T1134.003 Make and Impersonate Token Mappings

Adversaries may make new tokens and impersonate users to escalate privileges and bypass access controls. For example, if an adversary has a username and password but the user is not logged onto the system, the adversary can then create a logon session for the user using the LogonUser function. The function will return a copy of the new session's access token, and the adversary can use SetThreadToken to assign the token to a thread.

This behavior is distinct from Token Impersonation/Theft in that this refers to creating a new user token instead of stealing or duplicating an existing one.

Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-02 | Account Management | Protects | T1134.003 | Make and Impersonate Token |
| AC-03 | Access Enforcement | Protects | T1134.003 | Make and Impersonate Token |
| AC-05 | Separation of Duties | Protects | T1134.003 | Make and Impersonate Token |
| AC-06 | Least Privilege | Protects | T1134.003 | Make and Impersonate Token |
| CM-05 | Access Restrictions for Change | Protects | T1134.003 | Make and Impersonate Token |
| CM-06 | Configuration Settings | Protects | T1134.003 | Make and Impersonate Token |
| IA-02 | Identification and Authentication (Organizational Users) | Protects | T1134.003 | Make and Impersonate Token |