Summary

Create a new Type 9 logon session and Windows access token for the provided credentials.
Type 9 - NewCredentials tokens only work for NETWORK authenticated activities.
View the RunAs command to execute programs on the local host as a different user.
  • Needs Admin: False
  • Version: 1
  • Author: @Ne0nd0g

Arguments

user

  • Description: Domain and username to make a token for (e.g. ACME\RASTLEY)
  • Required Value: True
  • Default Value: None

pass

  • Description: The account’s password
  • Required Value: True
  • Default Value: None

Usage

make_token -user <DOMAIN\Username> -pass <password>
OR
make_token <DOMAIN\Username> <password>

MITRE ATT&CK Mapping

  • T1134.003 Access Token Manipulation: Make and Impersonate Token

Detailed Summary

View the Merlin documentation website here for an in-depth explanation.
The make_token command creates a new Windows access token with the Windows LogonUserW API call. The token is created with the Type 9 - NewCredentials logon type. This is the equivalent of using runas.exe /netonly.
Type 9 - NewCredentials tokens only work for NETWORK authenticated activities.
Because of the logon type, commands such as token whoami will show the username for the process and not the created token, but will reflect the new Logon ID.
View the RunAs command to execute programs on the local host as a different user.
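
For defenders, a Type 9 logon is recorded as Security event 4624 with LogonType 9: TargetUserName stays the local process user, while the supplied credentials appear in TargetOutboundUserName and TargetOutboundDomainName. The Python below is an added example, not part of Merlin or its documentation; it filters trimmed event XML, and the sample users, Logon IDs and process paths are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def make_event(logon_type, user, logon_id, process, out_user="-", out_domain="-"):
    """Build a constructed, trimmed 4624 event in Windows event XML form."""
    data = {"TargetUserName": user, "TargetLogonId": logon_id,
            "LogonType": logon_type, "ProcessName": process,
            "TargetOutboundUserName": out_user,
            "TargetOutboundDomainName": out_domain}
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4624</EventID></System>'
            f'<EventData>{fields}</EventData></Event>')

# Constructed sample data: one interactive, one NewCredentials, one network
# logon, plus a damaged record to show that parse errors are skipped.
SAMPLE_EVENTS = [
    make_event("2", "alice", "0x3e7a1", r"C:\Windows\System32\svchost.exe"),
    make_event("9", "alice", "0x8f2c44",
               r"C:\Users\alice\AppData\Local\Temp\agent.exe", "RASTLEY", "ACME"),
    make_event("3", "bob", "0x91d010", "-"),
    "<Event><truncated",
]

def find_new_credentials_logons(xml_events):
    """Return one record per 4624 event whose LogonType is 9 (NewCredentials)."""
    hits = []
    for xml in xml_events:
        try:
            root = ET.fromstring(xml)
        except ET.ParseError:
            continue  # damaged export record
        if root.findtext("e:System/e:EventID", namespaces=NS) != "4624":
            continue
        d = {n.get("Name"): (n.text or "")
             for n in root.iterfind("e:EventData/e:Data", NS)}
        if d.get("LogonType") != "9":
            continue
        hits.append({
            "local_user": d.get("TargetUserName", ""),
            "network_account": d.get("TargetOutboundDomainName", "-") + "\\"
                               + d.get("TargetOutboundUserName", "-"),
            "logon_id": d.get("TargetLogonId", ""),
            "process": d.get("ProcessName", ""),
        })
    return hits

if __name__ == "__main__":
    for hit in find_new_credentials_logons(SAMPLE_EVENTS):
        print(hit)
```

The reported logon_id is the new Logon ID that the note above says token whoami will reflect, so it ties the event to the session that created the token.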