篡改访问令牌

Windows使用访问令牌来确定正在运行的进程的所有权。用户可以操纵访问令牌以使正在运行的进程看起来像它属于启动该进程的用户以外的其他人。发生这种情况时，该过程还将采用与新令牌关联的安全性上下文。例如，Microsoft提倡使用访问令牌作为安全性最佳实践。管理员应以标准用户身份登录，但使用内置访问令牌操作命令以管理员权限运行其工具runas。

攻击者可以使用访问令牌在不同的用户或系统安全性上下文下进行操作，以执行操作并逃避检测。攻击者可以使用内置的Windows API函数来复制现有进程中的访问令牌。这被称为令牌窃取。对手必须已经在特权用户上下文（即管理员）中才能窃取令牌。但是，攻击者通常使用令牌窃取将其安全上下文从管理员级别提升到SYSTEM级别。如果帐户对远程系统具有适当的权限，则对手可以使用令牌作为该令牌的帐户向远程系统进行身份验证。

攻击者可以通过以下三种方法来利用访问令牌：

Access Token Manipulation

Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token. For example, Microsoft promotes the use of access tokens as a security best practice. Administrators should log in as a standard user but run their tools with administrator privileges using the built-in access token manipulation command runas.[1]

Adversaries may use access tokens to operate under a different user or system security context to perform actions and evade detection. An adversary can use built-in Windows API functions to copy access tokens from existing processes; this is known as token stealing. An adversary must already be in a privileged user context (i.e. administrator) to steal a token. However, adversaries commonly use token stealing to elevate their security context from the administrator level to the SYSTEM level. An adversary can use a token to authenticate to a remote system as the account for that token if the account has appropriate permissions on the remote system.

Access tokens can be leveraged by adversaries through three methods:

令牌模拟/盗窃 -对手创建一个新的访问令牌，该令牌使用来复制现有令牌DuplicateToken(Ex)。然后可以将该令牌用于ImpersonateLoggedOnUser允许调用线程模拟已登录用户的安全上下文，或者SetThreadToken用于将模拟令牌分配给线程。当目标用户在系统上具有非网络登录会话时，这很有用。

Token Impersonation/Theft - An adversary creates a new access token that duplicates an existing token using DuplicateToken(Ex). The token can then be used with ImpersonateLoggedOnUser to allow the calling thread to impersonate a logged on user's security context, or with SetThreadToken to assign the impersonated token to a thread. This is useful for when the target user has a non-network logon session on the system.

使用令牌创建流程 -对手DuplicateToken(Ex)使用CreateProcessWithTokenW来创建新的访问令牌，并将其用于创建在模拟用户的安全上下文下运行的新流程。这对于在其他用户的安全上下文下创建新流程很有用。

Create Process with a Token - An adversary creates a new access token with DuplicateToken(Ex) and uses it with CreateProcessWithTokenW to create a new process running under the security context of the impersonated user. This is useful for creating a new process under the security context of a different user.

制作和模拟令牌 -对手具有用户名和密码，但用户未登录到系统。然后，对手可以使用该LogonUser功能为用户创建登录会话。该函数将返回新会话的访问令牌的副本，并且对手可以SetThreadToken用来将令牌分配给线程。

任何标准用户都可以使用runas命令和Windows API函数来创建模拟令牌。它不需要访问管理员帐户。

Metasploit的Meterpreter有效负载允许任意令牌操作，并使用令牌模拟来提升特权。Cobalt Strike信标有效载荷允许模拟任意令牌，也可以创建令牌。

Make and Impersonate Token - An adversary has a username and password but the user is not logged onto the system. The adversary can then create a logon session for the user using the LogonUser function. The function will return a copy of the new session's access token and the adversary can use SetThreadToken to assign the token to a thread.

Any standard user can use the runas command, and the Windows API functions, to create impersonation tokens; it does not require access to an administrator account.

Metasploit’s Meterpreter payload allows arbitrary token manipulation and uses token impersonation to escalate privileges. The Cobalt Strike beacon payload allows arbitrary token impersonation and can also create token

标签

ID编号： T1134

策略： 绕过防御，提权

平台： Windows

所需权限：user，administrator

有效权限： SYSTEM

数据源： API监测，访问令牌，进程监测，命令行参数

CAPEC ID： CAPEC-633

缓解措施

减轻	描述
特权账户管理 (M1026)	限制权限，以便用户和用户组无法创建令牌。仅应为本地系统帐户定义此设置。GPO：计算机配置> [策略]> Windows设置>安全设置>本地策略>用户权限分配：创建令牌对象。还定义谁可以通过GPO为本地和网络服务创建进程级别令牌：计算机配置> [策略]> Windows设置>安全设置>本地策略>用户权限分配：替换进程级别令牌。
用户帐号管理 (M1018)	对手必须已经在本地系统上具有管理员级别的访问权限，才能充分利用此技术。确保将用户和帐户限制为所需的最少特权。

Mitigation	Description
Privileged Account Management (M1026)	Limit permissions so that users and user groups cannot create tokens. This setting should be defined for the local system account only. GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create a token object. Also define who can create a process level token to only the local and network service through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Replace a process level token.
User Account Management (M1018)	An adversary must already have administrator level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require.

检测

如果对手使用的是标准命令行shell，则分析人员可以通过审核命令行活动来检测令牌操纵。具体地说，分析人员应寻找该runas命令的使用。Windows默认情况下不启用详细的命令行日志记录。

如果对手使用直接调用Windows令牌API的有效负载，则分析人员只能通过仔细分析用户网络活动，检查运行的进程以及与其他端点和网络行为的关联来检测令牌操纵。

有效负载可以利用许多Windows API调用来操纵访问令牌（例如LogonUser [，DuplicateTokenEx和ImpersonateLoggedOnUser）。请参阅参考的Windows API页面以获取更多信息。

查询系统以获取进程和线程令牌信息，并查找不一致之处，例如用户拥有模拟本地SYSTEM帐户的进程。

If an adversary is using a standard command-line shell, analysts can detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command. Detailed command-line logging is not enabled by default in Windows.

If an adversary is using a payload that calls the Windows token APIs directly, analysts can detect token manipulation only through careful analysis of user network activity, examination of running processes, and correlation with other endpoint and network behavior.

There are many Windows API calls a payload can take advantage of to manipulate access tokens (e.g., LogonUser, DuplicateTokenEx[, and ImpersonateLoggedOnUser). Please see the referenced Windows API pages for more information.

Query systems for process and thread token information and look for inconsistencies such as user owns processes impersonating the local SYSTEM account.