T1134.003: Make and Impersonate Token
Adversaries may make new tokens and impersonate users to escalate privileges and bypass access controls. For example, if an adversary has a username and password but the user is not logged onto the system, the adversary can create a logon session for the user with the LogonUser function. The function returns a copy of the new session's access token, and the adversary can then use SetThreadToken to assign that token to a thread.
This behavior is distinct from Token Impersonation/Theft in that this refers to creating a new user token instead of stealing or duplicating an existing one.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
Package | Rule ID | Rule name | Description
---|---|---|---
vulnerabilities | PT-CR-1918 | CVE_2023_42793_Teamcity_Token_Manipulation | Possible exploitation of vulnerability CVE-2023-42793 in TeamCity. This vulnerability allows attackers to create bearer tokens for any user and manage TeamCity users, agents, and projects.
vulnerabilities | PT-CR-2293 | CVE_2024_27198_TeamCity_Authentication_Bypass | Exploitation of vulnerability CVE-2024-27198 in TeamCity. The vulnerability allows an attacker to bypass authentication to create a new TeamCity user with administrator permissions or an access token for a user. This can be used to remotely execute commands.
mitre_attck_privilege_escalation | PT-CR-592 | RunAs_Subrule_Login | A user is authenticated as another user.
mitre_attck_privilege_escalation | PT-CR-468 | RunAs_Context_Menu_Subrule_Execute | A process was started using the "Run as different user" context menu in Windows OS.
mitre_attck_privilege_escalation | PT-CR-864 | Token_Manipulation | A privilege escalation operation using tokens is detected.
mitre_attck_privilege_escalation | PT-CR-462 | RunAs_Context_Menu | A user started a process as another user.
mitre_attck_privilege_escalation | PT-CR-464 | RunAs_System_Or_External_Tools | A user started a process as another user or with an account for making outgoing connections.
hacking_tools | PT-CR-753 | Cobalt_Strike_RunAs_Escalate | The "RunAs" command for privilege escalation was executed using Cobalt Strike software.
Detection
ID | Data source and component | Description
---|---|---
DS0009 | Process: OS API Execution | Monitor for API calls such as LogonUser and SetThreadToken. Token manipulation can be detected only through careful analysis of user activity, examination of running processes, and correlation with other endpoint and network behavior. Correlate activity with other suspicious behavior to reduce false positives caused by normal benign use by users and administrators.
DS0017 | Command: Command Execution | Monitor executed commands and arguments to detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command or similar artifacts. Detailed command-line logging is not enabled by default in Windows.
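As an added illustration of the DS0017 check (this is example code, not part of the MITRE or Positive Technologies content), the function below scans constructed Windows Security 4688 process-creation records for runas invocations, pulls out the `/user:` target, and still raises a finding when command-line auditing was off and only the image path is available. The field names mirror the 4688 event; the records themselves are made up for this example.

```python
import re

# Constructed sample records shaped like Windows Security event 4688
# (process creation) after export to a SIEM. Values are invented.
SAMPLE_EVENTS = [
    {"EventID": 4688, "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Windows\System32\runas.exe",
     "CommandLine": r'runas /user:CORP\svc-backup "cmd.exe /c whoami"'},
    {"EventID": 4688, "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe report.txt"},
    {"EventID": 4688, "SubjectUserName": "admin",
     "NewProcessName": r"C:\Windows\System32\RUNAS.EXE",
     "CommandLine": r"RUNAS.EXE /netonly /user:corp\dba powershell.exe"},
    # Command-line auditing not enabled: only the image path survives.
    {"EventID": 4688, "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Windows\System32\runas.exe",
     "CommandLine": ""},
]

# "runas" or "runas.exe" as a whole token, with or without a leading path.
RUNAS_RE = re.compile(r'(?:^|[\\\s"])runas(?:\.exe)?(?:"|\s|$)', re.IGNORECASE)
# /user:DOMAIN\name or /user:"DOMAIN\name"
USER_RE = re.compile(r'/user:("?)([^\s"]+)\1', re.IGNORECASE)


def detect_runas(events):
    """Return one finding per 4688 record that looks like a runas launch."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4688:
            continue
        cmd = ev.get("CommandLine") or ""
        image = ev.get("NewProcessName", "")
        if not (image.lower().endswith("\\runas.exe") or RUNAS_RE.search(cmd)):
            continue
        match = USER_RE.search(cmd)
        findings.append({
            "subject": ev.get("SubjectUserName"),
            # None when the command line was not logged; the analyst then
            # needs the matching 4624 logon event to learn the target user.
            "target_user": match.group(2) if match else None,
            "netonly": "/netonly" in cmd.lower(),
            "command_line_logged": bool(cmd),
        })
    return findings


if __name__ == "__main__":
    for f in detect_runas(SAMPLE_EVENTS):
        print(f)
```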
Mitigation
ID | Name | Description
---|---|---
M1026 | Privileged Account Management | Limit permissions so that users and user groups cannot create tokens; this right should be assigned to the local system account only. GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create a token object. Also restrict who can create a process-level token to the local and network service accounts through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Replace a process level token. Administrators should log in as a standard user and run their tools with administrator privileges using the built-in access token manipulation command.
M1018 | User Account Management | An adversary must already have administrator-level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require.