You might not have known this, but there’s a considerable risk when running a multi-user environment in Windows 10. That is because any user with local administrative access can steal the identity of other logged-in users or services. It is called Token Snatching, and it’s quite well known. Now, there are several ways to gain control and to find out who is doing what, but today, we’re going to talk a little about a small computer program known as TokenSnatcher.
What is TokenSnatcher
Token Snatcher is not a solution to resolve this problem. It will not protect your local network from anyone who might want to steal identities. However, it allows an admin user to understand how Token Snatching works. When you run Token Snatcher, it will help you take the identity of another user and execute a command or use a service under that user’s name.
1] Download & Run TokenSnatcher program
Download it, extract its contents and then run it. It will give you a warning message, but run it either way. It will then load the program which will reveal a list of accounts with local admin privileges on your computer.
On the top, notice where it says “Snatching token from.” The process steals that token, which lets the user take on the identity of another local admin user.
2] Switch identity and test
To use the credentials of any logged-in administrator, follow the instructions on the main screen. Token Snatcher is smart enough to locate and list all administrators, so choose the one you want and move forward.
The current version lets you select credentials from processes that are running as Administrator, i.e., with High or System Integrity Level. Do watch the video for clarity. It’s more of an analysis tool that can help you determine how much harm a local admin can do to the system using this technique.
3] Gain more information
Once you’ve run the command prompt in the security context of the local admin you’ve targeted using Token Snatcher, you’ll come across a bunch of information from the management server. Now, bear in mind that any process launched from the new command prompt will inherit the credentials of that targeted local admin.
The server admin can use this to launch Active Directory Users and Computers if he or she chooses to do so. Additionally, the server admin can make modifications and do whatever the local user can do, among other things.
What’s interesting here is the fact that Token Snatcher provides an event logger for the primary admin to see what had taken place beforehand.
Map out permissions
Overall, we should point out that Token Snatcher should not be used as the only tool in your arsenal to fight against Token Snatching. The most important thing is to ensure that you’re not exposing critical privileges through running processes. The official website suggests following these steps to get an overview of your exposure. You should map out three different areas of your infrastructure:
- Make an inventory of all active security group memberships for each domain account. You must include service accounts and include nested group memberships.
- Make an inventory of which accounts have local admin rights on every system. You must include both servers and PCs.
- Get an overview of who is logging on to which systems.
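As an added example (not from the article or the TokenSnatcher project), the following PowerShell script performs the second of these inventories for a single host and cross-references it with the accounts that currently own running processes there, which is exactly the exposure Token Snatching abuses. It assumes Windows PowerShell 5.1 or later with the built-in LocalAccounts module and an elevated prompt (so that processes in other users’ sessions are visible).

```powershell
# Added example, not part of TokenSnatcher: on one host, list who holds local
# admin rights and which accounts currently expose a token via a running process.
# Assumes Windows PowerShell 5.1+ (Get-LocalGroupMember) run from an elevated prompt.

$computer = $env:COMPUTERNAME

# 1) Direct members of the local Administrators group. Nested domain groups
#    appear as ObjectClass 'Group' and must be expanded in AD separately.
$admins = Get-LocalGroupMember -Group 'Administrators' |
    Select-Object @{n = 'Computer'; e = { $computer }}, Name, ObjectClass, PrincipalSource

# 2) Owner of every running process. Win32_Process.GetOwner() returns Domain/User;
#    a non-zero ReturnValue means no owner (e.g. System Idle Process) and is skipped.
$owners = Get-CimInstance Win32_Process | ForEach-Object {
    $o = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
    if ($o.ReturnValue -eq 0) { "$($o.Domain)\$($o.User)" }
} | Group-Object | Sort-Object Count -Descending |
    Select-Object @{n = 'Account'; e = { $_.Name }}, @{n = 'Processes'; e = { $_.Count }}

# 3) Cross-reference: admin accounts that also have live processes on this host are
#    the identities a local admin could snatch. Get-LocalGroupMember and GetOwner both
#    use the DOMAIN\user (or COMPUTER\user) form, and -contains is case-insensitive.
$adminNames = $admins | Where-Object ObjectClass -eq 'User' | ForEach-Object { $_.Name }
$exposed    = $owners | Where-Object { $adminNames -contains $_.Account }

"== Local Administrators members on $computer =="
$admins  | Format-Table -AutoSize
"== Accounts currently owning processes on $computer =="
$owners  | Format-Table -AutoSize
"== Admin accounts exposed through running processes =="
$exposed | Format-Table -AutoSize
```

The process list is a point-in-time snapshot, so run the script on each server and PC in scope on a schedule rather than once, and expand any domain groups in the first table in AD to cover nested memberships.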
Download the tool right now via the official website at www.tokensnatcher.com.