| ID | Name |
|---|---|
| T1134.001 | Token Impersonation/Theft |
| T1134.002 | Create Process with Token |
| T1134.003 | Make and Impersonate Token |
| T1134.004 | Parent PID Spoofing |
| T1134.005 | SID-History Injection |
Adversaries may duplicate then impersonate another user's token to escalate privileges and bypass access controls. An adversary can create a new access token that duplicates an existing token using DuplicateToken(Ex). The token can then be used with ImpersonateLoggedOnUser to allow the calling thread to impersonate a logged on user's security context, or with SetThreadToken to assign the impersonated token to a thread.
An adversary may do this when they have a specific, existing process they want to assign the new token to. For example, this may be useful for when the target user has a non-network logon session on the system.
| ID | Name | Description |
|---|---|---|
| G0007 | APT28 |
APT28 has used CVE-2015-1701 to access the SYSTEM token and copy it into the current process as part of privilege escalation.[1] |
| S0456 | Aria-body |
Aria-body has the ability to duplicate a token from ntprint.exe.[2] |
| S0570 | BitPaymer |
BitPaymer can use the tokens of users to create processes on infected systems.[3] |
| S0154 | Cobalt Strike |
Cobalt Strike can steal access tokens from exiting processes.[4][5] |
| G0061 | FIN8 |
FIN8 has used a malicious framework designed to impersonate the lsass.exe/vmtoolsd.exe token.[6] |
| S0182 | FinFisher |
FinFisher uses token manipulation with NtFilterToken as part of UAC bypass.[7][8] |
| S0439 | Okrum |
Okrum can impersonate a logged-on user's security context using a call to the ImpersonateLoggedOnUser API.[9] |
| S0192 | Pupy |
Pupy can obtain a list of SIDs and provide the option for selecting process tokens to impersonate.[10] |
| S0496 | REvil |
REvil can obtain the token from the user that launched the explorer.exe process to avoid affecting the desktop of the SYSTEM user.[11] |
| S0140 | Shamoon |
Shamoon can impersonate tokens using |
| S0692 | SILENTTRINITY |
SILENTTRINITY can find a process owned by a specific user and impersonate the associated token.[13] |
| S0623 | Siloscape |
Siloscape impersonates the main thread of |
| S0603 | Stuxnet |
Stuxnet attempts to impersonate an anonymous token to enumerate bindings in the service control manager.[15] |
| ID | Mitigation | Description |
|---|---|---|
| M1026 | Privileged Account Management |
Limit permissions so that users and user groups cannot create tokens. This setting should be defined for the local system account only. GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create a token object. [16] Also define who can create a process level token to only the local and network service through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Replace a process level token.[17] Administrators should log in as a standard user but run their tools with administrator privileges using the built-in access token manipulation command |
| M1018 | User Account Management |
An adversary must already have administrator level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require. |
| ID | Data Source | Data Component |
|---|---|---|
| DS0017 | Command | Command Execution |
| DS0009 | Process | OS API Execution |
If an adversary is using a standard command-line shell, analysts can detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command. Detailed command-line logging is not enabled by default in Windows.[19]
Analysts can also monitor for use of Windows APIs such as DuplicateToken(Ex), ImpersonateLoggedOnUser , and SetThreadToken and correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators.