Understand

Did you know that any local system administrator can snatch the identity from any user logged on to a Windows system - even from a Domain Admin?


Analyze

Do you know if your systems are exposed to Token Snatching? Review who has local administrator rights and what processes they have access to.


Protect

Do you know how to effectively protect your systems from Token Snatching? Ensure that you're not exposing critical privileges via running processes.


15 years ago...

...I wrote my first token snatching application, PowerPrompt, as a leisure time experiment - the application would simply pop up a SYSTEM command console by "borrowing" a token from a SYSTEM process. Shortly thereafter I quit IBM and started working as an independent contractor providing Microsoft Infrastructure Services to some of the largest companies in Denmark, and forgot all about it.

Years went by and both Windows and I have aged well 🙂 After completing my last 10+ year assignment with a major international client, I finally found the time to try and take token snatching to a new level.

The result seen in TokenSnatcher version 1.0, available for free in the download section, is A LITTLE BIT SHOCKING! It makes it very obvious that a lot of scenarios seen in major companies make a perfect setup for privilege escalation, data theft and disruption. There is VERY LITTLE AWARENESS about this among IT admins!

The techniques used by TokenSnatcher are purely based on Windows API calls. Although used creatively, there are no hacks like buffer overruns or similar. This also means there's no patch coming up. It's simply a side effect of how the Windows operating system is designed.

My advice to you is to UNDERSTAND the threat, ANALYZE your exposure to the threat and PROTECT your company. If followed through, not only will you have better protection from inside attacks but you will also make it more difficult for an outside attacker to reach a critical level of privileges.

Morten Skrubbeltrang
Independent Infrastructure Consultant

Skrubbeltrang.com


Watch the exploit in real life

Blog

Various ramblings related to Windows privilege escalation

Letting the Cat out of the Bag

Isn’t it dangerous to create an application like TokenSnatcher? It could potentially be used to perform illegal privilege escalation on a corporate network? The fact is that the “bad hombres” out there already know the Read more…