| ID | Name |
|---|---|
| T1134.001 | Token Impersonation/Theft |
| T1134.002 | Create Process with Token |
| T1134.003 | Make and Impersonate Token |
| T1134.004 | Parent PID Spoofing |
| T1134.005 | SID-History Injection |
Adversaries may make new tokens and impersonate users to escalate privileges and bypass access controls. For example, if an adversary has a username and password but the user is not logged onto the system, the adversary can create a logon session for that user with the LogonUser function.[1] The function returns a copy of the new session's access token, and the adversary can then use SetThreadToken to assign that token to a thread.
This behavior is distinct from Token Impersonation/Theft in that it refers to creating a new user token rather than stealing or duplicating an existing one.
| ID | Name | Description |
|---|---|---|
| G1043 | BlackByte | BlackByte constructed a valid authentication token following Microsoft Exchange exploitation to allow for follow-on privileged command execution.[2] |
| S0154 | Cobalt Strike | Cobalt Strike can make tokens from known credentials.[3] |
| G1016 | FIN13 | FIN13 has utilized tools such as Incognito V2 for token manipulation and impersonation.[4] |
| S1060 | Mafalda | |
| S0692 | SILENTTRINITY | SILENTTRINITY can make tokens from known credentials.[6] |
| ID | Mitigation | Description |
|---|---|---|
| M1026 | Privileged Account Management | Limit permissions so that users and user groups cannot create tokens. This setting should be defined for the local system account only. GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create a token object.[7] Also restrict who can create a process level token to only the Local Service and Network Service accounts through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Replace a process level token.[8] Administrators should log in as a standard user but run their tools with administrator privileges using the built-in access token manipulation command |
| M1018 | User Account Management | An adversary must already have administrator level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require. |
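The two User Rights Assignment settings named in M1026 correspond to the privilege constants SeCreateTokenPrivilege ("Create a token object") and SeAssignPrimaryTokenPrivilege ("Replace a process level token"). The following added example, which is not part of the ATT&CK page or any vendor tooling, audits those two rights in a security template of the kind `secedit /export /cfg <file>` produces and reports any holder outside the baseline the mitigation describes. The template text and the extra domain SID in it are constructed sample data.

```python
"""Audit of the two User Rights Assignment settings from mitigation M1026.

Reads the [Privilege Rights] section of a security template in the format that
`secedit /export /cfg <file>` produces and reports every principal holding
'Create a token object' (SeCreateTokenPrivilege) or 'Replace a process level
token' (SeAssignPrimaryTokenPrivilege) beyond the expected baseline. The
template text below is constructed sample data, not an export from a real host.
"""
from typing import Dict, List, Set

# Well-known SIDs: S-1-5-18 = LocalSystem, S-1-5-19 = LOCAL SERVICE,
# S-1-5-20 = NETWORK SERVICE.
EXPECTED_HOLDERS: Dict[str, Set[str]] = {
    "SeCreateTokenPrivilege": {"S-1-5-18"},
    "SeAssignPrimaryTokenPrivilege": {"S-1-5-19", "S-1-5-20"},
}

# Constructed secedit export fragment; the last SID on the second privilege
# line is the kind of drift this check surfaces (a domain account, made-up RID).
SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeCreateTokenPrivilege = *S-1-5-18
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeDebugPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(template: str) -> Dict[str, List[str]]:
    """Return {privilege: [SID or account name, ...]} from [Privilege Rights]."""
    rights: Dict[str, List[str]] = {}
    in_section = False
    for raw in template.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # secedit writes SIDs with a leading '*'; plain names appear without it.
        holders = [h.strip().lstrip("*") for h in value.split(",") if h.strip()]
        rights[name.strip()] = holders
    return rights


def audit_token_rights(template: str) -> Dict[str, List[str]]:
    """Return {privilege: [unexpected holders]} for the two token-related
    rights; an empty list means the setting matches the baseline. A privilege
    absent from the template is granted to nobody, which also passes."""
    rights = parse_privilege_rights(template)
    findings: Dict[str, List[str]] = {}
    for privilege, expected in EXPECTED_HOLDERS.items():
        holders = rights.get(privilege, [])
        findings[privilege] = sorted(h for h in holders if h not in expected)
    return findings


if __name__ == "__main__":
    for privilege, extra in audit_token_rights(SAMPLE_TEMPLATE).items():
        status = "OK" if not extra else "REVIEW: " + ", ".join(extra)
        print(f"{privilege}: {status}")
```

Running the audit over the sample reports SeCreateTokenPrivilege as matching the baseline and flags the domain SID on SeAssignPrimaryTokenPrivilege for review; the same function can be pointed at a real export to compare a host's effective policy against the GPO described above.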
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0498 | Behavior-chain detection for T1134.003 Make and Impersonate Token (Windows) | AN1375 | A process creates a brand-new logon session/token (LogonUser/LsaLogonUser) and then assigns/impersonates it (SetThreadToken/ImpersonateLoggedOnUser) to run actions under that freshly created security context. Chain: (1) suspicious command or script block (e.g., runas /netonly, PowerShell P/Invoke of LogonUser) → (2) ETW/API evidence of LogonUser/SetThreadToken → (3) Security 4624 New Logon (often LogonType=9 NewCredentials or 2/3 from a non-interactive parent) with no interactive desktop → (4) Sysmon EventID 1 process(es) executing with the new LogonId/SID different from the parent process → (5) optional privileged ops/lateral movement. |
A process creates a brand‑new logon session/token (LogonUser/LsaLogonUser) and then assigns/impersonates it (SetThreadToken/ImpersonateLoggedOnUser) to run actions under that freshly created security context. Chain: (1) suspicious command or script block (e.g., runas /netonly, PowerShell P/Invoke of LogonUser) → (2) ETW/API evidence of LogonUser/SetThreadToken → (3) Security 4624 New Logon (often LogonType=9 NewCredentials or 2/3 from a non‑interactive parent) with no interactive desktop → (4) sysmon 1 process(es) executing with the new LogonId/SID different from the parent process → (5) optional privileged ops/lateral movement. |