search

coin-verticalToken Impersonation

hashtag
Tokens

  • like cookies for computers

  • temp keys that allow you to access system/network without providing creds each time

  • Two types

    • Delegate

      • created for logging in or using remote desktop

    • Impersonate

      • non-interactive, such as attaching a network drive or a logon script

hashtag
Attack

hashtag
Metasploit

  • Get a meterpreter shell

  • load incognito

    • list_tokens -u

    • impersonate_token [user listed] (ie: marvel\fcastle)

    • shell

  • once we have been able to get local admin on a machine, we can add a user for our benefit

hashtag
Potato Attacks

Must have account which has privileges to impersonate security tokens (SeImpersonte or SeAssignPrimaryToken)

hashtag
Rotten Potato

LogoRotten Potato – Privilege Escalation from Service Accounts to SYSTEMfoxglovesecchevron-right

hashtag
Juicy Potato

LogoGitHub - ohpe/juicy-potato: A sugared version of RottenPotatoNG, with a bit of juice, i.e. another Local Privilege Escalation tool, from a Windows Service Accounts to NT AUTHORITY\SYSTEM.GitHubchevron-right

hashtag
Defense

hashtag
Limit user/group token creation permission

hashtag
Account tiering

hashtag
Local admin restriction

PreviousKerberoastingNextLNK File Attacks

Last updated