Powershell Empire – Token Impersonation
I have been struggling trying to get token impersonation to work in Empire 2.0.
I use the credentials/mimitokens module to list and elevate to use a specific users token - I see mimikatz' output saying the token is impersonated, but using info on the agent still shows my old user, and shell whoami also shows my old user.
If I then use the module /credentials/tokens and set WhoAmI to true it shows the impersonated user as the user which is good, but I have been struggling to get it to spawn a cmd.exe process to see if it uses the impersonated creds.
I have looked around a lot, and there doesn't seem to be too much explanation for the options here. Any help would be much appreciated! I can get the message "run as Domain\Chris" from steal_token - but again, I'm not sure what exactly is then running as Chris as shell whoami and info both still show the old user?
I was hoping that it would work like incognito in meterpreter and that the agent would now be running as the impersonated user, but this doesn't seem to be the case. Does it only use the creds for network commands?
From what I can tell of using the /credentials/mimikatz/command module and then setting the command to:
tokens::elevate /user:Chris
it impersonates the user, but as soon as the command is run it drops the process so I can't then use:
process::start cmd.exe
or anything to then use the impersonated credentials. I may well be misunderstanding something here though.
