Access Token Manipulation

Access token manipulation is a key technique by which attackers escalate privileges by tampering with a process's security context. It exploits design properties of the Windows authentication mechanism: by stealing, duplicating, or forging tokens, a malicious process gains access to resources beyond its original permissions. Traditional defenses rely mainly on process behaviour auditing (such as detecting anomalous parent-child process relationships), token integrity verification (validating token signatures and records of privilege changes), and the User Account Control (UAC) mechanism, identifying attacks by monitoring sensitive API calls (such as DuplicateTokenEx) and anomalous privilege-change events.

To evade these traditional detection mechanisms, attackers keep developing multi-dimensional stealth techniques. Through approaches such as dynamic context cloning, process-chain disguise, and cross-domain privilege bridging, they embed token manipulation deep within normal system operations. These newer techniques overcome the limits of static signature detection and build a dual stealth system of "privilege invisibility" and "behaviour blending".

The current evolution of stealth techniques for access token manipulation shows three main characteristics. First, operation timing is becoming dynamic: attackers adopt a just-in-time capture, on-demand cloning pattern of token use, avoiding the detection risk that comes with holding high-privilege credentials for long periods. Second, the use of system components is becoming parasitic: by hijacking the creation flow of trusted processes or injecting into core system services, token manipulation is tightly bound to legitimate system operations. Third, the attack chain is becoming distributed: the complete privilege-escalation process is broken into multiple low-privilege operations, and techniques such as process migration and cross-session injection separate the attack stages in time and space. By forging process inheritance relationships, mimicking legitimate privilege-change patterns, and exploiting blind spots in system auditing, these techniques evade security mechanisms based on single-point anomaly detection and force defenders to build cross-process, cross-session correlation analysis.

The development of stealth techniques puts traditional detection methods based on API monitoring and log auditing at risk of failure. Defenders need to strengthen deep detection capabilities such as in-memory behaviour analysis and token digital-fingerprint verification, while also strictly monitoring process lineage graphs and comparing kernel-level object state against user-mode audit logs in real time to identify covert token manipulation.

ID: T1134
Sub-techniques: T1134.001, T1134.002, T1134.003, T1134.004
Platforms: Windows
Permissions Required: Administrator, User
Effective Permissions: SYSTEM
Defense Bypassed: Heuristic Detection, Host Forensic Analysis, System Access Controls, Windows User Account Control
Contributors: Jared Atkinson, @jaredcatkinson; Robby Winchester, @robwinchester3; Tom Ueltschi, @c_APT_ure; Travis Smith, Tripwire
Version: 2.0
Created: 14 December 2017
Last Modified: 30 March 2023

Stealth Effects

Effect type    Present
Signature disguise
Behavioural transparency
Data obscuring
Spatiotemporal trace dilution

Signature disguise

Attackers forge the process inheritance chain and tamper with token metadata so that a malicious process appears in security logs to have been spawned by a trusted parent. For example, the attack process is disguised as a child of svchost.exe while the parent process ID in the process environment block is modified at the same time, so that detection systems based on process-tree analysis cannot identify the anomaly. This deep disguise gives malicious token operations the behavioural characteristics of a legitimate process.

Behavioural transparency

By using undocumented system APIs and kernel-level operations, the attacker's token cloning and injection bypass user-mode monitoring entirely. For example, directly modifying the token pointer in the kernel object manager means the privilege change does not trigger routine audit events, so defenders cannot perceive the anomalous switch of security context.

Spatiotemporal trace dilution

A staged attack strategy breaks the complete token manipulation process into multiple low-privilege operations and dilutes the attack signature through cross-session injection, intermittent privilege activation, and similar means. For example, token theft, process migration, and privilege activation are performed at different points in time, so that no single security event reflects the complete attack chain, which makes correlation analysis harder for defenders.

Procedure Examples

ID Name Description
S0622 AppleSeed

AppleSeed can gain system level privilege by passing SeDebugPrivilege to the AdjustTokenPrivilege API.[1]

S1068 BlackCat

BlackCat has the ability to modify access tokens.[2][3]

G0108 Blue Mockingbird

Blue Mockingbird has used JuicyPotato to abuse the SeImpersonate token privilege to escalate from web application pool accounts to NT Authority\SYSTEM.[4]

C0017 C0017

During C0017, APT41 used a ConfuserEx obfuscated BADPOTATO exploit to abuse named-pipe impersonation for local NT AUTHORITY\SYSTEM privilege escalation.[5]

S0625 Cuba

Cuba has used SeDebugPrivilege and AdjustTokenPrivileges to elevate privileges.[6]

S0038 Duqu

Duqu examines running system processes for tokens that have specific system privileges. If it finds one, it will copy the token and store it for later use. Eventually it will start new processes with the stored token attached. It can also steal tokens to acquire administrative privileges.[7]

S0363 Empire

Empire can use PowerSploit's Invoke-TokenManipulation to manipulate access tokens.[8]

G0037 FIN6

FIN6 has used Metasploit's named-pipe impersonation technique to escalate privileges.[9]

S0666 Gelsemium

Gelsemium can use token manipulation to bypass UAC on Windows 7 systems.[10]

S0697 HermeticWiper

HermeticWiper can use AdjustTokenPrivileges to grant itself privileges for debugging with SeDebugPrivilege, creating backups with SeBackupPrivilege, loading drivers with SeLoadDriverPrivilege, and shutting down a local system with SeShutdownPrivilege.[11][12]

S0203 Hydraq

Hydraq creates a backdoor through which remote attackers can adjust token privileges.[13]

S0607 KillDisk

KillDisk has attempted to get the access token of a process by calling OpenProcessToken. If KillDisk obtains the access token, it then attempts to modify the token privileges with AdjustTokenPrivileges.[14]

S1060 Mafalda

Mafalda can use AdjustTokenPrivileges() to elevate privileges.[15]

S0576 MegaCortex

MegaCortex can enable SeDebugPrivilege and adjust token privileges.[16]

S0378 PoshC2

PoshC2 can use Invoke-TokenManipulation for manipulating tokens.[17]

S0194 PowerSploit

PowerSploit's Invoke-TokenManipulation Exfiltration module can be used to manipulate tokens.[18][19]

S0446 Ryuk

Ryuk has attempted to adjust its token privileges to have the SeDebugPrivilege.[20]

S0633 Sliver

Sliver has the ability to manipulate user tokens on targeted Windows systems.[21][22]

S0058 SslMM

SslMM contains a feature to manipulate process privileges and tokens.[23]

S0562 SUNSPOT

SUNSPOT modified its security token to grant itself debugging privileges by adding SeDebugPrivilege.[24]

Mitigations

ID Mitigation Description
M1026 Privileged Account Management

Limit permissions so that users and user groups cannot create tokens. This setting should be defined for the local system account only. GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create a token object. [25] Also define who can create a process level token to only the local and network service through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Replace a process level token.[26]

Administrators should log in as a standard user but run their tools with administrator privileges using the built-in access token manipulation command runas.[27]
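As an added example (not part of the ATT&CK page), the following Python script audits the two user rights named in M1026 by parsing a security-template export as written by `secedit /export /cfg <file>` ([Privilege Rights] section, comma-separated `*SID` entries). It assumes the privilege constants SeCreateTokenPrivilege ("Create a token object") and SeAssignPrimaryTokenPrivilege ("Replace a process level token"); the sample templates are constructed.

```python
"""Audit a secedit-style template for the token-related user rights from M1026.
The WEAK/HARDENED templates below are constructed samples, not real exports."""
import configparser

# Privilege constants behind the two User Rights Assignment policies the mitigation names.
CREATE_TOKEN = "SeCreateTokenPrivilege"                # "Create a token object"
ASSIGN_PRIMARY_TOKEN = "SeAssignPrimaryTokenPrivilege"  # "Replace a process level token"
LOCAL_SYSTEM, LOCAL_SERVICE, NETWORK_SERVICE = "*S-1-5-18", "*S-1-5-19", "*S-1-5-20"


def parse_privilege_rights(inf_text):
    """Return {privilege_name: set(SID strings)} from the [Privilege Rights] section."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # privilege names are case-sensitive identifiers; keep them as-is
    cp.read_string(inf_text)
    section = cp["Privilege Rights"] if cp.has_section("Privilege Rights") else {}
    return {k: {s.strip() for s in v.split(",") if s.strip()} for k, v in section.items()}


def audit_token_rights(inf_text):
    """Return a list of findings; an empty list means both rights match the guidance."""
    rights = parse_privilege_rights(inf_text)
    findings = []
    # "Create a token object": nothing beyond the local system account may hold it.
    creators = rights.get(CREATE_TOKEN, set()) - {LOCAL_SYSTEM}
    if creators:
        findings.append(f"{CREATE_TOKEN} granted to {sorted(creators)}")
    # "Replace a process level token": only LOCAL SERVICE and NETWORK SERVICE.
    extra = rights.get(ASSIGN_PRIMARY_TOKEN, set()) - {LOCAL_SERVICE, NETWORK_SERVICE}
    if extra:
        findings.append(f"{ASSIGN_PRIMARY_TOKEN} granted beyond service accounts: {sorted(extra)}")
    return findings


# Constructed samples: Administrators (S-1-5-32-544) and Users (S-1-5-32-545) are over-granted.
WEAK = """[Unicode]
Unicode=yes
[Privilege Rights]
SeCreateTokenPrivilege = *S-1-5-32-544
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-545
"""
HARDENED = """[Privilege Rights]
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
"""

if __name__ == "__main__":
    for name, template in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_token_rights(template) or "OK")
```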

M1018 User Account Management

An adversary must already have administrator level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require.

Detection

ID Data Source Data Component Detects
DS0026 Active Directory Active Directory Object Modification

Monitor for changes made to AD settings that may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls.

DS0017 Command Command Execution

Monitor executed commands and arguments for token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command. Detailed command-line logging is not enabled by default in Windows.[28]

DS0009 Process OS API Execution

API calls made by a payload for token manipulation can be identified only through careful analysis of user network activity, examination of running processes, and correlation with other endpoint and network behavior. There are many Windows API calls a payload can take advantage of to manipulate access tokens (e.g., LogonUser [29], DuplicateTokenEx [30], and ImpersonateLoggedOnUser [31]). Please see the referenced Windows API pages for more information.

Process Creation

Monitor for executed processes that may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls.

Process Metadata

Query systems for process and thread token information and look for inconsistencies, such as a user-owned process impersonating the local SYSTEM account.[32] Look for inconsistencies between the various fields that store PPID information, such as the EventHeader ProcessId from data collected via Event Tracing for Windows (ETW), Creator Process ID/Name from Windows event logs, and the ProcessID and ParentProcessID (which are also produced by ETW and by other utilities such as Task Manager and Process Explorer). The ETW-provided EventHeader ProcessId identifies the actual parent process.
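As an added example (not from the ATT&CK page), the script below implements the two Process Metadata checks above, and also covers the parent-spoofing case from the Signature disguise section: it correlates the parent recorded in the event log with the ETW EventHeader ProcessId and flags user-owned processes whose threads carry a SYSTEM impersonation token. The record fields and sample data are constructed for illustration rather than a real ETW or event-log schema.

```python
"""Flag PPID and token inconsistencies across process records from two sources.
ProcRecord fields and the SAMPLE list are constructed; a real collector would fill
them from ETW process-start events and Security event log entries."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

LOCAL_SYSTEM = "NT AUTHORITY\\SYSTEM"


@dataclass
class ProcRecord:
    pid: int
    image: str
    owner: str                  # user of the process's primary token
    event_log_ppid: int         # "Creator Process ID" as the Security event log reports it
    etw_header_pid: int         # EventHeader.ProcessId of the ETW start event (the real creator)
    thread_impersonation: Optional[str] = None  # user of a thread's impersonation token, if any


def find_inconsistencies(records: List[ProcRecord]) -> List[Tuple[int, str]]:
    """Return (pid, reason) findings for every inconsistency found."""
    by_pid = {r.pid: r for r in records}
    findings = []
    for r in records:
        # Check 1: the logged parent differs from the creator ETW actually observed.
        if r.event_log_ppid != r.etw_header_pid:
            claimed = by_pid.get(r.event_log_ppid)
            actual = by_pid.get(r.etw_header_pid)
            findings.append((r.pid, "parent mismatch: event log says %s, ETW says %s" % (
                claimed.image if claimed else r.event_log_ppid,
                actual.image if actual else r.etw_header_pid)))
        # Check 2: a process not owned by SYSTEM has a thread impersonating SYSTEM.
        if r.thread_impersonation == LOCAL_SYSTEM and r.owner != LOCAL_SYSTEM:
            findings.append((r.pid, "%s owned by %s has a thread impersonating SYSTEM"
                             % (r.image, r.owner)))
    return findings


# Constructed sample: pid 1337 claims svchost.exe as parent but was created by explorer.exe
# and also holds a SYSTEM impersonation token while running as a normal user.
SAMPLE = [
    ProcRecord(804, "svchost.exe", LOCAL_SYSTEM, 612, 612),
    ProcRecord(1200, "explorer.exe", "CORP\\alice", 1100, 1100),
    ProcRecord(1337, "updater.exe", "CORP\\alice", 804, 1200, thread_impersonation=LOCAL_SYSTEM),
    ProcRecord(1400, "notepad.exe", "CORP\\alice", 1200, 1200),
]

if __name__ == "__main__":
    for pid, reason in find_inconsistencies(SAMPLE):
        print(pid, reason)
```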

DS0002 User Account User Account Metadata

Monitor contextual data about an account (which may include a username, user ID, environmental data, etc.) for signs that access tokens have been modified to operate under a different user or system security context in order to perform actions and bypass access controls.

References

  1. Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.
  2. Microsoft Defender Threat Intelligence. (2022, June 13). The many lives of BlackCat ransomware. Retrieved December 20, 2022.
  3. Brandt, Andrew. (2022, July 14). BlackCat ransomware attacks not merely a byproduct of bad luck. Retrieved December 20, 2022.
  4. Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020.
  5. Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022.
  6. Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021.
  7. Kaspersky Lab. (2015, June 11). The Duqu 2.0. Retrieved April 21, 2017.
  8. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  9. McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.
  10. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.
  11. Dani, M. (2022, March 1). Ukrainian Targets Hit by HermeticWiper, New Datawiper Malware. Retrieved March 25, 2022.
  12. Thomas, W. et al. (2022, February 25). CrowdStrike Falcon Protects from New Wiper Malware Used in Ukraine Cyberattacks. Retrieved March 25, 2022.
  13. Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018.
  14. Gilbert Sison, Rheniel Ramos, Jay Yaneza, Alfredo Oliveira. (2018, January 15). KillDisk Variant Hits Latin American Financial Groups. Retrieved January 12, 2021.
  15. SentinelLabs. (2022, September 22). Metador Technical Appendix. Retrieved April 4, 2023.
  16. Del Fierro, C. and Kessem, L. (2020, January 8). From Mega to Giga: Cross-Version Comparison of Top MegaCortex Modifications. Retrieved February 15, 2021.