Logon Sessions & Access Tokens # User sessions are controlled by the Local Security Authority (LSA). This creates a Logon Session for each user, and builds an Access Token for the session. Logon Sessions # Tools: https://docs.microsoft.com/en-us/sysinternals/downloads/logonsessions Access Tokens # Tools: https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/tree/master/TokenViewer References # https://www.elastic.co/blog/introduction-to-windows-tokens-for-security-practitioners https://blog.cobaltstrike.com/2015/12/16/windows-access-tokens-and-alternate-credentials/ ATT&CK T1134 Access Token Manipulation