Potential Access Token Abuse (02f7c9c1-1ae8-4c6a-8add-04693807f92f)

Detects potential token impersonation and theft, for example when "DuplicateToken(Ex)" and "ImpersonateLoggedOnUser" are used with the "LOGON32_LOGON_NEW_CREDENTIALS" flag.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| Token Impersonation/Theft - T1134.001 (86850eff-2729-40c3-b85e-c4af26da4a2d) | Attack Pattern | Potential Access Token Abuse (02f7c9c1-1ae8-4c6a-8add-04693807f92f) | Sigma-Rules | 1 |
| Token Impersonation/Theft - T1134.001 (86850eff-2729-40c3-b85e-c4af26da4a2d) | Attack Pattern | Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) | Attack Pattern | 2 |