Access Tokens - Enumerating Windows
17.4.1 - Access Tokens Overview
https://learn.microsoft.com/en-us/windows/win32/secauthz/access-tokens
Upon user authentication, Windows generates an access token and assigns it to the user. The token holds the data that defines the user's security context and is later consulted for authorisation checks. A token contains:
- The SID for the user's account
- SIDs for the groups the user is currently a member of
- A logon SID identifying the user's current logon session
- A list of privileges held by the user or the user's groups
- An owner SID
- Primary group SID
- The default DACL the system applies when the user creates a securable object
- Source of the access token
- Whether the token is a primary or an impersonation token
- An optional list of restricting SIDs
- Current impersonation levels
- Other statistics
When a user starts a process or thread, a token is assigned to that object. This token is called the primary token and defines the security context (and therefore the permissions) of the process or thread. A thread can additionally be assigned an impersonation token, which lets it run in a different security context from the process that owns it.
Retrieve tokens with the following Win32 APIs:
- OpenProcessToken()
- OpenThreadToken()
Show user/group SIDs and privileges (SeDebugPrivilege, SeImpersonatePrivilege, etc.)
whoami /all
List current token access privileges
Get-TokenInformation -TokenType TokenPrivileges
Mimikatz and probably some Metasploit info here
FullPowers
Probably cannot use this on OSCP but keep note of it.
This is a PoC tool for recovering the default privilege set of a service account including SeAssignPrimaryToken and SeImpersonate.
https://github.com/itm4n/FullPowers