T1134.001 Token Impersonation/Theft Mappings

Adversaries may duplicate and then impersonate another user's token to escalate privileges and bypass access controls. An adversary can create a new access token that duplicates an existing token using DuplicateToken(Ex). The duplicated token can then be used with ImpersonateLoggedOnUser to let the calling thread impersonate a logged-on user's security context, or with SetThreadToken to assign the impersonated token to a thread.

An adversary may do this when they have a specific, existing process they want to assign the new token to. For example, this may be useful when the target user has a non-network logon session on the system.


Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-2 | Account Management | Protects | T1134.001 | Token Impersonation/Theft |
| AC-3 | Access Enforcement | Protects | T1134.001 | Token Impersonation/Theft |
| AC-5 | Separation of Duties | Protects | T1134.001 | Token Impersonation/Theft |
| AC-6 | Least Privilege | Protects | T1134.001 | Token Impersonation/Theft |
| CM-5 | Access Restrictions for Change | Protects | T1134.001 | Token Impersonation/Theft |
| CM-6 | Configuration Settings | Protects | T1134.001 | Token Impersonation/Theft |
| IA-2 | Identification and Authentication (Organizational Users) | Protects | T1134.001 | Token Impersonation/Theft |