Access Token Manipulation: Make and Impersonate Token (T1134.003)
Tactics: Stealth, Privilege Escalation · Platforms: Windows
The interactive view maps 1 detection strategy, 2 mitigations, 2 threat groups, 3 software entries to this technique, alongside D3FEND countermeasures and data-component coverage.
Sub-technique of Access Token Manipulation (T1134).
Overview
Adversaries may make new tokens and impersonate users to escalate privileges and bypass access controls. For example, if an adversary has a username and password but the user is not logged onto the system the adversary can then create a logon session for the user using the `LogonUser` function. The function will return a copy of the new session's access token and the adversary can use `SetThreadToken` to assign the token to a thread.
This behavior is distinct from Token Impersonation/Theft in that this refers to creating a new user token instead of stealing or duplicating an existing one.