Adversaries may make new tokens and impersonate users to escalate privileges and bypass access controls. For example, if an adversary has a username and password but the user is not logged onto the system the adversary can then create a logon session for the user using the LogonUser function.(Citation: LogonUserW function) The function will return a copy of the new session's access token and the adversary can use SetThreadToken to assign the token to a thread.
This behavior is distinct from Token Impersonation/Theft in that this refers to creating a new user token instead of stealing or duplicating an existing one.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1134.003 | Make and Impersonate Token |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
References
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1134.003 | Make and Impersonate Token |
Comments
This diagnostic statement protects against Make and Impersonate Token through the use of privileged account management and the use of multi-factor authentication.
References
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1134.003 | Make and Impersonate Token |
Comments
This diagnostic statement protects against Make and Impersonate Token through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
References
|
| PR.AA-05.01 | Access privilege limitation | Mitigates | T1134.003 | Make and Impersonate Token |
Comments
This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. An adversary must already have high-level, admin or root level access on a local system to make full use of these ATT&CK techniques. Restrict users and accounts to the least privileges they require can help mitigate these techniques.
References
|
| PR.AA-01.02 | Physical and logical access | Mitigates | T1134.003 | Make and Impersonate Token |
Comments
This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
References
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1134.003 | Make and Impersonate Token |
Comments
This diagnostic statement protects against Make and Impersonate Token through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CM-06 | Configuration Settings | mitigates | T1134.003 | Make and Impersonate Token | |
| CM-05 | Access Restrictions for Change | mitigates | T1134.003 | Make and Impersonate Token | |
| IA-13 | Identity Providers and Authorization Servers | mitigates | T1134.003 | Make and Impersonate Token | |
| IA-02 | Identification and Authentication (Organizational Users) | mitigates | T1134.003 | Make and Impersonate Token | |
| AC-02 | Account Management | mitigates | T1134.003 | Make and Impersonate Token | |
| AC-03 | Access Enforcement | mitigates | T1134.003 | Make and Impersonate Token | |
| AC-05 | Separation of Duties | mitigates | T1134.003 | Make and Impersonate Token | |
| AC-06 | Least Privilege | mitigates | T1134.003 | Make and Impersonate Token |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Use of stolen creds | Use of stolen or default authentication credentials (including credential stuffing) | related-to | T1134.003 | Make and Impersonate Token |