Full Report
During an internal assessment, I performed an NTLM relay and ended up owning the NT AUTHORITY\SYSTEM account of the Windows server. Looking at the users connected on the same server, I knew that a domain administrator account was connected. All I had to do to compromise the domain was compromise the account. This could be achieved by dumping the memory of the LSASS process and collecting their credentials or Kerberos TGTs. Seemed easy until I realised an EDR was installed on the system. Long story short, I ended up compromising the domain admin account without touching the LSASS process. To do so, I relied on an internal Windows mechanism called token manipulation.
Analysis Summary
# Tool/Technique: Token Manipulation (via Impersonate Binary and CME Module)
## Overview
The technique involves abusing an internal Windows mechanism called **token manipulation** to usurp the security context (Access Token) of a logged-on user, specifically a Domain Administrator, without needing to interact with or compromise the Local Security Authority Subsystem Service (LSASS) process. This bypasses common security measures designed to detect credential dumping from LSASS memory.
## Technical Details
- Type: Technique (Leveraged by custom Tool)
- Platform: Windows
- Capabilities: Impersonating other user contexts, executing commands or creating new user accounts with elevated privileges by using existing session tokens.
- First Seen: The concept of token manipulation dates back (e.g., Incognito toolkit in 2012), but the specific implementation presented here (Impersonate tool) was detailed in October 2022.
## MITRE ATT&CK Mapping
- **TA0005 - Privilege Escalation**
- T1134 - Access Token Manipulation
- T1134.001 - **Token Impersonation/Theft** (Primary mapping, focusing on using existing tokens to elevate context)
- **TA0008 - Lateral Movement**
- T1021 - Remote Services (Implied, especially when using the CME module for remote execution/impersonation)
- **TA0003 - Persistence**
- T1136.001 - Create Account: Local Account (The tool provides a module to add a domain user and assign them to Domain Admins, establishing persistence/control)
## Functionality
### Core Capabilities
* **Token Listing:** Identifying available session tokens on the system (`Impersonate.exe list`).
* **Impersonation:** Using the `ImpersonateLoggedOnUser` function to elevate privileges by adopting the primary token of another user already connected (e.g., a Domain Administrator session).
* **Command Execution:** Running arbitrary commands under the context of the usurped token (`Impersonate.exe exec <token_id> <command>`).
### Advanced Features
* **Domain Compromise:** Ability to create a new user account in the Active Directory domain, set its password, and add it to the Domain Admins group, provided the attacker holds an `NT AUTHORITY\SYSTEM` shell and can successfully impersonate a Domain Admin token (`Impersonate.exe adduser`).
* **EDR Evasion:** Specifically designed to achieve privilege escalation and credential theft objectives without accessing LSASS memory, thereby evading common EDR monitoring focused on memory scraping.
* **Remote Applicability:** Availability of a **CrackMapExec (CME) module** allowing this technique to be applied remotely across domain infrastructure.
## Indicators of Compromise
The summary focuses on the technique and the tool used to execute it, rather than exploitation artifacts derived from traditional malware execution.
- File Hashes: Not provided for the custom tool (`Impersonate.exe`).
- File Names: `Impersonate.exe`, `impersonate.py` (CrackMapExec module).
- Registry Keys: Not applicable/mentioned.
- Network Indicators: None specified; the core technique operates locally on the compromised host, although the CME module can trigger it remotely.
- Behavioral Indicators:
* Successful invocation of Windows API functions related to token manipulation (e.g., `ImpersonateLoggedOnUser`).
* Process execution under an unexpected high-privilege context (e.g., a process executing as Domain Admin when the initial access was SYSTEM).
* Creation of a new, suspicious user account in Active Directory with Domain Admin privileges.
## Associated Threat Actors
The article describes a technique used during an "internal assessment" (Red Team/Penetration Testing context). The specific tool (`Impersonate`) and CME module were developed by SensePost researchers. The technique itself is general knowledge leveraged by advanced adversaries.
## Detection Methods
The article notes that common security solutions (McAfee, Trellix, SentinelOne, Windows Defender) failed to block the execution of the `Impersonate` binary.
- Signature-based detection: Likely ineffective against custom binaries unless hashes/signatures are rapidly generated and distributed.
- Behavioral detection: Focus must shift to monitoring calls to the token manipulation APIs (`ImpersonateLoggedOnUser`, primary token handling) from unexpected processes or unexpected parent processes. Monitoring for the creation of new Domain Admin accounts is essential.
- YARA rules: Not provided.
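The two behavioral indicators above (a process running under a Domain Admin token although its creator is SYSTEM, and a freshly created account being added to Domain Admins) can be checked against Security log telemetry. The following is an added example, not code from the article or from SensePost; it runs over constructed sample records shaped after events 4688 (process creation, relying on its Creator/Target Subject fields), 4720 (account created) and 4728 (member added to a global group), and the account names and timestamps are made up.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry), reduced to the fields the checks need.
SAMPLE_EVENTS = [
    {"id": 4688, "time": "2022-10-05T10:00:00", "creator": "NT AUTHORITY\\SYSTEM",
     "target": "NT AUTHORITY\\SYSTEM", "image": "C:\\Windows\\System32\\svchost.exe"},
    # Process spawned by a SYSTEM-owned creator but running under the DA's token.
    {"id": 4688, "time": "2022-10-05T10:01:10", "creator": "NT AUTHORITY\\SYSTEM",
     "target": "CORP\\da.admin", "image": "C:\\Windows\\System32\\cmd.exe"},
    {"id": 4720, "time": "2022-10-05T10:01:30", "subject": "CORP\\da.admin",
     "target": "CORP\\svc_backup2"},
    {"id": 4728, "time": "2022-10-05T10:01:45", "subject": "CORP\\da.admin",
     "member": "CORP\\svc_backup2", "group": "Domain Admins"},
    # Benign change: an existing user added to a non-privileged group.
    {"id": 4728, "time": "2022-10-05T15:00:00", "subject": "CORP\\helpdesk1",
     "member": "CORP\\jdoe", "group": "Help Desk"},
]

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
PRIVILEGED_USERS = {"CORP\\da.admin"}  # assumed list of tier-0 accounts to watch


def parse_time(value):
    return datetime.fromisoformat(value)


def detect_context_switch(events, privileged_users):
    """Flag 4688 records where a SYSTEM creator started a process under a privileged user's token."""
    hits = []
    for e in events:
        if e["id"] != 4688:
            continue
        if e["creator"] == "NT AUTHORITY\\SYSTEM" and e["target"] in privileged_users:
            hits.append((e["time"], e["target"], e["image"]))
    return hits


def detect_new_privileged_account(events, window=timedelta(minutes=10)):
    """Flag accounts added to a privileged group within `window` of being created (4720 then 4728)."""
    created = {e["target"]: parse_time(e["time"]) for e in events if e["id"] == 4720}
    hits = []
    for e in events:
        if e["id"] != 4728 or e["group"] not in PRIVILEGED_GROUPS:
            continue
        created_at = created.get(e["member"])
        if created_at is not None and parse_time(e["time"]) - created_at <= window:
            hits.append((e["member"], e["group"], e["subject"]))
    return hits
```

Both checks only need the fields shown, so they can be pointed at a SIEM export with a small field-name mapping.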
## Mitigation Strategies
* **Prevention:** Restrict or audit processes that call sensitive token manipulation APIs without a legitimate need (system administration tooling being the typical legitimate case).
* **Hardening Recommendations:**
* Implement LAPS (Local Administrator Password Solution) to prevent reuse of local admin hashes found via other means.
* Restrict the use of high-privilege accounts (Domain Admins) for non-administrative tasks.
* Apply the principle of least privilege rigorously. If the attack originates from a compromised server running as SYSTEM, ensure that the initial exploitation vector is patched or mitigated.
* Monitor for the required privilege (`SeImpersonatePrivilege`) being active and subsequently used.
## Related Tools/Techniques
* **Incognito:** An older, foundational toolkit integrated into Metasploit used for token manipulation.
* **Mimikatz:** The tool behind the earlier approach discussed (dumping LSASS memory), whose detection this technique is designed to sidestep.
* **CrackMapExec (CME):** Used here to run the token manipulation logic remotely via a specialized module.