Esc
Access Token Manipulation - T1134
(ATT&CK® Technique)
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR; T1134["Access Token Manipulation"] --> |copies| AccessToken["Access Token"]; class T1134 OffensiveTechniqueNode; class AccessToken ArtifactNode; click AccessToken href "/dao/artifact/d3f:AccessToken"; click T1134 href "/offensive-technique/attack/T1134/"; click AccessToken href "/dao/artifact/d3f:AccessToken"; T1134["Access Token Manipulation"] --> |creates| LoginSession["Login Session"]; class T1134 OffensiveTechniqueNode; class LoginSession ArtifactNode; click LoginSession href "/dao/artifact/d3f:LoginSession"; click T1134 href "/offensive-technique/attack/T1134/"; click LoginSession href "/dao/artifact/d3f:LoginSession"; T1134["Access Token Manipulation"] --> |invokes| CreateProcess["Create Process"]; class T1134 OffensiveTechniqueNode; class CreateProcess ArtifactNode; click CreateProcess href "/dao/artifact/d3f:CreateProcess"; click T1134 href "/offensive-technique/attack/T1134/"; click CreateProcess href "/dao/artifact/d3f:CreateProcess"; T1134["Access Token Manipulation"] --> |may-modify| EventLog["Event Log"]; class T1134 OffensiveTechniqueNode; class EventLog ArtifactNode; click EventLog href "/dao/artifact/d3f:EventLog"; click T1134 href "/offensive-technique/attack/T1134/"; click EventLog href "/dao/artifact/d3f:EventLog"; T1134["Access Token Manipulation"] --> |modifies| AccessControlConfiguration["Access Control Configuration"]; class T1134 OffensiveTechniqueNode; class AccessControlConfiguration ArtifactNode; click AccessControlConfiguration href "/dao/artifact/d3f:AccessControlConfiguration"; click T1134 href "/offensive-technique/attack/T1134/"; click AccessControlConfiguration href "/dao/artifact/d3f:AccessControlConfiguration"; DecoySessionToken["Decoy Session Token"] --> | spoofs | AccessToken["Access Token"]; DecoySessionToken["Decoy Session Token"] -.-> | May Deceive | T1134["Access Token Manipulation"] ; class DecoySessionToken DefensiveTechniqueNode; class AccessToken ArtifactNode; click DecoySessionToken href "/technique/d3f:DecoySessionToken"; DecoyUserCredential["Decoy User Credential"] --> | spoofs | AccessToken["Access Token"]; DecoyUserCredential["Decoy User Credential"] -.-> | May Deceive | T1134["Access Token Manipulation"] ; class DecoyUserCredential DefensiveTechniqueNode; class AccessToken ArtifactNode; click DecoyUserCredential href "/technique/d3f:DecoyUserCredential"; ProcessSpawnAnalysis["Process Spawn Analysis"] --> | analyzes | CreateProcess["Create Process"]; ProcessSpawnAnalysis["Process Spawn Analysis"] -.-> | May Detect | T1134["Access Token Manipulation"] ; class ProcessSpawnAnalysis DefensiveTechniqueNode; class CreateProcess ArtifactNode; click ProcessSpawnAnalysis href "/technique/d3f:ProcessSpawnAnalysis"; SystemCallAnalysis["System Call Analysis"] --> | analyzes | CreateProcess["Create Process"]; SystemCallAnalysis["System Call Analysis"] -.-> | May Detect | T1134["Access Token Manipulation"] ; class SystemCallAnalysis DefensiveTechniqueNode; class CreateProcess ArtifactNode; click SystemCallAnalysis href "/technique/d3f:SystemCallAnalysis"; CredentialCompromiseScopeAnalysis["Credential Compromise Scope Analysis"] --> | analyzes | AccessToken["Access Token"]; CredentialCompromiseScopeAnalysis["Credential Compromise Scope Analysis"] -.-> | May Detect | T1134["Access Token Manipulation"] ; class CredentialCompromiseScopeAnalysis DefensiveTechniqueNode; class AccessToken ArtifactNode; click CredentialCompromiseScopeAnalysis href "/technique/d3f:CredentialCompromiseScopeAnalysis"; CredentialRevoking["Credential Revoking"] --> | deletes | AccessToken["Access Token"]; CredentialRevoking["Credential Revoking"] -.-> | May Evict | T1134["Access Token Manipulation"] ; class CredentialRevoking DefensiveTechniqueNode; class AccessToken ArtifactNode; click CredentialRevoking href "/technique/d3f:CredentialRevoking"; AuthenticationCacheInvalidation["Authentication Cache Invalidation"] --> | deletes | AccessToken["Access Token"]; AuthenticationCacheInvalidation["Authentication Cache Invalidation"] -.-> | May Evict | T1134["Access Token Manipulation"] ; class AuthenticationCacheInvalidation DefensiveTechniqueNode; class AccessToken ArtifactNode; click AuthenticationCacheInvalidation href "/technique/d3f:AuthenticationCacheInvalidation"; CredentialTransmissionScoping["Credential Transmission Scoping"] --> | restricts | AccessToken["Access Token"]; CredentialTransmissionScoping["Credential Transmission Scoping"] -.-> | May Harden | T1134["Access Token Manipulation"] ; class CredentialTransmissionScoping DefensiveTechniqueNode; class AccessToken ArtifactNode; click CredentialTransmissionScoping href "/technique/d3f:CredentialTransmissionScoping"; CredentialRotation["Credential Rotation"] --> | regenerates | AccessToken["Access Token"]; CredentialRotation["Credential Rotation"] -.-> | May Harden | T1134["Access Token Manipulation"] ; class CredentialRotation DefensiveTechniqueNode; class AccessToken ArtifactNode; click CredentialRotation href "/technique/d3f:CredentialRotation"; Hardware-basedProcessIsolation["Hardware-based Process Isolation"] --> | restricts | CreateProcess["Create Process"]; Hardware-basedProcessIsolation["Hardware-based Process Isolation"] -.-> | May Isolate | T1134["Access Token Manipulation"] ; class Hardware-basedProcessIsolation DefensiveTechniqueNode; class CreateProcess ArtifactNode; click Hardware-basedProcessIsolation href "/technique/d3f:Hardware-basedProcessIsolation"; ExecutableAllowlisting["Executable Allowlisting"] --> | restricts | CreateProcess["Create Process"]; ExecutableAllowlisting["Executable Allowlisting"] -.-> | May Isolate | T1134["Access Token Manipulation"] ; class ExecutableAllowlisting DefensiveTechniqueNode; class CreateProcess ArtifactNode; click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting"; ExecutableDenylisting["Executable Denylisting"] --> | restricts | CreateProcess["Create Process"]; ExecutableDenylisting["Executable Denylisting"] -.-> | May Isolate | T1134["Access Token Manipulation"] ; class ExecutableDenylisting DefensiveTechniqueNode; class CreateProcess ArtifactNode; click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting"; ReissueCredential["Reissue Credential"] --> | restores | AccessToken["Access Token"]; ReissueCredential["Reissue Credential"] -.-> | May Restore | T1134["Access Token Manipulation"] ; class ReissueCredential DefensiveTechniqueNode; class AccessToken ArtifactNode; click ReissueCredential href "/technique/d3f:ReissueCredential"; RestoreConfiguration["Restore Configuration"] --> | restores | AccessControlConfiguration["Access Control Configuration"]; RestoreConfiguration["Restore Configuration"] -.-> | May Restore | T1134["Access Token Manipulation"] ; class RestoreConfiguration DefensiveTechniqueNode; class AccessControlConfiguration ArtifactNode; click RestoreConfiguration href "/technique/d3f:RestoreConfiguration"; SystemCallFiltering["System Call Filtering"] --> | filters | CreateProcess["Create Process"]; SystemCallFiltering["System Call Filtering"] -.-> | May Isolate | T1134["Access Token Manipulation"] ; class SystemCallFiltering DefensiveTechniqueNode; class CreateProcess ArtifactNode; click SystemCallFiltering href "/technique/d3f:SystemCallFiltering"; MandatoryAccessControl["Mandatory Access Control"] --> | restricts | CreateProcess["Create Process"]; MandatoryAccessControl["Mandatory Access Control"] -.-> | May Isolate | T1134["Access Token Manipulation"] ; class MandatoryAccessControl DefensiveTechniqueNode; class CreateProcess ArtifactNode; click MandatoryAccessControl href "/technique/d3f:MandatoryAccessControl";