Access Token Manipulation: Token Impersonation/Theft

Adversaries may duplicate then impersonate another user's token to escalate privileges and bypass access controls. An adversary can create a new access token that duplicates an existing token using DuplicateToken(Ex). The token can then be used with ImpersonateLoggedOnUser to allow the calling thread to impersonate a logged on user's security context, or with SetThreadToken to assign the impersonated token to a thread.

An adversary may do this when they have a specific, existing process they want to assign the new token to. For example, this may be useful when the target user has a non-network logon session on the system.

ID: T1134.001
Sub-technique of: T1134
Platforms: Windows
Data Sources: Command: Command Execution, Process: OS API Execution
Defense Bypassed: File system access controls, System access controls, Windows User Account Control
Version: 1.0
Created: 18 February 2020
Last Modified: 26 March 2020

Procedure Examples

ID Name Description
G0007 APT28

APT28 has used CVE-2015-1701 to access the SYSTEM token and copy it into the current process as part of privilege escalation.[1]

S0456 Aria-body

Aria-body has the ability to duplicate a token from ntprint.exe.[2]

S0570 BitPaymer

BitPaymer can use the tokens of users to create processes on infected systems.[3]

S0154 Cobalt Strike

Cobalt Strike can steal access tokens from existing processes.[4]

S0182 FinFisher

FinFisher uses token manipulation with NtFilterToken as part of UAC bypass.[5][6]

S0439 Okrum

Okrum can impersonate a logged-on user's security context using a call to the ImpersonateLoggedOnUser API.[7]

S0192 Pupy

Pupy can obtain a list of SIDs and provide the option for selecting process tokens to impersonate.[8]

S0496 REvil

REvil can obtain the token from the user that launched the explorer.exe process to avoid affecting the desktop of the SYSTEM user.[9]

S0140 Shamoon

Shamoon can impersonate tokens using LogonUser, ImpersonateLoggedOnUser, and ImpersonateNamedPipeClient.[10]


Mitigations

ID Mitigation Description
M1026 Privileged Account Management

Limit permissions so that users and user groups cannot create tokens. This setting should be defined for the local system account only. GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create a token object. [11] Also define who can create a process level token to only the local and network service through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Replace a process level token.[12]

Administrators should log in as a standard user but run their tools with administrator privileges using the built-in access token manipulation command runas.[13]
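The two user rights named above can be checked without opening the Group Policy editor by exporting the effective local policy with secedit /export /cfg and reading the [Privilege Rights] section. The following script is an added example written for this page, not ATT&CK or Microsoft code; the INF text it parses is a constructed sample in the secedit export format (the expected-holder lists, the SEDEBUG entry and the misconfigured Administrators grant are this example's own assumptions).

```python
"""Audit an exported local security policy for the two user rights named in
mitigation M1026: "Create a token object" (SeCreateTokenPrivilege) and
"Replace a process level token" (SeAssignPrimaryTokenPrivilege).

Input is the INF text written by `secedit /export /cfg <file>`; SAMPLE_EXPORT
below is a constructed stand-in in that format, not a real export."""
from typing import Dict, List, Set

# Expected holders per the mitigation text: only Local System may create
# tokens; only Local Service and Network Service may replace a process-level
# token. Well-known SIDs: S-1-5-18 SYSTEM, S-1-5-19 LOCAL SERVICE,
# S-1-5-20 NETWORK SERVICE, S-1-5-32-544 BUILTIN\Administrators.
EXPECTED: Dict[str, Set[str]] = {
    "SeCreateTokenPrivilege": {"S-1-5-18"},
    "SeAssignPrimaryTokenPrivilege": {"S-1-5-19", "S-1-5-20"},
}
WELL_KNOWN = {
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
    "S-1-5-32-544": "BUILTIN\\Administrators",
}

# Constructed sample: Administrators have (wrongly) been granted the right to
# create token objects, which the audit should flag.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 14
[Privilege Rights]
SeCreateTokenPrivilege = *S-1-5-18,*S-1-5-32-544
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
SeDebugPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(inf_text: str) -> Dict[str, List[str]]:
    """Return {right_name: [holder SIDs]} from the [Privilege Rights] section.

    secedit writes each holder as *<SID>; the leading '*' is stripped here.
    """
    rights: Dict[str, List[str]] = {}
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):            # section header
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        holders = [h.strip().lstrip("*") for h in value.split(",") if h.strip()]
        rights[name.strip()] = holders
    return rights


def audit_user_rights(inf_text: str) -> Dict[str, List[str]]:
    """Return {right_name: [unexpected holder SIDs]} for rights held by any
    principal outside EXPECTED. A right absent from the export is held by
    no one and therefore raises no finding."""
    rights = parse_privilege_rights(inf_text)
    findings: Dict[str, List[str]] = {}
    for right, allowed in EXPECTED.items():
        extra = [sid for sid in rights.get(right, []) if sid not in allowed]
        if extra:
            findings[right] = extra
    return findings


def report(inf_text: str) -> List[str]:
    """Human-readable finding lines, resolving well-known SIDs to names."""
    lines = []
    for right, extra in audit_user_rights(inf_text).items():
        names = ", ".join(WELL_KNOWN.get(sid, sid) for sid in extra)
        lines.append(f"{right}: unexpected holders {names}")
    return lines


if __name__ == "__main__":
    # On a real host: secedit /export /cfg C:\temp\policy.inf, then read the
    # file (secedit typically writes UTF-16, so use encoding="utf-16") and
    # pass its contents to report().
    for line in report(SAMPLE_EXPORT) or ["no findings"]:
        print(line)
```

The audit treats an absent right as "held by nobody", which is the secure default for SeCreateTokenPrivilege; only extra holders beyond the two policy lines quoted above produce a finding.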

M1018 User Account Management

An adversary must already have administrator level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require.


Detection

If an adversary is using a standard command-line shell, analysts can detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command. Detailed command-line logging is not enabled by default in Windows.[14]

Analysts can also monitor for use of Windows APIs such as DuplicateToken(Ex), ImpersonateLoggedOnUser, and SetThreadToken and correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators.
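The two detection ideas above (runas in command lines, and token API calls correlated with other behaviour) can be expressed as a small rule set over process-creation and API telemetry. The script below is an added example written for this page, not ATT&CK code or any vendor's rule: the JSON-lines telemetry is constructed, the "security" records stand in for Security event 4688 with command-line logging enabled, the "api" records stand in for API-call telemetry as an EDR sensor or ETW consumer might emit it, and the field names, the benign-image list and the 60-second correlation window are this example's own assumptions.

```python
"""Detection sketch for T1134.001: flag `runas` in process-creation command
lines and correlate token-manipulation API calls with follow-on behaviour.

SAMPLE_TELEMETRY is constructed, not real. "security" records stand for
Windows Security event 4688 with command-line logging enabled; "api" records
stand for API-call telemetry as an EDR sensor or ETW consumer might emit it.
The field names are this example's own, not any product's schema."""
import json
import re
from collections import defaultdict
from typing import Dict, List

TOKEN_APIS = {"DuplicateToken", "DuplicateTokenEx",
              "ImpersonateLoggedOnUser", "SetThreadToken"}
# Service hosts that impersonate clients as a matter of course; a lone
# impersonation call from these is treated as benign noise (assumed list).
BENIGN_IMAGES = {r"c:\windows\system32\svchost.exe",
                 r"c:\windows\system32\services.exe"}
RUNAS_RE = re.compile(r"\brunas(\.exe)?\b", re.IGNORECASE)
WINDOW = 60  # seconds between first token API call and a spawned child

# Constructed sample telemetry (JSON lines). Backslashes are JSON-escaped.
SAMPLE_TELEMETRY = r"""
{"ts": 100, "src": "security", "event_id": 4688, "pid": 4120, "parent_pid": 3000, "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c runas /user:CORP\\admin cmd.exe"}
{"ts": 130, "src": "api", "pid": 5100, "user": "CORP\\jdoe", "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\upd.exe", "api": "DuplicateTokenEx"}
{"ts": 131, "src": "api", "pid": 5100, "user": "CORP\\jdoe", "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\upd.exe", "api": "ImpersonateLoggedOnUser"}
{"ts": 140, "src": "security", "event_id": 4688, "pid": 5180, "parent_pid": 5100, "user": "NT AUTHORITY\\SYSTEM", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe"}
{"ts": 300, "src": "api", "pid": 900, "user": "NT AUTHORITY\\SYSTEM", "image": "C:\\Windows\\System32\\svchost.exe", "api": "ImpersonateLoggedOnUser"}
{"ts": 400, "src": "api", "pid": 920, "user": "NT AUTHORITY\\SYSTEM", "image": "C:\\Windows\\System32\\svchost.exe", "api": "SetThreadToken"}
"""


def load(jsonl: str) -> List[Dict]:
    """Parse JSON lines, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def detect(jsonl: str) -> List[Dict]:
    """Return alerts for runas usage and for correlated token manipulation."""
    events = load(jsonl)
    alerts: List[Dict] = []
    api_calls: Dict[int, List[Dict]] = defaultdict(list)  # pid -> API events
    children: Dict[int, List[Dict]] = defaultdict(list)   # parent pid -> 4688s

    for ev in events:
        if ev["src"] == "security" and ev.get("event_id") == 4688:
            # Rule 1: runas on the command line (needs command-line logging).
            if RUNAS_RE.search(ev.get("cmdline", "")):
                alerts.append({"rule": "runas-command", "pid": ev["pid"],
                               "user": ev["user"], "cmdline": ev["cmdline"]})
            children[ev.get("parent_pid")].append(ev)
        elif ev["src"] == "api" and ev.get("api") in TOKEN_APIS:
            api_calls[ev["pid"]].append(ev)

    # Rule 2: token API calls, correlated per process with a child process
    # created inside the window; lone calls from service hosts are suppressed.
    for pid, calls in api_calls.items():
        image = calls[0]["image"].lower()
        user = calls[0]["user"]
        apis = sorted({c["api"] for c in calls})
        first = min(c["ts"] for c in calls)
        spawned = [c for c in children[pid] if first <= c["ts"] <= first + WINDOW]
        if image in BENIGN_IMAGES and not spawned:
            continue  # routine impersonation by a service host
        if len(apis) >= 2 or spawned:
            alerts.append({
                "rule": "token-impersonation", "pid": pid,
                "image": calls[0]["image"], "user": user, "apis": apis,
                "spawned": len(spawned),
                # A child running under a different account than the caller
                # is what a successful impersonation or theft looks like.
                "user_change": any(c["user"] != user for c in spawned),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_TELEMETRY):
        print(json.dumps(alert))
```

In the sample, the two svchost.exe processes each make a single impersonation call and spawn nothing, so they are dropped as benign noise, while the process in the user's Temp directory is alerted on because it both duplicates and impersonates a token and then starts a child running as SYSTEM. Tuning the benign-image list and the window against your own baseline is what keeps the second rule's false-positive rate acceptable.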