Access Token Manipulation: Token Impersonation/Theft

Adversaries may duplicate then impersonate another user's existing token to escalate privileges and bypass access controls. For example, an adversary can duplicate an existing token using DuplicateToken or DuplicateTokenEx. The token can then be used with ImpersonateLoggedOnUser to allow the calling thread to impersonate a logged on user's security context, or with SetThreadToken to assign the impersonated token to a thread.

An adversary may perform Token Impersonation/Theft when they have a specific, existing process they want to assign the duplicated token to. For example, this may be useful for when the target user has a non-network logon session on the system.

When an adversary would instead use a duplicated token to create a new process rather than attaching to an existing process, they can additionally Create Process with Token using CreateProcessWithTokenW or CreateProcessAsUserW. Token Impersonation/Theft is also distinct from Make and Impersonate Token in that it refers to duplicating an existing token, rather than creating a new one.

ID: T1134.001
Sub-technique of:  T1134
Platforms: Windows
Defense Bypassed: File system access controls, System access controls, Windows User Account Control
Contributors: Jonny Johnson
Version: 1.2
Created: 18 February 2020
Last Modified: 29 September 2023

Procedure Examples

ID Name Description
G0007 APT28

APT28 has used CVE-2015-1701 to access the SYSTEM token and copy it into the current process as part of privilege escalation.[1]

S0456 Aria-body

Aria-body has the ability to duplicate a token from ntprint.exe.[2]

S1081 BADHATCH

BADHATCH can impersonate a lsass.exe or vmtoolsd.exe token.[3]

S0570 BitPaymer

BitPaymer can use the tokens of users to create processes on infected systems.[4]

S0154 Cobalt Strike

Cobalt Strike can steal access tokens from exiting processes.[5][6]

S0367 Emotet

Emotet has the ability to duplicate the user’s token.[7]

G0061 FIN8

FIN8 has used a malicious framework designed to impersonate the lsass.exe/vmtoolsd.exe token.[8][9]

S0182 FinFisher

FinFisher uses token manipulation with NtFilterToken as part of UAC bypass.[10][11]

S0439 Okrum

Okrum can impersonate a logged-on user's security context using a call to the ImpersonateLoggedOnUser API.[12]

S0192 Pupy

Pupy can obtain a list of SIDs and provide the option for selecting process tokens to impersonate.[13]

S0496 REvil

REvil can obtain the token from the user that launched the explorer.exe process to avoid affecting the desktop of the SYSTEM user.[14]

S0140 Shamoon

Shamoon can impersonate tokens using LogonUser, ImpersonateLoggedOnUser, and ImpersonateNamedPipeClient.[15]

S0692 SILENTTRINITY

SILENTTRINITY can find a process owned by a specific user and impersonate the associated token.[16]

S0623 Siloscape

Siloscape impersonates the main thread of CExecSvc.exe by calling NtImpersonateThread.[17]

S0603 Stuxnet

Stuxnet attempts to impersonate an anonymous token to enumerate bindings in the service control manager.[18]

S1011 Tarrask

Tarrask leverages token theft to obtain lsass.exe security permissions.[19]

Mitigations

ID Mitigation Description
M1026 Privileged Account Management

Limit permissions so that users and user groups cannot create tokens. This setting should be defined for the local system account only. GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create a token object. [20] Also define who can create a process level token to only the local and network service through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Replace a process level token.[21]

Administrators should log in as a standard user but run their tools with administrator privileges using the built-in access token manipulation command runas.[22]

M1018 User Account Management

An adversary must already have administrator level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments to detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command. Detailed command-line logging is not enabled by default in Windows.[23]

DS0009 Process OS API Execution

Monitor for API calls associated with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators, such as DuplicateToken(Ex), ImpersonateLoggedOnUser , and SetThreadToken.

References