Esc
Make and Impersonate Token - T1134.003
(ATT&CK® Technique)
Definition
Adversaries may make new tokens and impersonate users to escalate privileges and bypass access controls. For example, if an adversary has a username and password but the user is not logged onto the system the adversary can then create a logon session for the user using the LogonUser
function. The function will return a copy of the new session's access token and the adversary can use SetThreadToken
to assign the token to a thread.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR; T1134003["Make and Impersonate Token"] --> |copies| AccessToken["Access Token"]; class T1134003 OffensiveTechniqueNode; class AccessToken ArtifactNode; click AccessToken href "/dao/artifact/d3f:AccessToken"; click T1134003 href "/offensive-technique/attack/T1134.003/"; click AccessToken href "/dao/artifact/d3f:AccessToken"; T1134003["Make and Impersonate Token"] --> |creates| LoginSession["Login Session"]; class T1134003 OffensiveTechniqueNode; class LoginSession ArtifactNode; click LoginSession href "/dao/artifact/d3f:LoginSession"; click T1134003 href "/offensive-technique/attack/T1134.003/"; click LoginSession href "/dao/artifact/d3f:LoginSession"; T1134003["Make and Impersonate Token"] --> |may-modify| EventLog["Event Log"]; class T1134003 OffensiveTechniqueNode; class EventLog ArtifactNode; click EventLog href "/dao/artifact/d3f:EventLog"; click T1134003 href "/offensive-technique/attack/T1134.003/"; click EventLog href "/dao/artifact/d3f:EventLog"; AuthenticationCacheInvalidation["Authentication Cache Invalidation"] --> | deletes | AccessToken["Access Token"]; AuthenticationCacheInvalidation["Authentication Cache Invalidation"] -.-> | may-evict | T1134003["Make and Impersonate Token"] ; class AuthenticationCacheInvalidation DefensiveTechniqueNode; class AccessToken ArtifactNode; click AuthenticationCacheInvalidation href "/technique/d3f:AuthenticationCacheInvalidation"; CredentialRevocation["Credential Revocation"] --> | deletes | AccessToken["Access Token"]; CredentialRevocation["Credential Revocation"] -.-> | may-evict | T1134003["Make and Impersonate Token"] ; class CredentialRevocation DefensiveTechniqueNode; class AccessToken ArtifactNode; click CredentialRevocation href "/technique/d3f:CredentialRevocation"; SessionTermination["Session Termination"] --> | deletes | LoginSession["Login Session"]; SessionTermination["Session Termination"] -.-> | may-evict | T1134003["Make and Impersonate Token"] ; class SessionTermination DefensiveTechniqueNode; class LoginSession ArtifactNode; click SessionTermination href "/technique/d3f:SessionTermination"; CredentialRotation["Credential Rotation"] --> | regenerates | AccessToken["Access Token"]; CredentialRotation["Credential Rotation"] -.-> | may-harden | T1134003["Make and Impersonate Token"] ; class CredentialRotation DefensiveTechniqueNode; class AccessToken ArtifactNode; click CredentialRotation href "/technique/d3f:CredentialRotation"; TokenBinding["Token Binding"] --> | strengthens | AccessToken["Access Token"]; TokenBinding["Token Binding"] -.-> | may-harden | T1134003["Make and Impersonate Token"] ; class TokenBinding DefensiveTechniqueNode; class AccessToken ArtifactNode; click TokenBinding href "/technique/d3f:TokenBinding"; CredentialTransmissionScoping["Credential Transmission Scoping"] --> | isolates | AccessToken["Access Token"]; CredentialTransmissionScoping["Credential Transmission Scoping"] -.-> | may-isolate | T1134003["Make and Impersonate Token"] ; class CredentialTransmissionScoping DefensiveTechniqueNode; class AccessToken ArtifactNode; click CredentialTransmissionScoping href "/technique/d3f:CredentialTransmissionScoping"; ReissueCredential["Reissue Credential"] --> | restores | AccessToken["Access Token"]; ReissueCredential["Reissue Credential"] -.-> | may-restore | T1134003["Make and Impersonate Token"] ; class ReissueCredential DefensiveTechniqueNode; class AccessToken ArtifactNode; click ReissueCredential href "/technique/d3f:ReissueCredential"; DecoyUserCredential["Decoy User Credential"] --> | spoofs | AccessToken["Access Token"]; DecoyUserCredential["Decoy User Credential"] -.-> | may-deceive | T1134003["Make and Impersonate Token"] ; class DecoyUserCredential DefensiveTechniqueNode; class AccessToken ArtifactNode; click DecoyUserCredential href "/technique/d3f:DecoyUserCredential"; CredentialCompromiseScopeAnalysis["Credential Compromise Scope Analysis"] --> | analyzes | AccessToken["Access Token"]; CredentialCompromiseScopeAnalysis["Credential Compromise Scope Analysis"] -.-> | may-detect | T1134003["Make and Impersonate Token"] ; class CredentialCompromiseScopeAnalysis DefensiveTechniqueNode; class AccessToken ArtifactNode; click CredentialCompromiseScopeAnalysis href "/technique/d3f:CredentialCompromiseScopeAnalysis"; Multi-factorAuthentication["Multi-factor Authentication"] --> | uses | AccessToken["Access Token"]; Multi-factorAuthentication["Multi-factor Authentication"] -.-> | may-harden | T1134003["Make and Impersonate Token"] ; class Multi-factorAuthentication DefensiveTechniqueNode; class AccessToken ArtifactNode; click Multi-factorAuthentication href "/technique/d3f:Multi-factorAuthentication"; Token-basedAuthentication["Token-based Authentication"] --> | uses | AccessToken["Access Token"]; Token-basedAuthentication["Token-based Authentication"] -.-> | may-harden | T1134003["Make and Impersonate Token"] ; class Token-basedAuthentication DefensiveTechniqueNode; class AccessToken ArtifactNode; click Token-basedAuthentication href "/technique/d3f:Token-basedAuthentication"; CredentialHardening["Credential Hardening"] --> | hardens | AccessToken["Access Token"]; CredentialHardening["Credential Hardening"] -.-> | may-harden | T1134003["Make and Impersonate Token"] ; class CredentialHardening DefensiveTechniqueNode; class AccessToken ArtifactNode; click CredentialHardening href "/technique/d3f:CredentialHardening";