Quick introduction to Windows Access Tokens for red team professionals
Learn about Windows Access Tokens and how they work.
You must have visited one of those places where you are issued a colored band at the entry and it is tied around your wrist. From that moment onward, until the time you exit, that band becomes part of your identity. Its presence on your wrist signifies that you are a paying patron of that place, its color may signify the privileges you are entitled to within that place, and there might be other indicators printed on the band to grant you additional authorizations.
Windows Access Tokens work in a similar manner. An access token is assigned to a process at the time of its creation and it stays with the process (and its threads) until the process exits or is terminated. The access token contains information about what that process can or cannot access and what kind of privileges it has on the system.
You can also think of an access token as a passport that contains information about a user and their permissions, allowing or restricting access to specific system resources.
Here’s the official definition of access tokens from Microsoft:
An access token is an object that describes the security context of a process or thread. The information in a token includes the identity and privileges of the user account associated with the process or thread.
The assignment of access tokens occurs during the Windows logon process. When a user logs in (via interactive, network, or service logon), the Winlogon.exe process interacts with the Local Security Authority Subsystem Service (LSASS) to verify credentials. Once authentication is successful, LSASS creates a logon session and generates an access token (primary token) for the user. This token is then assigned to the user session and all processes spawned under it. Any new processes inherit this token, ensuring that they run with the same security context. Additionally, when a service or process needs to operate on behalf of another user, it can request an impersonation token and temporarily switch its security context.
An access token contains several critical pieces of information, such as:
- The user’s Security Identifier (SID)
- Group memberships and their SIDs
- Privileges assigned to the user or their groups
- Logon session identifier
- Owner and primary group SID
- Default Discretionary Access Control List (DACL)
- Token type (Primary or Impersonation)
- Impersonation level (if applicable)
- Other security attributes
Whenever a process attempts to access a secured object like a file, registry key, or another process, Windows checks the token to decide if access should be granted.
There are two main types of access tokens, primary access tokens and impersonation access tokens. A primary token is assigned to a process when it is created and defines the security context under which that process runs. It cannot be changed once the process is created, except by explicitly starting a new process with a different token. On the other hand, impersonation tokens allow a thread to temporarily assume another user’s security context. These tokens are useful when a service needs to perform actions on behalf of a user. Impersonation tokens also have different impersonation levels—Anonymous, Identification, Impersonation, and Delegation—which define how much control the impersonating thread has. The main difference between primary and impersonation tokens is that a primary token applies to an entire process, while an impersonation token is assigned at the thread level and can be changed dynamically.
Windows also enforces security through token integrity levels, which help restrict the actions a process can perform. These integrity levels—Low, Medium, High, and System—are enforced by User Account Control (UAC) to prevent unauthorized privilege escalation. Low integrity tokens are assigned to untrusted processes, such as a web browser running in sandboxed mode. Medium integrity is the default for standard user processes, while high integrity applies to elevated administrative processes. The system integrity level is reserved for core OS components and services running under the SYSTEM account. A process’s integrity level can be checked using PowerShell or the Windows API.
Windows enforces different restrictions based on whether a token was created via Network Logon or Non-Network Logon. A network logon token, used in scenarios like Remote Desktop (RDP) or SMB connections, lacks interactive privileges and cannot be used for local administrative actions. In contrast, a non-network logon token, such as one generated by an interactive or service logon, retains full user privileges, including local admin rights. This distinction is important for security, as network logon tokens limit the potential impact of compromised credentials.
You can use a tool like Process Hacker or Process Explorer to view a process’s token information.
You can also use a tool like TokenDump to display a process’s token information.
Under the hood, all of these tools use the OpenProcess(), OpenProcessToken() and GetTokenInformation() Windows APIs to access a process’s token information. Gurkirat Singh (tbhaxor), developer of Token Dump, has published a detailed write-up of how Token Dump works behind the scenes.
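The following script is an added example (it is not from the post, nor from Token Dump) that reads a process’s token type, impersonation level, elevation state and integrity level through the same three Win32 calls named above, via P/Invoke from PowerShell. It assumes you save it as a .ps1 file and that the caller is allowed to open the target PID (it defaults to the current PowerShell process); the numeric constants are the documented Windows SDK values.

```powershell
# Added example (not from the original post): inspect a process's access token with the
# Win32 calls the post names. Assumes you may open the target PID; default is this shell.
param([int]$ProcessId = $PID)

Add-Type -Namespace Win32 -Name Token -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError=true)] public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
[DllImport("advapi32.dll", SetLastError=true)] public static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
[DllImport("advapi32.dll", SetLastError=true)] public static extern bool GetTokenInformation(IntPtr token, int cls, IntPtr buf, int len, out int needed);
[DllImport("advapi32.dll")] public static extern IntPtr GetSidSubAuthorityCount(IntPtr sid);
[DllImport("advapi32.dll")] public static extern IntPtr GetSidSubAuthority(IntPtr sid, int index);
[DllImport("kernel32.dll")] public static extern bool CloseHandle(IntPtr h);
'@
$M = [Runtime.InteropServices.Marshal]

# Query one TOKEN_INFORMATION_CLASS value into an unmanaged buffer (the caller frees it).
function Get-TokenInfo([IntPtr]$Token, [int]$Class) {
    $needed = 0
    [void][Win32.Token]::GetTokenInformation($Token, $Class, [IntPtr]::Zero, 0, [ref]$needed)  # size probe
    $buf = $M::AllocHGlobal($needed)
    if (-not [Win32.Token]::GetTokenInformation($Token, $Class, $buf, $needed, [ref]$needed)) {
        $M::FreeHGlobal($buf); throw "GetTokenInformation(class $Class) failed: $($M::GetLastWin32Error())"
    }
    return $buf
}

$hProc = [Win32.Token]::OpenProcess(0x1000, $false, $ProcessId)          # PROCESS_QUERY_LIMITED_INFORMATION
if ($hProc -eq [IntPtr]::Zero) { throw "OpenProcess($ProcessId) failed: $($M::GetLastWin32Error())" }
$hTok = [IntPtr]::Zero
if (-not [Win32.Token]::OpenProcessToken($hProc, 0x0008, [ref]$hTok)) {  # TOKEN_QUERY
    throw "OpenProcessToken failed: $($M::GetLastWin32Error())"
}

$p = Get-TokenInfo $hTok 8                                                # TokenType: 1 = primary, 2 = impersonation
$type = if ($M::ReadInt32($p) -eq 1) { 'Primary' } else { 'Impersonation' }; $M::FreeHGlobal($p)

$implevel = 'n/a (primary tokens carry no impersonation level)'
if ($type -eq 'Impersonation') {                                          # TokenImpersonationLevel is only valid here
    $p = Get-TokenInfo $hTok 9
    $implevel = @('Anonymous','Identification','Impersonation','Delegation')[$M::ReadInt32($p)]; $M::FreeHGlobal($p)
}

$p = Get-TokenInfo $hTok 20                                               # TokenElevation -> TOKEN_ELEVATION.TokenIsElevated
$elevated = $M::ReadInt32($p) -ne 0; $M::FreeHGlobal($p)

$p = Get-TokenInfo $hTok 25                                               # TokenIntegrityLevel -> TOKEN_MANDATORY_LABEL
$sid = $M::ReadIntPtr($p)                                                 # Label.Sid; the integrity RID is its last sub-authority
$last = $M::ReadByte([Win32.Token]::GetSidSubAuthorityCount($sid)) - 1
$rid = $M::ReadInt32([Win32.Token]::GetSidSubAuthority($sid, $last)); $M::FreeHGlobal($p)
$integrity = switch ($rid) { 0x1000 {'Low'} 0x2000 {'Medium'} 0x3000 {'High'} 0x4000 {'System'} default {'0x{0:X}' -f $rid} }

[void][Win32.Token]::CloseHandle($hTok); [void][Win32.Token]::CloseHandle($hProc)
[pscustomobject]@{ PID=$ProcessId; TokenType=$type; ImpersonationLevel=$implevel; Elevated=$elevated; IntegrityLevel=$integrity }
```

Run it once from a normal PowerShell window and once from an elevated one to see the same user’s Medium/High integrity levels and Elevated flag side by side; opening a SYSTEM process’s token from an unelevated shell fails at OpenProcessToken, which is the access check working as intended.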
Red Team Notes
- Windows Access Tokens define a user’s security context, controlling what they can and cannot do.
- Access tokens can be of two types, Primary and Impersonation.
- An impersonation access token can have one of the following impersonation levels -> Anonymous, Identification, Impersonation, and Delegation.
- Each token is protected by one of the following integrity levels -> Low, Medium, High, and System.
- A network logon token lacks interactive privileges and cannot be used for local administrative actions. In contrast, a non-network logon token retains full user privileges, including local admin rights.
- Token information can be accessed using tools like Process Hacker, Process Explorer, Token Dump. Under the hood all of these tools use OpenProcess(), OpenProcessToken() and GetTokenInformation() Windows APIs.
Follow my journey of 100 Days of Red Team on WhatsApp, Telegram or Discord.