Network security has advanced by leaps and bounds over the years in order to protect what users value the most: data. As organizations grow and the number of users increases, the organization's attack surface grows with them, because many different users hold access to many different resources.
There is only so much that physical perimeters can do to protect resources; passwords can be cracked or phished and accounts can be taken over. This is why identity-driven security is the most effective way to protect your data. This approach verifies and authenticates users before they are given access to resources, and it also helps in managing and monitoring the access granted to each user. One approach to identity-driven security is token-based authentication.
Token-based authentication is an authentication scheme in which users prove their identity once and receive a token. The verified user can then access resources, websites, and apps without re-entering their credentials (at least until the token expires).
There are three types of authentication tokens:
There are various steps in the token authentication process, including:
Let's take a look at what an access token is and how adversaries can manipulate it to reach higher-level resources.
An access token is a data structure (on Windows, a kernel object) that holds the user's identity and profile details such as the groups the user belongs to, their privileges, and more; the system consults it to validate the user's access. Its purpose is to establish who the user is and, in doing so, to define the user's security context.
In a network, the security context defines the user's identity and their authentication information, including their SID, group memberships, and level of privileges. A user establishes their security context when they present their credentials for authentication. The resulting token is attached to the processes the user subsequently starts and is used to authorize their access to protected resources.
Access tokens are created when a user successfully authenticates to a system and are usually invalidated once the user's session ends or the token expires. Access tokens come in two types: primary tokens and impersonation tokens.
Primary tokens carry the security context of the user account, whereas impersonation tokens let a server act on behalf of a client, adopting the client's security context for a security operation.
For instance, when a local user logs in to their system, the Local Security Authority creates an access token for that user, which is the primary token.
On the other hand, when a user wants to perform security operations on network resources, an impersonation token is created. The services built to carry out these operations create a client token and impersonate the client to perform the requested operation.
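To make the notion of a security context concrete, here is an added example that is not part of the original post: a small Python model of how a token's SIDs, type and impersonation level are evaluated against a resource's DACL. The well-known SIDs are real values, but the user SIDs, ACEs and tokens are constructed sample data, and the check is a simplification of the Windows AccessCheck routine. It also shows why adding an extra SID to a token's group list (the effect SID-history injection aims for) changes the outcome without any change to the resource's permissions.

```python
"""Simplified model of a Windows access check (added example, not from the original post).
Well-known SIDs are real; user SIDs, ACEs and tokens below are constructed."""
from dataclasses import dataclass
from typing import Optional

SID_ADMINISTRATORS = "S-1-5-32-544"  # BUILTIN\Administrators
SID_USERS = "S-1-5-32-545"           # BUILTIN\Users
SID_EVERYONE = "S-1-1-0"             # Everyone

READ, WRITE, EXECUTE = 0x1, 0x2, 0x4  # toy access-mask bits
FULL = READ | WRITE | EXECUTE


@dataclass
class AccessToken:
    """The security context a token carries: who the caller is and which groups it belongs to."""
    user_sid: str
    group_sids: frozenset
    token_type: str = "primary"                 # "primary" or "impersonation"
    impersonation_level: Optional[str] = None   # anonymous, identification, impersonation, delegation

    def sids(self):
        return {self.user_sid} | set(self.group_sids)


@dataclass
class Ace:
    kind: str   # "allow" or "deny"
    sid: str
    mask: int


def access_check(token, dacl, requested):
    """Evaluate a well-ordered DACL (deny ACEs before allow ACEs) against the token.
    Simplification of Windows AccessCheck: a matching deny ACE that overlaps the
    requested rights denies; allow ACEs accumulate until every requested right is granted."""
    if token.token_type == "impersonation" and token.impersonation_level in (None, "anonymous", "identification"):
        # A server can read such a token's identity but cannot open objects with it.
        return False
    granted = 0
    for ace in dacl:
        if ace.sid not in token.sids():
            continue
        if ace.kind == "deny" and ace.mask & requested:
            return False
        if ace.kind == "allow":
            granted |= ace.mask & requested
            if granted == requested:
                return True
    return granted == requested


def demo():
    alice_sid = "S-1-5-21-1000-2000-3000-1001"  # constructed domain user SID
    bob_sid = "S-1-5-21-1000-2000-3000-1002"    # constructed domain user SID
    dacl = [
        Ace("deny", bob_sid, FULL),              # explicit deny for bob, ordered first
        Ace("allow", SID_ADMINISTRATORS, FULL),
        Ace("allow", SID_EVERYONE, READ),
    ]
    alice = AccessToken(alice_sid, frozenset({SID_USERS, SID_EVERYONE}))
    bob_admin = AccessToken(bob_sid, frozenset({SID_ADMINISTRATORS, SID_EVERYONE}))
    # Same identity as alice, but with an Administrators SID added to its group list;
    # the DACL itself never changed, only the token's security context did.
    alice_tampered = AccessToken(alice_sid, alice.group_sids | {SID_ADMINISTRATORS})
    # Identification-level impersonation token a server might hold for an admin caller.
    ident = AccessToken(bob_sid, frozenset({SID_ADMINISTRATORS}), "impersonation", "identification")
    return {
        "alice_read": access_check(alice, dacl, READ),                        # True
        "alice_write": access_check(alice, dacl, WRITE),                      # False
        "alice_tampered_write": access_check(alice_tampered, dacl, WRITE),    # True
        "bob_read_despite_admin": access_check(bob_admin, dacl, READ),        # False: deny ACE wins
        "ident_token_write": access_check(ident, dacl, WRITE),                # False: cannot act at this level
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The two results to note from a defender's viewpoint: the tampered token is granted WRITE although the resource's DACL is unchanged, which is why token contents are worth auditing and not just ACLs, and the identification-level token is refused even though it names an administrator, which is the safeguard that limits what a server can do with a client's identity.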
However, adversaries can also manipulate these tokens to elevate their privileges, access resources, and run processes that they would otherwise be unable to.
Access token manipulation is a technique often used to escalate the privileges or permissions of a user. It is listed under the Privilege Escalation tactic in the MITRE ATT&CK framework (technique T1134).
When an adversary manages to compromise a user account with few privileges, they next move laterally within the network to get hold of an account with high privileges such as a system, administrator, or service account.
In access token manipulation, adversaries modify or reuse access tokens to bypass access controls. Impersonating the token of a SYSTEM-level process is particularly attractive to attackers, because even an administrator account may lack certain privileges they need.
There are four sub-techniques that fall under the category of access token manipulation. They are:
Adversaries can duplicate a stolen token and then impersonate the compromised user to access privileged resources.
Adversaries may use the stolen and duplicated token to create new processes that run under the security context of the impersonated user.
Adversaries can use this technique to spoof the Parent Process Identifier (PPID) to evade process monitoring defenses and escalate privileges.
Windows security identifiers (SIDs) are unique IDs that identify a user, computer account, or group. Using this technique, adversaries may inject or harvest well-known SIDs in an access token's SID history in order to escalate privileges and access restricted resources.
Since the access token manipulation technique abuses legitimate authentication operations, it can be difficult to detect. However, you can detect it if you monitor the right Windows commands and API calls. Here are some actions to look out for:
Please note that these commands and API calls are used for legitimate purposes as well. Monitoring process and thread token information and looking for inconsistencies can help detect access token manipulation. This includes watching for logons initiated from the command line together with use of the runas command within a short time frame.
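As an added, defender-side example that is not part of the original post, the correlation described above can be implemented over Windows Security events. The Python below runs against constructed sample events in a flattened JSON-lines form (field names are simplified; this is not real Windows log output). It assumes 4688 process-creation events that carry the parent process, 4624 logon events with logon type 9 (NewCredentials, the type that runas /netonly produces), and 4672 special-privilege events, and it raises an alert when runas is launched from a command-line shell and a NewCredentials logon follows on the same host within a short window. It also reports a NewCredentials logon on a host with no preceding runas, which is worth reviewing.

```python
"""Correlate runas-from-shell with NewCredentials logons (added example, not from the original post).
Events below are constructed sample data with simplified field names."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real log output).
SAMPLE_EVENTS = r"""
{"time":"2025-03-01T09:00:00","id":4624,"host":"WS01","user":"alice","logon_type":2,"logon_process":"User32"}
{"time":"2025-03-01T09:05:12","id":4688,"host":"WS01","user":"alice","new_process":"C:\\Windows\\System32\\runas.exe","parent":"C:\\Windows\\System32\\cmd.exe"}
{"time":"2025-03-01T09:05:14","id":4624,"host":"WS01","user":"svc_backup","logon_type":9,"logon_process":"seclogo"}
{"time":"2025-03-01T09:05:15","id":4672,"host":"WS01","user":"svc_backup","privileges":"SeDebugPrivilege SeImpersonatePrivilege"}
{"time":"2025-03-01T10:30:00","id":4688,"host":"WS02","user":"bob","new_process":"C:\\Windows\\System32\\notepad.exe","parent":"C:\\Windows\\explorer.exe"}
{"time":"2025-03-01T11:00:00","id":4624,"host":"WS03","user":"carol","logon_type":9,"logon_process":"seclogo"}
"""

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}   # command-line parents of interest
WINDOW = timedelta(seconds=60)                        # "short time frame" used for correlation


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'time' field, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["time"] = datetime.fromisoformat(event["time"])
        events.append(event)
    return sorted(events, key=lambda e: e["time"])


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect_token_manipulation(events):
    """Return alerts for NewCredentials logons, correlated with runas launched from a shell."""
    runas_by_host = defaultdict(list)
    privileged_by_host = defaultdict(list)
    for e in events:
        if e["id"] == 4688 and basename(e["new_process"]) == "runas.exe" and basename(e["parent"]) in SHELLS:
            runas_by_host[e["host"]].append(e)
        elif e["id"] == 4672:
            privileged_by_host[e["host"]].append(e)

    alerts = []
    for e in events:
        if e["id"] != 4624 or e.get("logon_type") != 9:
            continue
        # runas from a shell on the same host shortly before this NewCredentials logon?
        matches = [r for r in runas_by_host[e["host"]] if timedelta(0) <= e["time"] - r["time"] <= WINDOW]
        # did the alternate identity receive special privileges right after the logon?
        privileged = any(p["user"] == e["user"] and timedelta(0) <= p["time"] - e["time"] <= WINDOW
                         for p in privileged_by_host[e["host"]])
        alert = {
            "host": e["host"],
            "alt_user": e["user"],
            "time": e["time"].isoformat(),
            "severity": "high" if privileged else "medium",
        }
        if matches:
            alert["rule"] = "runas-from-shell-then-newcredentials-logon"
            alert["subject"] = matches[-1]["user"]
        else:
            alert["rule"] = "newcredentials-logon-without-runas"
        alerts.append(alert)
    return alerts


def run_detection():
    return detect_token_manipulation(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for alert in run_detection():
        print(json.dumps(alert))
```

Keep the correlation window short and host-scoped; widening it across hosts turns routine administrator activity into noise, and the 4672 follow-up is what separates an interesting NewCredentials logon from an ordinary one.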
Consistent monitoring of network activity is overwhelming if you do it manually; instead, you can automate it with an integrated log management solution like Log360.
© 2025 Zoho Corporation Pvt. Ltd. All rights reserved.