Token Store

Cobalt Strike 4.8 introduced a new set of commands called token-store. This is an evolution of the steal_token command that lets you steal tokens and store them for future use. For example, steal a token and add it to the token store with token-store steal <pid>.

beacon> token-store steal 5536
[*] Stored Tokens

 ID   PID   User
 --   ---   ----
 0    5536  DEV\jking

You may list all the tokens in the store with token-store show and impersonate one using token-store use <id>.

beacon> token-store use 0
[+] Impersonated DEV\jking

The rev2self command will drop the impersonation token, but it will remain in the store so that it can be impersonated again. A token can be removed from the store using token-store remove <id> or the entire store flushed with token-store remove-all.

The primary advantages of the token store are two-fold. The first is that we don't have to carry out the stealing process multiple times, which is better OPSEC. Since stealing a token requires opening a handle to the target process and to its process token, the fewer times you do that, the better. The second is that maintaining an open handle to the duplicated token prevents Windows from disposing of the user's logon session if they were to log off or if the process we stole from were to terminate.
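
As an added, defender-side example (not part of the Cobalt Strike documentation): the paragraph above notes that every steal opens a handle to the target process and its token, so the telemetry that records cross-process handle opens is where repeated stealing becomes visible. The script below runs over constructed Sysmon Event ID 10 (ProcessAccess) records, flattened to "Key: Value" pairs, and flags a source process that was granted query rights (the prerequisite for opening a process token) into several distinct processes; the sample lines, paths, PIDs and the threshold are assumptions.

```python
from collections import defaultdict

# OpenProcess rights a caller must hold before it can open that process's
# token (Windows SDK values). Sysmon reports the granted mask in hex.
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
TOKEN_PREREQ_MASK = PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION

# Constructed Sysmon Event ID 10 records (sample data only; PIDs, paths and
# times are made up). One record per line, fields separated by ", ".
SAMPLE_EVENTS = r"""
UtcTime: 2024-01-09 10:00:01.000, SourceImage: C:\Users\jking\AppData\Local\update.exe, SourceProcessId: 4120, TargetImage: C:\Windows\explorer.exe, TargetProcessId: 5536, GrantedAccess: 0x1400
UtcTime: 2024-01-09 10:00:02.000, SourceImage: C:\Users\jking\AppData\Local\update.exe, SourceProcessId: 4120, TargetImage: C:\Windows\System32\svchost.exe, TargetProcessId: 812, GrantedAccess: 0x1400
UtcTime: 2024-01-09 10:00:03.000, SourceImage: C:\Users\jking\AppData\Local\update.exe, SourceProcessId: 4120, TargetImage: C:\Windows\System32\winlogon.exe, TargetProcessId: 640, GrantedAccess: 0x1000
UtcTime: 2024-01-09 10:00:04.000, SourceImage: C:\Windows\System32\taskmgr.exe, SourceProcessId: 2200, TargetImage: C:\Windows\explorer.exe, TargetProcessId: 5536, GrantedAccess: 0x1000
UtcTime: 2024-01-09 10:00:05.000, SourceImage: C:\Users\jking\AppData\Local\update.exe, SourceProcessId: 4120, TargetImage: C:\Windows\System32\notepad.exe, TargetProcessId: 3300, GrantedAccess: 0x0001
"""


def parse_event(line: str) -> dict:
    """Split one flattened record into a dict; numeric fields become ints."""
    fields = {}
    for part in line.split(", "):
        key, _, value = part.partition(": ")
        fields[key] = value
    fields["GrantedAccess"] = int(fields["GrantedAccess"], 16)
    fields["SourceProcessId"] = int(fields["SourceProcessId"])
    fields["TargetProcessId"] = int(fields["TargetProcessId"])
    return fields


def token_prereq_opens(events):
    """Yield only the opens whose granted mask allows a follow-on token open."""
    for ev in events:
        if ev["GrantedAccess"] & TOKEN_PREREQ_MASK:
            yield ev


def flag_repeated_stealers(log_text: str, threshold: int = 3) -> dict:
    """Map (SourceImage, SourcePid) -> sorted target PIDs for every source that
    opened query-rights handles into at least `threshold` distinct processes."""
    targets = defaultdict(set)
    records = (parse_event(l) for l in log_text.splitlines() if l.strip())
    for ev in token_prereq_opens(records):
        targets[(ev["SourceImage"], ev["SourceProcessId"])].add(ev["TargetProcessId"])
    return {src: sorted(pids) for src, pids in targets.items() if len(pids) >= threshold}
```

Sysmon only emits Event ID 10 for the access masks its configuration includes, so a rule like this is only as good as the sensor config that feeds it.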

It's important to note that each Beacon has its own token store. You cannot transfer tokens from one Beacon to another, even if they're on the same host.
