🖊️ Author: Nairuz Abulhul

🌐 Blog: R3dbuck3t

Access Token Overview

<aside> 💡 Access tokens are usually generated when a user authenticates to the system by providing their username and password, which are checked by the Local Security Authority Subsystem Service (LSASS).

If the user account is local, LSASS verifies the credentials against the Security Account Manager (SAM). However, if the account is a domain account, the verification request is sent to the domain controller to verify the user’s identity.

After the verification step is complete, the user is issued an access token that identifies them and the privileges associated with their account.

The access token helps the system make security decisions determining the access level needed for the user to perform system-related operations.

</aside>

Access Types

Delegation Tokens

<aside> 💡 Delegation tokens are created when users log in to a system interactively using their credentials. Interactive logins can be physical or remote, such as a Remote Desktop session over RDP or VNC.

Delegation tokens are used for domain escalation because they contain authentication credentials; an attacker can steal high-privileged tokens and use them to impersonate a domain admin, for example, without knowing their actual credentials.

</aside>

Impersonation Tokens

<aside> 💡 Impersonation tokens are created when users log in to a system non-interactively, for example when accessing a shared drive on the network. Users usually don’t get prompted for credentials when accessing the share; instead, they use their tokens for access.

Impersonation tokens are usually generated after the delegation tokens. Non-interactive authentication uses established credentials from an interactive authentication.

</aside>
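From a defender's side, the two token types described above can be tracked through Windows Security logon events. The following is an added example, not code from the original post: it maps event 4624 logon types to the token type the text associates with them and lists interactive sessions of privileged accounts that have not yet logged off (events 4634/4647). The event records are constructed sample data, and the `PRIVILEGED` watch list and host names are assumptions.

```python
# Added example: map Windows Security 4624 logon types to the token type the
# text associates with them, and list privileged interactive sessions that
# are still open. All events are constructed sample data.

INTERACTIVE = {2: "Interactive", 10: "RemoteInteractive"}  # delegation token per the text
NON_INTERACTIVE = {3: "Network"}                           # impersonation token per the text
PRIVILEGED = {"da-alice"}  # assumption: accounts treated as high-privileged

EVENTS = [  # constructed, in chronological order
    {"EventID": 4624, "Computer": "WS01", "TargetUserName": "bob",
     "LogonType": 2, "TargetLogonId": "0x1a"},
    {"EventID": 4624, "Computer": "SRV02", "TargetUserName": "da-alice",
     "LogonType": 10, "TargetLogonId": "0x2b"},   # RDP session, never logged off
    {"EventID": 4624, "Computer": "FS01", "TargetUserName": "da-alice",
     "LogonType": 3, "TargetLogonId": "0x3c"},    # share access over the network
    {"EventID": 4624, "Computer": "WS07", "TargetUserName": "DA-Alice",
     "LogonType": 2, "TargetLogonId": "0x4d"},    # console logon, closed below
    {"EventID": 4634, "Computer": "WS07", "TargetLogonId": "0x4d"},
]

def token_kind(logon_type):
    """Token type the text associates with a 4624 LogonType value."""
    if logon_type in INTERACTIVE:
        return "delegation"
    if logon_type in NON_INTERACTIVE:
        return "impersonation"
    return "other"

def exposed_delegation_sessions(events, privileged):
    """Return (host, user, logon kind) for open interactive privileged sessions."""
    open_sessions = {}
    for ev in events:
        key = (ev["Computer"], ev["TargetLogonId"])
        if ev["EventID"] == 4624:
            user = ev["TargetUserName"].lower()  # account names are case-insensitive
            if user in privileged and token_kind(ev["LogonType"]) == "delegation":
                open_sessions[key] = (user, INTERACTIVE[ev["LogonType"]])
        elif ev["EventID"] in (4634, 4647):      # logoff closes the session
            open_sessions.pop(key, None)
    return sorted((host, user, kind)
                  for (host, _), (user, kind) in open_sessions.items())

if __name__ == "__main__":
    for host, user, kind in exposed_delegation_sessions(EVENTS, PRIVILEGED):
        print(f"{host}: {user} has an open {kind} session")
```

Hosts in the output are the ones where a privileged account's interactive session is still present, which is where limiting or ending admin logons reduces exposure.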

Attack Requirements

Tools

Demo Steps