Logon Sessions & Access Tokens #

User sessions are controlled by the Local Security Authority (LSA). This creates a Logon Session for each user, and builds an Access Token for the session.

Logon Sessions #

Tools:

• https://docs.microsoft.com/en-us/sysinternals/downloads/logonsessions

Access Tokens #

Tools:

• https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/tree/master/TokenViewer

References #

• https://www.elastic.co/blog/introduction-to-windows-tokens-for-security-practitioners
• https://blog.cobaltstrike.com/2015/12/16/windows-access-tokens-and-alternate-credentials/
• ATT&CK T1134 Access Token Manipulation