Stealth Privilege Escalation

T1134.003: Make and Impersonate Token


T1134.003 · Sub-technique · 1 platform · 2 groups

Description

Adversaries may make new tokens and impersonate users to escalate privileges and bypass access controls. For example, if an adversary has a username and password but the user is not logged onto the system, the adversary can create a logon session for the user using the LogonUser function.(Citation: LogonUserW function) The function returns a copy of the new session's access token, and the adversary can use SetThreadToken to assign that token to a thread.

This behavior is distinct from Token Impersonation/Theft in that this refers to creating a new user token instead of stealing or duplicating an existing one.
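A defender's view of the sequence described above: a logon session created with LogonUser is recorded in the Windows Security log as a 4624 event, so the pattern can be hunted for in telemetry. The script below is an added example, not part of the ATT&CK page or of any tool it names. It assumes (these are the example's own heuristics, not statements from the page) that LogonUser sessions carry "Advapi" as the logon process name, that logon type 9 (NewCredentials) corresponds to the LOGON32_LOGON_NEW_CREDENTIALS logon type, and that a short allow-list of well-known callers such as runas.exe is a reasonable baseline to tune per environment. The record format and every sample line are constructed for the example.

```python
"""Flag Windows Security 4624 logon events that look like a token created
with LogonUser(), the call named in the technique description.

Heuristic (an assumption of this example, not a statement from the page):
LogonUser() sessions are logged with "Advapi" as the logon process, so a
4624 whose LogonProcessName is Advapi and whose caller is not one of a few
well-known legitimate callers deserves analyst attention. Logon type 9
(NewCredentials) is the variant produced by LOGON32_LOGON_NEW_CREDENTIALS.
"""
from __future__ import annotations

from dataclasses import dataclass

INTERACTIVE, NETWORK, NEW_CREDENTIALS = 2, 3, 9  # 4624 logon types of interest

# Callers that routinely invoke LogonUser on a workstation (assumed baseline;
# tune per environment; entries are lower-cased for comparison).
BENIGN_CALLERS = {
    r"c:\windows\system32\runas.exe",
    r"c:\windows\system32\services.exe",
}


@dataclass(frozen=True)
class LogonEvent:
    event_id: int
    logon_type: int
    logon_process: str
    target_user: str
    subject_user: str
    caller_process: str
    logon_id: str


def parse_event(line: str) -> LogonEvent:
    """Parse one 'Key=Value Key=Value ...' record (the constructed sample
    format used below; values contain no spaces)."""
    fields = dict(token.split("=", 1) for token in line.split())
    return LogonEvent(
        event_id=int(fields["EventID"]),
        logon_type=int(fields["LogonType"]),
        logon_process=fields["LogonProcessName"],
        target_user=fields["TargetUserName"],
        subject_user=fields["SubjectUserName"],
        caller_process=fields["ProcessName"],
        logon_id=fields["TargetLogonId"],
    )


def is_make_token_candidate(ev: LogonEvent) -> bool:
    """True when a 4624 event matches the LogonUser() pattern from an
    unexpected caller process."""
    if ev.event_id != 4624 or ev.logon_process.lower() != "advapi":
        return False
    if ev.caller_process.lower() in BENIGN_CALLERS:
        return False
    return ev.logon_type in (INTERACTIVE, NETWORK, NEW_CREDENTIALS)


def find_candidates(log_text: str) -> list[tuple[str, str, str, int]]:
    """Return (subject, target, caller, logon_type) for each suspicious event."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if is_make_token_candidate(ev):
            hits.append((ev.subject_user, ev.target_user, ev.caller_process, ev.logon_type))
    return hits


# Constructed sample records (not real telemetry). Paths contain no spaces so
# the whitespace-splitting parser above is sufficient.
SAMPLE_LOG = r"""
EventID=4624 LogonType=2 LogonProcessName=User32 TargetUserName=alice SubjectUserName=WS01$ ProcessName=C:\Windows\System32\winlogon.exe TargetLogonId=0x3E7A1
EventID=4624 LogonType=9 LogonProcessName=Advapi TargetUserName=alice SubjectUserName=alice ProcessName=C:\Windows\System32\runas.exe TargetLogonId=0x5B201
EventID=4624 LogonType=9 LogonProcessName=Advapi TargetUserName=svc_backup SubjectUserName=bob ProcessName=C:\Users\bob\AppData\Local\Temp\update.exe TargetLogonId=0x6C330
EventID=4624 LogonType=3 LogonProcessName=NtLmSsp TargetUserName=bob SubjectUserName=- ProcessName=- TargetLogonId=0x70011
EventID=4624 LogonType=2 LogonProcessName=Advapi TargetUserName=Administrator SubjectUserName=bob ProcessName=C:\Users\bob\Downloads\tool.exe TargetLogonId=0x7F002
EventID=4672 LogonType=0 LogonProcessName=- TargetUserName=Administrator SubjectUserName=Administrator ProcessName=- TargetLogonId=0x7F002
"""

if __name__ == "__main__":
    for subject, target, caller, ltype in find_candidates(SAMPLE_LOG):
        print(f"{subject} created a type-{ltype} session for {target} from {caller}")
```

Against the sample, the console logon (User32), the runas.exe call and the NTLM network logon are ignored, while the two Advapi logons raised from user-writable paths are reported; the TargetLogonId of each hit is the value to pivot on when correlating later events in the same session.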

Platforms

Windows

Mitigations (2)

M1026: Privileged Account Management

Limit permissions so that users and user groups cannot create tokens. This setting should be defined for the local system account only. GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create a token object. (Citation: Microsoft Create Token) Also define who can create a process level token to only the local and network serv
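The two User Rights Assignment settings named in this mitigation can be audited from a host's security policy export. The script below is an added example, not part of the ATT&CK page or of any Microsoft tooling; it parses the `[Privilege Rights]` section of the INF file written by `secedit /export /cfg <file>` and compares `SeCreateTokenPrivilege` ("Create a token object") and `SeAssignPrimaryTokenPrivilege` ("Replace a process level token") against the assignments the mitigation describes. The expected principals (SYSTEM only for token creation; LOCAL SERVICE and NETWORK SERVICE for process-level tokens) are this example's reading of the mitigation text, and both INF samples are constructed rather than captured from a real machine.

```python
"""Audit the two User Rights Assignment settings behind mitigation M1026
from a `secedit /export /cfg` INF file.

Added example. Expected holders are taken from the mitigation text:
"Create a token object" for the local system account only, and
"Replace a process level token" for LOCAL SERVICE and NETWORK SERVICE.
The INF samples below are constructed, not real exports.
"""
from __future__ import annotations

# Well-known SIDs as they appear in a secedit export (leading '*').
SYSTEM = "*S-1-5-18"
LOCAL_SERVICE = "*S-1-5-19"
NETWORK_SERVICE = "*S-1-5-20"

# Right name in the export -> principals allowed to hold it (assumed policy).
EXPECTED = {
    "SeCreateTokenPrivilege": {SYSTEM},                               # Create a token object
    "SeAssignPrimaryTokenPrivilege": {LOCAL_SERVICE, NETWORK_SERVICE},  # Replace a process level token
}


def parse_privilege_rights(inf_text: str) -> dict[str, set[str]]:
    """Return {right: {principals}} from the [Privilege Rights] section.
    A real export is UTF-16; open it with encoding='utf-16' before calling."""
    rights: dict[str, set[str]] = {}
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, value = (part.strip() for part in line.split("=", 1))
            rights[name] = {p.strip() for p in value.split(",") if p.strip()}
    return rights


def audit(inf_text: str) -> dict[str, list[str]]:
    """Return {right: [unexpected principals]}; an empty dict means compliant.
    A right absent from the export is treated as assigned to nobody."""
    rights = parse_privilege_rights(inf_text)
    findings: dict[str, list[str]] = {}
    for right, allowed in EXPECTED.items():
        extra = sorted(rights.get(right, set()) - allowed)
        if extra:
            findings[right] = extra
    return findings


# Constructed export of a host that matches the mitigation.
COMPLIANT_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
SeDebugPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed export of a drifted host: a domain account holds "Create a
# token object" and local Administrators were added to "Replace a process
# level token" (the domain SID is a placeholder).
DRIFTED_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeCreateTokenPrivilege = *S-1-5-21-1111111111-2222222222-3333333333-1105
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""

if __name__ == "__main__":
    for label, text in (("compliant", COMPLIANT_INF), ("drifted", DRIFTED_INF)):
        print(label, audit(text) or "OK")
```

Run it against a real export by reading the file with `encoding="utf-16"` and passing the text to `audit()`; a non-empty result lists exactly which principals would need to be removed to match the GPO described above.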

M1018: User Account Management

An adversary must already have administrator level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require.

Threat Groups (2)

| ID | Group | Context |
|---|---|---|
| G1043 | BlackByte | [BlackByte](https://attack.mitre.org/groups/G1043) constructed a valid authentication token following Microsoft Exchange exploitation to allow for fol... |
| G1016 | FIN13 | [FIN13](https://attack.mitre.org/groups/G1016) has utilized tools such as Incognito V2 for token manipulation and impersonation.(Citation: Sygnia Elep... |

Associated Software (3)

| ID | Name | Type | Context |
|---|---|---|---|
| S1060 | Mafalda | Malware | [Mafalda](https://attack.mitre.org/software/S1060) can create a token for a different user.(Citation: SentinelLabs Metador Technical Appendix Sept 202... |
| S0692 | SILENTTRINITY | Tool | [SILENTTRINITY](https://attack.mitre.org/software/S0692) can make tokens from known credentials.(Citation: Github_SILENTTRINITY) |
| S0154 | Cobalt Strike | Malware | [Cobalt Strike](https://attack.mitre.org/software/S0154) can make tokens from known credentials.(Citation: cobaltstrike manual) |

Frequently Asked Questions

What is T1134.003 (Make and Impersonate Token)?

T1134.003 is a MITRE ATT&CK technique named 'Make and Impersonate Token'. It belongs to the Stealth and Privilege Escalation tactics. Adversaries may make new tokens and impersonate users to escalate privileges and bypass access controls. For example, if an adversary has a username and password but the user is not logged onto the sy...

How can T1134.003 be detected?

Detection of T1134.003 (Make and Impersonate Token) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.

What mitigations exist for T1134.003?

There are 2 documented mitigations for T1134.003. Key mitigations include: Privileged Account Management, User Account Management.

Which threat groups use T1134.003?

Known threat groups using T1134.003 include: BlackByte, FIN13.