Home
ATT&CK Techniques
T1134 Access Token Manipulation

T1134 Access Token Manipulation

Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.

An adversary can use built-in Windows API functions to copy access tokens from existing processes; this is known as token stealing. These token can then be applied to an existing process (i.e. Token Impersonation/Theft) or used to spawn a new process (i.e. Create Process with Token). An adversary must already be in a privileged user context (i.e. administrator) to steal a token. However, adversaries commonly use token stealing to elevate their security context from the administrator level to the SYSTEM level. An adversary can then use a token to authenticate to a remote system as the account for that token if the account has appropriate permissions on the remote system.(Citation: Pentestlab Token Manipulation)

Any standard user can use the <code>runas</code> command, and the Windows API functions, to create impersonation tokens; it does not require access to an administrator account. There are also other mechanisms, such as Active Directory fields, that can be used to modify access tokens.

View in MITRE ATT&CK®

CRI Profile Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name	Notes
PR.AA-05.02	Privileged system access	Mitigates	T1134	Access Token Manipulation	Comments This diagnostic statement protects against Access Token Manipulation through the use of privileged account management and the use of multi-factor authentication. References
DE.CM-06.02	Third-party access monitoring	Mitigates	T1134	Access Token Manipulation	Comments This diagnostic statement protects against Access Token Manipulation through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems. References
PR.AA-05.01	Access privilege limitation	Mitigates	T1134	Access Token Manipulation	Comments This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. An adversary must already have high-level, admin or root level access on a local system to make full use of these ATT&CK techniques. Restrict users and accounts to the least privileges they require can help mitigate these techniques. References
PR.AA-01.02	Physical and logical access	Mitigates	T1134	Access Token Manipulation	Comments This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts. References
PR.IR-01.06	Production environment segregation	Mitigates	T1134	Access Token Manipulation	Comments This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise. References
PR.AA-01.01	Identity and credential management	Mitigates	T1134	Access Token Manipulation	Comments This diagnostic statement protects against Access Token Manipulation through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts. References

NIST 800-53 Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name
IA-13	Identity Providers and Authorization Servers	mitigates	T1134	Access Token Manipulation
CM-06	Configuration Settings	mitigates	T1134	Access Token Manipulation
CM-05	Access Restrictions for Change	mitigates	T1134	Access Token Manipulation
IA-02	Identification and Authentication (Organizational Users)	mitigates	T1134	Access Token Manipulation
AC-02	Account Management	mitigates	T1134	Access Token Manipulation
AC-03	Access Enforcement	mitigates	T1134	Access Token Manipulation
AC-05	Separation of Duties	mitigates	T1134	Access Token Manipulation
AC-06	Least Privilege	mitigates	T1134	Access Token Manipulation

VERIS Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name	Notes
action.hacking.variety.Unknown	Unknown	related-to	T1134	Access Token Manipulation
action.hacking.variety.Use of stolen creds	Use of stolen or default authentication credentials (including credential stuffing)	related-to	T1134	Access Token Manipulation

Azure Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name	Notes
alerts_for_windows_machines	Alerts for Windows Machines	technique_scores	T1134	Access Token Manipulation	Comments This control can detect when commands associated with this technique are executed, such as runas. References https://learn.microsoft.com/en-us/azure/defender-for-cloud/plan-defender-for-servers https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-windows-machines
defender_for_app_service	Microsoft Defender for Cloud: Defender for App Service	technique_scores	T1134	Access Token Manipulation	Comments This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this technique via the Invoke-TokenManipulation module on Windows, but does not address other procedures or platforms, and temporal factor is unknown, resulting in a Minimal score. References https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-reference https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-app-service-introduction https://azure.microsoft.com/en-us/services/app-service/ https://learn.microsoft.com/en-us/azure/defender-for-cloud/plan-defender-for-servers

GCP Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name	Notes
google_secops	Google Security Operations	technique_scores	T1134	Access Token Manipulation	Comments Google Security Ops is able to trigger an alert based on modifications to user access controls. This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/cloud_security/sysmon/suspicious_command_line_contains_azure_tokencache_dat_as_argument__via_cmdline.yaral References ['https://cloud.google.com/security/products/security-operations' 'https://cloud.google.com/chronicle/docs/secops/secops-overview' 'https://github.com/chronicle/detection-rules']

ATT&CK Subtechniques

Technique ID	Technique Name	Number of Mappings
T1134.002	Create Process with Token	13
T1134.001	Token Impersonation/Theft	14
T1134.003	Make and Impersonate Token	15
T1134.005	SID-History Injection	15