Adversaries may duplicate then impersonate another user's existing token to escalate privileges and bypass access controls. For example, an adversary can duplicate an existing token using DuplicateToken or DuplicateTokenEx.(Citation: DuplicateToken function) The token can then be used with ImpersonateLoggedOnUser to allow the calling thread to impersonate a logged on user's security context, or with SetThreadToken to assign the impersonated token to a thread.
An adversary may perform Token Impersonation/Theft when they have a specific, existing process they want to assign the duplicated token to. For example, this may be useful for when the target user has a non-network logon session on the system.
When an adversary would instead use a duplicated token to create a new process rather than attaching to an existing process, they can additionally Create Process with Token using CreateProcessWithTokenW or CreateProcessAsUserW. Token Impersonation/Theft is also distinct from Make and Impersonate Token in that it refers to duplicating an existing token, rather than creating a new one.
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1134.001 | Token Impersonation/Theft |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
References
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1134.001 | Token Impersonation/Theft |
Comments
This diagnostic statement protects against Token Impersonation/Theft through the use of privileged account management and the use of multi-factor authentication.
References
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1134.001 | Token Impersonation/Theft |
Comments
This diagnostic statement protects against Token Impersonation/Theft through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
References
|
| PR.AA-05.01 | Access privilege limitation | Mitigates | T1134.001 | Token Impersonation/Theft |
Comments
This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. An adversary must already have high-level, admin or root level access on a local system to make full use of these ATT&CK techniques. Restrict users and accounts to the least privileges they require can help mitigate these techniques.
References
|
| PR.AA-01.02 | Physical and logical access | Mitigates | T1134.001 | Token Impersonation/Theft |
Comments
This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
References
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1134.001 | Token Impersonation/Theft |
Comments
This diagnostic statement protects against Token Impersonation/Theft through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CM-06 | Configuration Settings | mitigates | T1134.001 | Token Impersonation/Theft | |
| CM-05 | Access Restrictions for Change | mitigates | T1134.001 | Token Impersonation/Theft | |
| IA-13 | Identity Providers and Authorization Servers | mitigates | T1134.001 | Token Impersonation/Theft | |
| IA-02 | Identification and Authentication (Organizational Users) | mitigates | T1134.001 | Token Impersonation/Theft | |
| AC-02 | Account Management | mitigates | T1134.001 | Token Impersonation/Theft | |
| AC-03 | Access Enforcement | mitigates | T1134.001 | Token Impersonation/Theft | |
| AC-05 | Separation of Duties | mitigates | T1134.001 | Token Impersonation/Theft | |
| AC-06 | Least Privilege | mitigates | T1134.001 | Token Impersonation/Theft |