Detecting Access Token Manipulation

Transcription

Detecting Access Token Manipulation
William Burgess, Security Research Engineer (@joehowwolf)

#whoami

Security researcher @ Elastic (formerly ENDGAME). Former security consultant at MWR. Interests include Windows internals and everything undocumented, reverse engineering, and development of endpoint protections. @joehowwolf

Objectives

Help defence practitioners understand:
- How access tokens work in Windows environments
- How attackers abuse legitimate Windows functionality to move laterally and compromise entire Active Directory domains
- Their capability to detect and respond to access token manipulation within their environment

Agenda
1. Windows Security Internals
2. How Attackers Abuse Access Tokens
3. Detecting Access Token Manipulation

Windows Security Internals: Logon Sessions and Access Tokens

Logon Sessions and Access Tokens (diagram)

ASTRO\cosmo presents the password p4ssw0rd!4 to LSA; LSA validates the credentials against the DC; an Interactive Logon Session for ASTRO\cosmo is created and an Access Token is returned to the user's session.

Logon Sessions and Access Tokens (diagram)

Interactive Logon Session for ASTRO\cosmo
    Logon Session: 00000000:01c7a354
    User: ASTRO\cosmo
    Logon Type: Interactive
    Session: 1

Access Token
    User: ASTRO\cosmo
    User SID: S-1-5-21-36.32-1106 (truncated in source)
    AuthID: 00000000:01c7a354
    Integrity: Medium

The token's AuthID is the ID of the logon session it belongs to.

Source: Programming Windows Security, Keith Brown (2000)

Logon Sessions and Access Tokens (diagram)

ASTRO\cosmo logs on with p4ssw0rd!4 into the interactive session (Winsta0). Every process started in that session carries its own primary access token.

Access check: a process opens file.txt with desired access READ ONLY; the kernel compares the process's primary access token against the file's security descriptor to decide whether to grant that access.

References: "Process Failure Modes", James Forshaw, https://www.youtube.com/watch?v=dB3seu4o24A; Chromium source, chromium.googlesource.com/chromium/src/ (path truncated in source).

Windows Security Internals: Network Authentication

Network Authentication

Network Authentication (diagram)

CLIENT: Interactive Logon Session for ASTRO\cosmo, with a primary access token and cached credentials. The client attempts to access a network resource, \\MISTAKENOT-DC-1, and authenticates over the network via Kerberos or NTLM using those cached credentials.

SERVER (\\MISTAKENOT-DC-1): a Network Logon Session for ASTRO\cosmo is created with NO CACHED CREDENTIALS, and the server process receives an Impersonation Access Token for the client.

(Reference URL truncated in source: .../powershell-and-token-impersonation/)

Impersonation

From the server's perspective, we now have a handle to a token, but how do we actually use it?

Access tokens provide an abstraction for developers to make "localized changes" to the security context without affecting other processes.* However, in multi-threaded applications, problems and difficult-to-debug race conditions may arise if different threads start enabling or disabling different privileges or modifying DACLs.

Impersonation allows a thread to switch to a different security context. By default, threads inherit the security context of the process's primary token; an impersonating thread carries its own impersonation token instead, and access checks for that thread use it.

*Programming Windows Security, Keith Brown (2000)

(diagram: a process with its primary access token shared by Thread2, Thread3 and Thread4; one thread switches to its own impersonation access token, e.g. to enable privileges, without affecting the others)

Network Authentication

1. The user is re-authenticated over the network (either NTLM or Kerberos).
2. A new network logon session for the user is created.
3. The server process is presented with an impersonation token which links back to the remote client's new logon session.
4. The server can use this token to impersonate the client to perform work on their behalf.
5. All subsequent access checks will use the remote client's access token.

Network Authentication

For most of Windows' communication protocols (RPC, DCOM, named pipes) this process is handled automatically. The server only needs to call the appropriate API in order to obtain a handle to the remote client's security context (i.e. its access token) and start impersonating the client via the corresponding impersonation functions (function names truncated in source).

Source: Programming Windows Security, Keith Brown (2000)

How Attackers Abuse Access Tokens (ATT&CK technique: T1134)

Initial Compromise

Situation: An attacker has obtained a foothold in a corporate network by phishing a business user. They have a shell in the context of the compromised user (who has no privileges across the domain), and any attempt to authenticate remotely will use the compromised user's credentials (which are no good!). The attacker must move laterally, but what can they do?

Token Manipulation: The 'Art of the Possible'

1. Steal the token of an already logged-on privileged user (non-network logon).
2. Create a new logon session with stolen credentials and impersonate the returned token / spawn a new process with it.
3. Change the cached credentials associated with their current access token to stolen credentials (e.g. legitimately via an API, or by directly modifying lsass memory).

/NETONLY

(Reference: "The Curious ... NETONLY", title and URL truncated in source: .../ows-access-tokens-and-alternate-credentials/)

/NETONLY

The Windows API provides the LogonUserA/W() functions to create a new logon session for a given user (or principal). Both are wrappers around LogonUserExExW() in SspiCli.dll. The documented signature:

    BOOL LogonUserA(
        LPCSTR  lpszUsername,
        LPCSTR  lpszDomain,
        LPCSTR  lpszPassword,
        DWORD   dwLogonType,       // LOGON32_LOGON_*
        DWORD   dwLogonProvider,
        PHANDLE phToken
    );

(Docs reference for LogonUserExExW truncated in source.)

/NETONLY

If you receive a primary token and wish to impersonate with SetThreadToken, you must first convert it to an impersonation token via DuplicateTokenEx (documented signature):

    BOOL DuplicateTokenEx(
        HANDLE                       hExistingToken,
        DWORD                        dwDesiredAccess,
        LPSECURITY_ATTRIBUTES        lpTokenAttributes,
        SECURITY_IMPERSONATION_LEVEL ImpersonationLevel,
        TOKEN_TYPE                   TokenType,        // TokenPrimary or TokenImpersonation
        PHANDLE                      phNewToken
    );

(Docs reference truncated in source: ...i-duplicatetokenex)

/NETONLY

If you receive an impersonation token you can use either SetThreadToken or ImpersonateLoggedOnUser to make the calling thread impersonate the security context of the logged-on user. Both are wrappers around the undocumented NtSetInformationThread in Ntdll.

    BOOL SetThreadToken(PHANDLE Thread, HANDLE Token);
    BOOL ImpersonateLoggedOnUser(HANDLE hToken);

(References truncated in source: ...personateloggedonuser; ...SetInformationThread.html)

/NETONLY

dwLogonType                             | Token returned | Cache credentials? | Returned token elevated? (if admin)
----------------------------------------|----------------|--------------------|------------------------------------
Interactive (LOGON32_LOGON_INTERACTIVE) | Primary        | Yes                | No (UAC applies)
Interactive (RID-500 / Local Admin)     | Primary        | Yes                | Yes
Network (LOGON32_LOGON_NETWORK)         | Impersonation  | No                 | Yes (all privs enabled)
Network (RID-500 / Local Admin)         | Impersonation  | No                 | Depends on remote UAC settings*

*See (reference truncated in source) for more.

/NETONLY

Interactive logon with the stolen credentials:

    LogonUserA("Administrator", "ASTRO", "x2yts68u!", LOGON32_LOGON_INTERACTIVE, ...);

versus a NewCredentials logon with the same credentials:

    LogonUserA("Administrator", "ASTRO", "x2yts68u!", LOGON32_LOGON_NEW_CREDENTIALS, ...);

/NETONLY (diagram)

Before: Interactive Logon Session for ASTRO\cosmo, with cached credentials for ASTRO\cosmo.

After LogonUser with LOGON32_LOGON_NEW_CREDENTIALS: a NewCredentials Logon Session, still for ASTRO\cosmo, but whose cached credentials are ASTRO\Administrator.

CLIENT then attempts to access a network resource, \\MISTAKENOT-DC-1, using the new access token. Network authentication via Kerberos or NTLM uses the cached ASTRO\Administrator credentials, so the SERVER creates a Network Logon Session for ASTRO\Administrator.

(Reference: Covenant, Data/Tasks/MakeToken.task#L17; URL truncated in source.)

CreateProcessWithLogonW

Can replicate the same behaviour with CreateProcessWithLogonW (the API behind runas /netonly) by passing LOGON_NETCREDENTIALS_ONLY in dwLogonFlags. The documented signature:

    BOOL CreateProcessWithLogonW(
        LPCWSTR               lpUsername,
        LPCWSTR               lpDomain,
        LPCWSTR               lpPassword,
        DWORD                 dwLogonFlags,        // LOGON_NETCREDENTIALS_ONLY
        LPCWSTR               lpApplicationName,
        LPWSTR                lpCommandLine,
        DWORD                 dwCreationFlags,
        LPVOID                lpEnvironment,
        LPCWSTR               lpCurrentDirectory,
        LPSTARTUPINFOW        lpStartupInfo,
        LPPROCESS_INFORMATION lpProcessInformation
    );

(Docs: .../api/winbase/nf-winbase-createprocesswithlogonw, URL truncated in source.)
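The token fields on the "Logon Sessions and Access Tokens" slide, the thread switch described under "Impersonation", and the LogonUser / LOGON32_LOGON_NEW_CREDENTIALS sequence above, put together as one added PowerShell example. This is editor-written code, not the talk's or Covenant's; it assumes Windows PowerShell 5.1 on a domain-joined host, and the TokenApi class, the Get-TokenStatistics and Describe-Token helper names, and the credential prompt are my own. Only documented advapi32/kernel32 functions are called.

```powershell
# Added example: read the slide's token fields (User, User SID, AuthID, type) for the
# current process token, create a NewCredentials logon with LogonUserW, compare, then
# impersonate it on the calling thread. Helper names are the editor's own.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class TokenApi {
    [StructLayout(LayoutKind.Sequential)] public struct LUID { public uint LowPart; public int HighPart; }
    [StructLayout(LayoutKind.Sequential)] public struct TOKEN_STATISTICS {
        public LUID TokenId; public LUID AuthenticationId; public long ExpirationTime;
        public int TokenType; public int ImpersonationLevel;
        public uint DynamicCharged; public uint DynamicAvailable;
        public uint GroupCount; public uint PrivilegeCount; public LUID ModifiedId;
    }
    public const int LOGON32_LOGON_INTERACTIVE     = 2;
    public const int LOGON32_LOGON_NETWORK         = 3;
    public const int LOGON32_LOGON_NEW_CREDENTIALS = 9;   // what runas /netonly uses
    public const int LOGON32_PROVIDER_WINNT50      = 3;   // the only provider NEW_CREDENTIALS accepts
    public const int TokenStatistics = 10;                 // TOKEN_INFORMATION_CLASS value
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool LogonUserW(string user, string domain, string password,
                                         int logonType, int provider, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool GetTokenInformation(IntPtr token, int infoClass, IntPtr buffer,
                                                  int bufferLength, out int returnLength);
    [DllImport("advapi32.dll", SetLastError = true)] public static extern bool ImpersonateLoggedOnUser(IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)] public static extern bool RevertToSelf();
    [DllImport("kernel32.dll", SetLastError = true)] public static extern bool CloseHandle(IntPtr handle);
}
"@

function Get-TokenStatistics([IntPtr]$Token) {
    $type = [TokenApi+TOKEN_STATISTICS]
    $size = [Runtime.InteropServices.Marshal]::SizeOf([type]$type)
    $buf  = [Runtime.InteropServices.Marshal]::AllocHGlobal($size)
    try {
        $len = 0
        if (-not [TokenApi]::GetTokenInformation($Token, [TokenApi]::TokenStatistics, $buf, $size, [ref]$len)) {
            throw "GetTokenInformation failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
        }
        [Runtime.InteropServices.Marshal]::PtrToStructure($buf, [type]$type)
    } finally { [Runtime.InteropServices.Marshal]::FreeHGlobal($buf) }
}

function Describe-Token([IntPtr]$Token, [string]$Label) {
    $id = New-Object Security.Principal.WindowsIdentity($Token)   # duplicates the handle for itself
    $s  = Get-TokenStatistics $Token
    [pscustomobject]@{
        Label   = $Label
        User    = $id.Name
        UserSid = $id.User.Value
        AuthId  = '{0:x8}:{1:x8}' -f $s.AuthenticationId.HighPart, $s.AuthenticationId.LowPart  # slide's AuthID format
        Type    = @{ 1 = 'Primary'; 2 = 'Impersonation' }[$s.TokenType]
    }
}

# 1. The interactive session's primary token, as on the slide.
$self = Describe-Token ([Security.Principal.WindowsIdentity]::GetCurrent().Token) 'process primary token'

# 2. The slide's LogonUserA("Administrator", "ASTRO", ...) call with LOGON32_LOGON_NEW_CREDENTIALS,
#    prompting for the credentials instead of embedding them.
$cred   = Get-Credential -Message 'Alternate credentials, e.g. ASTRO\Administrator'
$nc     = $cred.GetNetworkCredential()
$hToken = [IntPtr]::Zero
if (-not [TokenApi]::LogonUserW($nc.UserName, $nc.Domain, $nc.Password,
        [TokenApi]::LOGON32_LOGON_NEW_CREDENTIALS, [TokenApi]::LOGON32_PROVIDER_WINNT50, [ref]$hToken)) {
    throw "LogonUserW failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
}
$netonly = Describe-Token $hToken 'NEW_CREDENTIALS token'
# Expected: same User and UserSid as $self (the token is a clone of the caller's) but a new
# AuthId, i.e. a new logon session whose *network* credentials are the alternate account's.
$self, $netonly | Format-Table -AutoSize

# 3. Impersonate on the calling thread. ImpersonateLoggedOnUser accepts a primary token and
#    duplicates it internally; SetThreadToken would need an impersonation token from DuplicateTokenEx.
if (-not [TokenApi]::ImpersonateLoggedOnUser($hToken)) { throw 'ImpersonateLoggedOnUser failed' }
try {
    $thread = [Security.Principal.WindowsIdentity]::GetCurrent()   # thread token wins while impersonating
    "Thread token: $($thread.Name), impersonation level $($thread.ImpersonationLevel)"
} finally {
    [TokenApi]::RevertToSelf() | Out-Null
    [TokenApi]::CloseHandle($hToken) | Out-Null
}
```

Two caveats worth knowing when you run this. A NEW_CREDENTIALS logon does not verify the password locally: LogonUserW returns a token even for a wrong password, and the failure only surfaces when the new session first authenticates to a network resource, so a successful return is not proof that the credentials are valid. And the thread token applies only to the thread that called ImpersonateLoggedOnUser; cmdlets or .NET calls that run on another runspace or thread pool thread still use the process's primary token. On the defender's side the LogonUserW call leaves a Security event 4624 with LogonType 9 whose New Logon ID is the AuthId shown for the second token.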

/NETONLY DEMO

(Reference as on the /NETONLY slide, URL truncated in source: .../ows-access-tokens-and-alternate-credentials/)
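A defender-side check for the /NETONLY technique, added here as an editor-written example (not from the talk). It assumes "Audit Logon" success auditing is enabled so that the Security log carries 4624 and 4648 events; the Get-EventData and Find-NewCredentialsLogons names and the 5-second correlation window are my choices.

```powershell
# Added example (editor's own): surface NewCredentials logons from the Security log.
# Assumes "Audit Logon" success auditing is on; names and the 5-second window are the editor's.
function Get-EventData([System.Diagnostics.Eventing.Reader.EventRecord]$Event) {
    # Flatten <EventData><Data Name="X">value</Data>... into one object, keeping time and id.
    $xml = [xml]$Event.ToXml()
    $h = [ordered]@{ TimeCreated = $Event.TimeCreated; Id = $Event.Id }
    foreach ($d in $xml.Event.EventData.Data) { $h[$d.GetAttribute('Name')] = $d.InnerText }
    [pscustomobject]$h
}

function Find-NewCredentialsLogons([datetime]$Since = (Get-Date).AddDays(-1)) {
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4648; StartTime = $Since } `
                -ErrorAction SilentlyContinue | ForEach-Object { Get-EventData $_ }
    $explicit = @($events | Where-Object { $_.Id -eq 4648 })

    # 4624 with LogonType 9 = LOGON32_LOGON_NEW_CREDENTIALS. Its Subject and New Logon both name
    # the caller (the token is a clone of the caller's), so the alternate account has to come from
    # the 4648 "logon attempted using explicit credentials" event written by the same process.
    foreach ($logon in ($events | Where-Object { $_.Id -eq 4624 -and $_.LogonType -eq '9' })) {
        $match = $explicit | Where-Object {
            $_.ProcessId -eq $logon.ProcessId -and
            $_.SubjectLogonId -eq $logon.SubjectLogonId -and
            [math]::Abs(($_.TimeCreated - $logon.TimeCreated).TotalSeconds) -le 5
        } | Select-Object -First 1
        [pscustomobject]@{
            Time          = $logon.TimeCreated
            Caller        = '{0}\{1}' -f $logon.SubjectDomainName, $logon.SubjectUserName
            NewLogonId    = $logon.TargetLogonId      # AuthID of the new NewCredentials session
            AlternateUser = $(if ($match) { '{0}\{1}' -f $match.TargetDomainName, $match.TargetUserName }
                              else { '(no matching 4648)' })
            Process       = $logon.ProcessName
        }
    }
}

Find-NewCredentialsLogons | Format-Table -AutoSize
```

Every hit is a new logon session that will authenticate over the network as a different principal from the one that created it; legitimate runas /netonly use by administrators is the expected source of noise, so tune on Caller, AlternateUser and Process rather than suppressing LogonType 9 outright. The NewLogonId value is the same AuthID that klist reports for that session.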

Pass-The-Ticket: Taming the Three-Headed Dog

Pass-The-Ticket (diagram)

Before: Interactive Logon Session for ASTRO\cosmo with a primary access token (User: ASTRO\cosmo, User SID: S-1-5-21-36.32-1106, AuthID: 00000000:01c7a354) and, in its cached Kerberos credentials, a TGT for cosmo@ASTRO.

After: the same logon session and token, but the cached Kerberos credentials now hold a TGT for Administrator@ASTRO (submitted, for example, with Rubeus).

References: Kerberos (protocol), Wikipedia (URL truncated in source); https://github.com/GhostPack/Rubeus

Pass-The-Ticket

Tickets are submitted to the Kerberos authentication package through the LSA: connect, look up the package, then call it. The documented signatures:

    NTSTATUS LsaConnectUntrusted(PHANDLE LsaHandle);

    NTSTATUS LsaLookupAuthenticationPackage(
        HANDLE      LsaHandle,
        PLSA_STRING PackageName,           // MICROSOFT_KERBEROS_NAME_A
        PULONG      AuthenticationPackage
    );

(Docs reference truncated in source: ...i/nf-ntsecapi-lsalookupauthenticationpackage)

    NTSTATUS LsaCallAuthenticationPackage(
        HANDLE    LsaHandle,
        ULONG     AuthenticationPackage,
        PVOID     ProtocolSubmitBuffer,     // a KERB_SUBMIT_TKT_REQUEST followed by the KRB-CRED
        ULONG     SubmitBufferLength,
        PVOID     *ProtocolReturnBuffer,
        PULONG    ReturnBufferLength,
        PNTSTATUS ProtocolStatus
    );

(Reference: mimikatz, modules/kerberos/kuhl_m_kerberos.c#L54; commit hash truncated in source to "...2ffa")

Pass-The-Ticket: KerbSubmitTicketMessage

    typedef struct _KERB_SUBMIT_TKT_REQUEST {
        KERB_PROTOCOL_MESSAGE_TYPE MessageType;    // KerbSubmitTicketMessage
        LUID                       LogonId;        // target logon session; zero means the caller's own
        ULONG                      Flags;
        KERB_CRYPTO_KEY32          Key;
        ULONG                      KerbCredSize;
        ULONG                      KerbCredOffset;
    } KERB_SUBMIT_TKT_REQUEST, *PKERB_SUBMIT_TKT_REQUEST;
