Detecting Access Token Manipulation

Explore the intricacies of Windows access token manipulation attacks in this 39-minute Black Hat conference talk. Delve into the complex world of Windows security internals, including logon sessions, access tokens, UAC, and network authentication protocols like Kerberos and NTLM. Gain insights into how attackers exploit legitimate Windows functionality for lateral movement and domain compromise. Learn effective detection strategies to identify these attacks at scale across enterprises. Discover the inner workings of logon sessions, access tokens, network authentication, and impersonation techniques. Examine various token manipulation methods, including NETONLY, CreateProcessWithLogon, Pass-The-Ticket, and Overpass-the-hash. Understand the Frida Basic Shocking template and its applications. Equip yourself with the knowledge to detect and mitigate access token manipulation attacks, bridging the gap between offensive tactics and defensive practices in Windows environments.

Intro
Objectives
Agenda
Logon Sessions and Access Tokens
Network Authentication
Impersonation
Initial Compromise
Token Manipulation: The Art of the possible
NETONLY
CreateProcessWithLogonW
Pass-The-Ticket
Overpass-the-hash
Frida Basic Shocking template
Detecting Access Token Manipulation
Conclusion