Access Token Manipulation

Time
8 hours 28 minutes
Difficulty
Beginner
CEU/CPE
10
Video Transcription
00:00
Hello and welcome to another Application of the MITRE ATT&CK Framework discussion. Today we're going to be looking at access token manipulation. So let's go ahead and jump over to our objectives.
00:14
So today's objectives are as follows. We're going to describe access token manipulation,
00:22
we're going to look at how access token manipulation has been used, we're going to look at what some mitigation techniques are, and then we're going to look at some detection techniques as well. Now, before we jump into the definition of access token, just kind of be aware that we're talking about Windows-based
00:41
principles with respect to this token.
00:44
And we're not talking about things like session hijacking, or taking advantage of websites and things of that nature to maybe intercept a user's session token, or doing something of that nature. This is really based on the given definition when we're talking about it within the context of the MITRE ATT&CK framework.
01:03
So Windows uses tokens to determine ownership of a running process.
01:08
These access tokens can be manipulated to appear as though they belong to someone else. And so there are really three primary methods, okay, in which threat actors can take advantage of this. Those methods are: you've got token impersonation or theft, you've got the ability to create a process with the token,
01:29
and then make and impersonate
01:30
with respect to using the tokens. So
01:34
let's get into kind of the how of these methods. And in a short synopsis here, we're not going to get into detail with how this works and how you would go about manipulating these tokens or impersonating them.
01:49
And that's because, you know, the depth of this course is not for penetration testing purposes. It's really for awareness
01:55
and kind of understanding the threats that we're dealing with here. So, token impersonation or theft
02:05
is when a threat actor creates a new token that duplicates an existing one. And so commands such as DuplicateToken, ImpersonateLoggedOnUser, and SetThreadToken are just a few examples of how a threat actor could potentially use some techniques to impersonate
02:23
a service or something of that nature.
02:24
Create processes with a token: so a threat actor creates a process with the token, essentially impersonating the security context of the user. So if you're a domain administrator, then I can, you know, create a process using the token
02:39
that would impersonate you. And so that's why when we talk about least privilege and things of that nature,
02:45
we want to ensure that we're using what is absolutely necessary to achieve our day-to-day tasks, and typically checking email and doing things of that nature are not reserved for domain administrative accounts. Making impersonated tokens: so the threat actor uses the user's credentials to log in
03:04
and create a token that they can then assign to a thread, essentially. So the creation of impersonation tokens does not require access
03:13
to an administrative account. Take that in mind that, you know, you could have a standard user account that can do impersonations, and this could be a way that the threat actor could start to investigate a system or really stretch their legs with a user's account.
03:28
Which is why we would also want to think about things such as routine password policy changes, or, you know, password policies, there we go, that include routine password changes and things of that nature, so that if credentials are stolen and a threat actor doesn't immediately act on those credentials, there could be
03:46
a possibility that the, you know, user's account maybe isn't used or that this isn't happening on that account.
03:53
So let's talk about just a few brief mitigation techniques here. So we can limit user permissions to not allow token creation. So this could be done through local system accounts only. Using group policy, you can limit user rights to create and replace tokens,
04:10
and then we could limit user permissions to not allow for administrative account use in day-to-day tasks.
04:16
So, really, what we're talking about here is again just mitigating factors on tokens. If the token is stolen, or, I'm sorry, if the password on an account is stolen, as far as the credentials, then, you know, limiting the user's ability to do these things is one thing. But then having other controls in place
04:35
that would potentially mitigate the ability of the user
04:40
who has had their account compromised
04:43
to log in later. You know, as far as having that password reset or having it changed every 60, 90, 120 days, whatever the case may be, can help to mitigate some risk as well.
04:55
So as far as detection techniques, audit command line activity for token manipulation commands. And so remember, there are ways that we can actually pull
05:03
into our log ingestion system, or just if we're looking to just flat out generate log data on command line activity, we can look for instances of the runas command and enable any detailed logging functions. And so
05:20
sometimes these things aren't set up right out of the box, or they're not configured in a way to collect the appropriate syntax that you would need for doing, you know, some of those defensive activities, or to even get the types of commands you're looking for logged.
05:35
So just ensure that when you're setting up these types of functions to log these types of activities that you're going to collect the event IDs or
05:43
the syntax of those commands; it's going to help you to identify a risk. So with that in mind, let's go ahead and do a quick check on learning:
05:51
which of the following is not a common method for leveraging access tokens?
06:00
All right, so if you need additional time,
06:02
please take it now and pause the video. So I can tell you that we touched on each of these, so token impersonation is, um,
06:15
valid.
06:15
All right, so creating a process with the token is valid, and making and impersonating with a token is valid. Token interception
06:25
is actually not a common method for leveraging access tokens. And so for those of you that have had experience with, um, session hijacking, or you've watched maybe content on that, you may
06:38
have thought or interpreted that interception of that, or maybe like intercepting a session, but in this case we're just talking about those three methods within Windows.
06:46
And so token interception is not a common method for leveraging access tokens. So let's go ahead and step over to our summary. So we described access token manipulation and that there were really three primary types of that, and this is dealing with Windows tokens. We described how access token manipulation
07:05
has been used and can be used.
07:09
We described the mitigation techniques and we looked at some detection techniques as well. So remember, even though we didn't touch on it, least privilege always rings true here. Ensuring that users have
07:25
good hygiene as far as cybersecurity is concerned, and that those practices are being followed,
07:30
and they're limiting the ability of a threat actor to really steal their credentials, or, you know, maybe not falling victim to phishing and things of that nature. So that all plays a part in this and in protecting against token manipulation. So with that in mind, I want to thank you for your time today and I look forward to seeing you again soon.
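The detection advice in the lecture (log command-line activity, watch for runas, collect the event IDs) as an added example that is not part of the course material. It assumes Windows Security event 4688 ("A new process has been created") with command-line auditing enabled, whose EventData carries the creator account (SubjectUserName) and, when the new process runs under a different token, the target account (TargetUserName); the event records below are constructed sample data, not real logs.

```python
"""Flag token-manipulation indicators in Windows 4688 process-creation events."""
import re

# Token API names the lecture lists; seeing them on a command line usually means
# inline scripting or tooling rather than everyday use.
TOKEN_KEYWORDS = ("DuplicateToken", "ImpersonateLoggedOnUser", "SetThreadToken")
# runas as a bare command or a full path, e.g. C:\Windows\System32\runas.exe
RUNAS = re.compile(r"(^|[\\\s])runas(\.exe)?(\s|$)", re.IGNORECASE)


def classify(event):
    """Return the reasons a 4688 event deserves analyst attention (empty if none)."""
    reasons = []
    if event.get("EventID") != 4688:
        return reasons
    cmd = event.get("CommandLine", "")
    if RUNAS.search(cmd):
        reasons.append("runas invoked")
    hits = [k for k in TOKEN_KEYWORDS if k.lower() in cmd.lower()]
    if hits:
        reasons.append("token API name on command line: " + ",".join(hits))
    # 4688 fills TargetUserName ("-" otherwise) when the new process's token
    # belongs to an account other than the creator's: the "create process
    # with a token" case from the lecture.
    target = event.get("TargetUserName", "-")
    creator = event.get("SubjectUserName", "")
    if target not in ("-", "") and target.lower() != creator.lower():
        reasons.append(f"process token user {target} differs from creator {creator}")
    return reasons


def scan(events):
    """Map each flagged event's NewProcessId to its reasons."""
    return {e["NewProcessId"]: r for e in events if (r := classify(e))}


# Constructed sample events (assumed 4688 field names, not real logs).
SAMPLE_EVENTS = [
    {"EventID": 4688, "NewProcessId": "0x1a4", "SubjectUserName": "jdoe",
     "TargetUserName": "-", "CommandLine": "outlook.exe"},
    {"EventID": 4688, "NewProcessId": "0x2b0", "SubjectUserName": "jdoe",
     "TargetUserName": "svc_backup", "CommandLine": "runas /user:svc_backup cmd.exe"},
    {"EventID": 4688, "NewProcessId": "0x3c8", "SubjectUserName": "jdoe",
     "TargetUserName": "-", "CommandLine": "powershell.exe -c ...ImpersonateLoggedOnUser..."},
    {"EventID": 4624, "NewProcessId": "0x000", "SubjectUserName": "jdoe",
     "TargetUserName": "jdoe", "CommandLine": ""},
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```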
Application of the MITRE ATT&CK Framework

This MITRE ATT&CK training is designed to teach students how to apply the matrix to help mitigate current threats. Students will move through the 12 core areas of the framework to develop a thorough understanding of various access ATT&CK vectors.