Module 11

Question 1

What is the MITRE ATT&CK Tactic ID and name for ‘User Impersonation’?

Answer 1

T1550, Use Alternate Authentication Material.

Question 2

What is the primary purpose of the ‘User Impersonation’ tactic in the adversary lifecycle?

Answer 2

To leverage credential material obtained during Credential Access to assume the identity of another user.

Question 3

When a user successfully authenticates to a Windows system, the authentication package creates a new _____ for that user.

Answer 3

logon session

Question 4

What unique identifier is associated with a Windows logon session?

Answer 4

A Logon Identifier, or LUID.

Question 5

What entity in Windows creates an access token for a user after a successful logon?

Answer 5

The Local Security Authority (LSA).

Question 6

An access token contains security information associated with a _____, such as the user’s SID and group memberships.

Answer 6

logon session

Question 7

What are the two types of access tokens mentioned in the source material?

Answer 7

Primary and impersonation.

Question 8

What type of access token is assigned to every process that starts within a logon session?

Answer 8

A primary access token.

Question 9

In Windows, what object is checked when making access-based decisions for actions performed against securable objects?

Answer 9

The process’s access token.

Question 10

A thread within a process can use an _____ token to carry out actions under a different identity than the main process.

Answer 10

impersonation

Question 11

The information returned by the whoami command is generally taken from what part of the process?

Answer 11

The primary access token of the process.

Question 12

What Windows process stores credentials like plaintext, NTLM/AES hashes, and Kerberos tickets in memory for active logon sessions?

Answer 12

LSASS (Local Security Authority Subsystem Service).

Question 13

What is the term for the technique where an adversary impersonates an access token belonging to another user?

Answer 13

Token Impersonation.

Question 14

In ‘Token Impersonation,’ what is the ‘Make Token’ technique?

Answer 14

An adversary uses the plaintext credentials of a user to create a new access token and then impersonates it.

Question 15

What two Windows APIs are typically used in the ‘Make Token’ technique?

Answer 15

LogonUserA and ImpersonateLoggedOnUser.

Question 16

What is the Beacon command to create and impersonate a new token using plaintext credentials?

Answer 16

make_token [DOMAIN\user] [Password]

Question 17

Does the ‘Make Token’ technique require a high-integrity context?

Answer 17

No, it does not require a high-integrity context.

Question 18

In ‘Token Impersonation,’ what is the ‘Steal Token’ technique?

Answer 18

An adversary steals the primary access token from a process running as a different user.

Question 19

What is the first step, and corresponding API, in the process of stealing a token?

Answer 19

To obtain a handle to the target process using the OpenProcess API.

Question 20

After obtaining a process handle, what is the next API call in the ‘Steal Token’ technique?

Answer 20

OpenProcessToken, to get a handle to its primary access token.

Question 21

What is the Beacon command to steal and impersonate a token from a running process, given its PID?

Answer 21

steal_token [PID]

Question 22

Does the ‘Steal Token’ technique require a high-integrity session?

Answer 22

Yes, it does require a high-integrity session.

Question 23

What is the purpose of the rev2self command in Beacon?

Answer 23

It instructs Beacon to stop impersonating a token, whether it was made or stolen.

Question 24

The Beacon rev2self command is a wrapper for which Windows API call?

Answer 24

RevertToSelf.

Question 25

What is the main downside of the `steal_token` command if the target process closes?

Answer 25

If impersonation is dropped and the process closes, you can no longer impersonate that token again.

Question 26

What feature in Beacon allows an operator to permanently hold a reference to a stolen token, even after the original process has closed?

Answer 26

The token store.

Question 27

What Beacon command is used to steal a token from a process (by PID) and add it to the token store?

Answer 27

token-store steal [PID]

Question 28

What is the MITRE ATT&CK technique ID for 'Pass the Hash'?

Answer 28

T1550.002.

Question 29

What is 'Pass the Hash' (PtH)?

Answer 29

A technique that allows an adversary to leverage an NTLM hash for user impersonation.

Question 30

What underlying tool does Beacon's `pth` command use?

Answer 30

Mimikatz, specifically the 'sekurlsa::pth' module.

Question 31

Why is Pass the Hash becoming a more anomalous and less reliable technique?

Answer 31

Kerberos has replaced NTLM as the default authentication protocol, and NTLM may be restricted in hardened environments.

Question 32

What is the syntax for Beacon's built-in Pass-the-Hash command?

Answer 32

pth [DOMAIN\user] [hash]

Question 33

What is the MITRE ATT&CK technique ID for 'Pass the Ticket'?

Answer 33

T1550.003.

Question 34

What is 'Pass the Ticket' (PtT)?

Answer 34

A technique that allows an adversary to leverage stolen, forged, or requested Kerberos tickets for user impersonation.

Question 35

Why is Pass the Ticket considered superior to Pass the Hash?

Answer 35

It is stealthier because Kerberos is not anomalous, and it uses native Windows APIs, so it is not prevented by PPL.

Question 36

Besides extracting them from memory, how can an adversary legitimately obtain Kerberos tickets for a user?

Answer 36

By requesting them on behalf of a user if they have their NTLM hash or AES encryption keys.

Question 37

What is the Rubeus command to request a Ticket Granting Ticket (TGT) for a user, given their AES key?

Answer 37

asktgt /user:[user] /domain:[domain] /aes256:[key]

Question 38

What is the Beacon command to apply a Kerberos TGT to the current session from a file?

Answer 38

kerberos_ticket_use [path_to_kirbi_file]

Question 39

On which machine must the `.kirbi` file exist when using Beacon's `kerberos_ticket_use` command?

Answer 39

On the computer running the Cobalt Strike client.

Question 40

What is the negative consequence of injecting a TGT for one user into a logon session already belonging to another active user?

Answer 40

It will overwrite or 'clobber' the original user's TGT, potentially impacting their access to domain services.

Question 41

What is the optimal strategy to avoid 'clobbering' tickets when performing a Pass-the-Ticket attack?

Answer 41

Create a new logon session, impersonate it, and then inject the Kerberos ticket into that new session.

Question 42

What Beacon command can create a new logon session (netonly) for the purpose of injecting a Kerberos ticket?

Answer 42

make_token [DOMAIN\user] [FakePassword]

Question 43

What is the purpose of the `kerberos_ticket_purge` command in Beacon?

Answer 43

To remove all Kerberos tickets from the current session without disposing of the session itself.

Question 44

What is a limitation of Beacon's built-in `kerberos_ticket_use` command regarding ticket types?

Answer 44

It will only inject Ticket Granting Tickets (TGTs) and not service tickets.

Question 45

What Rubeus command can inject both TGTs and service tickets, and can accept base64 encoded tickets directly?

Answer 45

The `ptt` command.

Question 46

What is the syntax for Rubeus's `ptt` command when targeting a specific logon session LUID?

Answer 46

ptt /luid:[luid] /ticket:[ticket]

Question 47

What Rubeus command can be used to spawn a hidden process in a new logon session, returning its PID and LUID?

Answer 47

createnetonly

Question 48

After using Rubeus's `createnetonly` and `ptt` commands, what is the final step to utilize the injected ticket?

Answer 48

Steal the token of the spawned process (e.g., using `steal_token [PID]`).

Question 49

After a successful Pass-the-Ticket or Pass-the-Hash, why might the `getuid` command still show the original user's name?

Answer 49

Because the username returned is taken from the primary access token of the process, not from the alternate credential material in the logon session.

Question 50

What is the MITRE ATT&CK technique ID for 'Process Injection'?

Answer 50

T1055.

Question 51

How can process injection be used as a user impersonation technique?

Answer 51

By injecting shellcode into a process a target user is running, the new session runs under the security context of that user.

Question 52

What is the Beacon command to inject shellcode for a given listener into a target process?

Answer 52

inject [PID] [architecture] [listener_name]

Question 53

What privilege level is required to inject shellcode into processes other than your own?

Answer 53

A high-integrity session is required.