Access Token Manipulation: Token Impersonation/Theft

Adversaries may duplicate then impersonate another user's token to escalate privileges and bypass access controls. An adversary can create a new access token that duplicates an existing token using DuplicateToken(Ex). The token can then be used with ImpersonateLoggedOnUser to allow the calling thread to impersonate a logged on user's security context, or with SetThreadToken to assign the impersonated token to a thread.

An adversary may do this when they have a specific, existing process they want to assign the new token to. For example, this may be useful for when the target user has a non-network logon session on the system.

ID: T1134.001
Sub-technique of:  T1134
Platforms: Windows
Data Sources: Command: Command Execution, Process: OS API Execution
Defense Bypassed: File system access controls, System access controls, Windows User Account Control
Version: 1.0
Created: 18 February 2020
Last Modified: 26 March 2020

Procedure Examples

ID Name Description
G0007 APT28

APT28 has used CVE-2015-1701 to access the SYSTEM token and copy it into the current process as part of privilege escalation.[1]

S0456 Aria-body

Aria-body has the ability to duplicate a token from ntprint.exe.[2]

S0570 BitPaymer

BitPaymer can use the tokens of users to create processes on infected systems.[3]

S0154 Cobalt Strike

Cobalt Strike can steal access tokens from exiting processes.[4]

S0182 FinFisher

FinFisher uses token manipulation with NtFilterToken as part of UAC bypass.[5][6]

S0439 Okrum

Okrum can impersonate a logged-on user's security context using a call to the ImpersonateLoggedOnUser API.[7]

S0192 Pupy

Pupy can obtain a list of SIDs and provide the option for selecting process tokens to impersonate.[8]

S0496 REvil

REvil can obtain the token from the user that launched the explorer.exe process to avoid affecting the desktop of the SYSTEM user.[9]

S0140 Shamoon

Shamoon can impersonate tokens using LogonUser, ImpersonateLoggedOnUser, and ImpersonateNamedPipeClient.[10]

Mitigations

ID Mitigation Description
M1026 Privileged Account Management

Limit permissions so that users and user groups cannot create tokens. This setting should be defined for the local system account only. GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create a token object. [11] Also define who can create a process level token to only the local and network service through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Replace a process level token.[12]

Administrators should log in as a standard user but run their tools with administrator privileges using the built-in access token manipulation command runas.[13]

M1018 User Account Management

An adversary must already have administrator level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require.

Detection

If an adversary is using a standard command-line shell, analysts can detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command. Detailed command-line logging is not enabled by default in Windows.[14]

Analysts can also monitor for use of Windows APIs such as DuplicateToken(Ex), ImpersonateLoggedOnUser , and SetThreadToken and correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators.

References