Token Impersonation/Theft
9 syscalls implement this technique:
- NtOpenProcessToken
Opens the access token associated with a process and returns a handle to it.
- NtOpenProcessTokenEx
Opens the access token of a process and lets the caller specify handle attributes such as OBJ_INHERIT.
- NtAdjustPrivilegesToken
Enables or disables privileges in a specified access token.
- NtAdjustGroupsToken
Enables or disables groups (SIDs) in an access token, or resets group attributes to their default state.
- NtDuplicateToken
Creates a new access token that duplicates an existing token, optionally changing its type and impersonation level.
- NtImpersonateAnonymousToken
Assigns the well-known ANONYMOUS LOGON token to the specified thread.
- NtImpersonateThread
Causes the server thread to impersonate the security context of the client thread.
- NtAlpcImpersonateClientOfPort
The primary impersonation primitive for an ALPC server: assumes the security context of the client that sent a message.
- NtDuplicateObject
Duplicates a handle from a source process into a target process, optionally adjusting access or closing the source.