Invoke-TokenManipulation - Empire Module
This page contains detailed information about how to use the powershell/credentials/tokens Empire module. For list of all Empire modules, visit the Empire Module Library.
Module Overview
Name: Invoke-TokenManipulation
Module: powershell/credentials/tokens
Source code [1]: empire/server/modules/powershell/credentials/tokens.yaml
Source code [2]: empire/server/modules/powershell/credentials/tokens.py
MITRE ATT&CK:
T1134, S0194
Language: PowerShell
Needs admin: No
OPSEC safe: Yes
Background: No
The tokens module runs PowerSploit's Invoke-TokenManipulation to enumerate Logon Tokens available and uses them to create new processes. Similar to Incognito's functionality. Note: if you select ImpersonateUser or CreateProcess, you must specify one of Username, ProcessID, Process, or ThreadId.
This module runs in a foreground and is OPSEC unsafe as it writes on the disk and therefore could be detected by AV/EDR running on the target system.
Note that the tokens module does not need administrative privileges to work properly which means that a normal user can run this module.
Required Module Options
This is a list of options that are required by the tokens module:
Agent
Agent to run module on.
Additional Module Options
This is a list of additional options that are supported by the tokens module:
CreateProcess
Specify a process to create instead of impersonating the user.
ImpersonateUser
Switch. Will impersonate an alternate users logon token in the PowerShell thread.
NoUI
Switch. Use if creating a process which doesn't need a UI.
OutputFunction
PowerShell's output function to use ("Out-String", "ConvertTo-Json", "ConvertTo-Csv", "ConvertTo-Html", "ConvertTo-Xml").
Default value: Out-String
.
Suggested values: Out-String
, ConvertTo-Json
, ConvertTo-Csv
, ConvertTo-Html
, ConvertTo-Xml
.
Process
Process name to impersonate token of.
ProcessArgs
Arguments for a spawned process.
ProcessID
ProcessID to impersonate token of.
RevToSelf
Switch. Revert to original token.
ShowAll
Switch. Enumerate all tokens.
ThreadId
Thread to impersonate token of.
Username
Username to impersonate token of.
WhoAmI
Switch. Displays current credentials.
Tokens Example Usage
Here's an example of how to use the tokens module in the Empire client console:
[+] New agent Y4LHEV83 checked in
[*] Sending agent (stage 2) to Y4LHEV83 at 192.168.204.135
(empire usestager/windows/ducky) > usemodule powershell/credentials/tokens
Author @JosephBialek
Background False
Comments http://clymb3r.wordpress.com/2013/11/03/powershell-and-token-
impersonation/
Description Runs PowerSploit's Invoke-TokenManipulation to enumerate Logon Tokens
available and uses them to create new processes. Similar to
Incognito's functionality. Note: if you select ImpersonateUser or
CreateProcess, you must specify one of Username, ProcessID, Process,
or ThreadId.
Language powershell
Name powershell/credentials/tokens
NeedsAdmin False
OpsecSafe True
Software http://attack.mitre.org/software/S0194
Techniques http://attack.mitre.org/techniques/T1134
,Record Options---,------------,----------,-------------------------------------,
| Name | Value | Required | Description |
|-----------------|------------|----------|-------------------------------------|
| Agent | | True | Agent to run module on. |
|-----------------|------------|----------|-------------------------------------|
| CreateProcess | | False | Specify a process to create instead |
| | | | of impersonating the user. |
|-----------------|------------|----------|-------------------------------------|
| ImpersonateUser | | False | Switch. Will impersonate an |
| | | | alternate users logon token in the |
| | | | PowerShell thread. |
|-----------------|------------|----------|-------------------------------------|
| NoUI | | False | Switch. Use if creating a process |
| | | | which doesn't need a UI. |
|-----------------|------------|----------|-------------------------------------|
| OutputFunction | Out-String | False | PowerShell's output function to use |
| | | | ("Out-String", "ConvertTo-Json", |
| | | | "ConvertTo-Csv", "ConvertTo-Html", |
| | | | "ConvertTo-Xml"). |
|-----------------|------------|----------|-------------------------------------|
| Process | | False | Process name to impersonate token |
| | | | of. |
|-----------------|------------|----------|-------------------------------------|
| ProcessArgs | | False | Arguments for a spawned process. |
|-----------------|------------|----------|-------------------------------------|
| ProcessID | | False | ProcessID to impersonate token of. |
|-----------------|------------|----------|-------------------------------------|
| RevToSelf | | False | Switch. Revert to original token. |
|-----------------|------------|----------|-------------------------------------|
| ShowAll | | False | Switch. Enumerate all tokens. |
|-----------------|------------|----------|-------------------------------------|
| ThreadId | | False | Thread to impersonate token of. |
|-----------------|------------|----------|-------------------------------------|
| Username | | False | Username to impersonate token of. |
|-----------------|------------|----------|-------------------------------------|
| WhoAmI | | False | Switch. Displays current |
| | | | credentials. |
'-----------------'------------'----------'-------------------------------------'
(Empire: usemodule/powershell/credentials/tokens) > set Agent Y4LHEV83
[*] Set Agent to Y4LHEV83
(Empire: usemodule/powershell/credentials/tokens) > execute
[*] Tasked Y4LHEV83 to run Task 1
...
Now wait for the results to come.
Author
References
- https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/powershell/credentials/tokens.yaml
- https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/powershell/credentials/tokens.py
- http://clymb3r.wordpress.com/2013/11/03/powershell-and-token-impersonation/
- http://attack.mitre.org/software/S0194
- http://attack.mitre.org/techniques/T1134
See Also
Check also the following modules related to this module:
- powershell/credentials/rubeus
- powershell/credentials/vault_credential
- powershell/credentials/invoke_kerberoast
- powershell/credentials/DomainPasswordSpray
- powershell/credentials/sessiongopher
- powershell/credentials/invoke_internal_monologue
- powershell/credentials/powerdump
- powershell/credentials/enum_cred_store
- powershell/credentials/invoke_ntlmextract
- powershell/credentials/get_lapspasswords
- powershell/credentials/sharpsecdump
- powershell/credentials/credential_injection
- powershell/credentials/mimikatz/pth
- powershell/credentials/mimikatz/silver_ticket
- powershell/credentials/mimikatz/cache
- powershell/credentials/mimikatz/command
- powershell/credentials/mimikatz/terminal_server
- powershell/credentials/mimikatz/extract_tickets
- powershell/credentials/mimikatz/keys
- powershell/credentials/mimikatz/sam
- powershell/credentials/mimikatz/trust_keys
- powershell/credentials/mimikatz/purge
- powershell/credentials/mimikatz/logonpasswords
- powershell/credentials/mimikatz/certs
- powershell/credentials/mimikatz/dcsync
- powershell/credentials/mimikatz/lsadump
- powershell/credentials/mimikatz/mimitokens
- powershell/credentials/mimikatz/golden_ticket
- powershell/credentials/mimikatz/dcsync_hashdump
Version
This page has been created based on Empire version 4.1.3 (BC Security Fork).
Visit Empire Module Library for more modules.