Access Token Manipulation - T1134
(ATT&CK® Technique)
Definition
Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
D3FEND Inferred Relationships
Artifacts that Access Token Manipulation (T1134) acts on:
- copies: Access Token
- creates: Login Session
- invokes: Create Process
- may-modify: Event Log
- modifies: Access Control Configuration

Defensive techniques inferred through those artifacts (technique, its relation to the artifact, inferred relation to T1134):
- Decoy User Credential: spoofs Access Token; may-deceive T1134
- Credential Compromise Scope Analysis: analyzes Access Token; may-detect T1134
- System Call Analysis: analyzes Create Process; may-detect T1134
- Process Spawn Analysis: analyzes Create Process; may-detect T1134
- Credential Revocation: deletes Access Token; may-evict T1134
- Authentication Cache Invalidation: deletes Access Token; may-evict T1134
- Session Termination: deletes Login Session; may-evict T1134
- Token Binding: strengthens Access Token; may-harden T1134
- Credential Rotation: regenerates Access Token; may-harden T1134
- Token-based Authentication: uses Access Token; may-harden T1134
- Multi-factor Authentication: uses Access Token; may-harden T1134
- Credential Hardening: hardens Access Token; may-harden T1134
- Credential Transmission Scoping: isolates Access Token; may-isolate T1134
- System Call Filtering: filters Create Process; may-isolate T1134
- Executable Denylisting: filters Create Process; may-isolate T1134
- Hardware-based Process Isolation: restricts Create Process; may-isolate T1134
- Executable Allowlisting: filters Create Process; may-isolate T1134
- Reissue Credential: restores Access Token; may-restore T1134
- Restore Configuration: restores Access Control Configuration; may-restore T1134