Access Token Manipulation
15 syscalls implement this technique
- NtOpenProcess
Opens a handle to an existing process with a requested access mask.
- NtOpenProcessToken
Opens the access token associated with a process and returns a handle to it.
- NtOpenProcessTokenEx
Opens the access token of a process and lets the caller specify handle attributes such as OBJ_INHERIT.
- NtAdjustPrivilegesToken
Enables or disables privileges in a specified access token.
- NtAdjustGroupsToken
Enables or disables groups (SIDs) in an access token, or resets group attributes to their default state.
- NtQueryInformationToken
Retrieves a specified class of information about an access token.
- NtSetInformationToken
Writes a property on an access token — integrity level, session id, owner, default DACL, audit policy, linked token.
- NtDuplicateToken
Creates a new access token that duplicates an existing token, optionally changing its type and impersonation level.
- NtFilterToken
Creates a restricted (filtered) copy of an existing access token by disabling SIDs, deleting privileges, or adding restricted SIDs.
- NtImpersonateAnonymousToken
Assigns the well-known ANONYMOUS LOGON token to the specified thread.
- NtImpersonateThread
Causes the server thread to impersonate the security context of the client thread.
- NtCreateLowBoxToken
Derives a LowBox (AppContainer) token from an existing token — sets the package SID and capability list that gate broker IPC access.
- NtAlpcOpenSenderProcess
Server-side helper that opens a handle to the process that sent a given ALPC message.
- NtAlpcOpenSenderThread
Server-side helper that opens a handle to the thread that sent a given ALPC message.
- NtOpenKeyEx
Extended variant of NtOpenKey accepting OpenOptions — required for symlink-following and backup-semantics opens.