Access Token Manipulation - T1134
(ATT&CK® Technique)
Definition
Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
D3FEND Inferred Relationships
Access Token Manipulation (T1134) and the digital artifacts it touches:
- invokes Create Process
- may-modify Event Log
- modifies Access Control Configuration
- copies Access Token
- creates Login Session

Defensive techniques, the artifact each acts on, and the inferred relationship to T1134:
- Decoy User Credential: spoofs Access Token (May Deceive)
- Decoy Session Token: spoofs Access Token (May Deceive)
- Credential Compromise Scope Analysis: analyzes Access Token (May Detect)
- System Call Analysis: analyzes Create Process (May Detect)
- Process Spawn Analysis: analyzes Create Process (May Detect)
- Session Termination: deletes Login Session (May Evict)
- Authentication Cache Invalidation: deletes Access Token (May Evict)
- Credential Revocation: deletes Access Token (May Evict)
- Credential Transmission Scoping: restricts Access Token (May Harden)
- Credential Rotation: regenerates Access Token (May Harden)
- Executable Allowlisting: restricts Create Process (May Isolate)
- Executable Denylisting: restricts Create Process (May Isolate)
- Hardware-based Process Isolation: restricts Create Process (May Isolate)
- Reissue Credential: restores Access Token (May Restore)
- Restore Configuration: restores Access Control Configuration (May Restore)
- Mandatory Access Control: restricts Create Process (May Isolate)
- System Call Filtering: filters Create Process (May Isolate)