T1134.001: Token Impersonation/Theft
Adversaries may duplicate then impersonate another user's existing token to escalate privileges and bypass access controls. For example, an adversary can duplicate an existing token using DuplicateToken or DuplicateTokenEx. The token can then be used with ImpersonateLoggedOnUser to allow the calling thread to impersonate a logged on user's security context, or with SetThreadToken to assign the impersonated token to a thread.
An adversary may perform Token Impersonation/Theft when they have a specific, existing process they want to assign the duplicated token to. For example, this may be useful for when the target user has a non-network logon session on the system.
When an adversary would instead use a duplicated token to create a new process rather than attaching to an existing process, they can additionally Create Process with Token using CreateProcessWithTokenW or CreateProcessAsUserW. Token Impersonation/Theft is also distinct from Make and Impersonate Token in that it refers to duplicating an existing token, rather than creating a new one.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
mitre_attck_cred_access: PT-CR-1363: Masky_Tool_Usage: The use of the Masky tool is detected. Masky tool is designed to obtain NT hashes and TGT of users working on attacked hosts in order to request certificates on their behalf. hacking_tools: PT-CR-2635: Cobalt_Strike_SpawnAs: Execution of the "SpawnAs" command using Cobalt Strike to spawn a new beacon on the current host as a different user whose credentials were provided hacking_tools: PT-CR-2689: Covenant_Get_System: Privileges were escalated to SYSTEM using the "get_system" command after running a Covenant launcher and obtaining a reverse shell hacking_tools: PT-CR-753: Cobalt_Strike_RunAs_Escalate: The "RunAs" command for privilege escalation was executed using Cobalt Strike software hacking_tools: PT-CR-2134: SharpToken_Usage: SharpToken was used. This tool can find leaked tokens from all processes in the system and exploit them. If attackers accessed a low-privileged account, they can use this tool to upgrade to "NT AUTHORITY\SYSTEM" privileges. SharpToken can also be used to capture interactive user sessions. vulnerabilities: PT-CR-829: Certified_Priv_Esc_CVE_2022_26923: The domain privileges were escalated using vulnerability CVE-2022-26923 in Active Directory Certificate Services vulnerabilities: PT-CR-2929: CVE_2024_30085_PrivEsc_CldFlt: Possible exploitation of vulnerability CVE-2024-30085 in Windows Cloud Files Mini Filter Driver. This vulnerability allows attackers to execute arbitrary code with SYSTEM privileges. mitre_attck_privilege_escalation: PT-CR-853: RoguePotato_PrivEsc: Privileges are escalated using the RoguePotato technique mitre_attck_privilege_escalation: PT-CR-864: Token_Manipulation: A privilege escalation operation using tokens is detected mitre_attck_privilege_escalation: PT-CR-1933: GodPotato_PrivEsc: Privilege escalation using the GodPotato technique allows an attacker with the ImpersonatePrivilege privilege to escalate their privileges to the System user. After this, the attacker can extract from the compromised node credentials for various services of local users, and in some cases, other users who accessed this node. Using this data will allow the attacker to move horizontally (Lateral Movement) to other infrastructure nodes. mitre_attck_privilege_escalation: PT-CR-1217: RasMan_Potato: Local escalation of privileges from a service account to SYSTEM using the RasmanPotato technique is detected mitre_attck_privilege_escalation: PT-CR-2615: System_Process_By_Local_Or_Network_Service: A process was started using the "local service" or "network service" account on behalf of user System. This may indicate privilege escalation using the Access Token Manipulation technique. mitre_attck_privilege_escalation: PT-CR-848: Named_Pipe_Impersonation_PrivEsc: Privileges are escalated using the Named Pipe Impersonation technique mitre_attck_privilege_escalation: PT-CR-1212: PrintNotify_Potato: Privileges of a service account are escalated using the PrintNotifyPotato technique
Detection
| ID | DS0017 | Data source and component | Command: Command Execution | Description | Monitor executed commands and arguments to detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command. Detailed command-line logging is not enabled by default in Windows. |
|---|
| ID | DS0009 | Data source and component | Process: OS API Execution | Description | Monitor for API calls associated with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators, such as DuplicateToken(Ex), ImpersonateLoggedOnUser , and SetThreadToken. |
|---|
Mitigation
| ID | M1018 | Name | User Account Management | Description | An adversary must already have administrator level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require. |
|---|
| ID | M1026 | Name | Privileged Account Management | Description | Limit permissions so that users and user groups cannot create tokens. This setting should be defined for the local system account only. GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create a token object. Also define who can create a process level token to only the local and network service through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Replace a process level token. Administrators should log in as a standard user but run their tools with administrator privileges using the built-in access token manipulation command |
|---|