MITRE ATT&CK vulnerability spotlight: Access token manipulation

Introduction

MITRE is a U.S. government federally-funded research and development center (FFRDC) which performs a large amount of research and assessment as a trusted third party for the government. One of their research areas is cybersecurity, and they have developed the MITRE ATT&CK matrix to help with research and education about cybersecurity threats.

The MITRE ATT&CK matrix breaks the process of a cyberattack into its different stages. For each stage, ATT&CK describes the various means by which the objectives of that stage can be accomplished by an attacker. The matrix is a useful tool for cybersecurity professionals because it can be used as a basis for a formalized threat assessment and detection process.

What is access token manipulation?

Access token manipulation is one of the techniques included in the MITRE ATT&CK matrix under privilege escalation. The intention of access token manipulation is to grant a malicious process the same permissions as a legitimate user and to pretend to be a process started by that user. This may increase the capabilities of the malicious process or reduce its probability of detection.

Access tokens are a security feature of Windows. Their purpose is to describe the exact permissions that a particular user should have on a computer. This allows fine-grained control of permissions on a system and supports least privilege, since permissions can be individually granted or denied to a particular user.

Access tokens are generated once a user has authenticated to a Windows system. Once the user’s login credentials have been verified, the user is given an access token that encodes their particular permissions on the system. When a user launches an application, a copy of their access token is given to that application as well. This ensures that processes or threads run by (Read more...)
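Because every process carries a copy of the launching user's token, a process that ends up holding a token for a different account is the observable side effect a defender can look for. The following is an added example (not code from the original post or from Infosec Resources) showing two simple checks run over constructed telemetry: Security event 4624 with logon type 9 (NewCredentials), which is recorded when a process obtains a token carrying alternate credentials, and a child process running under a different account than its parent. The record layouts, field names, sample values and the allowlist of parents that legitimately switch users are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Dict, List

# Logon type 9 ("NewCredentials") in Security event 4624 is recorded when a
# process obtains a token that carries alternate credentials, which is one way
# a process ends up acting as another user.
NEW_CREDENTIALS_LOGON_TYPE = 9

# Parents that legitimately start children under a different account
# (service control manager, logon process, runas helper). Assumed allowlist;
# tune it per environment.
EXPECTED_USER_SWITCH_PARENTS = {"services.exe", "runas.exe", "winlogon.exe"}


@dataclass(frozen=True)
class LogonEvent:
    """Constructed, simplified view of a Security 4624 record."""
    event_id: int
    logon_type: int
    subject_user: str   # account that requested the logon
    target_user: str    # account the new token represents
    process_name: str   # process that requested it


@dataclass(frozen=True)
class ProcessEvent:
    """Constructed, simplified view of a process-creation record."""
    pid: int
    parent_pid: int
    image: str
    user: str           # account of the token the process runs under


def flag_new_credentials_logons(logons: List[LogonEvent]) -> List[str]:
    """Report 4624 events whose logon type is NewCredentials (9)."""
    findings = []
    for ev in logons:
        if ev.event_id == 4624 and ev.logon_type == NEW_CREDENTIALS_LOGON_TYPE:
            findings.append(
                f"newcreds-logon: {ev.subject_user} obtained a token for "
                f"{ev.target_user} via {ev.process_name}"
            )
    return findings


def flag_user_mismatch(procs: List[ProcessEvent]) -> List[str]:
    """Report children running under a different account than their parent."""
    by_pid: Dict[int, ProcessEvent] = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        parent = by_pid.get(p.parent_pid)
        if parent is None:
            continue  # parent not in the collected window; cannot compare
        if parent.image in EXPECTED_USER_SWITCH_PARENTS:
            continue  # expected user switch, not interesting on its own
        if p.user.casefold() != parent.user.casefold():
            findings.append(
                f"user-mismatch: pid {p.pid} {p.image} runs as {p.user} but "
                f"parent pid {parent.pid} {parent.image} runs as {parent.user}"
            )
    return findings


def run_detections(logons: List[LogonEvent], procs: List[ProcessEvent]) -> List[str]:
    """Run both checks and return all findings as human-readable lines."""
    return flag_new_credentials_logons(logons) + flag_user_mismatch(procs)


# Constructed sample telemetry (not from any real host).
SAMPLE_LOGONS = [
    LogonEvent(4624, 2, "-", "CORP\\alice", "winlogon.exe"),           # normal interactive logon
    LogonEvent(4624, 9, "CORP\\alice", "CORP\\svc_backup", "cmd.exe"),  # alternate credentials
]

SAMPLE_PROCS = [
    ProcessEvent(100, 4, "winlogon.exe", "NT AUTHORITY\\SYSTEM"),
    ProcessEvent(150, 100, "explorer.exe", "CORP\\alice"),      # winlogon -> user shell: expected
    ProcessEvent(200, 150, "cmd.exe", "CORP\\alice"),
    ProcessEvent(300, 200, "powershell.exe", "NT AUTHORITY\\SYSTEM"),  # user shell -> SYSTEM child
]

if __name__ == "__main__":
    for line in run_detections(SAMPLE_LOGONS, SAMPLE_PROCS):
        print(line)
```

On the constructed data the first check reports alice's cmd.exe obtaining a token for svc_backup, and the second reports the SYSTEM powershell.exe spawned from alice's cmd.exe; the explorer.exe case is suppressed because winlogon.exe is on the allowlist. Both checks are heuristics: legitimate administration produces the same events, so the value lies in reviewing them against the parent image and the accounts involved rather than alerting on every hit.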

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Howard Poston. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/qMZkjQd90fo/