We have already seen an example of using Cobalt Strike's steal_token command in the context of pass the ticket. However, if we elevate or land on a system where a user is running a process, we can impersonate its token without having to jump through additional hoops.
If we list the running processes on Workstation 2 from an elevated prompt, we see that jking is running an instance of mmc.exe.
We can simply steal its token and access a target.
This technique works by obtaining a handle to the target process, opening and duplicating its primary access token, and then impersonating that token. The downside is that the stolen token is tied to the process: once the user closes it, our ability to abuse it goes away. Taking the additional steps of extracting tickets or hashes gives us a more durable, "future-proof" way of leveraging the credential material.
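From the defender's side, the handle-then-token sequence just described leaves a trace: OpenProcessToken only works on a process handle granted PROCESS_QUERY_INFORMATION (0x0400) or PROCESS_QUERY_LIMITED_INFORMATION (0x1000), and Sysmon records every such handle open as Event ID 10 (ProcessAccess) with the SourceImage, TargetImage and GrantedAccess mask. The script below is an added detection example, not part of this page or of Cobalt Strike; it runs over constructed log records in a flattened key=value layout (not real Sysmon output), and it assumes the SourceUser/TargetUser fields that newer Sysmon versions add to Event 10 as well as a baseline allow-list that would have to be tuned per host.

```python
import re

# Process access rights that OpenProcessToken requires on the handle
# (PROCESS_QUERY_INFORMATION = 0x0400, PROCESS_QUERY_LIMITED_INFORMATION = 0x1000).
TOKEN_CAPABLE_MASK = 0x0400 | 0x1000

# Source images that open other processes for query access as a matter of course.
# Assumption: an allow-list tuned to the host's real baseline, not a general rule.
BASELINE_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\lsass.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\taskmgr.exe",
}

# Constructed sample records in a flattened key=value|key=value layout (not real
# Sysmon output; a SIEM export or XML parser would yield the same field names).
SAMPLE_LOG = [
    r"EventID=10|UtcTime=2024-01-01 10:00:01|SourceImage=C:\Windows\System32\taskmgr.exe|SourceUser=WS2\localadmin|TargetImage=C:\Windows\System32\mmc.exe|TargetUser=CORP\jking|GrantedAccess=0x1000",
    r"EventID=10|UtcTime=2024-01-01 10:00:07|SourceImage=C:\Users\Public\update.exe|SourceUser=NT AUTHORITY\SYSTEM|TargetImage=C:\Windows\System32\mmc.exe|TargetUser=CORP\jking|GrantedAccess=0x1400",
    r"EventID=1|UtcTime=2024-01-01 10:00:09|Image=C:\Windows\System32\notepad.exe|User=CORP\jking",
    r"EventID=10|UtcTime=2024-01-01 10:00:12|SourceImage=C:\Windows\explorer.exe|SourceUser=CORP\jking|TargetImage=C:\Windows\System32\notepad.exe|TargetUser=CORP\jking|GrantedAccess=0x0001",
]

FIELD_RE = re.compile(r"(\w+)=([^|]*)")


def parse_event(line):
    """Return the fields of a ProcessAccess (ID 10) record, or None for other events."""
    fields = dict(FIELD_RE.findall(line))
    if fields.get("EventID") != "10":
        return None
    fields["GrantedAccess"] = int(fields["GrantedAccess"], 16)
    return fields


def classify(event):
    """Return a reason string if the access looks like token theft, else None."""
    if not event["GrantedAccess"] & TOKEN_CAPABLE_MASK:
        return None  # handle lacks the rights OpenProcessToken needs
    if event["SourceImage"].lower() in BASELINE_SOURCES:
        return None  # expected system behaviour on this host
    reason = "non-baseline process opened %s with token-capable access" % event["TargetImage"]
    # A different user on each side is the strongest signal: a process of one
    # identity reaching into a process that runs as another identity.
    src_user, dst_user = event.get("SourceUser"), event.get("TargetUser")
    if src_user and dst_user and src_user != dst_user:
        reason += " (cross-user: %s -> %s)" % (src_user, dst_user)
    return reason


def find_suspicious(lines):
    """Return (event, reason) pairs for records that survive both filters."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        reason = classify(event)
        if reason:
            hits.append((event, reason))
    return hits


if __name__ == "__main__":
    for event, reason in find_suspicious(SAMPLE_LOG):
        print(event["UtcTime"], event["SourceImage"], "->", reason)
```

The access mask on its own is far too noisy to alert on, since any process enumerator asks for 0x1000; the value comes from the baseline filter and from the cross-user condition, which is exactly the situation the page describes (an elevated process opening mmc.exe running as jking).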
When impersonating users in this way, the CS client (since 4.8) updates several UI elements to help you keep track of who (if anybody) your Beacon is currently impersonating.