Skip to content

T1134.001 Token Impersonation/Theft

Adversaries may duplicate then impersonate another user’s existing token to escalate privileges and bypass access controls. For example, an adversary can duplicate an existing token using DuplicateToken or DuplicateTokenEx. The token can then be used with ImpersonateLoggedOnUser to allow the calling thread to impersonate a logged on user’s security context, or with SetThreadToken to assign the impersonated token to a thread.

An adversary may perform Token Impersonation/Theft when they have a specific, existing process they want to assign the duplicated token to. For example, this may be useful for when the target user has a non-network logon session on the system.

When an adversary would instead use a duplicated token to create a new process rather than attaching to an existing process, they can additionally Create Process with Token using CreateProcessWithTokenW or CreateProcessAsUserW. Token Impersonation/Theft is also distinct from Make and Impersonate Token in that it refers to duplicating an existing token, rather than creating a new one.

Item Value
ID T1134.001
Sub-techniques T1134.001, T1134.002, T1134.003, T1134.004, T1134.005
Tactics TA0005, TA0004
Platforms Windows
Version 1.1
Created 18 February 2020
Last Modified 11 April 2023

Procedure Examples

ID Name Description
G0007 APT28 APT28 has used CVE-2015-1701 to access the SYSTEM token and copy it into the current process as part of privilege escalation.20
S0456 Aria-body Aria-body has the ability to duplicate a token from ntprint.exe.12
S0570 BitPaymer BitPaymer can use the tokens of users to create processes on infected systems.15
S0154 Cobalt Strike Cobalt Strike can steal access tokens from exiting processes.1011
G0061 FIN8 FIN8 has used a malicious framework designed to impersonate the lsass.exe/vmtoolsd.exe token.19
S0182 FinFisher FinFisher uses token manipulation with NtFilterToken as part of UAC bypass.1617
S0439 Okrum Okrum can impersonate a logged-on user’s security context using a call to the ImpersonateLoggedOnUser API.9
S0192 Pupy Pupy can obtain a list of SIDs and provide the option for selecting process tokens to impersonate.5
S0496 REvil REvil can obtain the token from the user that launched the explorer.exe process to avoid affecting the desktop of the SYSTEM user.13
S0140 Shamoon Shamoon can impersonate tokens using LogonUser, ImpersonateLoggedOnUser, and ImpersonateNamedPipeClient.8
S0692 SILENTTRINITY SILENTTRINITY can find a process owned by a specific user and impersonate the associated token.6
S0623 Siloscape Siloscape impersonates the main thread of CExecSvc.exe by calling NtImpersonateThread.7
S0603 Stuxnet Stuxnet attempts to impersonate an anonymous token to enumerate bindings in the service control manager.18
S1011 Tarrask Tarrask leverages token theft to obtain lsass.exe security permissions.14

Mitigations

ID Mitigation Description
M1026 Privileged Account Management Limit permissions so that users and user groups cannot create tokens. This setting should be defined for the local system account only. GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create a token object. 2 Also define who can create a process level token to only the local and network service through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Replace a process level token.3
M1018 User Account Management An adversary must already have administrator level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require.

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0009 Process OS API Execution

References


  1. Mathers, B. (2017, March 7). Command line process auditing. Retrieved April 21, 2017. 

  2. Brower, N., Lich, B. (2017, April 19). Create a token object. Retrieved December 19, 2017. 

  3. Brower, N., Lich, B. (2017, April 19). Replace a process level token. Retrieved December 19, 2017. 

  4. Microsoft TechNet. (n.d.). Runas. Retrieved April 21, 2017. 

  5. Nicolas Verdier. (n.d.). Retrieved January 29, 2018. 

  6. Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022. 

  7. Prizmant, D. (2021, June 7). Siloscape: First Known Malware Targeting Windows Containers to Compromise Cloud Environments. Retrieved June 9, 2021. 

  8. Mundo, A., Roccia, T., Saavedra-Morales, J., Beek, C.. (2018, December 14). Shamoon Returns to Wipe Systems in Middle East, Europe . Retrieved May 29, 2020. 

  9. Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020. 

  10. Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017. 

  11. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021. 

  12. CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020. 

  13. McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us. Retrieved August 4, 2020. 

  14. Microsoft Threat Intelligence Team & Detection and Response Team . (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion. Retrieved June 1, 2022. 

  15. Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021. 

  16. FinFisher. (n.d.). Retrieved December 20, 2017. 

  17. Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018. 

  18. Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22  

  19. Martin Zugec. (2021, July 27). Deep Dive Into a FIN8 Attack - A Forensic Investigation. Retrieved September 1, 2021. 

  20. FireEye Labs. (2015, April 18). Operation RussianDoll: Adobe & Windows Zero-Day Exploits Likely Leveraged by Russia’s APT28 in Highly-Targeted Attack. Retrieved April 24, 2017.