T1134: Access Token Manipulation
| View on MITRE ATT&CK | T1134 |
|---|---|
| Tactic(s) | Privilege Escalation, Defense Evasion |
| Associated CAPEC Patterns | Token Impersonation (CAPEC-633) , Exploitation of Trusted Identifiers (CAPEC-21) |
Data from MITRE ATT&CK®:
Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
An adversary can use built-in Windows API functions to copy access tokens from existing processes; this is known as token stealing. These token can then be applied to an existing process (i.e. Token Impersonation/Theft) or used to spawn a new process (i.e. Create Process with Token). An adversary must already be in a privileged user context (i.e. administrator) to steal a token. However, adversaries commonly use token stealing to elevate their security context from the administrator level to the SYSTEM level. An adversary can then use a token to authenticate to a remote system as the account for that token if the account has appropriate permissions on the remote system.(Citation: Pentestlab Token Manipulation)
Any standard user can use the runas command, and the Windows API functions, to create impersonation tokens; it does not require access to an administrator account. There are also other mechanisms, such as Active Directory fields, that can be used to modify access tokens.
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
Cyber Threat Graph Context
Explore how this ATT&CK Technique relates to the wider threat graph
Reporting on this Technique
FamousSparrow: A suspicious hotel guest
This blog post by researchers from ESET describes the FamousSparrow APT group and associated custom backdoor 'SparrowDoor'. According to the post, ...
APT29 Uses WINELOADER to Target German Political Parties
This blog post by Mandiant describes activity by APT29, linked to Russia's SVR, which targeted German political parties with a new backdoor: ...
Mitigations for this technique
MITRE ATT&CK Mitigations
How to detect this technique
MITRE ATT&CK Data Components
OS API Execution (Process)
Operating system function/method calls executed by a processUser Account Metadata (User Account)
Contextual data about an account, which may include a username, user ID, environmental data, etc.Command Execution (Command)
The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc. )Active Directory Object Modification (Active Directory)
Changes made to an active directory object (ex: Windows EID 5163 or 5136)Process Metadata (Process)
Contextual data about a running process, which may include information such as environment variables, image name, user/owner, etc.Process Creation (Process)
The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)Sigma Detections for this Technique
SP800-53 Controls
See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.