Common Information

| Field | Value |
|---|---|
| Value | Token Impersonation/Theft - T1134.001 |
| Category | Attack-Pattern |
| Type | Mitre-Attack-Pattern |
| MISP Type | Cluster |
Description: Adversaries may duplicate and then impersonate another user's existing token to escalate privileges and bypass access controls. For example, an adversary can duplicate an existing token using `DuplicateToken` or `DuplicateTokenEx`.(Citation: DuplicateToken function) The token can then be used with `ImpersonateLoggedOnUser` to allow the calling thread to impersonate a logged-on user's security context, or with `SetThreadToken` to assign the impersonated token to a thread. An adversary may perform [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) when they have a specific, existing process they want to assign the duplicated token to. For example, this may be useful when the target user has a non-network logon session on the system. When an adversary would instead use a duplicated token to create a new process rather than attaching to an existing process, they can additionally [Create Process with Token](https://attack.mitre.org/techniques/T1134/002) using `CreateProcessWithTokenW` or `CreateProcessAsUserW`. [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) is also distinct from [Make and Impersonate Token](https://attack.mitre.org/techniques/T1134/003) in that it refers to duplicating an existing token rather than creating a new one.
Related CTI reports

| Source | Published | Attributes | CTI Title |
|---|---|---|---|
| Website | 2024-06-25 | 47 | How to detect the modular RAT CSHARP-STREAMER |
| Website | 2023-12-12 | 31 | Optiv’s gTIC Prioritized Software and Services List + MITRE Tactics Part V: VMware Software and Products |
| Website | 2023-12-06 | 198 | Russia/Ukraine Update - December 2023 |
| Website | 2023-08-28 | 42 | Kaspersky Lab’s technical analysis of Lockbit v3 Builder |
| Website | 2023-08-25 | 195 | Russia/Ukraine Update - August 2023 |
| Website | 2023-08-17 | 84 | Scattered Spider: The Modus Operandi |
| Website | 2023-08-01 | 33 | The Double Extortion Group, 8Base |
| Website | 2023-05-22 | 141 | IcedID Macro Ends in Nokoyawa Ransomware - The DFIR Report |
| Website | 2023-05-10 | 7 | Making Waves: TTP Intelligence Highlights in April |
| Website | 2023-04-03 | 228 | Malicious ISO File Leads to Domain Wide Ransomware - The DFIR Report |
| Website | 2023-04-03 | 26 | ALPHV Ransomware Affiliate Targets Vulnerable Backup Installations to Gain Initial Access \| Mandiant |
| Website | 2023-03-02 | 199 | Russia/Ukraine Update - February 2023 |
| Website | 2023-02-27 | 19 | Twice around the dance floor - Elastic discovers the PIPEDANCE backdoor — Elastic Security Labs |
| Website | 2023-01-09 | 30 | Dark Web Profile: Royal Ransomware - SOCRadar |
| Website | 2022-12-20 | 133 | Russia/Ukraine Update - December 2022 |
| Website | 2022-12-08 | 76 | CISA Alert AA22-335A: Cuba Ransomware Analysis, Simulation, TTPs & IOCs |
| Website | 2022-11-29 | 132 | Russia/Ukraine Update - November 2022 |
| Website | 2022-07-20 | 120 | Securonix Threat Labs Initial Coverage Advisory: STIFF#BIZON Detection Using Securonix – New Attack Campaign Observed Possibly Linked to Konni/APT37 (North Korea) |
| Website | 2022-06-02 | 99 | To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions \| Mandiant |
| Website | 2022-06-02 | 63 | LockBit 3.0 Ransomware Unlocked |
| Website | 2022-06-02 | 29 | 8Base Ransomware: A Heavy Hitting Player |
| Website | 2022-04-28 | 128 | Tracking APT29 Phishing Campaigns \| Atlassian Trello |
| Website | 2022-04-27 | 57 | UNC2452 Merged into APT29 \| Russia-Based Espionage Group |
| Website | 2022-02-23 | 314 | (Ex)Change of Pace: UNC2596 Observed Leveraging Vulnerabilities to Deploy Cuba Ransomware \| Mandiant |
| Website | 2021-08-20 | 43 | New variant of Konni malware used in campaign targetting Russia |