Potential Access Token Abuse (02f7c9c1-1ae8-4c6a-8add-04693807f92f)

Detects potential token impersonation and theft, for example when "DuplicateToken(Ex)" and "ImpersonateLoggedOnUser" are used with the "LOGON32_LOGON_NEW_CREDENTIALS" flag.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Potential Access Token Abuse (02f7c9c1-1ae8-4c6a-8add-04693807f92f) | Sigma-Rules | Token Impersonation/Theft - T1134.001 (86850eff-2729-40c3-b85e-c4af26da4a2d) | Attack Pattern | 1 |
| Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) | Attack Pattern | Token Impersonation/Theft - T1134.001 (86850eff-2729-40c3-b85e-c4af26da4a2d) | Attack Pattern | 2 |