What are tokens?
Tokens are temporary keys that allow access to a system or network without re-entering credentials each time. Think of them as "cookies for computers." The table below lists the Windows token privileges that matter most, the kind of impact each one has when abused, and the ways it is typically exercised.
| Privilege | Impact | Execution |
|---|---|---|
| SeAssignPrimaryToken | Admin | + Use tools like potato.exe, RottenPotato, or JuicyPotato to impersonate tokens and escalate to NT SYSTEM. + Leverage token manipulation with tools like PrintSpoofer or RogueWinRM. |
| SeAudit | Threat | + Write events to the Security event log using the AuthzReportSecurityEvent API to manipulate or overwrite logs. + Generate misleading events to hinder forensic analysis. |
| SeBackup | Admin | + Back up registry hives such as HKLM\SAM and HKLM\SYSTEM to extract local account hashes. + Reuse hashes for Pass-the-Hash attacks. + Read sensitive files while bypassing normal access controls. |
| SeCreateToken | Admin | + Create arbitrary tokens with elevated privileges (e.g., local admin) using system APIs. + Use token crafting to escalate privileges. |
| SeDebug | Admin | + Duplicate tokens of sensitive processes (e.g., lsass.exe) using debugging privileges. + Interact with lsass.exe to extract credentials. |
| SeImpersonate | Admin | + Use Potato exploits, RogueWinRM, or PrintSpoofer to create a process under another user’s context by impersonating their token. |
| SeLoadDriver | Admin | + Load a vulnerable kernel driver to escalate privileges. + Unload security-related drivers to weaken protections. |
| SeRestore | Admin | + Abuse this privilege to manipulate system files. + Replace binaries such as utilman.exe with cmd.exe to gain SYSTEM-level shells. + Replace service executables to maintain persistence. |
| SeSecurity | Threat | + Clear or shrink Security event logs to erase evidence. + Read logs for insights into system activity. + Flood with events to purge older entries. + Modify object SACLs to change auditing. |
| SeShutdown | Availability | + Shut down the system to disrupt availability. + Trigger BSOD and generate crash dumps for analysis. |
| SeTakeOwnership | Admin | + Take ownership of sensitive files or directories. + Modify ACLs to gain full access. + Replace system binaries (e.g., swap cmd.exe for utilman.exe). |
| SeTcb | Admin | + Manipulate tokens to include admin rights, enabling arbitrary token creation. + Use PoC code or tools from exploit repos to craft tokens. |
| SeTrustedCredManAccess | Threat | + Dump and access credentials stored in Windows Credential Manager. |
| SeSystemEnvironment | Unknown | + Manipulate UEFI variables via system calls to alter boot behavior. + Modify driver entries or other environment values. |
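From the defender's side, the practical question the table raises is which accounts are actually being handed these privileges. Windows records that at logon time in Security event 4672 ("Special privileges assigned to new logon"), whose PrivilegeList field names every sensitive privilege granted to the new token. The script below is an added example, not code from the original page: it maps the event's full privilege names (SeDebugPrivilege) onto the short names and impact classes in the table above and flags any logon outside an expected baseline that receives them. The field names follow the real 4672 schema; the event records and the ALLOWED_ACCOUNTS baseline are constructed assumptions that a deployment would replace with its own data.

```python
"""Flag logons that receive token privileges the table on this page classes as
high impact, using Windows Security event 4672 ("Special privileges assigned
to new logon"). Added example for this page; not code from the original.

The records in SAMPLE_EVENTS are constructed sample data. Field names
(EventID, SubjectUserName, SubjectDomainName, SubjectLogonId, PrivilegeList)
follow the 4672 event schema; ALLOWED_ACCOUNTS is an assumed baseline that a
real deployment would replace with its own list of accounts expected to hold
these privileges.
"""
import json
import re

# Privilege -> impact class, copied from the table on this page. The event
# log uses the full names (SeDebugPrivilege); the table uses the short form.
PRIVILEGE_IMPACT = {
    "SeAssignPrimaryToken": "Admin",
    "SeAudit": "Threat",
    "SeBackup": "Admin",
    "SeCreateToken": "Admin",
    "SeDebug": "Admin",
    "SeImpersonate": "Admin",
    "SeLoadDriver": "Admin",
    "SeRestore": "Admin",
    "SeSecurity": "Threat",
    "SeShutdown": "Availability",
    "SeTakeOwnership": "Admin",
    "SeTcb": "Admin",
    "SeTrustedCredManAccess": "Threat",
    "SeSystemEnvironment": "Unknown",
}

# Assumed baseline: accounts that legitimately receive these privileges.
ALLOWED_ACCOUNTS = {"NT AUTHORITY\\SYSTEM", "CORP\\svc-backup"}


def normalize(privilege):
    """Strip the 'Privilege' suffix so SeDebugPrivilege matches the table's SeDebug."""
    return re.sub(r"Privilege$", "", privilege.strip())


def parse_privilege_list(field):
    """The 4672 PrivilegeList field is whitespace-separated (tabs/newlines in the XML)."""
    return [normalize(p) for p in field.split()]


def evaluate_event(event, allowed=ALLOWED_ACCOUNTS):
    """Return a finding for one parsed event, or None when nothing is flagged."""
    if event.get("EventID") != 4672:
        return None
    account = f"{event['SubjectDomainName']}\\{event['SubjectUserName']}"
    if account in allowed:
        return None
    flagged = {
        p: PRIVILEGE_IMPACT[p]
        for p in parse_privilege_list(event["PrivilegeList"])
        if p in PRIVILEGE_IMPACT
    }
    if not flagged:
        return None
    # Any Admin-impact privilege on an unexpected account is the serious case;
    # Threat/Availability-only grants still deserve a look at lower severity.
    severity = "high" if "Admin" in flagged.values() else "medium"
    return {
        "account": account,
        "logon_id": event["SubjectLogonId"],
        "severity": severity,
        "privileges": flagged,
    }


def scan(json_lines, allowed=ALLOWED_ACCOUNTS):
    """Run evaluate_event over newline-delimited JSON event records."""
    findings = []
    for line in json_lines.splitlines():
        if not line.strip():
            continue
        finding = evaluate_event(json.loads(line), allowed)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample records (not real log data), one JSON object per line.
# The second record uses tab separators, as exported XML often does.
SAMPLE_EVENTS = """
{"EventID": 4672, "SubjectUserName": "SYSTEM", "SubjectDomainName": "NT AUTHORITY", "SubjectLogonId": "0x3e7", "PrivilegeList": "SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeDebugPrivilege"}
{"EventID": 4672, "SubjectUserName": "jdoe", "SubjectDomainName": "CORP", "SubjectLogonId": "0x5f2a1", "PrivilegeList": "SeSecurityPrivilege\\tSeBackupPrivilege\\tSeDebugPrivilege"}
{"EventID": 4672, "SubjectUserName": "helpdesk1", "SubjectDomainName": "CORP", "SubjectLogonId": "0x61b77", "PrivilegeList": "SeAuditPrivilege"}
{"EventID": 4624, "SubjectUserName": "jdoe", "SubjectDomainName": "CORP", "SubjectLogonId": "0x5f2a1"}
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

Run against the sample data, the SYSTEM logon is suppressed by the baseline, the jdoe logon is reported as high because it carries SeBackup and SeDebug, the helpdesk1 logon is reported as medium for SeAudit alone, and the 4624 record is ignored. In a real pipeline the baseline would be the set of service and administrative accounts that are supposed to hold these rights, and the interesting alerts are the ones the baseline does not explain.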