Windows Access Tokens:
Access tokens are at the core of how Windows manages identity and permissions. As a pentester, understanding how these tokens work — and more importantly, how to abuse them — gives you powerful tools for privilege escalation, lateral movement, and persistence. This guide breaks down all the important Windows access tokens, how they work, and how to leverage them offensively.
What Is an Access Token?
An access token is a data structure that contains the security context of a process or thread. It includes:
- The user’s SID (Security Identifier)
- Group SIDs
- Privileges (e.g., SeDebugPrivilege)
- Integrity level (e.g., Medium, High, System)
- Token type (Primary or Impersonation)
When a user logs in, Windows creates a primary token. This token is inherited by every process the user launches.
Primary vs Impersonation Tokens
1. Primary Token
- Assigned to a process
- Represents the logged-in user
- Required for spawning a new process
- Used in: CreateProcessWithTokenW, CreateProcessAsUser
2. Impersonation Token
- Assigned to a thread
- Allows impersonation of another user (usually temporarily)
- Used in: ImpersonateLoggedOnUser, SetThreadToken
Impersonation Token Levels
| Level | Description | Pentester Use Case |
|---|---|---|
| Anonymous | Cannot identify or impersonate a user | Useless |
| Identify | Can identify user but not act as them | For recon only |
| Impersonate | Can impersonate a user locally | Used in SMB token impersonation, incognito |
| Delegate | Can impersonate a user remotely | Rare and powerful, for remote abuse |
Use whoami /priv and whoami /groups to inspect token capabilities.
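The whoami /priv and whoami /groups checks above, folded into one inspection routine. This is an added example, not code from the original guide: it uses the .NET WindowsIdentity class plus the CSV output mode of whoami, and it also performs the filtered/elevated (UAC-split) token check that the Linked Token and Filtered Token items below describe. The function names are my own; the S-1-16-* integrity SIDs and the whoami CSV column names are the standard Windows ones.

```powershell
# Added example (not from the original article): summarize what the token of the
# current PowerShell process can do, using the .NET WindowsIdentity class plus the
# CSV output of whoami. Run it from a normal prompt and then from an elevated one
# to see both halves of a UAC-split (filtered/linked) token.

function ConvertTo-IntegrityLevelName {
    param([string]$Sid)
    # Integrity levels are the well-known S-1-16-<RID> SIDs in the token's mandatory label.
    switch ($Sid) {
        'S-1-16-0'     { 'Untrusted' }
        'S-1-16-4096'  { 'Low' }
        'S-1-16-8192'  { 'Medium' }
        'S-1-16-8448'  { 'Medium Plus' }
        'S-1-16-12288' { 'High' }
        'S-1-16-16384' { 'System' }
        default        { "Unknown ($Sid)" }
    }
}

function Get-TokenSummary {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

    # /fo csv gives structured output; parsing it beats findstr on localized strings.
    $groups = whoami /groups /fo csv | ConvertFrom-Csv    # columns: Group Name, Type, SID, Attributes
    $privs  = whoami /priv   /fo csv | ConvertFrom-Csv    # columns: Privilege Name, Description, State

    # The mandatory-label row carries the integrity level SID.
    $label     = $groups | Where-Object { $_.SID -like 'S-1-16-*' } | Select-Object -First 1
    $integrity = if ($label) { ConvertTo-IntegrityLevelName $label.SID } else { 'Unknown' }

    # IsInRole() only counts enabled groups. In a filtered token BUILTIN\Administrators
    # (S-1-5-32-544) is still listed but marked "Group used for deny only", so the
    # check fails even though the account itself is an administrator.
    $isElevated = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
    $adminEntry = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' } | Select-Object -First 1
    $isFilteredAdmin = ($null -ne $adminEntry) -and (-not $isElevated) -and ($adminEntry.Attributes -match 'deny only')

    # Privileges the guide singles out as token-abuse enablers; State is Enabled/Disabled.
    $watch = 'SeDebugPrivilege', 'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege', 'SeTcbPrivilege'
    $sensitive = $privs | Where-Object { $_.'Privilege Name' -in $watch } |
                 ForEach-Object { '{0} ({1})' -f $_.'Privilege Name', $_.State }

    [pscustomobject]@{
        User                = $identity.Name
        UserSid             = $identity.User.Value
        # None means a primary token; Identification/Impersonation/Delegation map to the level table.
        ImpersonationLevel  = $identity.ImpersonationLevel
        IntegrityLevel      = $integrity
        IsElevated          = $isElevated
        IsFilteredAdmin     = $isFilteredAdmin
        PrivilegeCount      = @($privs).Count
        EnabledPrivileges   = @($privs | Where-Object State -eq 'Enabled' | ForEach-Object { $_.'Privilege Name' })
        SensitivePrivileges = @($sensitive)
    }
}

Get-TokenSummary | Format-List
```

A standard user shows IsElevated and IsFilteredAdmin both False; an administrator's non-elevated prompt shows IsFilteredAdmin True with Medium integrity, and the same account's elevated prompt shows IsElevated True with High integrity. On a hardened host, SensitivePrivileges should be empty for ordinary interactive users.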
Other Critical Token Types
3. Elevated Token
- Has administrator privileges
- Split by UAC into standard and elevated
- Used in: UAC bypass (fodhelper, eventvwr, etc.)
4. Filtered Token
- Stripped of sensitive privileges by UAC
- Used when a high-priv user runs a low-priv app
- Can be elevated via UAC bypass
5. Linked Token
- Contains a reference to the filtered and elevated token pair
- Present in UAC-enabled accounts
- Detect with: whoami /groups | findstr "High Mandatory Level"
6. Restricted Token
- Explicitly stripped of groups and privileges
- Used for sandboxing (e.g., Office Protected View)
- Less common in pentesting but relevant for sandbox escape scenarios
7. Service Token
- Used by Windows Services (LocalSystem, NetworkService, LocalService)
- Common target for service misconfiguration and binary replacement
8. TrustedInstaller Token
- Used by Windows Update services
- More powerful than SYSTEM in some contexts
- Advanced persistence and resource modification vector
9. System Token (NT AUTHORITY\SYSTEM)
- The god-mode token
- Target for:
  - Potato family exploits (JuicyPotato, PrintSpoofer)
  - Token impersonation
  - SeImpersonate abuse
10. Network Logon Token
- Created during remote authentication
- Cannot access local resources
- Important in lateral movement: Not all tokens allow local privilege abuse
Tools to Work with Tokens
Token Inspection
- whoami /all
- whoami /priv
- whoami /groups
- Process Explorer
- token::list in Mimikatz
Token Abuse
- Mimikatz: privilege::debug, token::elevate, token::impersonate
- Incognito (Metasploit): list_tokens, impersonate_token
- Tokenvator: UAC bypass and token manipulation
- Rubeus: For Kerberos token manipulation (TGT, S4U)
- CreateProcessWithTokenW: Spawn process with token
- ImpersonateLoggedOnUser API: Local token abuse
Common Token Abuse Scenarios
UAC Bypass with Elevated Tokens
- Check for split token with whoami /groups
- Use LOLBAS executables like: fodhelper.exe, eventvwr.exe, sdclt.exe
Stealing Tokens from Other Processes
- Use SeDebugPrivilege to open process tokens
- Tools: mimikatz (token::elevate), incognito
- Manual via Windows API
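The defender-side counterpart to the SeDebugPrivilege and SeImpersonate points made in this guide: an added example (my code, not from the guide or from any tool it lists) that exports the local security policy with secedit and reports which accounts hold the privileges that make token theft and impersonation possible. The function names are mine; the embedded sample export is constructed for offline use and its S-1-5-21-... domain SID is a placeholder.

```powershell
# Added example (not from the original article): audit which accounts hold the
# privileges most associated with token abuse, by exporting the local security
# policy with secedit and parsing its [Privilege Rights] section.

$TokenSensitivePrivileges = @(
    'SeDebugPrivilege',              # open any process and read or duplicate its token
    'SeImpersonatePrivilege',        # impersonate clients after authentication
    'SeAssignPrimaryTokenPrivilege', # replace a process-level token
    'SeTcbPrivilege',                # act as part of the operating system
    'SeCreateTokenPrivilege',        # create a token object from scratch
    'SeBackupPrivilege',             # read any file regardless of ACL
    'SeRestorePrivilege'             # write any file regardless of ACL
)

function ConvertFrom-PrivilegeRights {
    # Parses the [Privilege Rights] section of a secedit export (INI format).
    # Lines look like: SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-...-1105
    param([Parameter(Mandatory)][string[]]$Lines)
    $inSection = $false
    $result = @{}
    foreach ($line in $Lines) {
        $trim = $line.Trim()
        if ($trim -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or $trim -eq '' -or $trim.StartsWith(';') -or $trim -notmatch '=') { continue }
        $name, $value = $trim -split '=', 2
        $holders = @()
        foreach ($entry in ($value -split ',')) {
            $entry = $entry.Trim()
            if ($entry -eq '') { continue }
            if ($entry.StartsWith('*')) {
                # *S-1-... is a SID; resolve it to a name when this machine can.
                $sid = $entry.Substring(1)
                try   { $holders += ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value }
                catch { $holders += $sid }   # unknown domain SID: keep it raw so it still gets reviewed
            } else {
                $holders += $entry           # already a plain account name
            }
        }
        $result[$name.Trim()] = $holders
    }
    return $result
}

function Get-TokenPrivilegeAssignments {
    # Reports the holders of each token-sensitive privilege. Pass -Lines to audit an
    # export captured elsewhere; otherwise the local policy is exported (needs admin).
    param([string[]]$Lines)
    if (-not $Lines) {
        $cfg = Join-Path $env:TEMP 'secpol-audit.inf'
        secedit /export /cfg $cfg | Out-Null
        $Lines = Get-Content $cfg -Encoding Unicode   # secedit writes UTF-16
        Remove-Item $cfg -Force
    }
    $rights = ConvertFrom-PrivilegeRights -Lines $Lines
    # Holders that are expected by default; anything else is worth a second look.
    $expected = '^(BUILTIN\\Administrators|NT AUTHORITY\\(SYSTEM|LOCAL SERVICE|NETWORK SERVICE|SERVICE))$'
    foreach ($priv in $TokenSensitivePrivileges) {
        $holders = if ($rights.ContainsKey($priv)) { $rights[$priv] } else { @() }
        $extra   = @($holders | Where-Object { $_ -notmatch $expected -and $_ -notmatch '^S-1-5-(6|18|19|20)$' })
        [pscustomobject]@{
            Privilege = $priv
            Holders   = ($holders -join ', ')
            Review    = ($extra.Count -gt 0)
        }
    }
}

# Constructed sample export (not captured from a real host) so the parser can be
# exercised offline; the S-1-5-21-... domain SID is a placeholder.
$sample = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split "`r?`n"

Get-TokenPrivilegeAssignments -Lines $sample | Format-Table -AutoSize
```

In the sample, SeDebugPrivilege is flagged for review because a non-default domain account holds it, while SeImpersonatePrivilege is not, since only the built-in service accounts hold it. Run Get-TokenPrivilegeAssignments without -Lines on a host to audit its live policy; the exported file is removed afterwards.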
Token Impersonation
- Steal SYSTEM token from a service
- Impersonate domain admin during SMB relay
PrintSpoofer.exe -i -c cmd
Token Duplication for Persistence
- Capture a high-priv token
- Duplicate and store it (e.g., with mimikatz or Rubeus)
- Reuse later for persistence
Token Reference Table
| Token Type | Target Value | Key Tools / Tactics |
|---|---|---|
| Primary | Run processes | CreateProcessWithTokenW |
| Impersonation | Act as another user | ImpersonateLoggedOnUser, incognito |
| Elevated | UAC bypass | fodhelper.exe, eventvwr.exe |
| Filtered | Detect and elevate | Detect with whoami, elevate via bypass |
| Linked | Bypass opportunity | Check for token pair |
| Restricted | Sandbox context | Useful in escapes |
| Service | Local escalation | Service misconfigs, DLL hijack |
| TrustedInstaller | Modify system resources | Advanced persistence |
| SYSTEM | Full local control | PrintSpoofer, Potato exploits |
| Network Logon | Limited lateral movement | Recon only |
Final Tips for Pentesters
- Always check your current token integrity: whoami /groups
- Target processes running as SYSTEM or admin
- Enumerate tokens on the box using mimikatz or incognito
- Look for opportunities to impersonate or elevate
- Combine token abuse with lateral movement (e.g., pass-the-token, token theft + WMI)
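The defender's view of "target processes running as SYSTEM or admin": an added example (my code, not the guide's) that baselines which processes run under SYSTEM and the built-in service accounts, with signature and path checks aimed at the binary-replacement scenario mentioned under Service Token. Get-Process -IncludeUserName and Get-AuthenticodeSignature are real cmdlets; the function name and the review heuristic are mine.

```powershell
# Added example (not from the original article): list the processes running as SYSTEM
# or the built-in service accounts and flag those whose image is unsigned or lives
# outside the Windows directory. Run from an elevated prompt: -IncludeUserName
# needs the rights to open other users' processes.

function Get-PrivilegedProcessBaseline {
    param(
        # Accounts whose processes we want to see; add your own service accounts here.
        [string[]]$PrivilegedAccounts = @(
            'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE'
        )
    )
    $windir = $env:SystemRoot

    Get-Process -IncludeUserName |
        Where-Object { $_.UserName -in $PrivilegedAccounts } |
        ForEach-Object {
            $path = $_.Path   # $null for protected processes the caller cannot open
            $sig  = if ($path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
            $signedOk = ($null -ne $sig) -and ($sig.Status -eq 'Valid')
            $inWindir = ($null -ne $path) -and
                        $path.StartsWith($windir, [System.StringComparison]::OrdinalIgnoreCase)

            [pscustomobject]@{
                Pid    = $_.Id
                Name   = $_.ProcessName
                User   = $_.UserName
                Path   = $path
                Signed = $signedOk
                Signer = if ($signedOk) { $sig.SignerCertificate.Subject } else { $null }
                # Coarse heuristic: legitimate third-party services also live outside
                # $windir, so treat this as a review list, not a verdict.
                Review = ($null -ne $path) -and (-not ($signedOk -and $inWindir))
            }
        }
}

Get-PrivilegedProcessBaseline | Sort-Object Review -Descending | Format-Table -AutoSize
```

Save the output from a known-good build and diff later runs against it: a new SYSTEM process with an unsigned image, or a signed one that has moved out of the Windows directory, is exactly the kind of change the service-misconfiguration and binary-replacement items in this guide rely on.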
Access tokens are the keys to the kingdom.
In a Windows environment, mastering them turns you from a shell jockey into a domain-owning wizard. Keep this guide close, revisit it often, and abuse with ethics.
