Last updated
Last updated
The make_token
command allows you to impersonate a user if you know their plaintext password. This works under the hood by calling the API, which takes several parameters including a username, password, domain name and logon type. In this instance, the LOGON32_LOGON_NEW_CREDENTIALS
logon type is used, which allows the caller to clone its current token and specify new credentials for outbound network connections.
The API outputs a handle to a token which can then be passed to the API. This allows the calling thread to impersonate the context of token (i.e. the impersonated user's context).
The logon session created with LogonUserA has the same local identifier as the caller but the alternate credentials are used when accessing a remote resource.
This also means that make_token
is not applicable to anything you may want to run on the current machine. For that, spawnas
may be a better solution.
These logon events can be found in Kibana with the following query:
Where 4624 is the "An account was successfully logged on" Event ID and LogonType 9 is LOGON32_LOGON_NEW_CREDENTIALS. The events will show who the caller was, what user they impersonated, the calling process name, ID, and more.
One unfortunate downside to detecting this technique is that runas /netonly
behaves in the same way. So it may be difficult to distinguish legitimate and malicious events.