Description
Adversaries may duplicate then impersonate another user's existing token to escalate privileges and bypass access controls. For example, an adversary can duplicate an existing token using DuplicateToken or DuplicateTokenEx.(Citation: DuplicateToken function) The token can then be used with ImpersonateLoggedOnUser to allow the calling thread to impersonate a logged on user's security context, or with SetThreadToken to assign the impersonated token to a thread.
An adversary may perform Token Impersonation/Theft when they have a specific, existing process they want to assign the duplicated token to. For example, this may be useful when the target user has a non-network logon session on the system.
When an adversary would instead use a duplicated token to create a new process rather than attaching to an existing process, they can additionally Create Process with Token using CreateProcessWithTokenW or CreateProcessAsUserW. Token Impersonation/Theft is also distinct from Make and Impersonate Token in that it refers to duplicating an existing token, rather than creating a new one.
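The two API patterns described above leave distinct traces in endpoint telemetry: opening a handle to another process with the query rights that OpenProcessToken needs (Sysmon Event ID 10, ProcessAccess), and a child process whose logon session differs from its parent's, which is what CreateProcessWithTokenW/CreateProcessAsUserW produce (Sysmon Event ID 1, ProcessCreate). The detection logic below is an added example, not MITRE ATT&CK's or any listed tool's code; the event records are constructed, the field names follow the Sysmon schema, and the allow-lists of expected token switchers and expected lsass.exe readers are assumptions to tune per environment.

```python
"""Detection logic for token impersonation/theft over Sysmon-style records.

Added example (not MITRE ATT&CK's or any listed tool's code). The records below
are constructed and use the field names of Sysmon Event ID 1 (ProcessCreate)
and Event ID 10 (ProcessAccess); the allow-lists are assumptions to tune.
"""

# Process access-mask bits that OpenProcessToken requires on the target handle.
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
TOKEN_QUERY_BITS = PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION

# Processes whose tokens the page's software table says get duplicated.
SENSITIVE_TARGETS = {"lsass.exe", "vmtoolsd.exe", "taskhostw.exe", "ntprint.exe"}
# Parents that legitimately start children under a different logon session (assumption).
EXPECTED_TOKEN_SWITCHERS = {"wininit.exe", "services.exe", "svchost.exe", "winlogon.exe", "userinit.exe"}
# Images expected to open lsass.exe with query rights, e.g. the AV engine (assumption).
EXPECTED_SENSITIVE_READERS = {"msmpeng.exe", "csrss.exe", "wininit.exe", "services.exe"}


def basename(image):
    """Lower-cased file name from a Windows image path."""
    return image.rsplit("\\", 1)[-1].lower()


def detect_token_anomalies(events):
    """Return (rule, detail) findings for a list of Sysmon-style event dicts."""
    findings = []
    # ProcessGuid -> LogonId from every ProcessCreate, so a child can be compared with its parent.
    logon_by_guid = {e["ProcessGuid"]: e["LogonId"] for e in events if e["EventID"] == 1}

    for e in events:
        if e["EventID"] == 1:
            parent_logon = logon_by_guid.get(e["ParentProcessGuid"])
            parent = basename(e["ParentImage"])
            # A child in a different logon session than its parent was started with a token
            # the parent did not own (CreateProcessWithTokenW / CreateProcessAsUserW).
            if parent_logon is not None and parent_logon != e["LogonId"] \
                    and parent not in EXPECTED_TOKEN_SWITCHERS:
                findings.append(("child_logon_mismatch",
                                 f"{parent} (logon {parent_logon}) started {basename(e['Image'])} "
                                 f"under logon {e['LogonId']} as {e['User']}"))
        elif e["EventID"] == 10:
            granted = int(e["GrantedAccess"], 16)
            source, target = basename(e["SourceImage"]), basename(e["TargetImage"])
            # An unexpected image took a handle with token-query rights to a sensitive process.
            if granted & TOKEN_QUERY_BITS and target in SENSITIVE_TARGETS \
                    and source not in EXPECTED_SENSITIVE_READERS:
                findings.append(("sensitive_process_access",
                                 f"{source} opened {target} with GrantedAccess 0x{granted:X}"))
    return findings


# Constructed sample telemetry: a user-downloaded binary opens lsass.exe and then
# spawns cmd.exe in the SYSTEM logon session (0x3e7) rather than the user's own.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{g-1}", "Image": "C:\\Windows\\System32\\services.exe",
     "User": "NT AUTHORITY\\SYSTEM", "LogonId": "0x3e7",
     "ParentProcessGuid": "{g-0}", "ParentImage": "C:\\Windows\\System32\\wininit.exe"},
    {"EventID": 1, "ProcessGuid": "{g-2}", "Image": "C:\\Windows\\System32\\svchost.exe",
     "User": "NT AUTHORITY\\NETWORK SERVICE", "LogonId": "0x3e4",
     "ParentProcessGuid": "{g-1}", "ParentImage": "C:\\Windows\\System32\\services.exe"},
    {"EventID": 1, "ProcessGuid": "{g-9}", "Image": "C:\\Windows\\explorer.exe",
     "User": "CORP\\alice", "LogonId": "0x5a2b1",
     "ParentProcessGuid": "{g-8}", "ParentImage": "C:\\Windows\\System32\\userinit.exe"},
    {"EventID": 1, "ProcessGuid": "{g-3}", "Image": "C:\\Users\\alice\\Downloads\\update.exe",
     "User": "CORP\\alice", "LogonId": "0x5a2b1",
     "ParentProcessGuid": "{g-9}", "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 10, "SourceImage": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\MsMpEng.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": "C:\\Users\\alice\\Downloads\\update.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1410"},
    {"EventID": 1, "ProcessGuid": "{g-4}", "Image": "C:\\Windows\\System32\\cmd.exe",
     "User": "NT AUTHORITY\\SYSTEM", "LogonId": "0x3e7",
     "ParentProcessGuid": "{g-3}", "ParentImage": "C:\\Users\\alice\\Downloads\\update.exe"},
]

if __name__ == "__main__":
    for rule, detail in detect_token_anomalies(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Run against the constructed records this reports update.exe opening lsass.exe with 0x1410 and then starting cmd.exe under the SYSTEM logon session, while the services.exe to svchost.exe session change (normal service start) and the Defender engine's lsass.exe access are suppressed by the allow-lists. The logon-session comparison is the more durable of the two rules, because it does not depend on which process the token came from.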
Platforms
Mitigations (2)
User Account Management (M1018)
An adversary must already have administrator level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require.
Privileged Account Management (M1026)
Limit permissions so that users and user groups cannot create tokens. This setting should be defined for the local system account only. GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create a token object. (Citation: Microsoft Create Token) Also define who can create a process level token to only the local and network serv
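The two user rights above (SeCreateTokenPrivilege for "Create a token object" and SeAssignPrimaryTokenPrivilege for "Replace a process level token") can be checked on a host from a `secedit /export` of the local security policy, which writes an INI-style file whose `[Privilege Rights]` section lists each privilege with the SIDs holding it. The audit script below is an added example, not Microsoft or MITRE tooling; the export text is constructed, the expected holder for "Create a token object" follows the page (local system only), and restricting "Replace a process level token" to LOCAL SERVICE and NETWORK SERVICE is an assumption.

```python
"""Audit the two user rights that M1026 names, from a secedit export.

Added example, not Microsoft or MITRE tooling. On a host the input file comes
from `secedit /export /cfg C:\\audit\\rights.inf /areas USER_RIGHTS` (UTF-16
INI text with a [Privilege Rights] section); the text below is constructed.
"""

# Well-known SIDs as secedit writes them (without the leading '*').
LOCAL_SYSTEM = "S-1-5-18"
LOCAL_SERVICE = "S-1-5-19"
NETWORK_SERVICE = "S-1-5-20"

# Expected holders of each right. "Create a token object" follows the page (local
# system only); "Replace a process level token" limited to the two service
# accounts is an assumption.
EXPECTED_HOLDERS = {
    "SeCreateTokenPrivilege": {LOCAL_SYSTEM},
    "SeAssignPrimaryTokenPrivilege": {LOCAL_SERVICE, NETWORK_SERVICE},
}


def parse_privilege_rights(inf_text):
    """Map each privilege in [Privilege Rights] to the set of SIDs/accounts holding it."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Privilege Rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        rights[name.strip()] = {p.strip().lstrip("*") for p in value.split(",") if p.strip()}
    return rights


def audit_token_rights(rights, expected=EXPECTED_HOLDERS):
    """Return {privilege: [unexpected holders]}; an empty dict means compliant.
    A privilege missing from the export is held by nobody, which passes."""
    violations = {}
    for privilege, allowed in expected.items():
        extra = rights.get(privilege, set()) - allowed
        if extra:
            violations[privilege] = sorted(extra)
    return violations


def audit_export_file(path):
    """Read a real secedit export (UTF-16) and audit it."""
    with open(path, encoding="utf-16") as fh:
        return audit_token_rights(parse_privilege_rights(fh.read()))


# Constructed export: a made-up domain user SID has been granted
# "Replace a process level token" on top of the default service accounts.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeCreateTokenPrivilege = *S-1-5-18
SeDebugPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""

if __name__ == "__main__":
    for privilege, extra in audit_token_rights(parse_privilege_rights(SAMPLE_EXPORT)).items():
        print(f"{privilege}: unexpected holders {', '.join(extra)}")
```

On the constructed export the script flags the extra SID on SeAssignPrimaryTokenPrivilege and accepts SeCreateTokenPrivilege; a privilege that secedit omits entirely is held by no one and therefore passes. For domain-joined hosts, run the same check against the resultant policy after the GPO from the mitigation has applied, since a local grant can be overridden by the domain setting.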
Threat Groups (2)
| ID | Group | Context |
|---|---|---|
| G0007 | APT28 | [APT28](https://attack.mitre.org/groups/G0007) has used CVE-2015-1701 to access the SYSTEM token and copy it into the current process as part of privi... |
| G0061 | FIN8 | [FIN8](https://attack.mitre.org/groups/G0061) has used a malicious framework designed to impersonate the lsass.exe/vmtoolsd.exe token.(Citation: Bitde... |
Associated Software (17)
| ID | Name | Type | Context |
|---|---|---|---|
| S0182 | FinFisher | Malware | [FinFisher](https://attack.mitre.org/software/S0182) uses token manipulation with NtFilterToken as part of UAC bypass.(Citation: FinFisher Citation)(C... |
| S0367 | Emotet | Malware | [Emotet](https://attack.mitre.org/software/S0367) has the ability to duplicate the user’s token.(Citation: Binary Defense Emotes Wi-Fi Spreader) For e... |
| S9033 | Fooder | Malware | [Fooder](https://attack.mitre.org/software/S9033) has used the `DuplicateTokenEx` API to duplicate the token of a specified process, and `CreateProces... |
| S1229 | Havoc | Malware | [Havoc](https://attack.mitre.org/software/S1229) has a module capable of token impersonation.(Citation: Havoc Framework Documentation) |
| S0603 | Stuxnet | Malware | [Stuxnet](https://attack.mitre.org/software/S0603) attempts to impersonate an anonymous token to enumerate bindings in the service control manager.(Ci... |
| S0154 | Cobalt Strike | Malware | [Cobalt Strike](https://attack.mitre.org/software/S0154) can steal access tokens from existing processes.(Citation: cobaltstrike manual)(Citation: Coba... |
| S1011 | Tarrask | Malware | [Tarrask](https://attack.mitre.org/software/S1011) leverages token theft to obtain `lsass.exe` security permissions.(Citation: Tarrask scheduled task)... |
| S0692 | SILENTTRINITY | Tool | [SILENTTRINITY](https://attack.mitre.org/software/S0692) can find a process owned by a specific user and impersonate the associated token.(Citation: G... |
| S0570 | BitPaymer | Malware | [BitPaymer](https://attack.mitre.org/software/S0570) can use the tokens of users to create processes on infected systems.(Citation: Crowdstrike Indrik... |
| S0140 | Shamoon | Malware | [Shamoon](https://attack.mitre.org/software/S0140) can impersonate tokens using <code>LogonUser</code>, <code>ImpersonateLoggedOnUser</code>, and <cod... |
| S0439 | Okrum | Malware | [Okrum](https://attack.mitre.org/software/S0439) can impersonate a logged-on user's security context using a call to the ImpersonateLoggedOnUser API.(... |
| S0456 | Aria-body | Malware | [Aria-body](https://attack.mitre.org/software/S0456) has the ability to duplicate a token from ntprint.exe.(Citation: CheckPoint Naikon May 2020) |
| S0496 | REvil | Malware | [REvil](https://attack.mitre.org/software/S0496) can obtain the token from the user that launched the explorer.exe process to avoid affecting the desk... |
| S9036 | LP-Notes | Malware | [LP-Notes](https://attack.mitre.org/software/S9036) has impersonated the security context of the taskhostw.exe process via the `ImpersonateLoggedOnUse... |
| S0192 | Pupy | Tool | [Pupy](https://attack.mitre.org/software/S0192) can obtain a list of SIDs and provide the option for selecting process tokens to impersonate.(Citation... |
| S1081 | BADHATCH | Malware | [BADHATCH](https://attack.mitre.org/software/S1081) can impersonate a `lsass.exe` or `vmtoolsd.exe` token.(Citation: BitDefender BADHATCH Mar 2021) |
| S0623 | Siloscape | Malware | [Siloscape](https://attack.mitre.org/software/S0623) impersonates the main thread of <code>CExecSvc.exe</code> by calling <code>NtImpersonateThread</c... |
References
Frequently Asked Questions
What is T1134.001 (Token Impersonation/Theft)?
T1134.001 is a MITRE ATT&CK technique named 'Token Impersonation/Theft'. It belongs to the Stealth, Privilege Escalation tactic(s). Adversaries may duplicate then impersonate another user's existing token to escalate privileges and bypass access controls. For example, an adversary can duplicate an existing token using `DuplicateTo...
How can T1134.001 be detected?
Detection of T1134.001 (Token Impersonation/Theft) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1134.001?
There are 2 documented mitigations for T1134.001. Key mitigations include: User Account Management, Privileged Account Management.
Which threat groups use T1134.001?
Known threat groups using T1134.001 include: APT28, FIN8.