Windows Security Primitives — SIDs, Tokens, ACLs

What Windows Security Primitives Are and Why They Matter

Windows enforces every security decision — “can this process open that file?” — through a consistent set of primitives. These primitives are the foundation for authentication, authorization, and auditing across the OS.

A SID (Security Identifier) uniquely identifies every security principal — user, group, computer, domain, or service.
An access token represents a user’s identity and privileges on a specific system. Every process and thread has one.
Integrity levels (Mandatory Integrity Control) classify trust levels — processes at a lower integrity level cannot write to higher-integrity objects.
ACLs (Access Control Lists) and SACLs (System Access Control Lists) define who can do what to each object and which access attempts get audited.

MITRE ATT&CK maps privilege escalation techniques to T1134 (Access Token Manipulation). Understanding token manipulation is essential for detecting and triaging privilege escalation.

SIDs — Security Identifiers

Every security principal in Windows has a SID. It is the internal name that Windows uses — never the username.

SID Structure

S-R-I-S
│ │ │ └─ Subauthority (RID)
│ │ └─── Identifier Authority
│ └───── Revision
└─────── SID prefix

Example: S-1-5-21-3623811015-3361044348-30300820-500

S — SID prefix
1 — Revision level
5 — Identifier Authority (NT Authority)
21-3623811015-3361044348-30300820 — Domain-specific identifier
500 — Relative ID (RID) — Administrator account

Well-Known SIDs

SID	Name	Description
`S-1-0-0`	NULL SID	No principal — anonymous access
`S-1-1-0`	Everyone	All users and anonymous — do not rely on this for security
`S-1-2-0`	LOCAL	Users logged on locally
`S-1-3-0`	CREATOR OWNER	Object creator — inherits ownership
`S-1-5-11`	Authenticated Users	All authenticated users and computers (excludes anonymous)
`S-1-5-19`	NT Authority\Local Service	Local service account — minimal local privileges
`S-1-5-20`	NT Authority\Network Service	Network service account — minimal local, network access
`S-1-5-18`	SYSTEM	Local system — highest privilege on the OS
`S-1-5-21-*-500`	Built-in Administrator	Local admin account — RID 500
`S-1-5-21-*-512`	Domain Admins	Domain Admins group — member of every domain controller’s local Administrators group
`S-1-5-21-*-519`	Enterprise Admins	Enterprise Admins — highest AD privilege
`S-1-5-32-544`	BUILTIN\Administrators	Local Administrators group
`S-1-5-32-545`	BUILTIN\Users	Local Users group
`S-1-5-32-546`	BUILTIN\Guests	Guest account group
`S-1-16-0`	Untrusted	Integrity level — Untrusted
`S-1-16-4096`	Low	Integrity level — Low (Internet Explorer, Edge in AppContainer)
`S-1-16-8192`	Medium	Integrity level — Medium (standard user, default)
`S-1-16-8448`	Medium Plus	Integrity level — Medium Plus (UIPI bypass possible)
`S-1-16-12288`	High	Integrity level — High (administrator user, elevated)
`S-1-16-16384`	System	Integrity level — System (SYSTEM account)
`S-1-16-20480`	Protected Process	Integrity level — Protected Process (anti-malware, critical system)

How to Find SIDs

# Current user SID
whoami /user

# All SIDs for current user and groups
whoami /all

# Well-known SIDs
whoami /groups

# Domain user SID from AD (find RID 500 = admin, 512 = Domain Admins, etc.)
net user username /domain

Forensic value: SIDs appear in logs, registry keys, and file system permissions. Recognizing well-known SIDs lets you identify privilege levels from log output alone.

Access Tokens

An access token is an object that describes a user’s security context on a system. Every process and thread has a primary token that determines what the process can do.

Token Contents

Field	What It Contains	Why It Matters for Detection
User SID	The user the process is running as	Who executed this action
Group SIDs	All groups the user belongs to	Domain Admins, local Administrators, etc.
Privileges	Enabled and disabled privileges	`SeDebugPrivilege`, `SeTakeOwnershipPrivilege`, `SeBackupPrivilege`
Integrity level	Mandatory Integrity Control level	Medium, High, System, Protected Process
Session ID	Terminal Services session	Local vs. RDP session
Authentication ID	Logon session identifier	Links token to logon event (Event 4624)
Token type	Primary or Impersonation	Impersonation token indicates delegation or lateral movement

Token Types

Type	Description	Detection Relevance
Primary	The process’s own identity	Normal operation
Impersonation	A thread acting as a different user	Lateral movement, token theft — key indicator
Delegation	Impersonation that works across network	Pass-the-hash, pass-the-ticket

Detection — Token Manipulation

SPL query — detect SeDebugPrivilege usage (Event 4672):

index=windows EventCode=4672
| search PrivilegeList IN ("*SeDebugPrivilege*", "*SeTakeOwnershipPrivilege*", "*SeBackupPrivilege*")
| stats count by Account_Name, ComputerName, PrivilegeList
| sort - count

Why it matters: SeDebugPrivilege allows opening any process (including LSASS) for memory read and write — a prerequisite for credential dumping.

Integrity Levels (Mandatory Integrity Control)

Windows Vista and later enforce Mandatory Integrity Control (MIC). Every process and every securable object has an integrity level. A process cannot write to an object with a higher integrity level — even if the DACL permits it.

Integrity Level Hierarchy

Protected Process (S-1-16-20480)
      ↑
  System (S-1-16-16384)
      ↑
   High (S-1-16-12288) — Administrator: elevated
      ↑
Medium Plus (S-1-16-8448)
      ↑
  Medium (S-1-16-8192) — Standard user: running normally
      ↑
    Low (S-1-16-4096) — Internet Explorer in Protected Mode
      ↑
Untrusted (S-1-16-0)

Real-World Integrity Level Implications

Integrity Level	Who Runs Here	Detection Relevance
Low	Internet Explorer Protected Mode, AppContainer (Edge, Windows Store apps)	Compromise from Low means limited blast radius — an important concept in understanding the kill chain — cannot write to Medium+
Medium	Standard user, non-elevated admin	Most malware runs here — but cannot write to High+ objects
High	Administrator (elevated), services	Full local file system and registry write access
System	SYSTEM account, kernel-mode drivers	Highest user-mode privilege — can do anything on the local system
Protected Process	Anti-malware (Early Launch Anti-Malware), critical system processes	Cannot be tampered with even by SYSTEM — requires kernel driver

Security boundary: The boundary between Medium and High is the most important security boundary on Windows. UAC (User Account Control) enforces this — an admin on Medium cannot write to High objects without elevation.

UIPI (User Interface Privilege Isolation)

A process at a lower integrity level cannot send messages (mouse clicks, keyboard input) to a higher-integrity window. This is why an admin running non-elevated cannot “click OK” on a UAC prompt programmatically — it’s a UI-based security boundary.

ACLs, DACLs, and SACLs

Every securable object (file, registry key, process, service, printer) has a security descriptor that contains:

Owner SID — who owns the object
Group SID — primary group
DACL (Discretionary Access Control List) — who can do what
SACL (System Access Control List) — which access attempts generate audit logs

DACL — Who Can Access

A DACL contains Access Control Entries (ACEs). Each ACE grants or denies a specific access right to a specific SID.

ACE types:

Type	Effect	Priority
Access Denied	Explicitly denies access	Highest — evaluated first
Access Allowed	Explicitly grants access	Lower than Deny
Inherited Deny/Allow	Propagated from parent object	Lowest — evaluated last

Common file access rights:

Right	Value	What It Means
Read	`0x1`	Read file contents
Write	`0x2`	Write to file
Execute	`0x20`	Execute file
Delete	`0x10000`	Delete the object
Full Control	`0x1F01FF`	All rights + change permissions

SACL — Audit Configuration

A SACL defines which access attempts are logged in the Security Event Log. This is what powers Event IDs 4663 (access to an object) and 4656 (handle to an object requested).

SACL example — Audit successful write attempts to C:\Secrets\:

- Type: Success
- Principal: Everyone
- Access: Write
- Object: C:\Secrets\*

SPL query — detect object access audit events for sensitive files:

index=windows EventCode=4663
| search ObjectName IN ("*passwords*", "*secrets*", "*credentials*", "*sam*", "*system*")
| stats count by Account_Name, ObjectName, AccessMask, ProcessName
| sort - count

Reading ACLs

# View file ACL
icacls C:\Path\File.txt

# View registry key ACL
icacls HKLM\SYSTEM\CurrentControlSet\Services\* /t

# View process ACL — who can open this process?
icacls \\.\pipe\*

# View all accessible services
sc sdshow ServiceName

ACL output format:

C:\Secrets\data.txt
  BUILTIN\Administrators:(F)       # Full Control
  NT AUTHORITY\SYSTEM:(F)          # Full Control
  BUILTIN\Users:(R)                # Read only
  CONTOSO\Bob:(W)                  # Write allowed

Privileges — What a Token Can Do

Unlike permissions (which apply to specific objects), privileges apply system-wide. A privilege is the right to perform a specific security-relevant operation.

High-Value Privileges for Detection

Privilege	Name	Abuse Use
SeDebugPrivilege	Debug programs	Open any process — LSASS memory access for credential dumping
SeTakeOwnershipPrivilege	Take ownership of files/objects	Override DACLs — take ownership of protected files
SeBackupPrivilege	Backup files and directories	Read any file regardless of ACL — backup operators can read all data
SeRestorePrivilege	Restore files and directories	Write any file — can replace system files or DLLs
SeTcbPrivilege	Act as part of the operating system	Act as SYSTEM — highest privilege assignment
SeImpersonatePrivilege	Impersonate a client after authentication	Token theft and impersonation — potato-style privilege escalation
SeCreateTokenPrivilege	Create a token object	Direct token creation — bypass all access checks
SeLoadDriverPrivilege	Load and unload device drivers	Kernel-mode driver install — disable security products

How Privileges Are Used in Attacks

Attack	Privilege Required	Detection
Mimikatz LSASS dump	`SeDebugPrivilege` (admin or SYSTEM)	4672 + 4688 (`mimikatz.exe`) + Sysmon 10 (process handle to LSASS)
Potato-style escalation	`SeImpersonatePrivilege` (usually SERVICE accounts)	4672 + unusual process chain (services → command shell)
Backup operator abuse	`SeBackupPrivilege` + `SeRestorePrivilege`	4672 + access to `SAM`, `SYSTEM`, `SECURITY` registry hives
Load driver to disable EDR	`SeLoadDriverPrivilege`	Service installation (7045) + known malicious driver hash
Token theft	`SeDebugPrivilege` or `SeImpersonatePrivilege`	Sysmon 8 (CreateRemoteThread) + Sysmon 10 (process handle)

Putting It Together — A Forensic Walkthrough

When an analyst sees a process running as SYSTEM with SeDebugPrivilege, it can dump LSASS. Here is how the primitives chain together:

Who is running? → Check the process token’s User SID → SYSTEM (S-1-5-18) or Administrator (S-1-5-21-*-500)
What can they do? → Check token privileges → SeDebugPrivilege present and enabled
What trust level? → Check integrity level → High (S-1-16-12288) or System (S-1-16-16384)
Can they access the target? → Check target process DACL → Can the process SID open LSASS?
Are we auditing it? → Check SACL on LSASS process → Should generate Event 4663 or Sysmon Event 10

This chain of indicators — IoCs, IoAs, and TTPs explains why:

A standard user (Medium integrity) cannot dump LSASS — no SeDebugPrivilege and cannot open LSASS handle
An elevated admin (High integrity) can — but logs will show 4672 + Sysmon 10
SYSTEM can always dump LSASS — but only legitimate SYSTEM services should be doing so

Credential Theft Incident Response — detection and response for T1558.001, T1003.001, T1134 techniques
Privilege Escalation Investigation — detection and response for T1068 techniques
Elastic Security — detection and response for T1654 techniques
Cloud Security Fundamentals — detection and response for T1525 techniques
Linux Security Fundamentals — detection and response for T1059, T1546, T1548 techniques