Access Token Manipulation: Token Impersonation/Theft

Created the Friday 27 January 2023. Updated 1 year, 1 month ago.

Adversaries may duplicate then impersonate another user's token to escalate privileges and bypass access controls. An adversary can create a new access token that duplicates an existing token using DuplicateToken(Ex). The token can then be used with ImpersonateLoggedOnUser to allow the calling thread to impersonate a logged on user's security context, or with SetThreadToken to assign the impersonated token to a thread.

An adversary may do this when they have a specific, existing process they want to assign the new token to. For example, this may be useful for when the target user has a non-network logon session on the system.

Technique Identifier

T1134.001

Technique Tags

Defense Evasion Privilege Escalation Token impersonation Token theft DuplicateToken(Ex) ImpersonateLoggedOnUser SetThreadToken APT28

Additional Resources

External Links

The resources provided below are associated links that will give you even more detailed information and research on current evasion technique. It is important to note that, while these resources may be helpful, it is important to exercise caution when following external links. As always, be careful when clicking on links from unknown sources, as they may lead to malicious content.

Access Token Manipulation: Token Impersonation/Theft, Sub-technique T1134.001 - Enterprise | MITRE ATT&CK®