
T1134.001 Token Impersonation/Theft

Adversaries may duplicate then impersonate another user’s token to escalate privileges and bypass access controls. An adversary can create a new access token that duplicates an existing token using DuplicateToken(Ex). The token can then be used with ImpersonateLoggedOnUser to allow the calling thread to impersonate a logged-on user’s security context, or with SetThreadToken to assign the impersonated token to a thread.

An adversary may do this when they have a specific, existing process they want to assign the new token to. For example, this may be useful when the target user has a non-network logon session on the system.

Item Value
ID T1134.001
Sub-techniques T1134.001, T1134.002, T1134.003, T1134.004, T1134.005
Tactics TA0005, TA0004
Platforms Windows
Version 1.0
Created 18 February 2020
Last Modified 26 March 2020

Procedure Examples

ID Name Description
G0007 APT28 APT28 has used CVE-2015-1701 to access the SYSTEM token and copy it into the current process as part of privilege escalation.[18]
S0456 Aria-body Aria-body has the ability to duplicate a token from ntprint.exe.[13]
S0570 BitPaymer BitPaymer can use the tokens of users to create processes on infected systems.[12]
S0154 Cobalt Strike Cobalt Strike can steal access tokens from existing processes.[16][17]
G0061 FIN8 FIN8 has used a malicious framework designed to impersonate the lsass.exe/vmtoolsd.exe token.[19]
S0182 FinFisher FinFisher uses token manipulation with NtFilterToken as part of UAC bypass.[9][10]
S0439 Okrum Okrum can impersonate a logged-on user’s security context using a call to the ImpersonateLoggedOnUser API.[7]
S0192 Pupy Pupy can obtain a list of SIDs and provide the option for selecting process tokens to impersonate.[6]
S0496 REvil REvil can obtain the token from the user that launched the explorer.exe process to avoid affecting the desktop of the SYSTEM user.[14]
S0140 Shamoon Shamoon can impersonate tokens using LogonUser, ImpersonateLoggedOnUser, and ImpersonateNamedPipeClient.[15]
S0692 SILENTTRINITY SILENTTRINITY can find a process owned by a specific user and impersonate the associated token.[5]
S0623 Siloscape Siloscape impersonates the main thread of CExecSvc.exe by calling NtImpersonateThread.[8]
S0603 Stuxnet Stuxnet attempts to impersonate an anonymous token to enumerate bindings in the service control manager.[11]

Mitigations

ID Mitigation Description
M1026 Privileged Account Management Limit permissions so that users and user groups cannot create tokens. This setting should be defined for the local system account only. GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create a token object.[2] Also restrict who can replace a process-level token to the local service and network service accounts only, through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Replace a process level token.[3]
M1018 User Account Management An adversary must already have administrator-level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require.
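The two user rights named in M1026 correspond to the privilege constants SeCreateTokenPrivilege ("Create a token object") and SeAssignPrimaryTokenPrivilege ("Replace a process level token"). The script below is an added example, not MITRE ATT&CK's code or a Microsoft tool: it audits an exported local security policy for those two rights and reports any principal outside the allowlist the mitigation describes. On a real host the input would come from `secedit /export /cfg <file>`; the template text embedded here is constructed for the example, and the allowlist (local system for the first right, LOCAL SERVICE and NETWORK SERVICE for the second) is an assumed policy you should adjust to your own baseline.

```python
"""Audit token-related user rights in a secedit-style security template.

Added example (not MITRE's or Microsoft's code). Parses the
[Privilege Rights] section that `secedit /export /cfg <file>` writes and
flags principals that hold SeCreateTokenPrivilege or
SeAssignPrimaryTokenPrivilege without being on the allowlist.
"""
from pathlib import Path

# Assumed policy, following the M1026 text: "Create a token object" for the
# local system account at most, "Replace a process level token" only for
# LOCAL SERVICE and NETWORK SERVICE. Adjust to your own baseline.
ALLOWED = {
    "SeCreateTokenPrivilege": {"S-1-5-18"},
    "SeAssignPrimaryTokenPrivilege": {"S-1-5-19", "S-1-5-20"},
}

# secedit writes SIDs with a leading '*'; some tools emit account names
# instead, so map the well-known names onto their SIDs.
NAME_TO_SID = {
    "SYSTEM": "S-1-5-18",
    "NT AUTHORITY\\SYSTEM": "S-1-5-18",
    "LOCAL SERVICE": "S-1-5-19",
    "NT AUTHORITY\\LOCAL SERVICE": "S-1-5-19",
    "NETWORK SERVICE": "S-1-5-20",
    "NT AUTHORITY\\NETWORK SERVICE": "S-1-5-20",
}

# Constructed sample export: an Administrators group SID holds the
# token-creation right and a domain user holds the primary-token right.
SAMPLE_INF = """[Unicode]
Unicode=yes
[Privilege Rights]
SeCreateTokenPrivilege = *S-1-5-32-544
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-21-1111-2222-3333-1001
SeDebugPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""


def normalize(principal: str) -> str:
    """Strip the '*' SID marker and translate well-known names to SIDs."""
    p = principal.strip().lstrip("*")
    return NAME_TO_SID.get(p.upper(), p)


def parse_privilege_rights(inf_text: str) -> dict[str, set[str]]:
    """Return {privilege name: set of SIDs} from the [Privilege Rights] section."""
    rights: dict[str, set[str]] = {}
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Privilege Rights" or "=" not in line:
            continue
        priv, _, value = line.partition("=")
        rights[priv.strip()] = {normalize(x) for x in value.split(",") if x.strip()}
    return rights


def audit(rights: dict[str, set[str]]) -> list[tuple[str, str]]:
    """List (privilege, SID) pairs that hold a right outside the allowlist.

    A right that is absent from the export is held by nobody, which passes.
    """
    findings = []
    for priv, allowed in ALLOWED.items():
        for sid in sorted(rights.get(priv, set()) - allowed):
            findings.append((priv, sid))
    return findings


def audit_export(path: str) -> list[tuple[str, str]]:
    """Audit a real secedit export; secedit writes the file as UTF-16."""
    return audit(parse_privilege_rights(Path(path).read_text(encoding="utf-16")))


if __name__ == "__main__":
    for priv, sid in audit(parse_privilege_rights(SAMPLE_INF)):
        print(f"{priv}: unexpected holder {sid}")
```

Run it as-is to see the two findings from the constructed template, or call `audit_export(r"C:\temp\secpol.inf")` against a file produced on the host; an empty list means both rights match the allowlist.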

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0009 Process OS API Execution
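The OS API Execution data component maps directly onto the call sequence in the technique description: a DuplicateToken(Ex) call followed by ImpersonateLoggedOnUser or SetThreadToken in the same process. The detector below is an added example, not MITRE ATT&CK's code or any vendor's rule: it correlates those calls per process within a short time window and suppresses processes on a path-based baseline. The log line format, the sample lines, the baseline entry for svchost.exe and the five-second window are all constructed assumptions; a real feed (EDR or ETW API telemetry) would need its own parser, and a path-based baseline is only a starting point, since the references above show legitimate binaries being impersonated.

```python
"""Correlate token duplication with impersonation calls per process.

Added example, not MITRE's code. Input lines follow a constructed format:
    <ISO-8601 timestamp> pid=<n> image="<path>" api=<ApiName>
The sample log and the baseline are constructed for this example.
"""
import re
from dataclasses import dataclass
from datetime import datetime

LINE_RE = re.compile(
    r'^(?P<ts>\S+) pid=(?P<pid>\d+) image="(?P<image>[^"]+)" api=(?P<api>\w+)$'
)

# The sequence from the technique description.
DUPLICATE_APIS = {"DuplicateToken", "DuplicateTokenEx"}
IMPERSONATE_APIS = {"ImpersonateLoggedOnUser", "SetThreadToken"}

# Assumed baseline of images that impersonate as part of normal operation
# (path-based only; tune against your own telemetry).
BASELINE = frozenset({r"c:\windows\system32\svchost.exe"})

# Constructed sample: an unsigned temp-directory binary (4120), a service
# host (812), and an application whose two calls are far apart (3004).
SAMPLE_LOG = r'''
2024-03-01T10:00:00Z pid=4120 image="C:\Users\alice\AppData\Local\Temp\update.exe" api=OpenProcessToken
2024-03-01T10:00:01Z pid=4120 image="C:\Users\alice\AppData\Local\Temp\update.exe" api=DuplicateTokenEx
2024-03-01T10:00:01Z pid=4120 image="C:\Users\alice\AppData\Local\Temp\update.exe" api=ImpersonateLoggedOnUser
2024-03-01T10:00:02Z pid=812 image="C:\Windows\System32\svchost.exe" api=DuplicateTokenEx
2024-03-01T10:00:02Z pid=812 image="C:\Windows\System32\svchost.exe" api=SetThreadToken
2024-03-01T10:00:03Z pid=3004 image="C:\Program Files\App\app.exe" api=DuplicateTokenEx
2024-03-01T10:00:30Z pid=3004 image="C:\Program Files\App\app.exe" api=SetThreadToken
'''


@dataclass
class ApiEvent:
    ts: datetime
    pid: int
    image: str
    api: str


def parse_events(lines) -> list[ApiEvent]:
    """Parse well-formed lines; anything else is skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append(ApiEvent(ts, int(m["pid"]), m["image"], m["api"]))
    return events


def correlate(events: list[ApiEvent], window_seconds: float = 5.0,
              allowlist=BASELINE) -> list[tuple[int, str, str]]:
    """Return (pid, image, api) for each duplicate-then-impersonate sequence.

    A duplicate call arms the process; the first impersonation call within
    the window fires one alert and disarms it, so a single stolen token does
    not produce an alert per impersonation.
    """
    alerts = []
    armed: dict[int, datetime] = {}
    for ev in sorted(events, key=lambda e: e.ts):  # stable for equal timestamps
        if ev.api in DUPLICATE_APIS:
            armed[ev.pid] = ev.ts
        elif ev.api in IMPERSONATE_APIS and ev.pid in armed:
            if (ev.ts - armed[ev.pid]).total_seconds() <= window_seconds:
                if ev.image.lower() not in allowlist:
                    alerts.append((ev.pid, ev.image, ev.api))
                del armed[ev.pid]
    return alerts


if __name__ == "__main__":
    for pid, image, api in correlate(parse_events(SAMPLE_LOG.splitlines())):
        print(f"pid {pid} ({image}) duplicated a token and called {api}")
```

On the constructed log only pid 4120 alerts: svchost.exe is on the baseline and app.exe's two calls fall outside the window. Widening the window or emptying the baseline surfaces the other two, which is the trade-off to tune against real telemetry.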

References

  1. Mathers, B. (2017, March 7). Command line process auditing. Retrieved April 21, 2017.
  2. Brower, N., Lich, B. (2017, April 19). Create a token object. Retrieved December 19, 2017.
  3. Brower, N., Lich, B. (2017, April 19). Replace a process level token. Retrieved December 19, 2017.
  4. Microsoft TechNet. (n.d.). Runas. Retrieved April 21, 2017.
  5. Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.
  6. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  7. Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.
  8. Prizmant, D. (2021, June 7). Siloscape: First Known Malware Targeting Windows Containers to Compromise Cloud Environments. Retrieved June 9, 2021.
  9. FinFisher. (n.d.). Retrieved December 20, 2017.
  10. Allievi, A., Flori, E. (2018, March 1). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018.
  11. Nicolas Falliere, Liam O. Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier. Retrieved December 7, 2020.
  12. Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021.
  13. CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020.
  14. McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us. Retrieved August 4, 2020.
  15. Mundo, A., Roccia, T., Saavedra-Morales, J., Beek, C. (2018, December 14). Shamoon Returns to Wipe Systems in Middle East, Europe. Retrieved May 29, 2020.
  16. Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
  17. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
  18. FireEye Labs. (2015, April 18). Operation RussianDoll: Adobe & Windows Zero-Day Exploits Likely Leveraged by Russia’s APT28 in Highly-Targeted Attack. Retrieved April 24, 2017.
  19. Martin Zugec. (2021, July 27). Deep Dive Into a FIN8 Attack - A Forensic Investigation. Retrieved September 1, 2021.
