 Token Impersonation/Theft - T1134.001
(ATT&CK® Technique)
  Definition
Adversaries may duplicate and then impersonate another user's existing token to escalate privileges and bypass access controls. For example, an adversary can duplicate an existing token using DuplicateToken or DuplicateTokenEx. The token can then be used with ImpersonateLoggedOnUser to allow the calling thread to impersonate a logged-on user's security context, or with SetThreadToken to assign the impersonated token to a thread.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below. 
        graph LR;
        %% Purpose: left-to-right graph relating ATT&CK T1134.001 (Token Impersonation/Theft)
        %% to D3FEND defensive techniques through the one artifact they share, Access Token.
        %% Solid edges (-->) carry the verb linking a node to the Access Token artifact:
        %% the offensive technique "copies" it, each defensive technique deletes, analyzes,
        %% uses, restores, regenerates, strengthens, spoofs, hardens or isolates it.
        %% Dotted edges (-.->) carry the "may-..." relation from a defensive technique to T1134001
        %% (may-evict, may-detect, may-harden, may-restore, may-deceive, may-isolate).
        %% "class" statements tag nodes as OffensiveTechniqueNode, ArtifactNode or
        %% DefensiveTechniqueNode; "click ... href" statements attach relative links.
        %% NOTE(review): the page labels these relationships "inferred"; the dotted edges look
        %% derived from the shared artifact rather than from tested coverage - treat each as a
        %% candidate control to validate, not as confirmed detection or prevention.
        %% NOTE(review): the definition concerns Windows access tokens, while some listed
        %% techniques (e.g. Token Binding, Multi-factor Authentication) presumably target
        %% authentication tokens more generally - confirm applicability before relying on them.
     T1134001["Token Impersonation/Theft"] --> |copies| AccessToken["Access Token"]; class T1134001 OffensiveTechniqueNode;
        %% The AccessToken click link is declared on the next line and repeated on the line after it;
        %% "class AccessToken ArtifactNode" is likewise repeated in every group below.
        class AccessToken ArtifactNode; click AccessToken href "../../../dao/artifact/d3f:AccessToken";
        click T1134001 href "../../../offensive-technique/attack/T1134.001/"; click AccessToken href "../../../dao/artifact/d3f:AccessToken";             AuthenticationCacheInvalidation["Authentication Cache Invalidation"] -->
          | deletes | AccessToken["Access Token"];
          AuthenticationCacheInvalidation["Authentication Cache Invalidation"] -.->
            | may-evict | T1134001["Token Impersonation/Theft"] ;
          class AuthenticationCacheInvalidation DefensiveTechniqueNode;
          class AccessToken ArtifactNode;
          click AuthenticationCacheInvalidation href "../../../technique/d3f:AuthenticationCacheInvalidation"; CredentialRevocation["Credential Revocation"] -->
          | deletes | AccessToken["Access Token"];
          CredentialRevocation["Credential Revocation"] -.->
            | may-evict | T1134001["Token Impersonation/Theft"] ;
          class CredentialRevocation DefensiveTechniqueNode;
          class AccessToken ArtifactNode;
          click CredentialRevocation href "../../../technique/d3f:CredentialRevocation";   CredentialCompromiseScopeAnalysis["Credential Compromise Scope Analysis"] -->
          | analyzes | AccessToken["Access Token"];
          CredentialCompromiseScopeAnalysis["Credential Compromise Scope Analysis"] -.->
            | may-detect | T1134001["Token Impersonation/Theft"] ;
          class CredentialCompromiseScopeAnalysis DefensiveTechniqueNode;
          class AccessToken ArtifactNode;
          click CredentialCompromiseScopeAnalysis href "../../../technique/d3f:CredentialCompromiseScopeAnalysis";                                    Multi-factorAuthentication["Multi-factor Authentication"] -->
          | uses | AccessToken["Access Token"];
          Multi-factorAuthentication["Multi-factor Authentication"] -.->
            | may-harden | T1134001["Token Impersonation/Theft"] ;
          class Multi-factorAuthentication DefensiveTechniqueNode;
          class AccessToken ArtifactNode;
          click Multi-factorAuthentication href "../../../technique/d3f:Multi-factorAuthentication"; Token-basedAuthentication["Token-based Authentication"] -->
          | uses | AccessToken["Access Token"];
          Token-basedAuthentication["Token-based Authentication"] -.->
            | may-harden | T1134001["Token Impersonation/Theft"] ;
          class Token-basedAuthentication DefensiveTechniqueNode;
          class AccessToken ArtifactNode;
          click Token-basedAuthentication href "../../../technique/d3f:Token-basedAuthentication";                           ReissueCredential["Reissue Credential"] -->
          | restores | AccessToken["Access Token"];
          ReissueCredential["Reissue Credential"] -.->
            | may-restore | T1134001["Token Impersonation/Theft"] ;
          class ReissueCredential DefensiveTechniqueNode;
          class AccessToken ArtifactNode;
          click ReissueCredential href "../../../technique/d3f:ReissueCredential"; CredentialRotation["Credential Rotation"] -->
          | regenerates | AccessToken["Access Token"];
          CredentialRotation["Credential Rotation"] -.->
            | may-harden | T1134001["Token Impersonation/Theft"] ;
          class CredentialRotation DefensiveTechniqueNode;
          class AccessToken ArtifactNode;
          click CredentialRotation href "../../../technique/d3f:CredentialRotation";                           TokenBinding["Token Binding"] -->
          | strengthens | AccessToken["Access Token"];
          TokenBinding["Token Binding"] -.->
            | may-harden | T1134001["Token Impersonation/Theft"] ;
          class TokenBinding DefensiveTechniqueNode;
          class AccessToken ArtifactNode;
          click TokenBinding href "../../../technique/d3f:TokenBinding";              DecoyUserCredential["Decoy User Credential"] -->
          | spoofs | AccessToken["Access Token"];
          DecoyUserCredential["Decoy User Credential"] -.->
            | may-deceive | T1134001["Token Impersonation/Theft"] ;
          class DecoyUserCredential DefensiveTechniqueNode;
          class AccessToken ArtifactNode;
          click DecoyUserCredential href "../../../technique/d3f:DecoyUserCredential";                CredentialHardening["Credential Hardening"] -->
          | hardens | AccessToken["Access Token"];
          CredentialHardening["Credential Hardening"] -.->
            | may-harden | T1134001["Token Impersonation/Theft"] ;
          class CredentialHardening DefensiveTechniqueNode;
          class AccessToken ArtifactNode;
          click CredentialHardening href "../../../technique/d3f:CredentialHardening";              CredentialTransmissionScoping["Credential Transmission Scoping"] -->
          | isolates | AccessToken["Access Token"];
          CredentialTransmissionScoping["Credential Transmission Scoping"] -.->
            | may-isolate | T1134001["Token Impersonation/Theft"] ;
          class CredentialTransmissionScoping DefensiveTechniqueNode;
          class AccessToken ArtifactNode;
          click CredentialTransmissionScoping href "../../../technique/d3f:CredentialTransmissionScoping";