Adversaries may duplicate then impersonate another user's token to escalate privileges and bypass access controls. An adversary can create a new access token that duplicates an existing token using <code>DuplicateToken(Ex)</code>. The token can then be used with <code>ImpersonateLoggedOnUser</code> to allow the calling thread to impersonate a logged on user's security context, or with <code>SetThreadToken</code> to assign the impersonated token to a thread.
An adversary may do this when they have a specific, existing process they want to assign the new token to. For example, this may be useful when the target user has a non-network logon session on the system.
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
---|---|---|---|---|
AC-2 | Account Management | Protects | T1134.001 | Token Impersonation/Theft |
AC-3 | Access Enforcement | Protects | T1134.001 | Token Impersonation/Theft |
AC-5 | Separation of Duties | Protects | T1134.001 | Token Impersonation/Theft |
AC-6 | Least Privilege | Protects | T1134.001 | Token Impersonation/Theft |
CM-5 | Access Restrictions for Change | Protects | T1134.001 | Token Impersonation/Theft |
CM-6 | Configuration Settings | Protects | T1134.001 | Token Impersonation/Theft |
IA-2 | Identification and Authentication (Organizational Users) | Protects | T1134.001 | Token Impersonation/Theft |