.exe receives a copy of the user’s access token - Thread running Get-Content uses PowerShell.exe’s primary access token by default - Files are a securable object in Windows! - OS compares access token to discretionary access control list (DACL) on C:test.txt - If user has permission to read the file, access is granted 11 https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists
- 12. SUMMARY - When auser successfully authenticates an access token is created - Every process created by the user will receive a copy of the access token - Windows checks the access token when a thread attempts to access a securable object or perform a task that requires privilege - Attackers care about access tokens resulting from interactive logons 12
- 13. 2. ACCESS TOKEN MANIPULATION How dowe steal an access token?
- 14.
- 15.
- 16. 1 – OPENPROCESS -Specify a process ID (PID) - Request with one of the permissions: - PROCESS_ALL_ACCESS - PROCESS_QUERY_INFORMATION - PROCESS_QUERY_LIMITED_INFORMATION - Returns a process handle - Allows us to interact with the process object 16 https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-openprocess
- 17.
- 18. 2 – OPENPROCESSTOKEN -Pass in process handle from OpenProcess - Permissions needed for ImpersonateLoggedOnUser: - TOKEN_QUERY - TOKEN_DUPLICATE - Permissions needed for DuplicateTokenEx: - TOKEN_DUPLICATE - Returns a token handle - Allows us to interact with the token object 18 https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-openprocesstoken
- 19.
- 20. 3A – IMPERSONATELOGGEDONUSER -Pass in token handle from OpenProcessToken - Current thread will impersonate user specified by access token - Effectively “become” that user - Interact with OS using impersonated permissions :) - RevertToSelf reverts impersonated permissions 20 https://docs.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-impersonateloggedonuser
- 21.
- 22. 3B – DUPLICATETOKENEX -Pass in token handle from OpenProcessToken - Permissions needed for CreateProcessWithTokenW: - TOKEN_QUERY - TOKEN_DUPLICATE - TOKEN_ASSIGN_PRIMARY - TOKEN_ADJUST_DEFAULT - TOKEN_ADJUST_SESSIONID - Returns a new token handle useable with CreateProcessWithTokenW 22 https://docs.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-duplicatetokenex
- 23.
- 24. 4 – CREATEPROCESSWITHTOKENW -Pass in token handle from DuplicateTokenEx - Takes path to executable, command line arguments, logon type, STARTUPINFO structure - Creates process with stolen access token! 24 https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithtokenw
- 25. PUTTING IT ALLTOGETHER 25 https://github.com/slyd0g/PrimaryTokenTheft
- 26. ATTACKER USE CASE -Impersonate another user with running processes from interactive logon - Lateral movement - Domain escalation - Spawn processes as another user - Impersonate SYSTEM - Get all the privileges 26
- 27. 3. IMPERSONATING SYSTEM Getting all theprivileges
- 28.
- 29. STEALING A SYSTEMTOKEN 29
- 30. 4. ALTERNATIVES TO WINLOGON.EXE Do theyexist? What security permissions allow this?
- 31. METHODOLOGY ASK A QUESTION CREATE A CONCLUSION PERFORMAN EXPERIMENT 31 REPEAT
- 32. METHODOLOGY (CONT.) 1. Aska question - Do other processes like winlogon.exe exist? 2. Perform an experiment - Bruteforce list of SYSTEM processes 3. Create a conclusion - ??? 32
- 33. Access denied duringOpenProcess :( 33
- 34. Access denied duringOpenProcessToken :( 34
- 35.
- 36. CREATE A CONCLUSION -Other SYSTEM processes can also have their access token stolen! - lsass.exe - OfficeClickToRun.exe - dllhost.exe - unsecapp.exe - Why does this work? 36 ��
- 37. REPEAT 1. Ask aquestion - What security settings cause this behavior? 2. Perform an experiment - Compare winlogon.exe to “known good” processes 3. Create a conclusion - ??? 37
- 38.
- 39.
- 40.
- 41.
- 42.
- 43.
- 44.
- 45.
- 46. WHAT IS OWNER? -Owner field in Process Explorer refers to TokenOwner - Value from TOKEN_INFORMATION_CLASS - Enumerate with GetTokenInformation 46
- 47. GET-TOKEN.PS1 47 PowerShell script toenumerate all Process and Thread tokens. Thanks vector-sec!
- 48. UserName vs OwnerName -TOKEN_USER identifies the user associated with the access token - TOKEN_OWNER identifies the user who is owner of any process created with the access token - This was the key distinction we were looking for! 48
- 49. Get-Token | Where-Object{$_.UserName -eq ‘NT AUTHORITYSYSTEM’ -and $_.OwnerName -ne ‘NT AUTHORITYSYSTEM’} | Select-Object ProcessName,ProcessID | Format-Table49
- 50. CREATE A CONCLUSION -Successful token theft - winlogon.exe - lsass.exe - dllhost.exe - unsecapp.exe - svchost.exe - ... - Unsuccessful token theft - csrss.exe - services.exe - smss.exe - wininit.exe - Memory Compression.exe - Why did these processes fail? 50 ��
- 51. REPEAT 1. Ask aquestion - What security settings cause this behavior? 2. Perform an experiment - Look for a common property in the ‘problematic’ processes 3. Create a conclusion - ??? 51
- 52. Taking a lookat wininit.exe and csrss.exe 52
- 53.
- 54.
- 55.
- 56.
- 57. Will this work?Only one way to find out! 57
- 58. STEALING TOKEN FROMPPL PROCESS 58
- 59. IMPORTANCE OF CHALLENGINGASSUMPTIONS 59 Documentation for OpenProcessToken and OpenProcess 😹
- 60. CREATE A CONCLUSION PROCESS_QUERY_INFORMATION -winlogon.exe - lsass.exe - dllhost.exe - unsecapp.exe - svchost.exe (some PIDs) - OfficeClickToRun.exe - Sysmon64.exe - VGAuthService.exe - vmacthlp.exe - vmtoolsd.exe PROCESS_QUERY_LIMITED_INFORMATION - csrss.exe - services.exe - smss.exe - wininit.exe - Memory Compression.exe 60
- 61. REFERENCES - https://posts.specterops.io/understanding-and-defending-agai nst-access-token-theft-finding-alternatives-to-winlogon-exe- 80696c8a73b - https://github.com/slyd0g/PrimaryTokenTheft -https://docs.microsoft.com/en-us/ - https://ired.team/offensive-security/privilege-escalation/t1134 -access-token-manipulation - https://twitter.com/monoxgas/status/1109892490566336512 - https://gist.github.com/vector-sec/a049bf12da619d9af8f9c7d bd28d3b56 61
- 62. THANK YOU - Bigthanks to my coworkers Matt Graeber and Jared Atkinson for helping me dig into these topics as well as pushing me to look into some detections (which I unfortunately didn’t have time to cover here) - Thanks to Brian Reitz for the awesome THPS2 photoshop :D - Thank you HushCon. - Thank you for coming and listening! 62
- 63. THANK YOU! Any questions? Youcan find me at: @slyd0g justin@specterops.io 63