T1134.003SubTechniquedefense-evasionprivilege-escalationagent-callable

T1134.003Make and Impersonate Token

Sub-technique of T1134

Platforms: Windows

ATT&CK version: 14.1

What it is

Adversaries may make new tokens and impersonate users to escalate privileges and bypass access controls. For example, if an adversary has a username and password but the user is not logged onto the system the adversary can then create a logon session for the user using the `LogonUser` function. The function will return a copy of the new session's access token and the adversary can use `SetThreadToken` to assign the token to a thread. This behavior is distinct from [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) in that this refers to creating a new user token instead of stealing or duplicating an existing one.

ATT&CK tactics· 2

Defense EvasionPrivilege Escalation

References

  1. https://attack.mitre.org/techniques/T1134/003
  2. https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing
Sourced from MITRE ATT&CK Enterprise v14.1. Curated and contextualized for EU compliance use cases by Adam Lundqvist, Founder at SQUR.