T1134 Access Token Manipulation Mappings

Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.

An adversary can use built-in Windows API functions to copy access tokens from existing processes; this is known as token stealing. These token can then be applied to an existing process (i.e. Token Impersonation/Theft) or used to spawn a new process (i.e. Create Process with Token). An adversary must already be in a privileged user context (i.e. administrator) to steal a token. However, adversaries commonly use token stealing to elevate their security context from the administrator level to the SYSTEM level. An adversary can then use a token to authenticate to a remote system as the account for that token if the account has appropriate permissions on the remote system.(Citation: Pentestlab Token Manipulation)

Any standard user can use the <code>runas</code> command, and the Windows API functions, to create impersonation tokens; it does not require access to an administrator account. There are also other mechanisms, such as Active Directory fields, that can be used to modify access tokens.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-2 Account Management Protects T1134 Access Token Manipulation
AC-3 Access Enforcement Protects T1134 Access Token Manipulation
AC-5 Separation of Duties Protects T1134 Access Token Manipulation
AC-6 Least Privilege Protects T1134 Access Token Manipulation
CM-5 Access Restrictions for Change Protects T1134 Access Token Manipulation
CM-6 Configuration Settings Protects T1134 Access Token Manipulation
IA-2 Identification and Authentication (organizational Users) Protects T1134 Access Token Manipulation
azure_sentinel Azure Sentinel technique_scores T1134 Access Token Manipulation
azure_defender_for_app_service Azure Defender for App Service technique_scores T1134 Access Token Manipulation
azure_ad_identity_secure_score Azure AD Identity Secure Score technique_scores T1134 Access Token Manipulation

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1134.002 Create Process with Token 8
T1134.003 Make and Impersonate Token 7
T1134.005 SID-History Injection 14
T1134.001 Token Impersonation/Theft 7