
Token Store

The token store facilitates hot-swappable access tokens. Use token-store steal [pid,...] to steal an access token and store it. To immediately apply the stolen token, use token-store steal-and-use [pid].

The token-store show command lists the access tokens currently available in the token store. Use token-store use [id] to apply an access token to the current Beacon.

The token-store remove [id,...] and token-store remove-all commands remove stored tokens from the store.

If you’d like to see which processes are running, use ps. The getuid command prints your current token. Use rev2self to revert to your original token.

OpenProcessToken access mask suggested values:

blank = default (TOKEN_ALL_ACCESS)

0 = TOKEN_ALL_ACCESS

11 = TOKEN_ASSIGN_PRIMARY | TOKEN_DUPLICATE | TOKEN_QUERY (1+2+8)

Access mask values (decimal, with the hexadecimal equivalent in parentheses):

STANDARD_RIGHTS_REQUIRED: 983040 (0xF0000)

TOKEN_ASSIGN_PRIMARY: 1 (0x1)

TOKEN_DUPLICATE: 2 (0x2)

TOKEN_IMPERSONATE: 4 (0x4)

TOKEN_QUERY: 8 (0x8)

TOKEN_QUERY_SOURCE: 16 (0x10)

TOKEN_ADJUST_PRIVILEGES: 32 (0x20)

TOKEN_ADJUST_GROUPS: 64 (0x40)

TOKEN_ADJUST_DEFAULT: 128 (0x80)

TOKEN_ADJUST_SESSIONID: 256 (0x100)

Note: the 'OpenProcessToken access mask' setting can help when stealing a token from a process running as the 'SYSTEM' user fails with this error: Could not open process token: {pid} (5). Error 5 is ERROR_ACCESS_DENIED; requesting fewer rights than TOKEN_ALL_ACCESS (for example, value 11) may succeed where the default does not.

You can set your preferred default with '.steal_token_access_mask' in the Malleable C2 global options.

If you know credentials for a user, use make_token [DOMAIN\user] [password] to generate a token that passes these credentials. This token is a copy of your current token with modified single sign-on information. It will show your current username; this is expected behavior.

The Beacon command pth [pid] [arch] [DOMAIN\user] [ntlm hash] injects into the specified process to generate AND impersonate a token. Use pth [DOMAIN\user] [ntlm hash] (without the [pid] and [arch] arguments) to spawn a temporary process to generate AND impersonate a token. This command uses mimikatz to generate AND impersonate a token that uses the specified DOMAIN, user, and NTLM hash as single sign-on credentials. Beacon will pass this hash when you interact with network resources.

Beacon’s Make Token dialog ([beacon] -> Access -> Make Token) is a front-end for these commands. It will present the contents of the credential model and it will use the right command to turn the selected credential entry into an access token.
