
Impersonation


Make Token

Creates an access token using plaintext credentials. No impact on local actions - only affects network interactions.

Does NOT require high integrity.

make_token INLANEFREIGHT\tmorgan Passw0rd!
[+] Impersonated INLANEFREIGHT\tmorgan (netonly)

ls \\ilf-ws-1\c$

Steal Token

Steals the primary access token from a process running as a different user.

Requires high integrity.

ps

 PID   PPID  Name                       Arch  Session     User
 ---   ----  ----                       ----  -------     ----
 5248  1864  cmd.exe                    x64   0           INLANEFREIGHT\tmorgan
 5256  5248      conhost.exe            x64   0           INLANEFREIGHT\tmorgan
 5352  5248      mmc.exe                x64   0           INLANEFREIGHT\tmorgan
 
steal_token 5248
[+] Impersonated INLANEFREIGHT\tmorgan

Token Store

Permanently holds a reference to tokens, even after the original process closes.


Pass the Hash (Avoid if Possible)

⚠️ Prefer Pass the Ticket - NTLM is anomalous and may be restricted in hardened environments.
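Defender-side view of the logons the commands above leave behind, as an added example that is not part of the original page or of Cobalt Strike. make_token calls LogonUser with LOGON32_LOGON_NEW_CREDENTIALS, and pth also ends in a netonly logon session; both write Security event 4624 with Logon Type 9 (New Credentials). steal_token only duplicates an existing token and creates no logon event, so it is not visible here. The script scans constructed 4624 records for type 9 logons and for NTLM network logons of domain accounts, which is the "anomalous NTLM" the warning refers to. Field names are the real 4624 EventData names; hostnames, accounts and addresses are invented.

```python
import json

# Constructed Windows Security 4624 events as JSON lines (not real telemetry).
# Field names follow the event's EventData; every value is invented.
SAMPLE_LOGON_EVENTS = """
{"EventID": 4624, "Computer": "ILF-WS-1", "LogonType": 2, "SubjectUserName": "SYSTEM", "TargetDomainName": "INLANEFREIGHT", "TargetUserName": "bwilliams", "AuthenticationPackageName": "Kerberos", "LogonProcessName": "User32", "IpAddress": "127.0.0.1"}
{"EventID": 4624, "Computer": "ILF-WS-1", "LogonType": 9, "SubjectUserName": "bwilliams", "TargetDomainName": "INLANEFREIGHT", "TargetUserName": "bwilliams", "AuthenticationPackageName": "Negotiate", "LogonProcessName": "Advapi", "IpAddress": "::1"}
{"EventID": 4624, "Computer": "ILF-WS-1", "LogonType": 3, "SubjectUserName": "-", "TargetDomainName": "INLANEFREIGHT", "TargetUserName": "svc_backup", "AuthenticationPackageName": "NTLM", "LogonProcessName": "NtLmSsp", "IpAddress": "10.10.14.22"}
{"EventID": 4624, "Computer": "ILF-WS-1", "LogonType": 3, "SubjectUserName": "-", "TargetDomainName": "INLANEFREIGHT", "TargetUserName": "jsmith", "AuthenticationPackageName": "Kerberos", "LogonProcessName": "Kerberos", "IpAddress": "10.10.14.5"}
"""

NEW_CREDENTIALS = 9  # Logon Type 9: caller cloned its token with new outbound credentials


def parse_events(text):
    """Parse JSON-lines telemetry into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_new_credentials_logons(events):
    """4624 events with LogonType 9, the trace LogonUser(LOGON32_LOGON_NEW_CREDENTIALS)
    leaves, i.e. what make_token and pth-style impersonation produce.
    The New Logon account equals the caller because the local identity is unchanged;
    the substituted credentials are not recorded in the event."""
    return [e for e in events
            if e.get("EventID") == 4624 and e.get("LogonType") == NEW_CREDENTIALS]


def find_ntlm_domain_logons(events, domain):
    """4624 network logons (type 3) of domain accounts authenticated with NTLM.
    In a Kerberos environment these deserve a baseline: NTLM is normal for
    IP-address access and non-joined hosts, not for routine domain traffic."""
    return [e for e in events
            if e.get("EventID") == 4624
            and e.get("LogonType") == 3
            and e.get("AuthenticationPackageName") == "NTLM"
            and e.get("TargetDomainName", "").upper() == domain.upper()]


def describe(event):
    """One-line summary of a logon event for an alert or a hunting notebook."""
    return (f"{event['Computer']}: type {event['LogonType']} logon as "
            f"{event['TargetDomainName']}\\{event['TargetUserName']} via "
            f"{event['AuthenticationPackageName']}/{event['LogonProcessName']} "
            f"from {event['IpAddress']}")


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOGON_EVENTS)
    for e in find_new_credentials_logons(evts):
        print("[new-credentials logon]", describe(e))
    for e in find_ntlm_domain_logons(evts, "INLANEFREIGHT"):
        print("[NTLM domain logon]", describe(e))
```

Type 9 logons are not rare on their own (runas /netonly, some service tooling), so the useful signal is the combination: which process made the call, whether the host normally sees them, and whether network activity under the new credentials follows.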


Pass the Ticket

Superior to PtH:

  • Kerberos auth is not anomalous

  • Not restricted like NTLM

  • Uses native Windows APIs (doesn't patch LSASS)

  • Not prevented by PPL

Request TGT with AES256

Requesting the TGT with the NTLM hash instead returns RC4-encrypted tickets (not advisable).
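The domain-controller side of the encryption-type note, as an added example that is not from the page, Rubeus or Cobalt Strike: 4768 (TGT request) and 4769 (service ticket request) events carry TicketEncryptionType, so an RC4-HMAC (0x17) TGT for an account that otherwise receives AES256 (0x12) is what an NTLM-hash-based request looks like from the KDC's logs. The script baselines encryption types per account over constructed events and reports accounts that received both. Field names are the real EventData names; accounts, realm and addresses are invented.

```python
import json
from collections import Counter

# Constructed 4768 (TGT request) and 4769 (service ticket request) events as
# JSON lines. Field names follow the events' EventData; every value is invented.
SAMPLE_KERBEROS_EVENTS = """
{"EventID": 4768, "TargetUserName": "tmorgan", "TargetDomainName": "INLANEFREIGHT.LOCAL", "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.14.5"}
{"EventID": 4768, "TargetUserName": "tmorgan", "TargetDomainName": "INLANEFREIGHT.LOCAL", "ServiceName": "krbtgt", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.22"}
{"EventID": 4769, "TargetUserName": "tmorgan@INLANEFREIGHT.LOCAL", "ServiceName": "ILF-WS-1$", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.14.22"}
{"EventID": 4769, "TargetUserName": "jsmith@INLANEFREIGHT.LOCAL", "ServiceName": "svc_legacy", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.5"}
"""

# Kerberos etype numbers as logged in TicketEncryptionType (RFC 3961 / MS-KILE).
ENC_TYPES = {
    "0x1": "DES-CBC-CRC",
    "0x3": "DES-CBC-MD5",
    "0x11": "AES128-CTS-HMAC-SHA1-96",
    "0x12": "AES256-CTS-HMAC-SHA1-96",
    "0x17": "RC4-HMAC",
    "0x18": "RC4-HMAC-EXP",
}
WEAK_ETYPES = {"0x1", "0x3", "0x17", "0x18"}
TICKET_EVENTS = (4768, 4769)


def parse_events(text):
    """Parse JSON-lines telemetry into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def etype_name(event):
    code = event.get("TicketEncryptionType", "").lower()
    return ENC_TYPES.get(code, f"unknown({code})")


def account_of(event):
    """The account to baseline: for a TGT (4768) the requesting user, whose client
    advertised the etypes; for a service ticket (4769) the service account, whose
    keys determine the etype the KDC can issue."""
    return event["TargetUserName"] if event["EventID"] == 4768 else event["ServiceName"]


def weak_ticket_events(events):
    """Tickets issued under RC4 or DES. An RC4 TGT for a user who normally gets
    AES256 is the KDC-side trace of a request made with the NTLM hash."""
    return [e for e in events if e.get("EventID") in TICKET_EVENTS
            and e.get("TicketEncryptionType", "").lower() in WEAK_ETYPES]


def etype_profile(events):
    """Count encryption types per account so an RC4 ticket for an otherwise-AES
    account stands out while an RC4-only legacy service reads as baseline."""
    profile = Counter()
    for e in events:
        if e.get("EventID") in TICKET_EVENTS:
            profile[(account_of(e), etype_name(e))] += 1
    return profile


def downgraded_accounts(events):
    """Accounts that received both strong (AES) and weak (RC4/DES) tickets in the
    sample: the weak ticket is inconsistent with the account's AES keys."""
    seen = {}
    for e in events:
        if e.get("EventID") in TICKET_EVENTS:
            code = e.get("TicketEncryptionType", "").lower()
            kind = "weak" if code in WEAK_ETYPES else "strong"
            seen.setdefault(account_of(e), set()).add(kind)
    return sorted(acct for acct, kinds in seen.items() if kinds == {"weak", "strong"})


if __name__ == "__main__":
    evts = parse_events(SAMPLE_KERBEROS_EVENTS)
    for e in weak_ticket_events(evts):
        print(f"[weak etype] {e['EventID']} {account_of(e)} {etype_name(e)} from {e['IpAddress']}")
    for (acct, name), n in sorted(etype_profile(evts).items()):
        print(f"{acct:<16} {name:<26} {n}")
    print("downgraded:", downgraded_accounts(evts))
```

Accounts that only ever appear with RC4 (here svc_legacy) are a configuration finding rather than an alert; the per-account profile is what separates the two cases.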

Inject TGT (kerberos_ticket_use)

Requires the .kirbi file on the Cobalt Strike client machine.

Convert base64 ticket to .kirbi:

⚠️ Injecting a TGT overwrites any existing ticket in the logon session.

Create new logon session first (fake password):

Inject TGT (Rubeus Method)

Rubeus ptt accepts base64 tickets directly and works with both TGTs and service tickets.

Create hidden process in new logon session:

The getuid Confusion

steal_token and getuid return the username from the primary access token, not the impersonated user from PtT/PtH. This is expected behavior.


Process Injection

Inject Beacon shellcode directly into a process owned by another user.

Requires high integrity.
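A host-side check for the injection step, as an added example that is not from the page or from Cobalt Strike, and which assumes the injection used CreateRemoteThread (other injection primitives raise no Event 8). Sysmon Event ID 8 records the source and target image, the new thread's start address and the module backing it; shellcode lives in a private allocation, so StartModule is empty. The script flags such unbacked remote threads over constructed Sysmon records and notes when the source and target run as different users, the situation the "process owned by another user" note describes. SourceUser and TargetUser are assumed to be present (recent Sysmon versions log them); all values are invented.

```python
import json

# Constructed Sysmon Event ID 8 (CreateRemoteThread) records as JSON lines; every
# value is invented. Raw string so the JSON backslash escapes survive as written.
SAMPLE_SYSMON_EVENTS = r"""
{"EventID": 8, "SourceImage": "C:\\Windows\\System32\\csrss.exe", "SourceUser": "NT AUTHORITY\\SYSTEM", "TargetImage": "C:\\Windows\\explorer.exe", "TargetUser": "INLANEFREIGHT\\bwilliams", "StartAddress": "0x00007FFB1A2C3D40", "StartModule": "C:\\Windows\\System32\\ntdll.dll", "StartFunction": "RtlUserThreadStart"}
{"EventID": 8, "SourceImage": "C:\\Users\\bwilliams\\AppData\\Local\\Temp\\update.exe", "SourceUser": "INLANEFREIGHT\\bwilliams", "TargetImage": "C:\\Windows\\System32\\spoolsv.exe", "TargetUser": "NT AUTHORITY\\SYSTEM", "StartAddress": "0x000001D4C2F70000", "StartModule": "", "StartFunction": ""}
{"EventID": 8, "SourceImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "SourceUser": "INLANEFREIGHT\\tmorgan", "TargetImage": "C:\\Windows\\System32\\notepad.exe", "TargetUser": "INLANEFREIGHT\\tmorgan", "StartAddress": "0x000002A1B3C40000", "StartModule": "-", "StartFunction": "-"}
"""


def parse_events(text):
    """Parse JSON-lines telemetry into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_unbacked(event):
    """True when no loaded module backs the thread start address. Sysmon leaves the
    field empty; some pipelines normalise it to '-', so both are treated alike."""
    return event.get("StartModule", "").strip("- ") == ""


def unbacked_remote_threads(events):
    """Event 8 records whose new thread starts in memory that is not a mapped image:
    the shape a shellcode injection leaves. cross_user marks a source process acting
    on a process that runs as a different account."""
    hits = []
    for e in events:
        if e.get("EventID") != 8 or not is_unbacked(e):
            continue
        hits.append({
            "source": e["SourceImage"],
            "target": e["TargetImage"],
            "start": e["StartAddress"],
            "cross_user": e.get("SourceUser") != e.get("TargetUser"),
        })
    return hits


if __name__ == "__main__":
    for hit in unbacked_remote_threads(parse_events(SAMPLE_SYSMON_EVENTS)):
        tag = "cross-user" if hit["cross_user"] else "same-user"
        print(f"[unbacked remote thread, {tag}] {hit['source']} -> {hit['target']} @ {hit['start']}")
```

The module-backed csrss.exe thread in the sample is left alone on purpose: system components create remote threads legitimately, and a rule keyed on the source image alone would either miss injections or drown in exclusions.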


Drop Impersonation


Quick Reference

 Technique        Requirements                     Use Case
 ---------        ------------                     --------
 make_token       Plaintext creds                  Network access as user
 steal_token      High integrity + target process  Impersonate logged-in user
 token-store      High integrity                   Persistent token reference
 pth              NTLM hash                        Legacy/last resort
 Pass the Ticket  AES256/NTLM hash                 Preferred impersonation
 inject           High integrity + target process  Full Beacon as user
