The grab_token command lets you hot-swap tokens on the fly, like any other feature of the badger, without having to sacrifice a token that you've already stolen. The badger contains a mini storage container that can hold any number of stolen tokens, which are swappable at runtime.

Note that you still need local administrative privileges on the host to steal a token. To get a token, you need to use the OpenProcess API to obtain a HANDLE to the target process with token read rights. This is only accessible to the process owner, the parent process or a local administrator on the host.

The grab_token command extracts the token from a process and stores it in the Token Vault. Use the token_vault command to view all the tokens stored in the vault, then use the impersonate command to impersonate a stored token, selected by its ID or by its username as shown in the token vault.
The vault_remove and vault_clear commands can be used to remove one or all tokens from the token vault.
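The OpenProcess prerequisite described above is what a defender can observe. The following triage filter is an added example, not part of the original documentation or the tool's code; it assumes Sysmon Event ID 10 (ProcessAccess) records exported as dictionaries that include the SourceUser and TargetUser fields, and the allowlist and sample events are constructed.

```python
# Access rights on a process handle that allow OpenProcessToken to succeed.
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
TOKEN_CAPABLE = PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION

# Assumption: site-specific allowlist of tools expected to open other users' processes.
ALLOWED_SOURCES = {r"c:\windows\system32\taskmgr.exe"}

# Constructed sample records shaped like Sysmon Event ID 10 (ProcessAccess).
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\upd.exe",
     "TargetImage": r"C:\Windows\System32\winlogon.exe", "GrantedAccess": "0x1000",
     "SourceUser": r"CORP\alice", "TargetUser": r"NT AUTHORITY\SYSTEM"},
    {"EventID": 10, "SourceImage": r"C:\Windows\explorer.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1000",
     "SourceUser": r"CORP\alice", "TargetUser": r"CORP\alice"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000",
     "SourceUser": r"CORP\alice", "TargetUser": r"NT AUTHORITY\SYSTEM"},
    {"EventID": 10, "SourceImage": r"C:\Tools\helper.exe",
     "TargetImage": r"C:\Program Files\App\svc.exe", "GrantedAccess": "0x100000",
     "SourceUser": r"CORP\alice", "TargetUser": r"CORP\svc_app"},
    {"EventID": 10, "SourceImage": r"C:\Tools\helper.exe",
     "TargetImage": r"C:\Program Files\DB\dbsrv.exe", "GrantedAccess": "0x1410",
     "SourceUser": r"CORP\alice", "TargetUser": r"CORP\dbadmin"},
]

def cross_user_token_access(events, allowed=ALLOWED_SOURCES):
    """Return events where one user opened another user's process with
    rights sufficient to read its token, excluding allowlisted sources."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 10:
            continue
        try:
            access = int(ev["GrantedAccess"], 16)
        except (KeyError, ValueError):
            continue  # malformed record: skip rather than crash the pipeline
        src, tgt = ev.get("SourceUser", "").lower(), ev.get("TargetUser", "").lower()
        if not src or not tgt or src == tgt:
            continue  # same user, or a Sysmon version without user fields
        if not access & TOKEN_CAPABLE:
            continue  # handle cannot be used to open the process token
        if ev.get("SourceImage", "").lower() in allowed:
            continue
        hits.append(ev)
    return hits

if __name__ == "__main__":
    for ev in cross_user_token_access(SAMPLE_EVENTS):
        print(ev["SourceUser"], "->", ev["TargetUser"], ev["SourceImage"], ev["GrantedAccess"])
```

These access rights are requested by many legitimate programs, so treat the output as a triage list and grow the allowlist from what is normal on your hosts.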