Privilege Escalation¶
Privilege escalation in Stentor follows the Windows integrity model: Medium (an administrator running with the filtered, non-elevated token) → High (elevated administrator) → SYSTEM (NT AUTHORITY\SYSTEM, System integrity). UAC bypass techniques bridge Medium to High without triggering a consent prompt; they apply to users who are already members of the local Administrators group but whose elevated token UAC withholds, not to true standard users. getsystem elevates from High to SYSTEM via named pipe impersonation or token duplication.
```mermaid
graph LR
    A["Medium Integrity<br/>(Non-elevated Administrator)"] -->|UAC Bypass| B["High Integrity<br/>(Elevated Administrator)"]
    B -->|getsystem| C["SYSTEM<br/>(NT AUTHORITY)"]
    style A fill:#f59e0b,color:#000
    style B fill:#3b82f6,color:#fff
    style C fill:#ef4444,color:#fff
```
MITRE ATT&CK
Privilege escalation maps to T1548.002 - Bypass User Account Control for UAC bypasses, T1134.001 - Token Impersonation/Theft for token manipulation, and T1543.003 - Windows Service for service-based escalation.
Command Reference¶
| Command | Syntax | Technique | From → To | OPSEC Impact | MITRE ATT&CK |
|---|---|---|---|---|---|
| elevate check | elevate check | Token inspection | — | None | T1033 |
| elevate uac-cmlua | elevate uac-cmlua <listener> | CMSTPLUA COM moniker | Medium → High | Low | T1548.002 |
| elevate fodhelper | elevate fodhelper <listener> | Registry hijack | Medium → High | Medium | T1548.002 |
| elevate uac-rpc-dom | elevate uac-rpc-dom <listener> | IRpcOptions DCOM | Medium → High | Low | T1548.002 |
| elevate uac-token-duplication | elevate uac-token-duplication <listener> | Token duplication | Medium → High | Low | T1134.001 |
| elevate svc-exe | elevate svc-exe <listener> | Service binary | High → SYSTEM | High | T1543.003 |
| getsystem | getsystem | Named pipe / token dup | High → SYSTEM | Medium | T1134.001 |
| runasadmin | runasadmin <exploit> <command> | UAC bypass + command | Medium → High | Varies | T1548.002 |
| getuid | getuid | Token query | — | None | T1033 |
| getprivs | getprivs | Privilege adjustment | — | None | T1134 |
| steal_token | steal_token <pid> | Token theft | — | Low | T1134.001 |
| make_token | make_token <domain\user> <password> | Network-only logon token | — | Low | T1134.003 |
| rev2self | rev2self | Revert impersonation | — | None | T1134.001 |
Checking Current Privileges¶
Before attempting escalation, verify current context and integrity level.
getuid¶
Show the current beacon identity (domain\user).
getprivs¶
Enable all available privileges on the current token. Lists enabled privileges after adjustment.
Interpreting getprivs
A Medium integrity token typically carries only a handful of privileges (around five to seven). An elevated (High) administrator token adds SeDebugPrivilege, SeImpersonatePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege and others. SeTcbPrivilege is not granted to administrators; seeing it means you are already SYSTEM. If SeDebugPrivilege is present you are at High integrity or above and can skip the UAC bypass. SeImpersonatePrivilege without SeDebugPrivilege points to a service account context (IIS AppPool, SQL Server) and is the cue for the Potato techniques rather than a UAC bypass.
elevate check¶
Check current integrity level and elevation status. Reports whether the process is running elevated and at which integrity level (Low, Medium, High, System).
UAC Bypass Techniques¶
UAC bypass techniques elevate from Medium → High integrity without triggering a UAC consent prompt. Each technique spawns a new elevated beacon on the specified listener.
OPSEC
All UAC bypass techniques require an interactive user session (Session 1+). They will fail from Session 0 (SYSTEM/service context) because they interact with the desktop or registry of the logged-in user. They also require the current user to be a member of the local Administrators group (a standard user has no elevated token for UAC to withhold) and a UAC level below "Always notify", since at that level auto-elevating binaries and COM objects prompt like everything else.
OPSEC Comparison¶
| Method | Registry Artifacts | Process Spawn | COM Usage | Detection Risk |
|---|---|---|---|---|
| CMSTPLUA | None | cmd.exe (hidden) | Elevation moniker | Low |
| fodhelper | ms-settings key (cleaned up) | fodhelper.exe + cmd.exe | None | Medium |
| uac-rpc-dom | None | Varies | IRpcOptions DCOM | Low |
| uac-token-duplication | None | Elevated process | None | Low |
elevate uac-cmlua¶
CMSTPLUA COM elevation moniker bypass (T1548.002). The most reliable UAC bypass in the toolkit: no registry artifacts, no file drops.
How it works: Instantiates the CMSTPLUA COM object ({3E5FC7F9-9A51-4367-9063-A120244FBEC7}) through the COM elevation moniker (Elevation:Administrator!new:{CLSID}). CMSTPLUA is registered for auto-approval, so the elevated instance is created without a consent prompt. The beacon then calls ICMLuaUtil::ShellExec on that instance, which launches the payload at High integrity from inside the elevated COM surrogate.
OPSEC
Forensic artifacts: Elevated COM activation through the moniker may be recorded by COM/DCOM event logging. cmd.exe is spawned with SW_HIDE as a child of the COM surrogate (dllhost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}), so a High integrity shell parented by dllhost.exe is the process-tree signature. No registry modifications. No file drops (payload injected via standard injection technique).
MITRE ATT&CK: T1548.002 — Bypass User Account Control
Recommended
CMSTPLUA is the preferred UAC bypass for most engagements. It has the lowest forensic footprint (no registry writes, no file drops) and the highest reliability across Windows versions.
elevate fodhelper¶
Registry-based UAC bypass via fodhelper.exe (T1548.002). Hijacks the ms-settings shell handler.
How it works: Creates HKCU\Software\Classes\ms-settings\shell\open\command with DelegateExecute set to empty string and the default value pointing to the beacon payload. Invokes fodhelper.exe, which is an auto-elevate binary that reads this registry key and executes the specified command at High integrity. Registry keys are cleaned up immediately after execution.
OPSEC
Forensic artifacts: Registry key creation at HKCU\Software\Classes\ms-settings\shell\open\command (cleaned up post-execution but may be captured by Sysmon Event ID 12/13). Process creation of fodhelper.exe followed by cmd.exe child process.
MITRE ATT&CK: T1548.002 — Bypass User Account Control
elevate uac-rpc-dom¶
IRpcOptions domain-based UAC bypass (T1548.002). Uses COM interface manipulation to change activation context.
How it works: Manipulates the IRpcOptions COM interface to modify the DCOM activation context, enabling the caller to invoke auto-elevate COM objects without the normal UAC prompt flow. This technique exploits how Windows resolves the activation domain for COM objects.
OPSEC
Forensic artifacts: DCOM activation events. No registry artifacts. No file drops.
MITRE ATT&CK: T1548.002 — Bypass User Account Control
elevate uac-token-duplication¶
Token duplication UAC bypass (T1134.001 + T1548.002). Duplicates an elevated token from a process the current user already runs elevated.
How it works: Finds a process running with an elevated (High integrity) token that belongs to the current user, opens a handle to the process (PROCESS_QUERY_INFORMATION access), opens that process's primary token with TOKEN_DUPLICATE, duplicates it via DuplicateTokenEx, and uses the copy to spawn a new process. The spawned process inherits the elevated token and runs at High integrity. Prerequisite: the user must already have an elevated process running (an elevated console, installer or admin tool). With nothing elevated to copy from there is no source token and the technique fails, so check ps for a High integrity process of the current user before choosing it.
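The artifacts the OPSEC notes above describe can be turned into detection logic. The Python below is an added example, not Stentor code and not something the page ships, that runs over constructed Sysmon-style events represented as dicts; the field names (EventID, Image, ParentImage, ParentCommandLine, IntegrityLevel, TargetObject) follow the Sysmon event schema, and the SID, paths and command lines are invented for the sample. It covers the fodhelper registry hijack (Sysmon 12/13) and the two process-tree signatures, a High integrity shell under fodhelper.exe and under the CMSTPLUA surrogate. The token-duplication and IRpcOptions variants leave neither a registry write nor a telltale parent and are not covered by this kind of check.

```python
"""Detecting fodhelper and CMSTPLUA UAC-bypass artifacts in Sysmon events."""
from __future__ import annotations

from typing import Iterable

# The per-user handler key fodhelper.exe resolves; Sysmon records HKCU writes
# under HKU\<SID>\..., so match the tail of the path rather than the hive.
MS_SETTINGS_CMD = r"\software\classes\ms-settings\shell\open\command"
# CLSID of the CMSTPLUA COM server. Its out-of-process surrogate is started as
# "dllhost.exe /Processid:{CLSID}", which is what the child's ParentCommandLine shows.
CMSTPLUA_CLSID = "{3e5fc7f9-9a51-4367-9063-a120244fbec7}"
# Interpreters an auto-elevating host has no business launching.
SHELLS = {"cmd.exe", "powershell.exe", "rundll32.exe", "wscript.exe", "mshta.exe"}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_uac_bypass(events: Iterable[dict]) -> list[tuple[str, str]]:
    """Return (rule, detail) pairs, one per matching event, in input order."""
    findings: list[tuple[str, str]] = []
    for ev in events:
        eid = ev["EventID"]
        if eid in (12, 13):
            # Sysmon 12 = key created/deleted, 13 = value set. The DelegateExecute
            # value and the (Default) command both land under the same key, so one
            # substring check covers the whole hijack (and its cleanup).
            target = ev.get("TargetObject", "")
            if MS_SETTINGS_CMD in target.lower():
                findings.append(("fodhelper_registry_hijack",
                                 f"{_basename(ev['Image'])} wrote {target}"))
        elif eid == 1:
            image = _basename(ev["Image"])
            parent = _basename(ev["ParentImage"])
            if image not in SHELLS or ev.get("IntegrityLevel") != "High":
                continue
            if parent == "fodhelper.exe":
                # fodhelper.exe auto-elevates itself and never needs a shell child.
                findings.append(("fodhelper_child_process", ev["CommandLine"]))
            elif parent == "dllhost.exe" and CMSTPLUA_CLSID in ev.get("ParentCommandLine", "").lower():
                # ICMLuaUtil::ShellExec launches the payload from inside the elevated surrogate.
                findings.append(("cmstplua_surrogate_child", ev["CommandLine"]))
    return findings


# Constructed sample events (not real telemetry); SID, paths and commands are invented.
SAMPLE_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
BEACON_PATH = r"C:\Users\labuser\AppData\Local\Temp\update.exe"
HKU_CLASSES = "HKU\\" + SAMPLE_SID + "\\Software\\Classes\\"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": BEACON_PATH, "Details": "(Empty)",
     "TargetObject": HKU_CLASSES + r"ms-settings\shell\open\command\DelegateExecute"},
    {"EventID": 13, "Image": BEACON_PATH, "Details": "cmd.exe /c " + BEACON_PATH,
     "TargetObject": HKU_CLASSES + r"ms-settings\shell\open\command\(Default)"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "IntegrityLevel": "High",
     "ParentImage": r"C:\Windows\System32\fodhelper.exe", "ParentCommandLine": "fodhelper.exe",
     "CommandLine": "cmd.exe /c " + BEACON_PATH},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "IntegrityLevel": "High",
     "ParentImage": r"C:\Windows\System32\dllhost.exe",
     "ParentCommandLine": "C:\\Windows\\System32\\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}",
     "CommandLine": "cmd.exe /c " + BEACON_PATH},
    # Benign: an ordinary Medium-integrity shell from Explorer.
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "IntegrityLevel": "Medium",
     "ParentImage": r"C:\Windows\explorer.exe", "ParentCommandLine": "explorer.exe",
     "CommandLine": "cmd.exe"},
    # Benign: some other surrogate (placeholder CLSID) launching a shell while elevated.
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "IntegrityLevel": "High",
     "ParentImage": r"C:\Windows\System32\dllhost.exe",
     "ParentCommandLine": "C:\\Windows\\System32\\DllHost.exe /Processid:{11111111-2222-3333-4444-555555555555}",
     "CommandLine": "cmd.exe /c whoami"},
    # Benign: a file-association write elsewhere under HKU.
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe", "Details": "txtfile",
     "TargetObject": HKU_CLASSES + r".txt\(Default)"},
]

if __name__ == "__main__":
    for rule, detail in detect_uac_bypass(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The registry rule fires on the creation and on the cleanup, so a short-lived key that appears and vanishes within seconds is itself a signal; the process rule keys on IntegrityLevel so that a Medium shell under a surrogate does not page anyone.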
Getsystem (High → SYSTEM)¶
Elevate from High integrity (administrator) to NT AUTHORITY\SYSTEM. Requires an already-elevated beacon.
getsystem¶
Named pipe impersonation with service creation (T1134.001, T1543.003). Two techniques available — auto mode tries both.
How it works (Technique 1 — Named Pipe):
- Creates a named pipe (\\.\pipe\stentor_XXXX) with a random name
- Creates a temporary Windows service whose binary path writes to the pipe (cmd.exe /c echo ok > \\.\pipe\stentor_XXXX)
- Starts the service — the service runs as SYSTEM and connects to the pipe
- Impersonates the named pipe client via ImpersonateNamedPipeClient, obtaining the SYSTEM token
- Duplicates the SYSTEM token and applies it to the beacon thread
- Deletes the temporary service and closes the pipe
How it works (Technique 2 — Token Duplication):
- Enables SeDebugPrivilege on the current process token
- Enumerates processes to find a SYSTEM process (tries winlogon.exe, lsass.exe, services.exe in order)
- Opens the target process token with TOKEN_DUPLICATE
- Duplicates the token via DuplicateTokenEx for impersonation
- Applies the SYSTEM token to the beacon thread
OPSEC
Forensic artifacts (Technique 1): Temporary service creation (System log Event ID 7045, service name stentorsvc_XXXX, with an ImagePath that is a cmd.exe echo into a named pipe). Named pipe creation and connection (Sysmon Event ID 17/18). Because cmd.exe is not a real service binary, the SCM typically also logs a start failure (Event ID 7009/7000) about 30 seconds later. The service is deleted after use but the event log entries persist.
Forensic artifacts (Technique 2): OpenProcess on a SYSTEM process (Sysmon Event ID 10, with lsass.exe as the target if winlogon.exe was not usable). SeDebugPrivilege usage. Token duplication.
MITRE ATT&CK: T1134.001 — Token Impersonation/Theft, T1543.003 — Create or Modify System Process: Windows Service
Prerequisite
getsystem requires High integrity (elevated administrator). The server-side handler validates integrity level before dispatching the command. If you're at Medium integrity, use a UAC bypass first.
Service-Based Escalation¶
elevate svc-exe¶
Service binary execution (T1543.003). Creates a Windows service that runs a beacon payload as SYSTEM.
How it works: Drops a service EXE to disk, creates a Windows service pointing to that binary, and starts the service. The service runs as LocalSystem and executes the beacon payload, which connects back as a new SYSTEM-level beacon. More persistent than getsystem but leaves more artifacts.
OPSEC
Forensic artifacts: Service binary dropped to disk. Service creation (Event ID 7045). Service start (Event ID 7036). The service binary is a standalone beacon EXE — higher detection surface than getsystem.
MITRE ATT&CK: T1543.003 — Create or Modify System Process: Windows Service
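Both getsystem (Technique 1) and elevate svc-exe leave a System-log 7045 behind, and the ImagePath alone tells the two apart. The Python below is an added example, not part of Stentor, that classifies constructed 7045 records (fields ServiceName, ImagePath and AccountName as in the event's EventData) and joins the named-pipe case to the Sysmon 17 event that recorded the pipe's creation, which identifies the process that ends up holding the SYSTEM token. Service names, the pipe name and all paths are invented for the sample.

```python
"""Classifying 7045 service installs and tying the getsystem pipe back to its creator."""
from __future__ import annotations

import re
from typing import Iterable

# Matches \\.\pipe\<name> inside a service ImagePath.
PIPE_RE = re.compile(r"\\\\\.\\pipe\\([^\s\"'>]+)", re.IGNORECASE)
# Locations an unprivileged user can write to; a LocalSystem service binary
# living here is almost never legitimate.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\windows\\temp\\", "\\windows\\tasks\\")
SYSTEM_ACCOUNTS = {"localsystem", "nt authority\\system"}


def classify_service_install(ev: dict) -> str | None:
    """Classify one System-log 7045 event by its ImagePath and service account."""
    path = ev["ImagePath"].lower()
    runs_as_system = ev.get("AccountName", "").lower() in SYSTEM_ACCOUNTS
    if PIPE_RE.search(path):
        # The "binary" is a shell redirect into a named pipe: the service exists
        # only to connect as SYSTEM so the pipe server can impersonate it.
        return "named_pipe_impersonation"
    if runs_as_system and any(frag in path for frag in USER_WRITABLE):
        # svc-exe pattern: a LocalSystem service pointing at a dropped EXE.
        return "service_binary_in_user_writable_path"
    return None


def correlate(events: Iterable[dict]) -> list[dict]:
    """Join 7045 findings with Sysmon 17 (pipe created) events by pipe name."""
    events = list(events)
    # Sysmon records PipeName as "\name"; normalise to the bare name.
    pipe_creators = {
        ev["PipeName"].lstrip("\\").lower(): ev["Image"]
        for ev in events
        if ev["Provider"] == "Microsoft-Windows-Sysmon" and ev["EventID"] == 17
    }
    findings = []
    for ev in events:
        if ev["Provider"] != "Service Control Manager" or ev["EventID"] != 7045:
            continue
        verdict = classify_service_install(ev)
        if verdict is None:
            continue
        finding = {"service": ev["ServiceName"], "verdict": verdict, "image_path": ev["ImagePath"]}
        m = PIPE_RE.search(ev["ImagePath"])
        if m:
            # Whoever created the pipe is the process that receives the SYSTEM token.
            finding["pipe_creator"] = pipe_creators.get(m.group(1).lower())
        findings.append(finding)
    return findings


# Constructed sample events (not real telemetry).
BEACON_PATH = r"C:\Users\labuser\AppData\Local\Temp\update.exe"
SAMPLE_EVENTS = [
    {"Provider": "Microsoft-Windows-Sysmon", "EventID": 17, "Image": BEACON_PATH,
     "PipeName": r"\stentor_8f2a"},
    {"Provider": "Service Control Manager", "EventID": 7045, "ServiceName": "stentorsvc_8f2a",
     "ImagePath": r"cmd.exe /c echo ok > \\.\pipe\stentor_8f2a", "AccountName": "LocalSystem"},
    {"Provider": "Service Control Manager", "EventID": 7045, "ServiceName": "UpdateSvc",
     "ImagePath": r"C:\ProgramData\Update\svc.exe", "AccountName": "LocalSystem"},
    # Benign: a vendor agent installed under Program Files.
    {"Provider": "Service Control Manager", "EventID": 7045, "ServiceName": "VendorAgent",
     "ImagePath": r'"C:\Program Files\Vendor\agent.exe"', "AccountName": "LocalSystem"},
    # Benign: a low-privilege service in ProgramData is not the svc-exe pattern.
    {"Provider": "Service Control Manager", "EventID": 7045, "ServiceName": "Telemetry",
     "ImagePath": r"C:\ProgramData\Telemetry\tel.exe", "AccountName": r"NT AUTHORITY\LocalService"},
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f)
```

The pipe join is what turns a noisy 7045 into an incident: the service name is random and gone within seconds, but the Sysmon 17 record names the binary that opened the pipe and therefore the beacon to pull.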
Potato Privilege Escalation¶
Potato techniques exploit Windows COM/DCOM and token impersonation to escalate from service accounts (SeImpersonatePrivilege) to NT AUTHORITY\SYSTEM. These are service-to-SYSTEM escalation techniques (distinct from UAC bypass which is user-to-admin).
Prerequisite
All Potato techniques require SeImpersonatePrivilege. This is present by default on service accounts, IIS AppPool identities, SQL Server, and other Windows service contexts. Use getprivs to check.
elevate sweetpotato¶
SweetPotato (T1134.001). Abuses the COM/DCOM activation service to capture a SYSTEM token via a fake OXID resolver, then creates a new process as SYSTEM using CreateProcessAsUserW.
OPSEC
- High risk -- COM object activation and token manipulation generate multiple event log entries
- Named pipe impersonation creates a pipe server (detectable via Sysmon Event ID 17/18)
- Uses the shared checkSeImpersonatePrivilege helper and CreateProcessAsUserW for token-based process creation
- MITRE ATT&CK: T1134.001 — Token Impersonation/Theft
elevate godpotato¶
GodPotato (T1134.001). Uses a different COM/DCOM abuse path through RpcSs service interaction to obtain a SYSTEM token. Works on Windows Server 2019+ where SweetPotato may be patched.
OPSEC
- High risk -- similar to SweetPotato with COM/DCOM interaction artifacts
- Token impersonation via DuplicateTokenEx + CreateProcessAsUserW
- MITRE ATT&CK: T1134.001 — Token Impersonation/Theft
elevate juicypotatong¶
JuicyPotatoNG (T1134.001). Brute-forces 12 CLSIDs at 500ms intervals to find an exploitable COM server for token capture. Most reliable across different Windows versions but slowest (up to 6 seconds for CLSID brute-force).
OPSEC
- High risk -- brute-forces 12 CLSIDs, which generates multiple COM activation events
- Each CLSID attempt takes 500ms (up to 6 seconds total)
- Named pipe impersonation reuses the getsystem named pipe infrastructure
- MITRE ATT&CK: T1134.001 — Token Impersonation/Theft
Choosing a Potato technique
| Technique | Speed | Compatibility | Best For |
|---|---|---|---|
| sweetpotato | Fast | Win10/Server 2016+ | First choice -- fastest execution |
| godpotato | Fast | Server 2019+ | When SweetPotato fails (patched environments) |
| juicypotatong | Slow (6s) | Broadest | Last resort -- brute-forces multiple CLSIDs |
RunAsAdmin¶
runasadmin¶
Execute an arbitrary command with UAC bypass. Unlike elevate (which spawns a new beacon), runasadmin runs a specific command at elevated privilege.
Syntax: runasadmin <exploit> <command>
Supported exploits: uac-cmlua, uac-rpc-dom, uac-token-duplication, fodhelper
When to use
Use runasadmin when you need to run a single elevated command without spawning a full beacon. For persistent elevated access, use elevate instead.
Token Manipulation¶
Token manipulation allows the beacon to impersonate other users' security contexts for network operations, lateral movement, and privilege changes.
steal_token¶
Steal and impersonate a token from a running process (T1134.001).
How it works: Opens the target process handle, opens its process token with TOKEN_DUPLICATE | TOKEN_QUERY, duplicates the token via DuplicateTokenEx as an impersonation token, and applies it to the beacon thread via ImpersonateLoggedOnUser.
OPSEC
Opening a process owned by another user or by SYSTEM requires SeDebugPrivilege, which in practice means an elevated (High or SYSTEM) beacon; without it only processes of the current user at equal or lower integrity can be opened. OpenProcess on the target PID generates Sysmon Event ID 10. Token duplication and impersonation events are logged.
MITRE ATT&CK: T1134.001 — Access Token Manipulation: Token Impersonation/Theft
make_token¶
Create a network-only logon token for the specified user (T1134.003). The token is created with LogonUserW using LOGON32_LOGON_NEW_CREDENTIALS, so it only affects network operations; the local identity (getuid) remains unchanged.
Network-only identity
make_token does not change your local identity. getuid will still show the original user. The new credentials are only used for network authentication (SMB, LDAP, WinRM, etc.). This is ideal for lateral movement with harvested credentials. Note that LOGON32_LOGON_NEW_CREDENTIALS does not validate the password: make_token succeeds even with a wrong one, and the mistake only surfaces as an access-denied error (and a failed logon on the remote host) the first time the token is used against a remote host. Confirm the credentials with a cheap operation such as ls \\target\c$ before relying on them.
OPSEC
LogonUserW with LOGON32_LOGON_NEW_CREDENTIALS generates Security Event ID 4624 with Logon Type 9 (NewCredentials) on the local host; the alternate credentials appear in the event's Network Account Name/Domain fields while the New Logon account is still the caller. Minimal forensic footprint since no network authentication occurs until the token is actually used.
MITRE ATT&CK: T1134.003 — Access Token Manipulation: Make and Impersonate Token
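A detection-side counterpart to the OPSEC note above, added here as an example rather than taken from Stentor: it pulls Type 9 logons out of constructed Security 4624 records and rates them. Field names follow the 4624 EventData schema (SubjectUserName, SubjectDomainName, LogonType, ProcessName and the TargetOutboundUserName/TargetOutboundDomainName pair that the event text renders as Network Account Name/Domain); the domain CORP, usernames and process paths are invented, and the set of expected runas-style callers is an assumption to tune per environment.

```python
"""Rating NewCredentials (Type 9) logons from Security 4624 records."""
from __future__ import annotations

from typing import Iterable

# Binaries expected to produce Type 9 logons on an administrator's workstation
# (assumed baseline; extend with the tools your admins actually use).
EXPECTED_NETONLY_CALLERS = {r"c:\windows\system32\runas.exe"}


def find_newcredentials_logons(events: Iterable[dict], privileged: set[str]) -> list[dict]:
    """Return one finding per Type 9 logon with a severity and the reasons for it.

    For Type 9 the local identity is unchanged, so TargetUserName repeats the
    caller; the alternate credentials are in TargetOutboundDomainName /
    TargetOutboundUserName (shown as "Network Account Name/Domain" in the event text).
    """
    privileged_lc = {p.lower() for p in privileged}
    findings = []
    for ev in events:
        if ev["EventID"] != 4624 or int(ev["LogonType"]) != 9:
            continue
        caller = f"{ev['SubjectDomainName']}\\{ev['SubjectUserName']}".lower()
        outbound = f"{ev['TargetOutboundDomainName']}\\{ev['TargetOutboundUserName']}".lower()
        process = ev.get("ProcessName", "").lower()
        reasons = []
        if outbound in privileged_lc:
            # Harvested admin credentials are exactly what make_token is used for.
            reasons.append("network identity is a privileged account")
        if process not in EXPECTED_NETONLY_CALLERS:
            # runas /netonly is the only common legitimate source of Type 9 logons.
            reasons.append(f"caller {process} is not a known runas-style tool")
        findings.append({
            "caller": caller, "network_identity": outbound, "process": process,
            "severity": "high" if reasons else "low", "reasons": reasons,
        })
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": "9", "SubjectDomainName": "CORP", "SubjectUserName": "labuser",
     "TargetDomainName": "CORP", "TargetUserName": "labuser",
     "TargetOutboundDomainName": "CORP", "TargetOutboundUserName": "DomainAdmin",
     "ProcessName": r"C:\Users\labuser\AppData\Local\Temp\update.exe"},
    {"EventID": 4624, "LogonType": "9", "SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
     "TargetDomainName": "CORP", "TargetUserName": "jdoe",
     "TargetOutboundDomainName": "CORP", "TargetOutboundUserName": "jdoe-adm",
     "ProcessName": r"C:\Windows\System32\runas.exe"},
    # Interactive logon: not a NewCredentials event, skipped.
    {"EventID": 4624, "LogonType": "2", "SubjectDomainName": "-", "SubjectUserName": "-",
     "TargetDomainName": "CORP", "TargetUserName": "jdoe",
     "ProcessName": r"C:\Windows\System32\winlogon.exe"},
    {"EventID": 4624, "LogonType": "9", "SubjectDomainName": "CORP", "SubjectUserName": "labuser",
     "TargetDomainName": "CORP", "TargetUserName": "labuser",
     "TargetOutboundDomainName": "CORP", "TargetOutboundUserName": "DomainAdmin",
     "ProcessName": r"C:\Windows\System32\runas.exe"},
]

if __name__ == "__main__":
    for f in find_newcredentials_logons(SAMPLE_EVENTS, {r"CORP\DomainAdmin"}):
        print(f["severity"], f["caller"], "->", f["network_identity"], f["reasons"])
```

Because the logon itself never touches the network, the Type 9 record on the source host is the only place the alternate identity is visible before it is used; pairing it with the first Type 3 logon for the same account on another host closes the loop.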
rev2self¶
Drop all impersonation and revert to the beacon's original identity.
Always rev2self
After completing operations with a stolen or created token, always call rev2self to return to the original beacon identity. Lingering impersonation tokens can cause unexpected behavior with subsequent commands.
Token Store¶
The token store allows managing multiple stolen tokens without immediately impersonating them. Tokens are stored by ID and can be activated on demand.
token_store steal¶
Steal a token from a process and store it without impersonating.
token_store use¶
Impersonate a stored token by ID.
token_store show¶
List all stored tokens with their IDs, users, and source PIDs.
beacon> token_store show
[*] Stored tokens:
ID User Source PID
1 DOMAIN\AdminUser 1234
2 DOMAIN\SQLService 5678
3 NT AUTHORITY\SYSTEM 4
token_store remove¶
Remove a specific stored token by ID.
token_store remove_all¶
Clear all stored tokens.
Token Store Workflow
The token store is useful when you've identified multiple high-value tokens across different processes. Store them all first with token_store steal, then switch between identities using token_store use and rev2self as needed for different operations.
Operator Workflows¶
UAC Bypass Workflow¶
Escalate from Medium to High integrity:
beacon> getuid
[*] WORKSTATION\LabUser
beacon> elevate check
[*] Process is running with standard user privileges (Integrity: Medium)
beacon> elevate uac-cmlua https-listener
[*] UAC bypass via CMSTPLUA -- elevated execution started
# Switch to the new elevated beacon
beacon> getuid
[*] WORKSTATION\LabUser
beacon> elevate check
[*] Process is running with elevated privileges (Integrity: High)
Full SYSTEM Workflow¶
Escalate from Medium to SYSTEM in two steps:
# Step 1: Medium → High (UAC bypass)
beacon> elevate uac-cmlua https-listener
[+] New beacon: WORKSTATION\LabUser (High Integrity)
# Step 2: High → SYSTEM (getsystem)
beacon> getsystem
[*] Impersonating NT AUTHORITY\SYSTEM [via named pipe impersonation]
beacon> getuid
[*] NT AUTHORITY\SYSTEM
Token Theft Workflow¶
Impersonate another user for network operations:
# Find interesting processes
beacon> ps
[*] PID PPID Name User
1234 456 explorer.exe DOMAIN\DomainAdmin
5678 456 sqlservr.exe DOMAIN\SQLService
# Steal the domain admin token
beacon> steal_token 1234
[*] Impersonating DOMAIN\DomainAdmin (stolen from PID 1234)
# Perform privileged network operations
beacon> ls \\dc01\c$
[*] Listing: \\dc01\c$\...
# Revert when done
beacon> rev2self
[*] Reverted to original token
Multi-Identity Workflow¶
Use the token store to manage multiple identities:
# Harvest tokens from multiple processes
beacon> token_store steal 1234
[*] Token stored as ID 1 (DOMAIN\DomainAdmin)
beacon> token_store steal 5678
[*] Token stored as ID 2 (DOMAIN\SQLService)
# Use admin token for AD operations
beacon> token_store use 1
beacon> dcsync /user:krbtgt
# Switch to SQL service for database access
beacon> rev2self
beacon> token_store use 2
beacon> remote-exec wmi sql01 "whoami"
# Clean up
beacon> rev2self
beacon> token_store remove_all
WMI Event Subscription Persistence¶
Create WMI event subscriptions for persistent code execution across reboots. Uses the COM IWbemServices interface to install __EventFilter, CommandLineEventConsumer, and __FilterToConsumerBinding objects in the root\subscription WMI namespace.
persist wmi¶
Syntax: persist wmi <name> <command> [trigger]
| Parameter | Type | Required | Description |
|---|---|---|---|
| name | string | Yes | Subscription name (used for cleanup) |
| command | string | Yes | Command to execute on trigger |
| trigger | string | No | WQL event query (default: system startup) |
Removal:
beacon> persist wmi_remove StentorBackup
[*] WMI subscription 'StentorBackup' removed (filter + consumer + binding)
OPSEC
- Medium risk -- WMI subscriptions are a well-known persistence mechanism
- Creates objects in the root\subscription namespace (queryable with Get-WMIObject or Get-CimInstance against __EventFilter, CommandLineEventConsumer and __FilterToConsumerBinding in that namespace)
- Event ID 5861 (Microsoft-Windows-WMI-Activity/Operational) is logged when the filter-to-consumer binding is registered; Sysmon Event ID 19, 20 and 21 record the filter, consumer and binding creation respectively
- Uses the COM IWbemServices interface (reuses existing COM vtable infrastructure from the scheduled task module)
- Writing to root\subscription requires administrator rights; the subscription survives reboots and the consumer's command runs as SYSTEM
- MITRE ATT&CK: T1546.003 — Event Triggered Execution: WMI Event Subscription
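Sysmon's three WMI events only become useful once they are joined back into one subscription. The Python below is an added example, not Stentor's code, that reconstructs a subscription from constructed Sysmon 19/20/21 records (fields Name, Query, Type, Destination, Consumer, Filter, Operation and User as in the Sysmon schema) and rates it by consumer class. The StentorBackup objects mirror the persist wmi removal example above with an invented payload path and the classic uptime-based startup query; the SCM Event Log Filter/Consumer pair is the binding Windows ships by default and serves as the benign control. The Type strings assumed for Sysmon 20 ("Command Line", "Event Log") should be checked against your own telemetry.

```python
"""Reconstructing WMI subscriptions from Sysmon 19/20/21 and rating the consumer."""
from __future__ import annotations

import re
from typing import Iterable

# Sysmon 21 names its endpoints as e.g. __EventFilter.Name="X" and
# CommandLineEventConsumer.Name="X"; pull the class and the name out of each.
REF_RE = re.compile(r'^(?P<cls>\w+)\.Name="(?P<name>[^"]+)"')
# Consumer types (Sysmon 20 "Type" field, assumed labels) that run attacker-supplied code.
EXEC_CONSUMER_TYPES = {"Command Line", "Active Script"}


def correlate_wmi_subscriptions(events: Iterable[dict]) -> list[dict]:
    """Return one finding per __FilterToConsumerBinding created, with its parts resolved."""
    events = list(events)
    filters = {ev["Name"]: ev for ev in events if ev["EventID"] == 19 and ev["Operation"] == "Created"}
    consumers = {ev["Name"]: ev for ev in events if ev["EventID"] == 20 and ev["Operation"] == "Created"}
    findings = []
    for ev in events:
        if ev["EventID"] != 21 or ev["Operation"] != "Created":
            continue
        fref, cref = REF_RE.match(ev["Filter"]), REF_RE.match(ev["Consumer"])
        if not (fref and cref):
            continue
        flt = filters.get(fref["name"], {})
        con = consumers.get(cref["name"], {})
        ctype = con.get("Type", "unknown")
        findings.append({
            "filter": fref["name"], "consumer": cref["name"], "consumer_class": cref["cls"],
            "query": flt.get("Query", "<filter not observed>"),
            "payload": con.get("Destination", "<consumer not observed>"),
            "user": ev.get("User", ""),
            # A filter or consumer on its own does nothing; the binding to a
            # code-running consumer is the actionable event.
            "severity": "high" if ctype in EXEC_CONSUMER_TYPES else "low",
        })
    return findings


# Constructed sample events (not real telemetry); payload path and user are invented.
STARTUP_QUERY = ("SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "
                 "'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 "
                 "AND TargetInstance.SystemUpTime < 325")
SAMPLE_EVENTS = [
    {"EventID": 19, "Operation": "Created", "User": r"LAB\Administrator", "Name": "StentorBackup",
     "EventNamespace": r"root\CIMV2", "Query": STARTUP_QUERY},
    {"EventID": 20, "Operation": "Created", "User": r"LAB\Administrator", "Name": "StentorBackup",
     "Type": "Command Line", "Destination": r"cmd.exe /c C:\ProgramData\Backup\svc.exe"},
    {"EventID": 21, "Operation": "Created", "User": r"LAB\Administrator",
     "Consumer": 'CommandLineEventConsumer.Name="StentorBackup"',
     "Filter": '__EventFilter.Name="StentorBackup"'},
    # Benign: the SCM event-log binding present on every Windows install.
    {"EventID": 19, "Operation": "Created", "User": r"NT AUTHORITY\SYSTEM", "Name": "SCM Event Log Filter",
     "EventNamespace": r"root\CIMV2", "Query": "select * from MSFT_SCMEventLogEvent"},
    {"EventID": 20, "Operation": "Created", "User": r"NT AUTHORITY\SYSTEM", "Name": "SCM Event Log Consumer",
     "Type": "Event Log", "Destination": ""},
    {"EventID": 21, "Operation": "Created", "User": r"NT AUTHORITY\SYSTEM",
     "Consumer": 'NTEventLogEventConsumer.Name="SCM Event Log Consumer"',
     "Filter": '__EventFilter.Name="SCM Event Log Filter"'},
]

if __name__ == "__main__":
    for f in correlate_wmi_subscriptions(SAMPLE_EVENTS):
        print(f["severity"], f["consumer_class"], f["filter"], "->", f["payload"])
```

Bindings whose filter or consumer was never observed still surface (with placeholder values), since Sysmon may have been installed after the objects were created; those are the ones to verify with a live query of root\subscription.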