Common ways of stealing data: Access token theft

privacy-policy-934426_960_720Nowadays, 41 records are lost every second in data breaches usually caused by external attackers (according to Breachlevelindex), and the trend is climbing. Companies need to invest more in security training and solutions to reduce the risk of successful cyber attacks.

This article explores a way in which hackers steal data once they managed to compromise a company computer or laptop. We will continue to study other ways to develop a cyber attack further, once an asset is compromised, in the following blog posts. The premise of this article is the typical scenario where an external attacker manages to execute code as local system on a domain machine, either by gaining access to privileged credentials through social engineering or by exploiting vulnerabilities allowing code execution. The aim of the attacker is to move from the unimportant compromised asset to more important domain machines, to steal information.

Gaining extended access by taking access tokens from a compromised domain machine

The premises

Access tokens contain the security context of a logon session, holding information about the user identification, group membership, and privileges. When a user logs on to a machine (irrespective of the logon type), the system creates an access token for that user. There are two kinds of access tokens: primary (representing the default security context of a process) and impersonation (enabling an application to act on behalf of a different security context, than the default one).

The impersonation token is of particular interest because it represents a way to jump from one compromised security context (with less privilege) to another, more powerful security context. It allows various levels of impersonation, depending on the type of session being used. The levels of interest are the “impersonate” level, allowing impersonation on the local computer (interactive sessions – desktop, remote desktop) and the “delegate” level allowing impersonation on remote machines (network sessions).

These access tokens are persistent on a computer for as long as the session exists, but also after, until the computer reboots. This situation happens to facilitate access to resources, which are being protected by authentication and authorization mechanisms, without the need to re-enter credentials on every access attempt. The caching of access tokens is a sensitive feature which can be exploited by attackers to gain further access and move around the network.

The means

“Incognito”, initially a standalone tool, now part of the “Meterpeter” Toolkit is a tool that allows listing, retrieving and usage of existing access tokens on a computer. Running the tool does not require particularly elevated local privileges, but the security context in which it operates implies the level of access it has when listing and locating access tokens. The critical security context, having access to all existing access tokens on a machine, is the local system account. Hence, attackers put extra effort into compromising a computer in such a way that would allow them to execute code as the local system. Once this happens, the tool can list and use any valid access token existing on a machine, giving the attacker the possibility to jump from local privileges to domain rights and access more critical machines in the domain, setting the playground for data exfiltration.

File servers and servers sharing resources are the primary targets of such attacks because they hold a significant number of valid access tokens, as they reboot often and are extensively used by regular users.

Defense measures

Along with the security measures which should reduce the risk that an attacker gains privileged access to a machine in the domain, there is one important step which can be implemented, to render the delegate access tokens (the ones allowing impersonated access to remote resources) unavailable to attackers.

When configuring privileged user accounts, IT admins can enable the setting “Account is sensitive and cannot be used for delegation” in the “user account property page” -> “account” tab -> “account options”. This removes any possibility that rogue processes impersonating this user account can access anything beyond the local machine scope.

However, the impersonate access token remains available to attackers in spite of this setting being enabled. The value of this token is significant because it allows access to other valuable resources tied to local user accounts and the local machine (otherwise inaccessible, from the initially compromised local system account, directly). EFS encrypted files, browser cache which may contain valid authentication cookies to sensitive web applications (such as SharePoint), mapped network drives, and so on,  allow attackers to explore further attack development venues.

Event logs to watch for

Starting with Windows 2008 R2, event “4624: An account was successfully logged on” in the Windows Security Log can be used to track account impersonation activity. However, it ‘s hard to ascertain if such an event is part of an attack or part of regular activity. The event is worth investigating if the account to which the impersonation is being made, particularly delegate impersonation, has high privileges on the domain.

How we can help

Our recommendation is, especially in lack of complex IDS solutions, to monitor authorized access to data to identify suspicious patterns, appearing when attackers (using compromised accounts) are looking for valuable information:

–    access outside work hours;

–    access to rarely used network resources;

–    increased file activity, many copy operations;

Taking such measures gives you a better chance of identifying an attacker who uses an authorized account to steal data. Also, since this scenario gives attackers a list of tokens to try out, it is very likely that these are verified, so that their value can be assessed. Therefore, watching for impersonated access to files is also important, particularly if there is a significant number of such operations, with the same original security context, but with various other impersonated user accounts.

TEMASOFT FileMonitor, our file monitoring software, can help you monitor impersonated and authorized access to files in ways that permit identification of suspicious activity, allowing alerting, reactions and further investigation in such situations.

TEMASOFT offers this functionality for FREE for up to two workstation PCs, for personal use.

Liked this article? Follow us on LinkedIn for more, or subscribe to our newsletter.

Read more articles in the series: “Common ways to steal data: Clear-text password dumps