Token Impersonation/Theft - T1134.001 (86850eff-2729-40c3-b85e-c4af26da4a2d)
Adversaries may duplicate then impersonate another user's existing token to escalate privileges and bypass access controls. For example, an adversary can duplicate an existing token using DuplicateToken
or DuplicateTokenEx
.(Citation: DuplicateToken function) The token can then be used with ImpersonateLoggedOnUser
to allow the calling thread to impersonate a logged on user's security context, or with SetThreadToken
to assign the impersonated token to a thread.
An adversary may perform Token Impersonation/Theft when they have a specific, existing process they want to assign the duplicated token to. For example, this may be useful for when the target user has a non-network logon session on the system.
When an adversary would instead use a duplicated token to create a new process rather than attaching to an existing process, they can additionally Create Process with Token using CreateProcessWithTokenW
or CreateProcessAsUserW
. Token Impersonation/Theft is also distinct from Make and Impersonate Token in that it refers to duplicating an existing token, rather than creating a new one.
Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
---|---|---|---|---|
Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) | Attack Pattern | Token Impersonation/Theft - T1134.001 (86850eff-2729-40c3-b85e-c4af26da4a2d) | Attack Pattern | 1 |