ntoskrnl.exeT1134T1134.001T1106

NtImpersonateAnonymousToken

Assigns the well-known ANONYMOUS LOGON token to the specified thread.

Prototype

NTSTATUS NtImpersonateAnonymousToken(
  HANDLE ThreadHandle
);

Arguments

Name	Type	Dir	Description
ThreadHandle	HANDLE	in	Handle to the thread that will impersonate the anonymous logon SID. Must have THREAD_IMPERSONATE access.

Syscall IDs by Windows version

Windows version	Syscall ID	Build
Win10 1507	0xED	win10-1507
Win10 1607	0xF0	win10-1607
Win10 1703	0xF3	win10-1703
Win10 1709	0xF4	win10-1709
Win10 1803	0xF5	win10-1803
Win10 1809	0xF6	win10-1809
Win10 1903	0xF7	win10-1903
Win10 1909	0xF7	win10-1909
Win10 2004	0xFC	win10-2004
Win10 20H2	0xFC	win10-20h2
Win10 21H1	0xFC	win10-21h1
Win10 21H2	0xFD	win10-21h2
Win10 22H2	0xFD	win10-22h2
Win11 21H2	0x102	win11-21h2
Win11 22H2	0x103	win11-22h2
Win11 23H2	0x103	win11-23h2
Win11 24H2	0x105	win11-24h2
Server 2016	0xF0	winserver-2016
Server 2019	0xF6	winserver-2019
Server 2022	0x101	winserver-2022
Server 2025	0x105	winserver-2025

Kernel module

ntoskrnl.exe → NtImpersonateAnonymousToken

Related APIs

ImpersonateAnonymousTokenRevertToSelfNtImpersonateThreadNtSetInformationThreadNtDuplicateToken

Syscall stub

4C 8B D1            mov r10, rcx
B8 05 01 00 00      mov eax, 0x105
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03               jne short +3
0F 05               syscall
C3                  ret
CD 2E               int 2Eh
C3                  ret

Undocumented notes

NtImpersonateAnonymousToken is the kernel primitive behind `advapi32!ImpersonateAnonymousToken`. It is one of only two ways a thread can adopt an identity *other than its process's primary token* without first calling NtDuplicateToken (the other being NtImpersonateThread). The SSN drifts every couple of builds — `0xED` on Windows 10 1507, `0x105` on Windows 11 24H2 — because the system service table grew with every feature release. Note that since Windows XP SP2 / Server 2003, the `Everyone` SID is **not** included in the anonymous token by default (registry value `EveryoneIncludesAnonymous` controls this); the impersonation therefore yields a genuinely deprivileged context.

Common malware usage

Used defensively far more than offensively — implants invoke it to *drop* privilege temporarily, e.g. to test access checks from an unauthenticated perspective before deciding whether to launch a privilege-escalation primitive. Offensively, it appears in a handful of niche EoP exploits that abuse named-pipe impersonation: a service writes to a named pipe under impersonation, the malicious client downgrades to anonymous mid-conversation to force the service into a confused-deputy state. Some Potato-family POCs (notably early SweetPotato and HotPotato builds) used anonymous impersonation as a stepping stone before negotiating NTLM relay back to SYSTEM. Rarely seen in commodity malware.

SweetPotato (tooling)HotPotato (tooling)RottenPotato (tooling)Custom EoP PoCs

Detection opportunities

Calls to NtImpersonateAnonymousToken from anything other than RPC/service code or sandboxed processes (Chromium renderers, AppContainer) are highly anomalous and worth a high-severity alert. Windows Security Event **4624 with Logon Type 3** and `Account Name: ANONYMOUS LOGON` records the resulting impersonation. The ETW provider `Microsoft-Windows-Security-Auditing` covers it via the SubcategoryID Account Logon / Logon Events. Because the SID is well-known (S-1-5-7), simple SACL on sensitive objects against ANONYMOUS LOGON yields high-fidelity events. EDRs commonly hook the ntdll thunk, but very few engines treat this call as suspicious by default — a useful custom detection.

Direct syscall examples

asmx64 direct stub (Win11 24H2)

; NOTE: SSN drifts every build — resolve dynamically in production.
NtImpersonateAnonymousToken PROC
    mov  r10, rcx          ; ThreadHandle
    mov  eax, 105h         ; SSN on Win11 24H2
    syscall
    ret
NtImpersonateAnonymousToken ENDP

cDrop to anonymous for an access-check test

// Adopt ANONYMOUS LOGON on the current thread to verify that a target
// resource is genuinely unauthenticated-reachable (e.g. SMB null session).
NTSTATUS s = NtImpersonateAnonymousToken(NtCurrentThread());
if (NT_SUCCESS(s)) {
    // The thread is now ANONYMOUS LOGON (S-1-5-7).
    // Any subsequent NtOpenFile / NtOpenKey runs as that identity.
    DoAccessProbe();
    // Revert before doing anything else.
    NtSetInformationThread(NtCurrentThread(),
                           ThreadImpersonationToken,
                           &(HANDLE){NULL}, sizeof(HANDLE));
}

rustHalo's Gate-style dynamic SSN resolve for unstable syscall

// SSN of NtImpersonateAnonymousToken changes every build — resolve at runtime.
// Halo's Gate falls back to neighbour scanning when ntdll is hooked.
use std::arch::asm;
use std::ffi::CString;
use windows_sys::Win32::System::LibraryLoader::{GetModuleHandleA, GetProcAddress};

unsafe fn ssn_halos_gate(name: &str) -> u32 {
    let ntdll = GetModuleHandleA(b"ntdll.dll\0".as_ptr());
    let c = CString::new(name).unwrap();
    let p = GetProcAddress(ntdll, c.as_ptr() as *const u8) as *const u8;
    if *p == 0x4C && *p.add(3) == 0xB8 {
        // Clean stub: mov r10,rcx ; mov eax,SSN ; ...
        return (*p.add(4) as u32) | ((*p.add(5) as u32) << 8);
    }
    // Hooked: walk neighbours +/- N functions, SSN difference == stub distance/32.
    for n in 1..512u32 {
        for dir in [1i32, -1] {
            let q = p.offset((n as isize) * 32 * dir as isize);
            if *q == 0x4C && *q.add(3) == 0xB8 {
                let neighbour_ssn = (*q.add(4) as u32) | ((*q.add(5) as u32) << 8);
                return ((neighbour_ssn as i32) - (n as i32 * dir)) as u32;
            }
        }
    }
    0
}

#[unsafe(naked)]
unsafe extern "system" fn syscall_thunk(_thread: isize, _ssn: u32) -> i32 {
    asm!("mov r10, rcx", "mov eax, edx", "syscall", "ret", options(noreturn));
}

MITRE ATT&CK mappings

Last verified: 2026-05-20