This proof of concept demonstrates that an attacker can still steal the NT AUTHORITY\SYSTEM token and impersonate the system account in the current thread context without enabling the SeDebugPrivilege.
Members of the BUILTIN\Administrators group possess elevated privileges that allow them to manipulate the security tokens of running processes, including those operating under the NT AUTHORITY\SYSTEM account, the most powerful identity in the Windows operating system.
The primary target process of this PoC is winlogon.exe. We'll inspect it with System Informer (or Process Hacker) and review the process token's DACL, focusing on permissions granted to BUILTIN\Administrators.
As shown in the image above, the BUILTIN\Administrators group holds both Duplicate and Query permissions on the process token. These permissions are essential for accessing the token and impersonating it within the context of the current thread.
Reading this, you’re probably thinking, “Sure, but critical processes like winlogon.exe, lsass.exe, and others are protected by PPL.” That’s true, my friend. But here’s the best part: there are plenty of other processes running as SYSTEM that aren’t protected.
Let's look at another process that is typically not protected by PPL on modern Windows 11: smss.exe.
Let's go into more detail about the steps needed to perform token impersonation:
- First, open the target process using the WinAPI function OpenProcess. This step is required to obtain a valid handle to the running process. Since the desired access is specified as PROCESS_QUERY_LIMITED_INFORMATION, the SeDebugPrivilege is NOT required to steal the token.
- Next comes the critical step: stealing the token using OpenProcessToken. It's essential to request the access rights TOKEN_DUPLICATE | TOKEN_QUERY. If the TOKEN_DUPLICATE right is missing, any attempt to impersonate the token will result in error code 5: Access Denied.
- Impersonate the current thread in the context of the NT AUTHORITY\SYSTEM token using the WinAPI function ImpersonateLoggedOnUser.
One limitation of an impersonation token is that it cannot be used to spawn new processes. Its scope is restricted to the current thread only. However, executing C++ code within that thread under the context of NT AUTHORITY\SYSTEM remains extremely powerful.
To launch a new process as NT AUTHORITY\SYSTEM using CreateProcessAsUser or CreateProcessWithTokenW, the stolen token must be assigned as a primary token. This operation requires specific privileges: SeDebugPrivilege, SeAssignPrimaryTokenPrivilege, or SeIncreaseQuotaPrivilege. For more information, see Access Rights for Access-Token Objects on Microsoft Learn.
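For defenders, the detail that matters in the steps above is how little access the caller needs: OpenProcess with only PROCESS_QUERY_LIMITED_INFORMATION (0x1000), so detection rules that key on PROCESS_VM_READ or a full 0x1FFFFF mask will not see this path. The following Python is an added example, not part of this PoC, that flags Sysmon Event ID 10 (ProcessAccess) records where a non-SYSTEM caller opens a SYSTEM process with that bit set; the sample events and the allowlist are constructed, and the SourceUser/TargetUser field names assume a Sysmon version that emits them.

```python
import re

PROCESS_QUERY_LIMITED_INFORMATION = 0x1000  # the only process access the PoC needs
SYSTEM_USER = r"NT AUTHORITY\SYSTEM"
# Constructed allowlist: images known in your baseline to open SYSTEM processes
# with limited query access (assumption; tune it to your own environment).
BENIGN_SOURCES = {r"c:\windows\system32\taskmgr.exe"}
# Constructed Sysmon EID 10 records in "Key: value" form, one blank line apart.
# SourceUser/TargetUser assume a Sysmon schema that includes those fields.
SAMPLE_EVENTS = r"""
EventID: 10
SourceImage: C:\Users\admin\Desktop\poc.exe
TargetImage: C:\Windows\System32\smss.exe
GrantedAccess: 0x1000
SourceUser: CORP\admin
TargetUser: NT AUTHORITY\SYSTEM

EventID: 10
SourceImage: C:\Windows\System32\Taskmgr.exe
TargetImage: C:\Windows\System32\smss.exe
GrantedAccess: 0x1000
SourceUser: CORP\admin
TargetUser: NT AUTHORITY\SYSTEM
"""

def parse_events(text):
    """Split the text into one dict of fields per event."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")  # first colon ends the key
            fields[key.strip()] = value.strip()
        events.append(fields)
    return events

def is_suspicious(ev):
    """Non-SYSTEM caller, SYSTEM target, QUERY_LIMITED bit set, unknown source image."""
    if ev.get("EventID") != "10" or ev.get("TargetUser") != SYSTEM_USER:
        return False
    if ev.get("SourceUser") == SYSTEM_USER:
        return False  # SYSTEM opening SYSTEM is routine (services, svchost)
    if not int(ev.get("GrantedAccess", "0"), 16) & PROCESS_QUERY_LIMITED_INFORMATION:
        return False
    return ev.get("SourceImage", "").lower() not in BENIGN_SOURCES

def find_suspicious(text):
    return [ev["SourceImage"] for ev in parse_events(text) if is_suspicious(ev)]
```

Sysmon only records ProcessAccess for targets that your configuration includes, so smss.exe and the other unprotected SYSTEM processes must appear in the Event ID 10 include rules for this check to have anything to match.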
As an alternative to C++, I developed the exploit in PowerShell using the NtObjectManager project, which leverages the same technique to open a command prompt as SYSTEM.
Thanks to those who share their research and knowledge, this PoC is based on Technique 1 from this blog:
Steal 'em all! Token impersonation
The code and techniques described herein must only be used in authorized audits and in controlled environments you own or are explicitly permitted to use. I am not responsible for any misuse, damage, loss, or legal consequences resulting from unauthorized use of this PoC, its tools, or its code. By using this code you agree to use it only for lawful and authorized purposes, and you accept full responsibility for any misuse, damage, or legal consequences that result from your use.