Understanding Windows Access Token Manipulation
Finding alternatives to winlogon.exe to steal SYSTEM access tokens from.
Presented at HushCon 2019
1. UNDERSTANDING WINDOWS ACCESS TOKEN MANIPULATION
   Justin Bui (@slyd0g)
   FINDING ALTERNATIVES TO WINLOGON.EXE

2. WHO AM I?
   - @slyd0g
   - Red teamer at SpecterOps
   - Interested in all things security and skateboarding

3. GOALS
   1. Windows authentication and access tokens
   2. Understanding access token manipulation
   3. Impersonating SYSTEM with access token theft
   4. Finding alternatives to winlogon.exe

4. 1. WINDOWS AUTHENTICATION & ACCESS TOKENS
   What are access tokens? How do we obtain them? What are they used for?

5. "An access token is an object that describes the security context of a process or thread. The information in a token includes the identity and privileges of the user account associated with the process or thread."
   https://docs.microsoft.com/en-us/windows/win32/secauthz/access-tokens

6. SECURITY PRINCIPALS
   - Security principals are any entity that can be authenticated by the OS
     - User accounts
     - Computer accounts
     - Security groups
     - Processes/threads
   - Basis of controlling access to securable objects in Windows
   - Represented in the OS by a unique security identifier (SID)
   https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-principals

7. WINDOWS AUTHENTICATION
   - User authenticates with credentials
   - Logon session is created
   - Windows returns user SID and group SIDs
   - Local Security Authority (LSA) creates an access token
   - Successful authentication with credentials -> Logon session -> Token -> Process/Thread
   - Credentials may be stored in memory, depending on the logon type
   https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-principals

8. WINDOWS LOGON SCENARIOS
   - Interactive logon (credentials in lsass.exe)
     - Console login (type 2)
     - RDP (type 10)
     - PsExec (type 2)
   - Network logon (credentials are not in memory)
     - WMI (type 3)
     - WinRM (type 3)
   - Smart card logon
   - Biometric logon
   https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material

9. WHAT IS AN ACCESS TOKEN?
   - Kernel object that describes the security context of a process/thread
   - Contains the following information:
     - User account security identifier (SID)
     - Group SIDs
     - Logon SID
     - Owner SID
     - List of privileges held by the user/groups
     - Token integrity level
     - Token type (primary/impersonation)
   https://docs.microsoft.com/en-us/windows/win32/secauthz/access-tokens

10. PURPOSE OF AN ACCESS TOKEN?
   - Every process created by the user receives a copy of the access token
   - When a thread attempts to access a securable object or perform a task that requires a privilege, Windows checks the access token
   - By default, a thread uses the primary token of its process
   https://docs.microsoft.com/en-us/windows/win32/secauthz/access-tokens

11. ACCESS TOKENS IN ACTION
   - Example: user opens PowerShell.exe and runs Get-Content C:\test.txt
   - PowerShell.exe receives a copy of the user's access token
   - The thread running Get-Content uses PowerShell.exe's primary access token by default
   - Files are a securable object in Windows!
   - The OS compares the access token to the discretionary access control list (DACL) on C:\test.txt
   - If the user has permission to read the file, access is granted
   https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists

12. SUMMARY
   - When a user successfully authenticates, an access token is created
   - Every process created by the user receives a copy of the access token
   - Windows checks the access token when a thread attempts to access a securable object or perform a task that requires a privilege
   - Attackers care about access tokens resulting from interactive logons

13. 2. ACCESS TOKEN MANIPULATION
   How do we steal an access token?

14. STEALING ACCESS TOKENS

15. OPENPROCESS DOCS
   https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-openprocess

16. 1 – OPENPROCESS
   - Specify a process ID (PID)
   - Request with one of the access rights:
     - PROCESS_ALL_ACCESS
     - PROCESS_QUERY_INFORMATION
     - PROCESS_QUERY_LIMITED_INFORMATION
   - Returns a process handle
   - Allows us to interact with the process object
   https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-openprocess

17. OPENPROCESSTOKEN DOCS
   https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-openprocesstoken

18. 2 – OPENPROCESSTOKEN
   - Pass in the process handle from OpenProcess
   - Access rights needed for ImpersonateLoggedOnUser:
     - TOKEN_QUERY
     - TOKEN_DUPLICATE
   - Access rights needed for DuplicateTokenEx:
     - TOKEN_DUPLICATE
   - Returns a token handle
   - Allows us to interact with the token object
   https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-openprocesstoken

19. IMPERSONATELOGGEDONUSER DOCS
   https://docs.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-impersonateloggedonuser

20. 3A – IMPERSONATELOGGEDONUSER
   - Pass in the token handle from OpenProcessToken
   - The current thread will impersonate the user specified by the access token
   - Effectively "become" that user
   - Interact with the OS using the impersonated permissions :)
   - RevertToSelf ends the impersonation and restores the thread's own permissions
   https://docs.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-impersonateloggedonuser

21. DUPLICATETOKENEX DOCS
   https://docs.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-duplicatetokenex

22. 3B – DUPLICATETOKENEX
   - Pass in the token handle from OpenProcessToken
   - Access rights needed on the new token for CreateProcessWithTokenW:
     - TOKEN_QUERY
     - TOKEN_DUPLICATE
     - TOKEN_ASSIGN_PRIMARY
     - TOKEN_ADJUST_DEFAULT
     - TOKEN_ADJUST_SESSIONID
   - Returns a new (primary) token handle usable with CreateProcessWithTokenW
   https://docs.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-duplicatetokenex

23. CREATEPROCESSWITHTOKENW DOCS
   https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithtokenw

24. 4 – CREATEPROCESSWITHTOKENW
   - Pass in the token handle from DuplicateTokenEx
   - Takes the path to an executable, command line arguments, logon flags and a STARTUPINFO structure
   - Creates a process with the stolen access token!
   https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithtokenw

25. PUTTING IT ALL TOGETHER
   https://github.com/slyd0g/PrimaryTokenTheft
26. ATTACKER USE CASE
   - Impersonate another user who has running processes from an interactive logon
     - Lateral movement
     - Domain escalation
     - Spawn processes as another user
   - Impersonate SYSTEM
     - Get all the privileges

27. 3. IMPERSONATING SYSTEM
   Getting all the privileges

28. https://twitter.com/monoxgas/status/1109892490566336512

29. STEALING A SYSTEM TOKEN

30. 4. ALTERNATIVES TO WINLOGON.EXE
   Do they exist? What security permissions allow this?

31. METHODOLOGY
   Ask a question -> Perform an experiment -> Create a conclusion -> Repeat

32. METHODOLOGY (CONT.)
   1. Ask a question
      - Do other processes like winlogon.exe exist?
   2. Perform an experiment
      - Brute-force a list of SYSTEM processes
   3. Create a conclusion
      - ???

33. Access denied during OpenProcess :(

34. Access denied during OpenProcessToken :(

35. Success! :)

36. CREATE A CONCLUSION
   - Other SYSTEM processes can also have their access token stolen!
     - lsass.exe
     - OfficeClickToRun.exe
     - dllhost.exe
     - unsecapp.exe
   - Why does this work?

37. REPEAT
   1. Ask a question
      - What security settings cause this behavior?
   2. Perform an experiment
      - Compare winlogon.exe to "known good" processes
   3. Create a conclusion
      - ???

38. https://twitter.com/monoxgas/status/1109892490566336512

39. COMPARING SESSION ID

40. ADVANCED SECURITY SETTINGS

41. ADVANCED SECURITY SETTINGS

42. ADVANCED SECURITY SETTINGS

43. SECURITY DESCRIPTORS

44. THE BREAKTHROUGH!

45. THE BREAKTHROUGH!

46. WHAT IS OWNER?
   - The Owner field in Process Explorer refers to TokenOwner
   - A value of TOKEN_INFORMATION_CLASS
   - Enumerate it with GetTokenInformation

47. GET-TOKEN.PS1
   PowerShell script to enumerate all process and thread tokens. Thanks vector-sec!

48. UserName vs OwnerName
   - TOKEN_USER identifies the user account associated with the access token
   - TOKEN_OWNER identifies the default owner SID that any object (including a process) created with the access token receives
   - This was the key distinction we were looking for!

49. Get-Token | Where-Object {$_.UserName -eq 'NT AUTHORITY\SYSTEM' -and $_.OwnerName -ne 'NT AUTHORITY\SYSTEM'} | Select-Object ProcessName,ProcessID | Format-Table

50. CREATE A CONCLUSION
   - Successful token theft
     - winlogon.exe
     - lsass.exe
     - dllhost.exe
     - unsecapp.exe
     - svchost.exe
     - ...
   - Unsuccessful token theft
     - csrss.exe
     - services.exe
     - smss.exe
     - wininit.exe
     - Memory Compression.exe
   - Why did these processes fail?

51. REPEAT
   1. Ask a question
      - What security settings cause this behavior?
   2. Perform an experiment
      - Look for a common property in the "problematic" processes
   3. Create a conclusion
      - ???

52. Taking a look at wininit.exe and csrss.exe

53. OPENPROCESS ERRORS

54. OPENPROCESS ERRORS

55. PROTECTED

56. https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights

57. Will this work? Only one way to find out!

58. STEALING TOKEN FROM PPL PROCESS

59. IMPORTANCE OF CHALLENGING ASSUMPTIONS
   Documentation for OpenProcessToken and OpenProcess 😹

60. CREATE A CONCLUSION
   OpenProcess succeeds with PROCESS_QUERY_INFORMATION:
   - winlogon.exe
   - lsass.exe
   - dllhost.exe
   - unsecapp.exe
   - svchost.exe (some PIDs)
   - OfficeClickToRun.exe
   - Sysmon64.exe
   - VGAuthService.exe
   - vmacthlp.exe
   - vmtoolsd.exe
   OpenProcess succeeds only with PROCESS_QUERY_LIMITED_INFORMATION (these are the protected processes; OpenProcessToken still accepts the narrower handle, despite what the documentation suggested):
   - csrss.exe
   - services.exe
   - smss.exe
   - wininit.exe
   - Memory Compression.exe
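The brute-force experiment of slides 32 to 35, the Get-Token query on slide 49 and the access-right split in the conclusion above, reproduced as one added PowerShell example written for this page; it is not vector-sec's Get-Token.ps1 and not code from the talk. It assumes an elevated PowerShell session on Windows; the names TokenProbe, Get-TokenAccount and Get-ProcessTokenOwner and the output column names are this example's own.

```powershell
# Added example, not from the slides or from vector-sec's Get-Token.ps1.
# For every process: which OpenProcess right works, whether OpenProcessToken
# succeeds, and the TOKEN_USER vs TOKEN_OWNER accounts. Assumes an elevated
# PowerShell session on Windows. Names below are this example's own.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;

public class TokenProbe
{
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);

    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr ProcessHandle, uint DesiredAccess, out IntPtr TokenHandle);

    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool GetTokenInformation(IntPtr TokenHandle, int TokenInformationClass,
        IntPtr TokenInformation, int TokenInformationLength, out int ReturnLength);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);
}
"@

function Get-TokenAccount {
    # Reads TOKEN_USER (class 1) or TOKEN_OWNER (class 4). Both structures begin
    # with a PSID, so the first pointer in the returned buffer is the SID.
    param([IntPtr]$Token, [int]$InfoClass)
    $len = 0
    [void][TokenProbe]::GetTokenInformation($Token, $InfoClass, [IntPtr]::Zero, 0, [ref]$len)   # size query
    $buf = [Runtime.InteropServices.Marshal]::AllocHGlobal($len)
    try {
        if (-not [TokenProbe]::GetTokenInformation($Token, $InfoClass, $buf, $len, [ref]$len)) { return $null }
        $psid = [Runtime.InteropServices.Marshal]::ReadIntPtr($buf)
        $sid = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $psid
        # Resolve to DOMAIN\name where possible; fall back to the raw SID string.
        try { return $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { return $sid.Value }
    } finally { [Runtime.InteropServices.Marshal]::FreeHGlobal($buf) }
}

function Get-ProcessTokenOwner {
    $PROCESS_QUERY_INFORMATION = 0x0400; $PROCESS_QUERY_LIMITED_INFORMATION = 0x1000; $TOKEN_QUERY = 0x0008
    foreach ($p in Get-Process | Where-Object Id -gt 0) {
        $row = [ordered]@{ Name = $p.Name; PID = $p.Id; ProcessAccess = $null; TokenOpened = $false; User = $null; Owner = $null }
        # Try the documented right first, then the narrower one that protected processes still grant.
        $h = [TokenProbe]::OpenProcess($PROCESS_QUERY_INFORMATION, $false, $p.Id)
        if ($h -ne [IntPtr]::Zero) {
            $row.ProcessAccess = 'QUERY_INFORMATION'
        } else {
            $h = [TokenProbe]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, $p.Id)
            $row.ProcessAccess = if ($h -ne [IntPtr]::Zero) { 'QUERY_LIMITED_INFORMATION' } else { "denied ($([Runtime.InteropServices.Marshal]::GetLastWin32Error()))" }
        }
        if ($h -ne [IntPtr]::Zero) {
            $t = [IntPtr]::Zero
            if ([TokenProbe]::OpenProcessToken($h, $TOKEN_QUERY, [ref]$t)) {
                $row.TokenOpened = $true
                $row.User  = Get-TokenAccount -Token $t -InfoClass 1   # TokenUser
                $row.Owner = Get-TokenAccount -Token $t -InfoClass 4   # TokenOwner
                [void][TokenProbe]::CloseHandle($t)
            }
            [void][TokenProbe]::CloseHandle($h)
        }
        [pscustomobject]$row
    }
}

# Slide 49's question: which SYSTEM processes carry a token whose owner is not SYSTEM?
Get-ProcessTokenOwner |
    Where-Object { $_.User -eq 'NT AUTHORITY\SYSTEM' -and $_.Owner -ne 'NT AUTHORITY\SYSTEM' } |
    Format-Table Name, PID, ProcessAccess, TokenOpened, Owner -AutoSize
```

Dropping the Where-Object filter lists every process with the right that opened it, which is the split shown in the conclusion: the protected processes report QUERY_LIMITED_INFORMATION with TokenOpened still true, and the Win32 error code is kept for the processes that refuse both rights.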
61. REFERENCES
   - https://posts.specterops.io/understanding-and-defending-against-access-token-theft-finding-alternatives-to-winlogon-exe-80696c8a73b
   - https://github.com/slyd0g/PrimaryTokenTheft
   - https://docs.microsoft.com/en-us/
   - https://ired.team/offensive-security/privilege-escalation/t1134-access-token-manipulation
   - https://twitter.com/monoxgas/status/1109892490566336512
   - https://gist.github.com/vector-sec/a049bf12da619d9af8f9c7dbd28d3b56
62. THANK YOU
   - Big thanks to my coworkers Matt Graeber and Jared Atkinson for helping me dig into these topics as well as pushing me to look into some detections (which I unfortunately didn't have time to cover here)
   - Thanks to Brian Reitz for the awesome THPS2 photoshop :D
   - Thank you HushCon.
   - Thank you for coming and listening!

63. THANK YOU!
   Any questions?
   You can find me at:
   @slyd0g
   justin@specterops.io