T1134.001 Token Impersonation/Theft Mappings

Adversaries may duplicate and then impersonate another user's existing token to escalate privileges and bypass access controls. For example, an adversary can duplicate an existing token using DuplicateToken or DuplicateTokenEx. The duplicated token can then be used with ImpersonateLoggedOnUser to let the calling thread impersonate a logged-on user's security context, or with SetThreadToken to assign the impersonated token to a thread.

An adversary may perform Token Impersonation/Theft when they have a specific, existing process to which they want to assign the duplicated token. For example, this may be useful when the target user has a non-network logon session on the system.

When an adversary would instead use a duplicated token to create a new process rather than attaching to an existing process, they can additionally Create Process with Token using CreateProcessWithTokenW or CreateProcessAsUserW. Token Impersonation/Theft is also distinct from Make and Impersonate Token in that it refers to duplicating an existing token, rather than creating a new one.

Mappings

Capability ID   Capability Description                                            Mapping Type       ATT&CK ID   ATT&CK Name
AC-02           Account Management                                                Protects           T1134.001   Token Impersonation/Theft
AC-03           Access Enforcement                                                Protects           T1134.001   Token Impersonation/Theft
AC-05           Separation of Duties                                              Protects           T1134.001   Token Impersonation/Theft
AC-06           Least Privilege                                                   Protects           T1134.001   Token Impersonation/Theft
CM-05           Access Restrictions for Change                                    Protects           T1134.001   Token Impersonation/Theft
CM-06           Configuration Settings                                            Protects           T1134.001   Token Impersonation/Theft
IA-02           Identification and Authentication (Organizational Users)          Protects           T1134.001   Token Impersonation/Theft
ME-CAE-E3       Conditional Access Evaluation                                     Technique Scores   T1134.001   Token Impersonation/Theft
DEF-SECA-E3     Security Alerts                                                   Technique Scores   T1134.001   Token Impersonation/Theft