WHAT IS TOKEN?

A process can be defined as instance of program running in memory.

A thread is unit of execution of a process. a process can have any number of threads.

An access token describes the security context of a process or thread.

access token contains information about a user, user’s groups, user’s privileges, etc.

LOGON PROCESS

Winlogon.exe is responsible for providing interface for user to enter credentials.

lsass process loads authentication packages like MSV1_0, Kerberos etc from security dlls

when user enters credentials, winlogon.exe sends to lsass process by calling lsaregisterlogonprocess, lsalookupauthenticationpackage, lsalogonuser

lsass then pass on creds to authentication packages functions. these will check sam database or domain controller if credentials are correct.

if credentials are correct, lsass creates a logonsession and creates a token and run explorer.exe

USAGE OF ACCESS TOKENS

Access tokens are checked aganist the object the process/thread trying to access.

If user is trying to access a file, his token is being check aganist the file. if the ace of file allows the user to read the file then user is allowed access to the file.

tokens also contains some special privileges like seshutdownprivilege, sedebugprivilege etc.

these privileges allows user to perform certain actions without any restrictions.

Eg: if we have sedebugprivilege, we can open handle to any process regardless of our permissions. “Programmers, testers” might have this privilege in an organisation.

access tokens can be classified into PRIMARY TOKEN, IMPERSONATION TOKEN

If this looks interesting to you then why not try it?