_EPROCESS is a kernel memory structure that describes system processes (or in other words - each process running on a system has its corresponding _EPROCESS object somewhere in the kernel) as we know them as it contains details such as process image name, which desktop session it is running in, how many open handles to other kernel objects it has, what access token it has and much more. _TOKEN is a kernel memory structure that describes process's security context and contains information such as process token privileges, logon id, session id, token type (i.e primary vs. impersonation) and much more. _TOKEN structure:_EPROCESS kernel structure_EPROCESS structure contains a pointer to a _TOKEN memory structure that describes process's security context_TOKEN structure of a low privileged process - the one it wants to escalate from_TOKEN structure of a privileged process, running as NT\SYSTEMpowershell process with a high privileged token of the system process (always a PID 4) following the above described process, except I will do it manually using WinDBG.MEDIUM integrity process, running as WS02\spotless WS02 is my lab machine name spotless is a low privileged local user. SYSTEM integrity process, effectively running as NT\SYSTEM WS02$ is my lab computer account OFFENSE is the domain the machine is a member ofpowershell will assume the high privileged token from the process system once the _TOKEN kernel memory structure is manipulated._EPROCESS structures for given processes:powershell (this is the process for which we will replace the low privileged token with a high privileged token) as a medium integrity/non-elevated process (in my case running as a local non-admin user ws02\spotless) and get its process ID:powershell process with PID 2648 (0xa58):_EPROCESS location ffffdc8fbe1f1080:_EPROCESS location in the kernel, we can inspect its contents like so:_EPROCESS memory structure we are after is Token located at offset 0x358:0x358 suggests it's pointer to _EX_FAST_REF memory structure and we will come back to this shortly._EPROCESS.Token is pointing to, which is ffffc507`dab7799f in my case:ffffc507`dab7799f with !token ffffc507dab7799f command, we are told that this address does not point to a token object, which we may find a bit odd:_EX_FAST_REF comes into play. It was pointed out earlier that _EPROCESS.Token actually points to a _EX_FAST_REF structure rather than a _TOKEN structure._EPROCESS.Token which is ffffdc8f`be1f13d8 (_EPROCESS location plus the Token member offset (ffffdc8fbe1f1080+0x358)) with the _EX_FAST_REF structure and see what's inside:Object and Value are pointing to the same address, but the interesting piece is the RefCnt with 4 bits on (equals to 0xF, which looks like it is the last digit of both Object and Value members are pointing to - 0xffffc507`dab7799f). _EX_FAST_REF without data, based on the symbols, it's defined like so:Object or Value) of the value pointed to by members Object and Value (in my case 0xffffc507`dab7799f) is used to denote the reference count to this token, which means it's not part of the token address, which means we should be able to zero it out and get an actual _TOKEN structure address for our powershell process.Object and Value are 0xffffc507`dab7799f, we should be able to just swap the last f with 0 which would give us 0xffffc507`dab77990 and it should be our _TOKEN address.Token is pointing to 0xffffc507`dab77990 - note the last digit is 0 rather than f, which confirms that we can always zero out the last digit pointed to by _EX_FAST_REF to get the effective _TOKEN structure address:AND operation as shown below:!token command again with the last digit of _EPROCESS.Token->Value set to 0, we no longer see the error message suggesting there's no token at that address and we start seeing some actual token details like user group it belongs to, etc.:whoami /all and the !token (ffffc507dab7799f & 0xFFFFFFF0) match:_TOKEN - the token that our low privileged powershell process will assume.SYSTEM process - we're interested in it's _TOKEN location which is at ffffc507d8818040 as shown below:ffffdc8fbe1f1080+0x358) with that held by the SYSTEM process (ffffc507d8818040) by simply writing the SYSTEM process's token address to the the _EPROCESS.Token of our powershell process:ws02\spotless and nt authority\system after:_TOKENstructure is Privileges at offset 0x040, defined as _SEP_TOKEN_PRIVILEGES structure:_sep_token_privileges structure:_sep_token_privileges shows which privileges the token has and which of them are enabled/disabled - the info that we can also check from the userland with whoami /priv. _sep_token_privileges Present and Enabled values do not match and this is what results in Enabled/Disabled privileges that we see in the whoami /priv State column:Present and Enabled values match like so:Present and Enabled values, we can now see how all the privileges in the State column of the whoami /priv output are Enabled:Present field that would give us more/elevated privileges? We can get a good hint by inspecting the Present value of the SYSTEM process (PID 4) token:Present value is 0x0000001f`f2ffffbc - this represents all the privileges the SYSTEM process token has. Present and Enabled fields. If successful, we should have all the SYSTEM privileges enabled for our low privileged powershell process running in the context of the user ws02\spotless:_sep_token_privileges structure:whoami /priv now shows that we have all the SYSTEM privileges and all of them are enabled: