Token Impersonation/Theft - T1134.001
(ATT&CK® Technique)
Definition
Adversaries may duplicate then impersonate another user's existing token to escalate privileges and bypass access controls. For example, an adversary can duplicate an existing token using DuplicateToken or DuplicateTokenEx. The token can then be used with ImpersonateLoggedOnUser to allow the calling thread to impersonate a logged on user's security context, or with SetThreadToken to assign the impersonated token to a thread.
D3FEND Inferred Relationships
Token Impersonation/Theft (T1134.001) copies the Access Token artifact. Each defensive technique below is related to the offensive technique through that artifact.

- Token Binding: strengthens Access Token; may-harden Token Impersonation/Theft
- Multi-factor Authentication: uses Access Token; may-harden Token Impersonation/Theft
- Token-based Authentication: uses Access Token; may-harden Token Impersonation/Theft
- Authentication Cache Invalidation: deletes Access Token; may-evict Token Impersonation/Theft
- Credential Revocation: deletes Access Token; may-evict Token Impersonation/Theft
- Decoy User Credential: spoofs Access Token; may-deceive Token Impersonation/Theft
- Credential Compromise Scope Analysis: analyzes Access Token; may-detect Token Impersonation/Theft
- Credential Rotation: regenerates Access Token; may-harden Token Impersonation/Theft
- Credential Hardening: hardens Access Token; may-harden Token Impersonation/Theft
- Credential Transmission Scoping: isolates Access Token; may-isolate Token Impersonation/Theft
- Reissue Credential: restores Access Token; may-restore Token Impersonation/Theft