In Cobalt Strike, operators may impersonate tokens from other running processes using steal_token $pid. Note that the stolen token loses its power when the process it was borrowed from is closed.
Storing tokens
Tokens may also be stored for future use with these commands:
token-store steal $pid
token-store show
token-store use $i
token-store remove $i
token-store remove-all
Benefits of storing tokens:
- Better OPSEC (no need to steal the same token over and over, so fewer handles are created)
- Tokens can be reused after dropping the current token (rev2self)
- Storing a token keeps an open handle to the token, so the user's logon session is maintained even if the user logs off or the source process terminates.
Note that each Beacon keeps its own token store; tokens cannot be transferred between Beacons.
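From the defender's side, every token theft of this kind has to open the target process with at least PROCESS_QUERY_LIMITED_INFORMATION, which Sysmon records as an Event ID 10 (ProcessAccess) entry. The following is an added example, not code from Cobalt Strike or the original page: a small heuristic over constructed Sysmon records that flags a single source image opening several distinct targets with token-query rights in a short window (the threshold, window and allowlist are assumptions to tune per environment).

```python
"""Heuristic over Sysmon Event ID 10 (ProcessAccess) records.

OpenProcessToken needs PROCESS_QUERY_LIMITED_INFORMATION (0x1000) or
PROCESS_QUERY_INFORMATION (0x0400) on the target, so each token theft
leaves a ProcessAccess event carrying one of those bits. One source
opening many distinct targets with those rights in a short window is
worth a look. Threshold, window and allowlist below are assumptions.
"""
from collections import defaultdict
from datetime import datetime

PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
TOKEN_QUERY_MASK = PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION

# Constructed sample records (not real telemetry); field names follow Sysmon EID 10.
SAMPLE_EVENTS = [
    {"UtcTime": "2024-01-01 10:00:00.000", "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1000"},
    {"UtcTime": "2024-01-01 10:01:00.000", "SourceImage": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1000"},
    {"UtcTime": "2024-01-01 10:01:30.000", "SourceImage": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Program Files\Office\OUTLOOK.EXE", "GrantedAccess": "0x1400"},
    {"UtcTime": "2024-01-01 10:01:40.000", "SourceImage": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x0001"},  # terminate only
    {"UtcTime": "2024-01-01 10:02:00.000", "SourceImage": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Windows\System32\winlogon.exe", "GrantedAccess": "0x1fffff"},
]


def token_query_events(events):
    """Keep only events whose GrantedAccess includes a token-query right."""
    return [e for e in events if int(e["GrantedAccess"], 16) & TOKEN_QUERY_MASK]


def suspicious_sources(events, min_targets=3, window_seconds=300, allowlist=frozenset()):
    """Map SourceImage -> sorted distinct targets for sources that opened at least
    min_targets different processes with token-query rights within window_seconds."""
    by_source = defaultdict(list)
    for e in token_query_events(events):
        if e["SourceImage"].lower() in allowlist:
            continue  # known-good tooling, assumed to be vetted separately
        stamp = datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
        by_source[e["SourceImage"]].append((stamp, e["TargetImage"]))
    hits = {}
    for src, items in by_source.items():
        items.sort()
        for i, (t0, _) in enumerate(items):  # slide a window starting at each event
            targets = {tgt for t, tgt in items[i:] if (t - t0).total_seconds() <= window_seconds}
            if len(targets) >= min_targets:
                hits[src] = sorted(targets)
                break
    return hits
```

Because 0x1000 and 0x1400 are requested by much legitimate software, the value of this heuristic comes from the per-source fan-out and the allowlist, not from any single event.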