Access Tokens

Access tokens are created by the kernel when a user authenticates. An access token stores the user's integrity level (low, medium, high, or system), privileges, and other security attributes inside the Windows kernel.

A default Windows local Administrator account has two access tokens. The first operates as a standard user at medium integrity; the second is used occasionally to "Run as Administrator" at high integrity. When the admin wants to use the high-integrity token, they are prompted by the User Account Control (UAC) consent mechanism.

Abuse

SeImpersonatePrivilege allows an attacker to impersonate any token on the system. Three accounts (Network Service, Local Service, and the IIS account) typically hold this privilege by default. This is frequently used as a method for escalating privileges on a domain.

For instance, after escalating to Admin it is currently trivial to escalate to SYSTEM using the print_spool technique. Once SYSTEM has been obtained, if a domain admin or other privileged user has an active connection to the host, it is possible to use Meterpreter's incognito module to hijack their token and run commands with their elevated domain credentials.

meterpreter > load incognito
meterpreter > list_tokens -u   ## -u lists tokens by unique username (-g by unique group)
meterpreter > impersonate_token DOMAIN\\domain_admin   ## argument takes the form DOMAIN\\user
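To see the token concepts above on a live host, the following PowerShell script (an added example, not part of the original notes) reports the integrity level, UAC elevation state and SeImpersonatePrivilege status of the token the current session runs under. It assumes Windows with the built-in whoami.exe producing English column headers; the SID-to-integrity mapping is the documented set of mandatory label SIDs.

```powershell
# Added example: inspect the access token of the current PowerShell session.
# Assumes Windows with whoami.exe and English (unlocalized) CSV headers.

# Mandatory label SIDs mapped to the integrity names used in the notes.
$IntegrityBySid = @{
    'S-1-16-4096'  = 'Low'
    'S-1-16-8192'  = 'Medium'
    'S-1-16-8448'  = 'Medium Plus'
    'S-1-16-12288' = 'High'
    'S-1-16-16384' = 'System'
}

function Get-TokenSummary {
    # The group list carries one "Mandatory Label" row whose SID encodes the integrity level.
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $label  = $groups | Where-Object { $_.SID -like 'S-1-16-*' } | Select-Object -First 1
    $integrity = 'Unknown'
    if ($label -and $IntegrityBySid.ContainsKey($label.SID)) {
        $integrity = $IntegrityBySid[$label.SID]
    }

    # Privilege rows have columns "Privilege Name", "Description", "State" (Enabled/Disabled).
    $privs = whoami /priv /fo csv | ConvertFrom-Csv
    $impersonate = $privs | Where-Object { $_.'Privilege Name' -eq 'SeImpersonatePrivilege' }

    # Elevated half of a UAC split token: the Administrators group is active in the token.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    [pscustomobject]@{
        User               = $identity.Name
        IntegrityLevel     = $integrity
        RunningElevated    = $elevated
        HasSeImpersonate   = [bool]$impersonate
        SeImpersonateState = if ($impersonate) { $impersonate.State } else { 'Not held' }
        PrivilegeCount     = @($privs).Count
    }
}

$summary = Get-TokenSummary
$summary | Format-List

# Defender check: a non-elevated token that still holds SeImpersonatePrivilege is
# exactly the precondition the notes describe for service-account escalation.
if ($summary.HasSeImpersonate -and -not $summary.RunningElevated) {
    Write-Warning "Non-elevated token holds SeImpersonatePrivilege ($($summary.SeImpersonateState))."
}
```

Run it once from a normal prompt and once from an elevated one on the same admin account to see the two halves of the split token (Medium vs High integrity) side by side.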
