Adversaries may make and impersonate tokens to escalate privileges and bypass access controls. If an adversary has a username and password but the user is not logged onto the system, the adversary can then create a logon session for the user using the <code>LogonUser</code> function. The function will return a copy of the new session's access token and the adversary can use <code>SetThreadToken</code> to assign the token to a thread.
View in MITRE ATT&CK®Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
---|---|---|---|---|
AC-2 | Account Management | Protects | T1134.003 | Make and Impersonate Token |
AC-3 | Access Enforcement | Protects | T1134.003 | Make and Impersonate Token |
AC-5 | Separation of Duties | Protects | T1134.003 | Make and Impersonate Token |
AC-6 | Least Privilege | Protects | T1134.003 | Make and Impersonate Token |
CM-5 | Access Restrictions for Change | Protects | T1134.003 | Make and Impersonate Token |
CM-6 | Configuration Settings | Protects | T1134.003 | Make and Impersonate Token |
IA-2 | Identification and Authentication (organizational Users) | Protects | T1134.003 | Make and Impersonate Token |
action.hacking.variety.Use of stolen creds | Use of stolen or default authentication credentials (including credential stuffing) | related-to | T1134.003 | Access Token Manipulation: Make and Impersonate Token |