Understanding Windows Access Token Manipulation
  1. UNDERSTANDING WINDOWS ACCESS TOKEN MANIPULATION: FINDING ALTERNATIVES TO WINLOGON.EXE. Justin Bui (@slyd0g)
  2. WHO AM I?
     - @slyd0g
     - Red teamer at SpecterOps
     - Interested in all things security and skateboarding
  3. GOALS
     1. Windows authentication and access tokens
     2. Understanding access token manipulation
     3. Impersonating SYSTEM with access token theft
     4. Finding alternatives to winlogon.exe
  4. 1. WINDOWS AUTHENTICATION & ACCESS TOKENS. What are access tokens? How do we obtain them? What are they used for?
  5. “An access token is an object that describes the security context of a process or thread. The information in a token includes the identity and privileges of the user account associated with the process or thread.” https://docs.microsoft.com/en-us/windows/win32/secauthz/access-tokens
  6. SECURITY PRINCIPALS
     - Security principals are any entity that can be authenticated by the OS:
       - User accounts
       - Computer accounts
       - Security groups
       - Processes/threads
     - Basis of controlling access to securable objects in Windows
     - Represented in the OS by a unique security identifier (SID)
     https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-principals
  7. WINDOWS AUTHENTICATION
     - User authenticates with credentials
     - Logon session is created
     - Windows returns user SID and group SIDs
     - Local Security Authority (LSA) creates an access token
     - Successful authentication with credentials -> Logon session -> Token -> Process/Thread
     - Credentials may be stored in memory based on logon type
     https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-principals
  8. WINDOWS LOGON SCENARIOS
     - Interactive logon (credentials in lsass.exe)
       - Console login (type 2)
       - RDP (type 10)
       - PsExec (type 2)
     - Network logon (credentials are not in memory)
       - WMI (type 3)
       - WinRM (type 3)
     - Smart card logon
     - Biometric logon
     https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material
  9. WHAT IS AN ACCESS TOKEN?
     - Kernel object that describes the security context of a process/thread
     - Contains the following information:
       - User account security identifier (SID)
       - Group SIDs
       - Logon SID
       - Owner SID
       - List of privileges held by user/group
       - Token integrity level
       - Token type (primary/impersonation)
     https://docs.microsoft.com/en-us/windows/win32/secauthz/access-tokens
  10. PURPOSE OF AN ACCESS TOKEN?
     - Every process created by the user will receive a copy of the access token
     - When a thread attempts to access a securable object or perform a task that requires privilege, Windows checks the access token
     - By default, a thread will use the primary token of a process
     https://docs.microsoft.com/en-us/windows/win32/secauthz/access-tokens
  11. ACCESS TOKENS IN ACTION
     - Example: User opens PowerShell.exe and runs Get-Content C:\test.txt
     - PowerShell.exe receives a copy of the user’s access token
     - Thread running Get-Content uses PowerShell.exe’s primary access token by default
     - Files are a securable object in Windows!
     - OS compares access token to discretionary access control list (DACL) on C:\test.txt
     - If user has permission to read the file, access is granted
     https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists
  12. SUMMARY
     - When a user successfully authenticates, an access token is created
     - Every process created by the user will receive a copy of the access token
     - Windows checks the access token when a thread attempts to access a securable object or perform a task that requires privilege
     - Attackers care about access tokens resulting from interactive logons
  13. 2. ACCESS TOKEN MANIPULATION. How do we steal an access token?
  14. STEALING ACCESS TOKENS
  15. OPENPROCESS DOCS. https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-openprocess
  16. 1 – OPENPROCESS
     - Specify a process ID (PID)
     - Request with one of the permissions:
       - PROCESS_ALL_ACCESS
       - PROCESS_QUERY_INFORMATION
       - PROCESS_QUERY_LIMITED_INFORMATION
     - Returns a process handle
       - Allows us to interact with the process object
     https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-openprocess
  17. OPENPROCESSTOKEN DOCS. https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-openprocesstoken
  18. 2 – OPENPROCESSTOKEN
     - Pass in process handle from OpenProcess
     - Permissions needed for ImpersonateLoggedOnUser:
       - TOKEN_QUERY
       - TOKEN_DUPLICATE
     - Permissions needed for DuplicateTokenEx:
       - TOKEN_DUPLICATE
     - Returns a token handle
       - Allows us to interact with the token object
     https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-openprocesstoken
  19. IMPERSONATELOGGEDONUSER DOCS. https://docs.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-impersonateloggedonuser
  20. 3A – IMPERSONATELOGGEDONUSER
     - Pass in token handle from OpenProcessToken
     - Current thread will impersonate user specified by access token
       - Effectively “become” that user
       - Interact with OS using impersonated permissions :)
     - RevertToSelf reverts impersonated permissions
     https://docs.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-impersonateloggedonuser
  21. DUPLICATETOKENEX DOCS. https://docs.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-duplicatetokenex
  22. 3B – DUPLICATETOKENEX
     - Pass in token handle from OpenProcessToken
     - Permissions needed for CreateProcessWithTokenW:
       - TOKEN_QUERY
       - TOKEN_DUPLICATE
       - TOKEN_ASSIGN_PRIMARY
       - TOKEN_ADJUST_DEFAULT
       - TOKEN_ADJUST_SESSIONID
     - Returns a new token handle usable with CreateProcessWithTokenW
     https://docs.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-duplicatetokenex
  23. CREATEPROCESSWITHTOKENW DOCS. https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithtokenw
  24. 4 – CREATEPROCESSWITHTOKENW
     - Pass in token handle from DuplicateTokenEx
     - Takes path to executable, command line arguments, logon type, STARTUPINFO structure
     - Creates process with stolen access token!
     https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithtokenw
  25. PUTTING IT ALL TOGETHER. https://github.com/slyd0g/PrimaryTokenTheft
  26. ATTACKER USE CASE
     - Impersonate another user with running processes from interactive logon
       - Lateral movement
       - Domain escalation
       - Spawn processes as another user
     - Impersonate SYSTEM
       - Get all the privileges
  27. 3. IMPERSONATING SYSTEM. Getting all the privileges
  28. https://twitter.com/monoxgas/status/1109892490566336512
  29. STEALING A SYSTEM TOKEN
  30. 4. ALTERNATIVES TO WINLOGON.EXE. Do they exist? What security permissions allow this?
  31. METHODOLOGY: ask a question -> perform an experiment -> create a conclusion -> repeat
  32. METHODOLOGY (CONT.)
     1. Ask a question: do other processes like winlogon.exe exist?
     2. Perform an experiment: bruteforce list of SYSTEM processes
     3. Create a conclusion: ???
  33. Access denied during OpenProcess :(
  34. Access denied during OpenProcessToken :(
  35. Success! :)
  36. CREATE A CONCLUSION
     - Other SYSTEM processes can also have their access token stolen!
       - lsass.exe
       - OfficeClickToRun.exe
       - dllhost.exe
       - unsecapp.exe
     - Why does this work?
  37. REPEAT
     1. Ask a question: what security settings cause this behavior?
     2. Perform an experiment: compare winlogon.exe to “known good” processes
     3. Create a conclusion: ???
  38. https://twitter.com/monoxgas/status/1109892490566336512
  39. COMPARING SESSION ID
  40. ADVANCED SECURITY SETTINGS
  41. ADVANCED SECURITY SETTINGS
  42. ADVANCED SECURITY SETTINGS
  43. SECURITY DESCRIPTORS
  44. THE BREAKTHROUGH!
  45. THE BREAKTHROUGH!
  46. WHAT IS OWNER?
     - Owner field in Process Explorer refers to TokenOwner
     - Value from TOKEN_INFORMATION_CLASS
     - Enumerate with GetTokenInformation
  47. GET-TOKEN.PS1. PowerShell script to enumerate all Process and Thread tokens. Thanks vector-sec!
  48. UserName vs OwnerName
     - TOKEN_USER identifies the user associated with the access token
     - TOKEN_OWNER identifies the user who is the owner of any process created with the access token
     - This was the key distinction we were looking for!
  49. Get-Token | Where-Object { $_.UserName -eq 'NT AUTHORITY\SYSTEM' -and $_.OwnerName -ne 'NT AUTHORITY\SYSTEM' } | Select-Object ProcessName, ProcessID | Format-Table
  50. CREATE A CONCLUSION
     - Successful token theft
       - winlogon.exe
       - lsass.exe
       - dllhost.exe
       - unsecapp.exe
       - svchost.exe
       - ...
     - Unsuccessful token theft
       - csrss.exe
       - services.exe
       - smss.exe
       - wininit.exe
       - Memory Compression.exe
     - Why did these processes fail?
  51. REPEAT
     1. Ask a question: what security settings cause this behavior?
     2. Perform an experiment: look for a common property in the ‘problematic’ processes
     3. Create a conclusion: ???
  52. Taking a look at wininit.exe and csrss.exe
  53. OPENPROCESS ERRORS
  54. OPENPROCESS ERRORS
  55. PROTECTED
  56. https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
  57. Will this work? Only one way to find out!
  58. STEALING TOKEN FROM PPL PROCESS
  59. IMPORTANCE OF CHALLENGING ASSUMPTIONS. Documentation for OpenProcessToken and OpenProcess 😹
  60. CREATE A CONCLUSION
     - PROCESS_QUERY_INFORMATION
       - winlogon.exe
       - lsass.exe
       - dllhost.exe
       - unsecapp.exe
       - svchost.exe (some PIDs)
       - OfficeClickToRun.exe
       - Sysmon64.exe
       - VGAuthService.exe
       - vmacthlp.exe
       - vmtoolsd.exe
     - PROCESS_QUERY_LIMITED_INFORMATION
       - csrss.exe
       - services.exe
       - smss.exe
       - wininit.exe
       - Memory Compression.exe
  61. REFERENCES
     - https://posts.specterops.io/understanding-and-defending-against-access-token-theft-finding-alternatives-to-winlogon-exe-80696c8a73b
     - https://github.com/slyd0g/PrimaryTokenTheft
     - https://docs.microsoft.com/en-us/
     - https://ired.team/offensive-security/privilege-escalation/t1134-access-token-manipulation
     - https://twitter.com/monoxgas/status/1109892490566336512
     - https://gist.github.com/vector-sec/a049bf12da619d9af8f9c7dbd28d3b56
  62. THANK YOU
     - Big thanks to my coworkers Matt Graeber and Jared Atkinson for helping me dig into these topics as well as pushing me to look into some detections (which I unfortunately didn’t have time to cover here)
     - Thanks to Brian Reitz for the awesome THPS2 photoshop :D
     - Thank you HushCon.
     - Thank you for coming and listening!
  63. THANK YOU! Any questions? You can find me at: @slyd0g justin@specterops.io
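The chain on slide 7 (authentication -> logon session -> token -> process) and the logon types on slide 8 can be walked on a live host with the documented CIM classes Win32_LogonSession, Win32_LoggedOnUser and Win32_SessionProcess. The script below is an added example, not part of the deck or of the PrimaryTokenTheft project; the function name Get-LogonSessionAudit and the $LogonTypeInfo table are my own, and the CredsInLsass column simply encodes the classification slide 8 gives for types 2, 3 and 10. It is read-only and shows, per logon session, which processes inherited a copy of that session's token, which is why slide 12 says attackers care about interactive logons that still have processes attached.

```powershell
# Added example (not from the deck): logon session -> token -> process, via CIM.
# Read-only. Run from an elevated PowerShell prompt to see every session on the host.

# Logon types named on slide 8. Whether credentials sit in lsass.exe is the deck's
# classification of those types, reproduced here as data (assumption: nothing else).
$LogonTypeInfo = @{
    2  = @{ Name = 'Interactive (console, PsExec)'; CredsInLsass = $true  }
    3  = @{ Name = 'Network (WMI, WinRM)';          CredsInLsass = $false }
    10 = @{ Name = 'RemoteInteractive (RDP)';       CredsInLsass = $true  }
}

function Get-LogonSessionAudit {
    # One Win32_LogonSession per successful authentication (the "logon session" on slide 7).
    $sessions = Get-CimInstance -ClassName Win32_LogonSession
    # Association classes: which account owns a session, and which processes run under it.
    $users    = Get-CimInstance -ClassName Win32_LoggedOnUser
    $procs    = Get-CimInstance -ClassName Win32_SessionProcess

    foreach ($s in $sessions) {
        $u = $users | Where-Object { $_.Dependent.LogonId -eq $s.LogonId } | Select-Object -First 1
        $account = if ($u) { '{0}\{1}' -f $u.Antecedent.Domain, $u.Antecedent.Name } else { '(no account mapping)' }

        # Every process bound to this session received a copy of the session's token (slide 10).
        $sessionPids = @($procs | Where-Object { $_.Antecedent.LogonId -eq $s.LogonId } |
                         ForEach-Object { [int]$_.Dependent.Handle })

        $info         = $LogonTypeInfo[[int]$s.LogonType]
        $description  = if ($info) { $info.Name } else { 'Other (not one of the types on slide 8)' }
        $credsInLsass = if ($info) { $info.CredsInLsass } else { $null }

        [pscustomobject]@{
            LogonId      = $s.LogonId
            Account      = $account
            LogonType    = $s.LogonType
            Description  = $description
            CredsInLsass = $credsInLsass
            ProcessCount = $sessionPids.Count
            ProcessIds   = ($sessionPids | Sort-Object) -join ','
        }
    }
}

# Slide 12: the sessions of interest are interactive ones that still have processes attached,
# because each of those processes carries a token that can be opened and duplicated.
Get-LogonSessionAudit |
    Where-Object { $_.CredsInLsass -eq $true -and $_.ProcessCount -gt 0 } |
    Sort-Object LogonType, Account |
    Format-Table LogonId, Account, LogonType, Description, ProcessCount, ProcessIds -AutoSize
```

Sessions with no processes (ProcessCount 0) are logons whose processes have all exited; they are listed by Win32_LogonSession but expose no token to open. Drop the Where-Object filter to see network (type 3) and service sessions as well.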
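The comparison on slides 48 and 49 (TokenUser versus TokenOwner) and the finding on slide 60 (some processes can only be opened with PROCESS_QUERY_LIMITED_INFORMATION, yet OpenProcessToken still succeeds) can be reproduced with a read-only audit. The script below is an added example: it is neither the deck's Get-Token.ps1 nor code from PrimaryTokenTheft, and the namespace TokenAudit.Native and the function names Get-TokenSidName and Get-ProcessTokenAudit are my own. It requests only the two process query rights and TOKEN_QUERY, never TOKEN_DUPLICATE, so it reports which SYSTEM processes on a host carry a token whose owner is not SYSTEM and how each process had to be opened, without impersonating anything. Run it from an elevated prompt so that SYSTEM processes can be opened at all.

```powershell
# Added audit example (not the deck's Get-Token.ps1, not PrimaryTokenTheft code).
# Read-only: only PROCESS_QUERY_* and TOKEN_QUERY are requested, never TOKEN_DUPLICATE.
Add-Type -Namespace TokenAudit -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);

[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool OpenProcessToken(IntPtr ProcessHandle, uint DesiredAccess, out IntPtr TokenHandle);

[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetTokenInformation(IntPtr TokenHandle, int TokenInformationClass,
    IntPtr TokenInformation, uint TokenInformationLength, out uint ReturnLength);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@

# Access masks from the Win32 headers (slides 16 and 18) and the two
# TOKEN_INFORMATION_CLASS values that slide 48 contrasts.
[uint32]$PROCESS_QUERY_INFORMATION         = 0x0400
[uint32]$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
[uint32]$TOKEN_QUERY                       = 0x0008
[int]$TokenUser  = 1
[int]$TokenOwner = 4

function Get-TokenSidName {
    param([IntPtr]$Token, [int]$Class)
    [uint32]$len = 0
    # First call only sizes the buffer (it fails with ERROR_INSUFFICIENT_BUFFER by design).
    [void][TokenAudit.Native]::GetTokenInformation($Token, $Class, [IntPtr]::Zero, 0, [ref]$len)
    if ($len -eq 0) { return $null }
    $buf = [System.Runtime.InteropServices.Marshal]::AllocHGlobal([int]$len)
    try {
        if (-not [TokenAudit.Native]::GetTokenInformation($Token, $Class, $buf, $len, [ref]$len)) { return $null }
        # TOKEN_USER (a SID_AND_ATTRIBUTES) and TOKEN_OWNER both begin with a PSID pointer.
        $psid = [System.Runtime.InteropServices.Marshal]::ReadIntPtr($buf)
        $sid  = New-Object System.Security.Principal.SecurityIdentifier($psid)
        try { return $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { return $sid.Value }
    } finally {
        [System.Runtime.InteropServices.Marshal]::FreeHGlobal($buf)
    }
}

function Get-ProcessTokenAudit {
    foreach ($p in Get-Process) {
        # Slide 60: protected processes refuse PROCESS_QUERY_INFORMATION but still open
        # with PROCESS_QUERY_LIMITED_INFORMATION; record which of the two succeeded.
        $opened = 'PROCESS_QUERY_INFORMATION'
        $hProc = [TokenAudit.Native]::OpenProcess($PROCESS_QUERY_INFORMATION, $false, [uint32]$p.Id)
        if ($hProc -eq [IntPtr]::Zero) {
            $opened = 'PROCESS_QUERY_LIMITED_INFORMATION'
            $hProc = [TokenAudit.Native]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, [uint32]$p.Id)
        }
        if ($hProc -eq [IntPtr]::Zero) { continue }   # e.g. PID 0 and 4, or the process has exited

        $hTok = [IntPtr]::Zero
        $user = $null; $owner = $null; $tokenError = 0
        if ([TokenAudit.Native]::OpenProcessToken($hProc, $TOKEN_QUERY, [ref]$hTok)) {
            $user  = Get-TokenSidName -Token $hTok -Class $TokenUser
            $owner = Get-TokenSidName -Token $hTok -Class $TokenOwner
            [void][TokenAudit.Native]::CloseHandle($hTok)
        } else {
            # Win32 error from OpenProcessToken (5 = ERROR_ACCESS_DENIED), as on slide 34.
            $tokenError = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        }
        [void][TokenAudit.Native]::CloseHandle($hProc)

        [pscustomobject]@{
            ProcessName = $p.ProcessName
            ProcessId   = $p.Id
            OpenedWith  = $opened
            UserName    = $user
            OwnerName   = $owner
            TokenError  = $tokenError
        }
    }
}

# Slide 49's query, with an extra column showing which right the process was opened with.
Get-ProcessTokenAudit |
    Where-Object { $_.UserName -eq 'NT AUTHORITY\SYSTEM' -and $_.OwnerName -ne 'NT AUTHORITY\SYSTEM' } |
    Sort-Object OpenedWith, ProcessName |
    Format-Table ProcessName, ProcessId, OpenedWith, OwnerName -AutoSize
```

Rows whose OpenedWith is PROCESS_QUERY_LIMITED_INFORMATION but whose UserName and OwnerName are populated are the slide 59 case: the OpenProcessToken documentation asks for PROCESS_QUERY_INFORMATION, yet the limited right was enough to query the token. A non-zero TokenError with an empty UserName marks a process whose token could not be opened even for TOKEN_QUERY.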