| property | value |
|---|---|
| tags | offensive-tradecraft,privilege-escalation,process-injection,threat-hunting,token-compromise |
| url | |
| original_word_count | 1705 |
Article Excerpt
Hey Guyz! I am writing this blog with respect to my recent project TokenStealer, which can help to steal the access token of a user when an attacker has local Administrator privileges.
Long Summary
TokenStealer is a project that allows an attacker who already holds local Administrator privileges to steal another user's access token. SeDebugPrivilege is a dangerous privilege that lets a user debug processes owned by other users; it can be enabled by choosing "Run As Administrator" when starting cmd.exe. The GetTokenInformation API is used to check the Integrity Level of the current process token, and the AdjustTokenPrivileges API is used to enable SeDebugPrivilege in the user's token. A process belonging to the target user is located, and the OpenProcessToken API returns a handle to that process's access token. The DuplicateTokenEx API then produces a copy of the target user's token, and the CreateProcessWithTokenW API launches a new process (in this case cmd.exe) under that token. The article walks through the TokenStealer code and each of these Windows APIs, showing how they are used to enable SeDebugPrivilege and steal a user's access token, and explains what SeDebugPrivilege is and how threat actors abuse it. It is a useful reference for security professionals and anyone who wants to understand the code and Windows APIs used in the TokenStealer project.
Short Summary
Blog
- TokenStealer allows an attacker with local Administrator privileges to steal a user's access token.
- SeDebugPrivilege enables debugging of processes owned by other users.
- GetTokenInformation checks the Integrity Level of the current process token.
- AdjustTokenPrivileges enables SeDebugPrivilege in the user's token.
- OpenProcessToken obtains a handle to the access token of the target process.
- DuplicateTokenEx produces a copy of the target user's token.
- CreateProcessWithTokenW creates a process with the stolen access token.
- The article explains the code and Windows APIs used in the TokenStealer project.
- It explains how SeDebugPrivilege can be abused by threat actors.
- It is a resource for understanding the code and Windows APIs in the TokenStealer project.
Source link: http://divyanshudiwakar.com/index.php/writing-your-own-token-stealer/
Summarized content: https://hut.threathunterz.com/battlefield-intel/articles-and-reports/blog
#TokenStealer #AccessTokenTheft #SeDebugPrivilege #WindowsAPI #Security