Windows Security — Access Token
An access token is an object that represents the access rights, privileges and identity of a specific process or thread. The operating system uses the access token to identify the user when a thread interacts with a securable object (https://medium.com/@boutnaru/windows-securable-objects-311a9d6c83ad) or when it tries to perform a system task that requires some kind of privilege (https://learn.microsoft.com/en-us/windows/win32/secauthz/access-tokens).
When a user authenticates to a system, the Local Security Authority (LSA) creates an access token (to be accurate, it is the primary access token, as described in more detail later). It contains the SID of the user, the SIDs of all the groups the user belongs to, a list of privileges, the SID of the owner (user/group), the primary group (for POSIX subsystems), the default DACL, the source (the process that caused the token to be created: RPC, LAN Manager, Session Manager, etc.), the type (primary/impersonation), the impersonation level, restricting SIDs, the Terminal Services session ID (if relevant), the session reference, the SandBox inert flag, the audit policy and the origin, as shown in the diagram below (https://learn.microsoft.com/pt-pt/previous-versions/windows/server/cc783557(v=ws.10)).
Moreover, different Win32 API functions let us read and manipulate access tokens. For example, we can use “OpenProcessToken” (https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-openprocesstoken) or “OpenThreadToken” (https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-openthreadtoken) to get a handle to the access token of a process or thread. We can also use “DuplicateTokenEx” (https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-duplicatetokenex) to duplicate an access token (such as that of the current process) and “CreateProcessWithTokenW” (https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithtokenw) to create a new process that runs with a specified token.
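As an added example (not code from the original post), the following PowerShell script calls OpenProcessToken and GetTokenInformation through P/Invoke to read a few of the token fields listed above from the current process's primary token, then lists the user and group SIDs; it assumes it runs on Windows, and the Win32.Token class and Get-TokenDword helper are its own.

```powershell
# Added example, not code from the original post: inspect the primary token of
# the current process. Assumes Windows PowerShell 5.1+ / PowerShell 7 on Windows.
Add-Type -Namespace Win32 -Name Token -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool OpenProcessToken(IntPtr ProcessHandle, uint DesiredAccess, out IntPtr TokenHandle);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetTokenInformation(IntPtr TokenHandle, int TokenInformationClass, out int TokenInformation, int TokenInformationLength, out int ReturnLength);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@

# Helper (ours): read a 4-byte TOKEN_INFORMATION_CLASS value such as TokenType.
function Get-TokenDword([IntPtr]$Token, [int]$Class) {
    $value = 0; $len = 0
    if (-not [Win32.Token]::GetTokenInformation($Token, $Class, [ref]$value, 4, [ref]$len)) {
        throw "GetTokenInformation($Class) failed, error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    return $value
}

$TOKEN_QUERY = 0x0008                       # read-only access is enough here
$hToken = [IntPtr]::Zero
# IntPtr(-1) is the GetCurrentProcess() pseudo-handle; it needs no CloseHandle.
if (-not [Win32.Token]::OpenProcessToken([IntPtr]::new(-1), $TOKEN_QUERY, [ref]$hToken)) {
    throw "OpenProcessToken failed, error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
}
try {
    $type     = Get-TokenDword $hToken 8    # TokenType: 1 = primary, 2 = impersonation
    $session  = Get-TokenDword $hToken 12   # TokenSessionId (Terminal Services session)
    $elevType = Get-TokenDword $hToken 18   # TokenElevationType: 1 default, 2 full, 3 limited (UAC)
    $elevated = Get-TokenDword $hToken 20   # TokenElevation: non-zero when the token is elevated
} finally {
    [void][Win32.Token]::CloseHandle($hToken)
}

# WindowsIdentity wraps the same token and exposes the user and group SIDs.
$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
[pscustomobject]@{
    User          = "$($id.Name) ($($id.User.Value))"
    TokenType     = @{ 1 = 'Primary'; 2 = 'Impersonation' }[$type]
    Impersonation = $id.ImpersonationLevel
    SessionId     = $session
    ElevationType = @{ 1 = 'Default'; 2 = 'Full'; 3 = 'Limited' }[$elevType]
    IsElevated    = [bool]$elevated
    GroupCount    = $id.Groups.Count
} | Format-List
# Group SIDs, resolved to names where possible (logon-session SIDs do not resolve).
$id.Groups | ForEach-Object {
    try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { $_.Value }
}
```

Running the script from a normal and from an elevated PowerShell window shows the same user SID with a different ElevationType and IsElevated value, which is the UAC split-token behaviour in practice.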
Lastly, the kernel stores the access token as a “struct _TOKEN” (https://www.ired.team/miscellaneous-reversing-forensics/windows-kernel-internals/how-kernel-exploits-abuse-tokens-for-privilege-escalation). Also, I am going to elaborate on the different fields of an access token in future writeups.
See you next time ;-) You can also follow me on twitter — @boutnaru (https://twitter.com/boutnaru).