Adversaries may duplicate then impersonate another user's existing token to escalate privileges and bypass access controls. For example, an adversary can duplicate an existing token using DuplicateToken or DuplicateTokenEx. The token can then be used with ImpersonateLoggedOnUser to allow the calling thread to impersonate the logged-on user's security context, or with SetThreadToken to assign the impersonated token to a thread. Duplicating a token held by another user's process first requires opening that process's token with TOKEN_DUPLICATE access, which in practice means the adversary already holds SeDebugPrivilege (an elevated context) on the host.
An adversary may perform Token Impersonation/Theft when they have a specific, existing process or thread they want to assign the duplicated token to. For example, this may be useful when the target user has a non-network logon session on the system: the token of an interactive or service logon is backed by the user's credentials, so code impersonating it can also authenticate to remote resources as that user, whereas the token of a network (type 3) logon carries no reusable credentials.
When an adversary would instead use a duplicated token to create a new process rather than attaching to an existing process, they can additionally Create Process with Token using CreateProcessWithTokenW or CreateProcessAsUserW. Both functions take a primary token, so the duplicate must be created as TokenPrimary rather than TokenImpersonation; CreateProcessWithTokenW requires SeImpersonatePrivilege, and CreateProcessAsUserW typically requires SeIncreaseQuotaPrivilege and, unless the token is already assignable, SeAssignPrimaryTokenPrivilege. Token Impersonation/Theft is also distinct from Make and Impersonate Token in that it refers to duplicating an existing token, rather than creating a new one (for example with LogonUser and plaintext credentials).
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
---|---|---|---|---|
AC-02 | Account Management | Protects | T1134.001 | Token Impersonation/Theft |
AC-03 | Access Enforcement | Protects | T1134.001 | Token Impersonation/Theft |
AC-05 | Separation of Duties | Protects | T1134.001 | Token Impersonation/Theft |
AC-06 | Least Privilege | Protects | T1134.001 | Token Impersonation/Theft |
CM-05 | Access Restrictions for Change | Protects | T1134.001 | Token Impersonation/Theft |
CM-06 | Configuration Settings | Protects | T1134.001 | Token Impersonation/Theft |
IA-02 | Identification and Authentication (Organizational Users) | Protects | T1134.001 | Token Impersonation/Theft |
ME-CAE-E3 | Conditional Access Evaluation | Technique Scores | T1134.001 | Token Impersonation/Theft |
DEF-SECA-E3 | Security Alerts | Technique Scores | T1134.001 | Token Impersonation/Theft |