T1134.003 Make and Impersonate Token
Adversaries may make new tokens and impersonate users to escalate privileges and bypass access controls. For example, if an adversary has a username and password but the user is not logged onto the system, the adversary can create a logon session for that user with the LogonUser function. The function returns a copy of the new session's access token, and the adversary can then use SetThreadToken to assign that token to a thread.
This behavior is distinct from Token Impersonation/Theft in that this refers to creating a new user token instead of stealing or duplicating an existing one.
| Item | Value |
|---|---|
| ID | T1134.003 |
| Sub-techniques | T1134.001, T1134.002, T1134.003, T1134.004, T1134.005 |
| Tactics | TA0005, TA0004 |
| Platforms | Windows |
| Permissions required | Administrator, User |
| Version | 1.1 |
| Created | 18 February 2020 |
| Last Modified | 11 April 2023 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S0154 | Cobalt Strike | Cobalt Strike can make tokens from known credentials. [6] |
| S1060 | Mafalda | Mafalda can create a token for a different user. [5] |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1026 | Privileged Account Management | Limit permissions so that users and user groups cannot create tokens. This setting should be defined for the local system account only. GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create a token object. [2] Also restrict who can create a process-level token to the Local Service and Network Service accounts only, via GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Replace a process level token. [3] |
| M1018 | User Account Management | An adversary must already have administrator level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require. |
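The two user rights named in M1026 are exposed on a Windows host by `secedit /export /cfg <file>`, whose `[Privilege Rights]` section lists each privilege with the SIDs holding it. The following audit script is an added example, not MITRE's or Microsoft's code: it parses that section and reports any principal holding "Create a token object" (SeCreateTokenPrivilege) other than Local System, or "Replace a process level token" (SeAssignPrimaryTokenPrivilege) other than Local Service and Network Service. The SAMPLE_EXPORT text is constructed to stand in for a real export.

```python
"""Audit the two user rights named in mitigation M1026 from a secedit export.

Added example (not MITRE's or Microsoft's code). On Windows, the command
`secedit /export /cfg <file>` writes a UTF-16 INI-style file whose
[Privilege Rights] section lists each privilege with the SIDs that hold it.
SAMPLE_EXPORT below is a constructed stand-in for such a file.
"""
import sys
from typing import Dict, List, Set

# Well-known SIDs: S-1-5-18 Local System, S-1-5-19 Local Service, S-1-5-20 Network Service.
# The mitigation allows "Create a token object" for Local System only and
# "Replace a process level token" for Local Service and Network Service only.
POLICY: Dict[str, Set[str]] = {
    "SeCreateTokenPrivilege": {"*S-1-5-18"},                      # Create a token object
    "SeAssignPrimaryTokenPrivilege": {"*S-1-5-19", "*S-1-5-20"},  # Replace a process level token
}

# Constructed sample: one extra domain account (placeholder SID) holds SeCreateTokenPrivilege.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeCreateTokenPrivilege = *S-1-5-18,*S-1-5-21-1111111111-2222222222-3333333333-1001
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
SeDebugPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(text: str) -> Dict[str, List[str]]:
    """Return {privilege: [principal, ...]} from the [Privilege Rights] section."""
    rights: Dict[str, List[str]] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        rights[name.strip()] = [p.strip() for p in value.split(",") if p.strip()]
    return rights


def find_violations(rights: Dict[str, List[str]], policy=POLICY) -> Dict[str, List[str]]:
    """Principals holding a policed right that the mitigation does not allow.

    A privilege absent from the export is held by nobody, which is compliant.
    """
    violations: Dict[str, List[str]] = {}
    for privilege, allowed in policy.items():
        extra = set(rights.get(privilege, [])) - allowed
        if extra:
            violations[privilege] = sorted(extra)
    return violations


def load_export(path: str) -> str:
    """Read a real secedit export, which is written as UTF-16 with a BOM."""
    with open(path, encoding="utf-16") as fh:
        return fh.read()


if __name__ == "__main__":
    text = load_export(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_EXPORT
    for privilege, extra in find_violations(parse_privilege_rights(text)).items():
        print(f"{privilege}: unexpected holders {', '.join(extra)}")
```

Run it with the path of a real export as the first argument to audit a host; with no argument it evaluates the constructed sample and reports the extra holder of SeCreateTokenPrivilege. Because the export contains SIDs rather than names, resolve any unexpected SID before deciding whether the assignment is a deliberate exception or a drift from the GPO.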
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0017 | Command | Command Execution |
| DS0009 | Process | OS API Execution |
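The two data components above map to two concrete signals: process-creation records with command-line auditing enabled [1] that launch runas.exe, which starts a process under a new logon session for the named user [4], and API telemetry in which LogonUser is followed by SetThreadToken in the same process, the sequence the description gives. The detector below is an added example, not MITRE's or any product's code; the JSON record layout and all sample records are constructed for it.

```python
"""Toy detector for T1134.003 over constructed telemetry.

Added example, not MITRE's or any product's code. It exercises the two data
components in the Detection table:
  * Command Execution: process-creation records (event 4688 style, which needs
    command-line process auditing enabled) that launch runas.exe, the built-in
    way to start a process under a new logon session for another user.
  * OS API Execution: per-process API telemetry, as an EDR sensor might emit,
    where LogonUser is followed by SetThreadToken in the same process.
The record layout (type/pid/image/cmdline/api/user) is this example's own.
"""
import json
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample: one runas launch, one process that makes a token and
# impersonates it, and one process that only calls LogonUser (no alert).
TELEMETRY: List[str] = [json.dumps(r) for r in [
    {"type": "process_create", "pid": 4120, "user": "CORP\\alice",
     "image": "C:\\Windows\\System32\\runas.exe",
     "cmdline": "runas /user:CORP\\svc_backup \"cmd.exe\""},
    {"type": "process_create", "pid": 4188, "user": "CORP\\alice",
     "image": "C:\\Users\\alice\\Downloads\\update.exe", "cmdline": "update.exe"},
    {"type": "api_call", "pid": 4188, "user": "CORP\\alice", "api": "LogonUser"},
    {"type": "api_call", "pid": 4188, "user": "CORP\\alice", "api": "SetThreadToken"},
    {"type": "api_call", "pid": 4300, "user": "NT AUTHORITY\\SYSTEM", "api": "LogonUser"},
]]

Alert = Tuple[str, int, str]  # (rule, pid, detail)


def detect(lines: List[str]) -> List[Alert]:
    """Scan JSON telemetry lines in order and return alerts for both signals."""
    alerts: List[Alert] = []
    image_by_pid: Dict[int, str] = {}
    apis_by_pid: Dict[int, Set[str]] = defaultdict(set)
    for line in lines:
        rec = json.loads(line)
        pid = rec["pid"]
        if rec["type"] == "process_create":
            image_by_pid[pid] = rec["image"]
            # Command Execution: runas.exe creates a new logon session for /user.
            if rec["image"].lower().endswith("\\runas.exe"):
                alerts.append(("runas_new_logon", pid, rec["cmdline"]))
        elif rec["type"] == "api_call":
            seen = apis_by_pid[pid]
            # OS API Execution: LogonUser then SetThreadToken in one process is
            # the make-and-impersonate sequence the technique describes.
            if rec["api"] == "SetThreadToken" and "LogonUser" in seen and "alerted" not in seen:
                seen.add("alerted")  # one alert per process
                alerts.append(("make_and_impersonate_token", pid,
                               image_by_pid.get(pid, "<unknown image>")))
            seen.add(rec["api"])
    return alerts


if __name__ == "__main__":
    for rule, pid, detail in detect(TELEMETRY):
        print(f"{rule}\tpid={pid}\t{detail}")
```

Both rules are noisy on their own: administrators use runas legitimately, and service hosts and credential-aware tools call LogonUser followed by impersonation as part of normal operation. The image path and user carried in each alert are there so the rule can be baselined per process image and account, which is where the triage value lies; the ordering check (SetThreadToken only counts after LogonUser in the same process) is what separates this sub-technique from token theft, which impersonates an existing token without a new logon.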
References
1. Mathers, B. (2017, March 7). Command line process auditing. Retrieved April 21, 2017.
2. Brower, N., Lich, B. (2017, April 19). Create a token object. Retrieved December 19, 2017.
3. Brower, N., Lich, B. (2017, April 19). Replace a process level token. Retrieved December 19, 2017.
4. Microsoft TechNet. (n.d.). Runas. Retrieved April 21, 2017.
5. SentinelLabs. (2022, September 22). Metador Technical Appendix. Retrieved April 4, 2023.
6. Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.