Hello and welcome to another Application of the MITRE ATT&CK Framework discussion. Today we're going to be looking at access token manipulation. So let's go ahead and jump over to our objectives.
So today's objectives are as follows. We're going to describe access token manipulation, we're going to look at how access token manipulation has been used, we're going to look at what some mitigation techniques are, and then we're going to look at some detection techniques as well. Now, before we jump into the definition of an access token, just be aware that we're talking about Windows-based principles with respect to this token.
We're not talking about things like session hijacking or taking advantage of websites and things of that nature to intercept a user's session token or something like that. This is really based on the given definition when we're talking about it within the context of the MITRE ATT&CK framework.
So Windows uses tokens to determine ownership of a running process.
These access tokens can be manipulated to appear as though they belong to someone else. And so there are really three primary methods, okay, in which threat actors can take advantage of this. Those methods are: token impersonation or theft, creating a process with the token,
and then make and impersonate token
with respect to using the tokens. So
let's get into the "how" methods. In a short synopsis here, we're not going to get into detail about how this works and how you would go about manipulating these tokens or impersonating them.
And that's because the depth of this course is not for penetration testing purposes. It's really for awareness
and understanding the threats that we're dealing with here. So, token impersonation or theft
is when a threat actor creates a new token that duplicates an existing one. And so Windows API calls such as DuplicateToken, ImpersonateLoggedOnUser and SetThreadToken are just a few examples of how a threat actor could potentially use some techniques to impersonate
a service or something of that nature.
Create process with token: so the threat actor creates a process with the token, essentially impersonating the security context of the user. So if you're a domain administrator, then I can create a process using the token
that would impersonate you. And so that's why, when we talk about least privilege and things of that nature,
we want to ensure that we're using only what is absolutely necessary to achieve our day-to-day tasks, and typically checking email and doing things of that nature are not reserved for domain administrative accounts. Make and impersonate token: so the threat actor uses the user's credentials to log in
and create a token that they can then assign to a thread, essentially. So the creation of impersonation tokens does not require access
to an administrative account. Keep in mind that you could have a standard user account that can conduct impersonations, and this could be a way that the threat actor could start to investigate a system or really stretch their legs with a user's account.
Which is why we would also want to think about things such as routine password policy changes, or rather password policies that include routine password changes and things of that nature, so that if credentials are stolen and a threat actor doesn't immediately act on those credentials, there could be
a possibility that the user's account can no longer be used or that this isn't happening on that account.
So let's talk about just a few brief mitigation techniques here. We can limit user permissions to not allow token creation. This could be done through local system accounts only, using group policy. You can limit user rights to create and replace tokens,
and then we could limit user permissions to not allow for administrative account use in day-to-day tasks.
So, really, what we're talking about here is again just mitigating factors on tokens. If the token is stolen, or I'm sorry, if the password on an account is stolen, as far as the credentials go, then limiting the user's ability to do these things is one thing. But then having other controls in place
that would potentially mitigate the ability of the user
who has had their account compromised
to log in later, you know, as far as having that password reset or having it changed every 60, 90, 120 days, whatever the case may be, can help to mitigate some risk as well.
So as far as detection techniques go: audit command line activity for token manipulation commands. And so remember, there are ways that we can actually pull
this into our log ingestion system, or, if we're just looking to flat out generate log data on command line activity, we can look for instances of the runas command and enable any detailed logging functions. And so
sometimes these things aren't set up right out of the box, or they're not configured in a way to collect the appropriate syntax that you would need for doing some of those defensive activities, or to even get the types of commands you're looking for logged.
So just ensure that when you're setting up these types of functions to log these types of activities, you're going to collect the event IDs or
the syntax of those commands; it's going to help you to identify a risk. So with that in mind, let's go ahead and do a quick check on learning.
Which of the following is not a common method for leveraging access tokens?
All right, so if you need additional time,
please take it now and pause the video. So I can tell you that we touched on each of these, so token impersonation is valid.
All right, so create a process with the token is valid, and make and impersonate with a token is valid. Token interception
is actually not a common method for leveraging access tokens. And so for those of you that have had experience with session hijacking, or you've watched maybe some content on that, you may
have thought or interpreted that as interception, maybe like intercepting a session. But in this case, we're just talking about those three methods within Windows.
And so token interception is not a common method for leveraging access tokens. So let's go ahead and step over to our summary. So we described access token manipulation, and that there are really three primary types of it, and this is dealing with Windows tokens. We described how access token manipulation
has been used and can be used.
We described the mitigation techniques and we looked at some detection techniques as well. So remember, even though we didn't dwell on it, least privilege always rings true here. Ensuring that users have
good hygiene as far as cybersecurity is concerned, and that those practices are being followed,
limits the ability of a threat actor to really steal their credentials, or, you know, maybe not falling victim to phishing and things of that nature. So that all plays a part in this and in protecting against token manipulation. So with that in mind, I want to thank you for your time today, and I look forward to seeing you again soon.
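The detection approach described in the lecture (auditing command line activity for runas and making sure the command line is actually being collected) as an added example that is not part of the course material: a small Python checker over constructed process-creation records shaped like the fields of Windows Security event 4688. The field names, sample accounts and values are assumptions for illustration. It flags runas invocations together with the account named after /user:, and separately reports records whose command line field is empty, which is the "not set up out of the box" gap the lecture warns about.

```python
import re
from dataclasses import dataclass

# Constructed sample records shaped like Windows Security event 4688
# (process creation) fields as a SIEM might export them. Not real logs.
SAMPLE_EVENTS = [
    {"EventID": 4688, "SubjectUserName": "alice",
     "NewProcessName": r"C:\Windows\System32\runas.exe",
     "CommandLine": 'runas /user:CORP\\da-admin "cmd.exe"'},
    {"EventID": 4688, "SubjectUserName": "bob",
     "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe report.txt"},
    {"EventID": 4688, "SubjectUserName": "carol",
     "NewProcessName": r"C:\Windows\System32\runas.exe",
     "CommandLine": ""},  # command line auditing not enabled on this host
    {"EventID": 4688, "SubjectUserName": "dave",
     "NewProcessName": r"C:\Windows\System32\runas.exe",
     "CommandLine": "runas /netonly /user:CORP\\svc-backup powershell.exe"},
    {"EventID": 4624, "SubjectUserName": "erin",
     "NewProcessName": "", "CommandLine": ""},  # logon event, ignored
]

# Match the runas image at the end of the path, case-insensitively.
RUNAS_RE = re.compile(r"(^|\\)runas(\.exe)?$", re.IGNORECASE)
# Pull the account passed with /user: so analysts see whose context was requested.
USER_RE = re.compile(r"/user:(\S+)", re.IGNORECASE)


@dataclass
class Finding:
    user: str      # account that launched the process (SubjectUserName)
    kind: str      # "runas" or "missing_cmdline"
    target: str    # account named after /user:, empty if none


def analyze(events):
    """Return findings for runas launches and for runas events lacking a command line."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4688:
            continue  # only process-creation events carry the command line
        if not RUNAS_RE.search(ev.get("NewProcessName", "")):
            continue
        cmd = ev.get("CommandLine", "")
        if not cmd:
            # Logging gap: the image is runas but the syntax was never collected.
            findings.append(Finding(ev["SubjectUserName"], "missing_cmdline", ""))
            continue
        m = USER_RE.search(cmd)
        findings.append(Finding(ev["SubjectUserName"], "runas", m.group(1) if m else ""))
    return findings
```

In a real pipeline the records would come from the SIEM export rather than the inline list, and the "missing_cmdline" findings are the ones to route to whoever owns the audit policy.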