T1134.003 Make and Impersonate Token Mappings

Adversaries may make and impersonate tokens to escalate privileges and bypass access controls. If an adversary has a username and password but the user is not logged onto the system, the adversary can then create a logon session for the user using the <code>LogonUser</code> function. The function will return a copy of the new session's access token and the adversary can use <code>SetThreadToken</code> to assign the token to a thread.

Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
| --- | --- | --- | --- | --- |
| AC-2 | Account Management | Protects | T1134.003 | Make and Impersonate Token |
| AC-3 | Access Enforcement | Protects | T1134.003 | Make and Impersonate Token |
| AC-5 | Separation of Duties | Protects | T1134.003 | Make and Impersonate Token |
| AC-6 | Least Privilege | Protects | T1134.003 | Make and Impersonate Token |
| CM-5 | Access Restrictions for Change | Protects | T1134.003 | Make and Impersonate Token |
| CM-6 | Configuration Settings | Protects | T1134.003 | Make and Impersonate Token |
| IA-2 | Identification and Authentication (Organizational Users) | Protects | T1134.003 | Make and Impersonate Token |
| action.hacking.variety.Use of stolen creds | Use of stolen or default authentication credentials (including credential stuffing) | related-to | T1134.003 | Access Token Manipulation: Make and Impersonate Token |