Trust Relationships

The heart of Windows single sign-on is the access token. When a user logs onto a Windows host, an access token is generated. This token contains information about the user and their rights. The access token also holds information needed to authenticate the current user to another system on the network. Impersonate or generate a token and Windows will use its information to authenticate to a network resource for you.

Use steal_token [pid] or steal_token [pid] <OpenProcessToken access mask> to steal an access token from an existing process.

Token Store

The token store facilitates hot-swappable access tokens. Use token-store steal [pid,...] <OpenProcessToken access mask> to steal an access token and store it. To immediately apply the stolen token, use token-store steal-and-use [pid] <OpenProcessToken access mask>.

The token-store show command lists the access tokens currently available in the token store. Use token-store use [id] to apply an access token to the current Beacon.

The token-store remove [id,...] and token-store remove-all commands remove stored tokens from the store.

If you'd like to see which processes are running, use ps. The getuid command prints your current token. Use rev2self to revert to your original token.

OpenProcessToken access mask suggested values (blank = default, TOKEN_ALL_ACCESS):

TOKEN_ASSIGN_PRIMARY: 1
TOKEN_DUPLICATE: 2
TOKEN_IMPERSONATE: 4
TOKEN_QUERY: 8
TOKEN_QUERY_SOURCE: 16
TOKEN_ADJUST_GROUPS: 64
TOKEN_ADJUST_DEFAULT: 128

Specifying an OpenProcessToken access mask can help when stealing a token from a process running as the SYSTEM user fails with this error: Could not open process token: {pid} (5). The trailing code 5 is ERROR_ACCESS_DENIED; requesting a narrower set of rights than TOKEN_ALL_ACCESS may succeed where the full request does not.

You can set your preferred default with '.steal_token_access_mask' in the Malleable C2 global options.

If you know credentials for a user, use make_token [DOMAIN\user] [password] to generate a token that passes these credentials. This token is a copy of your current token with modified single sign-on information, so getuid will still show your current username. This is expected behavior.

The Beacon command pth [pid] [arch] [DOMAIN\user] [ntlm hash] injects into the specified process to generate AND impersonate a token. Use pth [DOMAIN\user] [ntlm hash] (without [pid] and [arch] arguments) to spawn a temporary process to generate AND impersonate a token. This command uses mimikatz to generate AND impersonate a token that uses the specified DOMAIN, user, and NTLM hash as single sign-on credentials. Beacon will pass this hash when you interact with network resources.

Beacon’s Make Token dialog ([beacon] -> Access -> Make Token) is a front-end for these commands. It will present the contents of the credential model and it will use the right command to turn the selected credential entry into an access token.
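From the defender's side, make_token and pth both create a NewCredentials logon, which the Windows Security log records as event 4624 with LogonType 9: the local identity is unchanged while the outbound (network) identity is the supplied credential. The following is an added example, not part of the Cobalt Strike documentation; it runs over constructed 4624 records shaped like an EventData export (the user, domain, and process values are made up) and flags those logons.

```python
# Constructed sample records shaped like Windows Security event 4624 EventData;
# these are not real logs. The middle record is what a make_token / pth call
# from a Beacon host process would typically leave behind.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 2, "SubjectUserName": "-", "TargetUserName": "alice",
     "TargetDomainName": "CORP", "LogonProcessName": "User32",
     "ProcessName": "C:\\Windows\\System32\\winlogon.exe",
     "TargetOutboundUserName": "-", "TargetOutboundDomainName": "-"},
    {"EventID": 4624, "LogonType": 9, "SubjectUserName": "alice", "TargetUserName": "alice",
     "TargetDomainName": "CORP", "LogonProcessName": "Advapi",
     "ProcessName": "C:\\Windows\\System32\\rundll32.exe",
     "TargetOutboundUserName": "svc_backup", "TargetOutboundDomainName": "CORP"},
    {"EventID": 4624, "LogonType": 3, "SubjectUserName": "-", "TargetUserName": "bob",
     "TargetDomainName": "CORP", "LogonProcessName": "Kerberos",
     "ProcessName": "-", "TargetOutboundUserName": "-", "TargetOutboundDomainName": "-"},
]


def find_new_credentials_logons(events):
    """Return one finding per 4624 event with LogonType 9 (NewCredentials).

    In a NewCredentials logon TargetUserName equals SubjectUserName (the token
    is a copy of the caller's), and the credential handed to make_token or pth
    shows up in TargetOutboundUserName / TargetOutboundDomainName.
    """
    findings = []
    for ev in events:
        if ev.get("EventID") != 4624 or int(ev.get("LogonType", 0)) != 9:
            continue
        outbound_user = ev.get("TargetOutboundUserName") or "-"
        findings.append({
            "subject": f'{ev.get("TargetDomainName", "-")}\\{ev.get("SubjectUserName", "-")}',
            "outbound": f'{ev.get("TargetOutboundDomainName", "-")}\\{outbound_user}',
            "process": ev.get("ProcessName", "-"),
            # True when the network identity differs from the local one, i.e. the
            # caller is now acting as someone else towards remote resources.
            "identity_changed": outbound_user != "-" and outbound_user != ev.get("SubjectUserName"),
        })
    return findings


if __name__ == "__main__":
    for f in find_new_credentials_logons(SAMPLE_EVENTS):
        print(f"{f['subject']} -> {f['outbound']} via {f['process']} (changed={f['identity_changed']})")
```

runas /netonly and some administrative tools produce the same event, so triage on the originating process and on whether the outbound identity is a privileged account rather than alerting on LogonType 9 alone.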

Kerberos Tickets

A Golden Ticket is a self-generated Kerberos ticket. It's most common to forge a Golden Ticket with Domain Administrator rights.

Go to [beacon] -> Access -> Golden Ticket to forge a Golden Ticket from Cobalt Strike. Provide the following pieces of information and Cobalt Strike will use mimikatz to generate a ticket and inject it into your kerberos tray:

  1. The user you want to forge a ticket for.
  2. The domain you want to forge a ticket for.
  3. The domain's SID.
  4. The NTLM hash of the krbtgt user on a domain controller.

Use kerberos_ticket_use [/path/to/ticket] to inject a Kerberos ticket into the current session. This will allow Beacon to interact with remote systems using the rights in this ticket.

Use kerberos_ticket_purge to clear any Kerberos tickets associated with your session.
