Demystifying Cobalt Strike’s “make_token” Command
Common Information
Type Value
UUID 87c3389c-ce45-45fa-b7a6-b6518a1f5ff5
Fingerprint a622c7131cadf154
Analysis status DONE
Considered CTI value 0
Text language
Published Nov. 10, 2023, 2:51 p.m.
Added to db Nov. 19, 2023, 10:29 p.m.
Last updated Nov. 17, 2024, 10:40 p.m.
Headline Demystifying Cobalt Strike’s “make_token” Command
Title Demystifying Cobalt Strike’s “make_token” Command
Detected Hints/Tags/Attributes 46/1/20
Attributes
Details Type #Events CTI Value
Details Domain 23
www.cobaltstrike.com
Details Domain 768
www.youtube.com
Details Domain 207
learn.microsoft.com
Details Domain 281
docs.microsoft.com
Details Domain 1
attl4s.github.io
Details File 2126
cmd.exe
Details File 21
runas.exe
Details File 99
passwords.txt
Details File 1
understanding_windows_lateral_movements_2023.pdf
Details Url 2
https://www.cobaltstrike.com/blog/windows-access-tokens-and-alternate-credentials
Details Url 1
https://www.youtube.com/watch?v=9h4mwm9jtei
Details Url 1
https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithlogonw
Details Url 1
https://learn.microsoft.com/es-es/windows/win32/api/winbase/nf-winbase-logonusera
Details Url 1
https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithtokenw
Details Url 1
https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessasusera
Details Url 1
https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-impersonateloggedonuser
Details Url 1
https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-setthreadtoken
Details Url 1
https://docs.microsoft.com/en-us/windows/desktop/secauthn/lsa-logon-sessions
Details Url 1
https://docs.microsoft.com/en-us/windows/desktop/secauthz/access-tokens
Details Url 1
https://attl4s.github.io/assets/pdf/understanding_windows_lateral_movements_2023.pdf