Summary
Steal a Windows access token from the target process and impersonate it.
- Needs Admin: False
- Version: 1
- Author: @Ne0nd0g
Arguments
pid
- Description: The process ID to steal a Windows access token from
- Required Value: True
- Default Value: None
Usage
MITRE ATT&CK Mapping
- T1134.001 Access Token Manipulation: Token Impersonation/Theft
Detailed Summary
View the Merlin documentation website here for an in-depth explanation. The steal_token command obtains a handle to a remote process's access token, duplicates it through the DuplicateTokenEx Windows API, and subsequently uses it to perform future post-exploitation commands.