Published: 19 October 2020    Last Updated: 05 July 2023

Incognito is a tool which can be used for privilege escalation, typically from Local Administrator to Domain Administrator. It achieves this by allowing for token impersonation. As a local administrator can read the entirety of memory, if a domain administrator is logged in their authentication token can be stolen. We'll investigate its use here.

There are several types of authentication token on Windows systems, but Delegation tokens can be used network wide. This therefore allows a threat actor to extract one of these tokens and then execute commands on other machines (such as the Domain Controller). Incognito can be executed within Meterpreter, or as a standalone EXE.