I'm a bit late on this subject, but I think it's worth a post. For those who usually do pentesting and usually get some access to Windows boxes, but are looking for a specific credential (like a domain admin), impersonating access tokens available can be a very useful approach. The details about how to do it and tools available can be found in this paper from Luke Jennings.By the way, Jennings also published some good stuff about MQ Series and general mainframe security stuff. You can find it (and more) at MWR Labs.