Access Token Manipulation: Token Impersonation/Theft, Sub-technique T1134.001 - Enterprise

<!DOCTYPE html> <html lang='en'> <head> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-62667723-1"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-62667723-1'); </script> <meta name="google-site-verification" content="2oJKLqNN62z6AOCb0A0IXGtbQuj-lev5YPAHFF_cbHQ"/> <meta charset='utf-8'> <meta name='viewport' content='width=device-width, initial-scale=1,shrink-to-fit=no'> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <link rel='shortcut icon' href="/versions/v16/theme/favicon.ico" type='image/x-icon'> <title>Access Token Manipulation: Token Impersonation/Theft, Sub-technique T1134.001 - Enterprise | MITRE ATT&CK®</title>   <link rel='stylesheet' href="/versions/v16/theme/style/bootstrap.min.css" /> <link rel='stylesheet' href="/versions/v16/theme/style/bootstrap-tourist.css" /> <link rel='stylesheet' href="/versions/v16/theme/style/bootstrap-select.min.css" />  <link rel="stylesheet" href="/versions/v16/theme/style/fontawesome-6.5.1/css/fontawesome.min.css"/> <link rel="stylesheet" href="/versions/v16/theme/style/fontawesome-6.5.1/css/brands.min.css"/> <link rel="stylesheet" href="/versions/v16/theme/style/fontawesome-6.5.1/css/solid.min.css"/> <link rel="stylesheet" type="text/css" href="/versions/v16/theme/style.min.css?6689c2db"> </head> <body> <div class="container-fluid attack-website-wrapper d-flex flex-column h-100"> <div class="row sticky-top flex-grow-0 flex-shrink-1">  <header class="col px-0"> <nav class='navbar navbar-expand-lg navbar-dark position-static'> <a class='navbar-brand' href="/versions/v16/"><img src="/versions/v16/theme/images/mitre_attack_logo.png" class="attack-logo"></a> <button class='navbar-toggler' type='button' data-toggle='collapse' data-target='#navbarCollapse' aria-controls='navbarCollapse' aria-expanded='false' aria-label='Toggle navigation'> <span class='navbar-toggler-icon'></span> </button> <div class='collapse navbar-collapse' id='navbarCollapse'> <ul class='nav nav-tabs ml-auto'> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v16/matrices/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Matrices</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v16/matrices/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v16/matrices/mobile/">Mobile</a> <a class="dropdown-item" href="/versions/v16/matrices/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v16/tactics/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Tactics</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v16/tactics/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v16/tactics/mobile/">Mobile</a> <a class="dropdown-item" href="/versions/v16/tactics/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v16/techniques/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Techniques</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v16/techniques/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v16/techniques/mobile/">Mobile</a> <a class="dropdown-item" href="/versions/v16/techniques/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v16/datasources" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Defenses</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v16/datasources">Data Sources</a> <div class="dropright dropdown"> <a class="dropdown-item dropdown-toggle" href="/versions/v16/mitigations/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Mitigations</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v16/mitigations/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v16/mitigations/mobile/">Mobile</a> <a class="dropdown-item" href="/versions/v16/mitigations/ics/">ICS</a> </div> </div> <a class="dropdown-item" href="/versions/v16/assets">Assets</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v16/groups" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>CTI</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v16/groups">Groups</a> <a class="dropdown-item" href="/versions/v16/software">Software</a> <a class="dropdown-item" href="/versions/v16/campaigns">Campaigns</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v16/resources/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Resources</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v16/resources/">Get Started</a> <a class="dropdown-item" href="/versions/v16/resources/learn-more-about-attack/">Learn More about ATT&CK</a> <a class="dropdown-item" href="/versions/v16/resources/attackcon/">ATT&CKcon</a> <a class="dropdown-item" href="/versions/v16/resources/attack-data-and-tools/">ATT&CK Data & Tools</a> <a class="dropdown-item" href="/versions/v16/resources/faq/">FAQ</a> <a class="dropdown-item" href="/versions/v16/resources/engage-with-attack/contact/">Engage with ATT&CK</a> <a class="dropdown-item" href="/resources/versions/">Version History</a> <a class="dropdown-item" href="/versions/v16/resources/legal-and-branding/">Legal & Branding</a> </div> </li> <li class="nav-item"> <a href="/versions/v16/resources/engage-with-attack/benefactors/" class="nav-link" ><b>Benefactors</b></a> </li> <li class="nav-item"> <a href="https://medium.com/mitre-attack/" target="_blank" class="nav-link"> <b>Blog</b>  <img src="/versions/v16/theme/images/external-site.svg" alt="External site" class="external-icon" /> </a> </li> <li class="nav-item"> <button id="search-button" class="btn search-button">Search <div id="search-icon" class="icon-button search-icon"></div></button> </li> </ul> </div> </nav> </header> </div> <div class="row flex-grow-0 flex-shrink-1">  <div class="col px-0">  <div class="container-fluid version-banner"><div class="icon-inline baseline mr-1"><img src="/versions/v16/theme/images/icon-warning-24px.svg"></div>Currently viewing <a href="https://github.com/mitre/cti/releases/tag/ATT%26CK-v16.1" target="_blank">ATT&CK v16.1</a> which is the current version of ATT&CK. <a href="/resources/versions/">Learn more about the versioning system</a> or <a href="/">see the live site</a>.</div> <div class="container-fluid d-none"> ATT&CKcon 6.0 returns October 14-15, 2025 in McLean, VA. More details about tickets and our CFP can be found <a href='https://na.eventscloud.com/attackcon6'>here</a> </div> </div> </div> <div class="row flex-grow-1 flex-shrink-0">   <div class="sidebar nav sticky-top flex-column pr-0 pt-4 pb-3 pl-3" id="v-tab" role="tablist" aria-orientation="vertical"> <div class="resizer" id="resizer"></div>  <div id="sidebars"></div>  </div> <div class="tab-content col-xl-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <ol class="breadcrumb"> <li class="breadcrumb-item"><a href="/versions/v16/">Home</a></li> <li class="breadcrumb-item"><a href="/versions/v16/techniques/enterprise">Techniques</a></li> <li class="breadcrumb-item"><a href="/versions/v16/techniques/enterprise">Enterprise</a></li> <li class="breadcrumb-item"><a href="/versions/v16/techniques/T1134">Access Token Manipulation</a></li> <li class="breadcrumb-item">Token Impersonation/Theft</li> </ol> <div class="tab-pane fade show active" id="v-" role="tabpanel" aria-labelledby="v--tab"></div> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <h1 id=""> <span id="subtechnique-parent-name">Access Token Manipulation:</span> Token Impersonation/Theft </h1> <div class="row"> <div class="col-md-8">  <div class="card-block pb-2"> <div class="card"> <div class="card-header collapsed" id="subtechniques-card-header" data-toggle="collapse" data-target="#subtechniques-card-body" aria-expanded="false" aria-controls="subtechniques-card-body"> <h5 class="mb-0" id ="sub-techniques">Other sub-techniques of Access Token Manipulation (5)</h5> </div> <div id="subtechniques-card-body" class="card-body p-0 collapse" aria-labelledby="subtechniques-card-header"> <table class="table table-bordered"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Name</th> </tr> </thead> <tbody> <tr> <td class="active"> T1134.001 </td> <td class="active"> Token Impersonation/Theft </td> </tr> <tr> <td> <a href="/versions/v16/techniques/T1134/002/" class="subtechnique-table-item" data-subtechnique_id="T1134.002"> T1134.002 </a> </td> <td> <a href="/versions/v16/techniques/T1134/002/" class="subtechnique-table-item" data-subtechnique_id="T1134.002"> Create Process with Token </a> </td> </tr> <tr> <td> <a href="/versions/v16/techniques/T1134/003/" class="subtechnique-table-item" data-subtechnique_id="T1134.003"> T1134.003 </a> </td> <td> <a href="/versions/v16/techniques/T1134/003/" class="subtechnique-table-item" data-subtechnique_id="T1134.003"> Make and Impersonate Token </a> </td> </tr> <tr> <td> <a href="/versions/v16/techniques/T1134/004/" class="subtechnique-table-item" data-subtechnique_id="T1134.004"> T1134.004 </a> </td> <td> <a href="/versions/v16/techniques/T1134/004/" class="subtechnique-table-item" data-subtechnique_id="T1134.004"> Parent PID Spoofing </a> </td> </tr> <tr> <td> <a href="/versions/v16/techniques/T1134/005/" class="subtechnique-table-item" data-subtechnique_id="T1134.005"> T1134.005 </a> </td> <td> <a href="/versions/v16/techniques/T1134/005/" class="subtechnique-table-item" data-subtechnique_id="T1134.005"> SID-History Injection </a> </td> </tr> </tbody> </table> </div> </div> </div>  <div class="description-body"> <p>Adversaries may duplicate then impersonate another user's existing token to escalate privileges and bypass access controls. For example, an adversary can duplicate an existing token using <code>DuplicateToken</code> or <code>DuplicateTokenEx</code>.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Microsoft. (2021, October 12). DuplicateToken function (securitybaseapi.h). Retrieved January 8, 2024."data-reference="DuplicateToken function"><sup><a href="https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-duplicatetoken" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span> The token can then be used with <code>ImpersonateLoggedOnUser</code> to allow the calling thread to impersonate a logged on user's security context, or with <code>SetThreadToken</code> to assign the impersonated token to a thread.</p><p>An adversary may perform <a href="/versions/v16/techniques/T1134/001">Token Impersonation/Theft</a> when they have a specific, existing process they want to assign the duplicated token to. For example, this may be useful for when the target user has a non-network logon session on the system.</p><p>When an adversary would instead use a duplicated token to create a new process rather than attaching to an existing process, they can additionally <a href="/versions/v16/techniques/T1134/002">Create Process with Token</a> using <code>CreateProcessWithTokenW</code> or <code>CreateProcessAsUserW</code>. <a href="/versions/v16/techniques/T1134/001">Token Impersonation/Theft</a> is also distinct from <a href="/versions/v16/techniques/T1134/003">Make and Impersonate Token</a> in that it refers to duplicating an existing token, rather than creating a new one.</p> </div> </div> <div class="col-md-4"> <div class="card"> <div class="card-body"> <div class="row card-data" id="card-id"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">ID: </span>T1134.001 </div> </div>  <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Sub-technique of: </span> <a href="/versions/v16/techniques/T1134">T1134</a> </div> </div>  <div id="card-tactics" class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The tactic objectives that the (sub-)technique can be used to accomplish">ⓘ</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Tactics:</span> <a href="/versions/v16/tactics/TA0005">Defense Evasion</a>, <a href="/versions/v16/tactics/TA0004">Privilege Escalation</a> </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The system an adversary is operating within; could be an operating system or application">ⓘ</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Platforms: </span>Windows </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="If the (sub-)technique can be used to bypass or evade a particular defensive tool, methodology, or process">ⓘ</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Defense Bypassed: </span>File system access controls, System access controls, Windows User Account Control </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Contributors: </span>Jonny Johnson </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Version: </span>1.2 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Created: </span>18 February 2020 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Last Modified: </span>10 January 2024 </div> </div> </div> </div> <div class="text-center pt-2 version-button permalink"> <div class="live"> <a data-toggle="tooltip" data-placement="bottom" title="Permalink to this version of T1134.001" href="/versions/v16/techniques/T1134/001/" data-test-ignore="true">Version Permalink</a> </div> <div class="permalink"> <a data-toggle="tooltip" data-placement="bottom" title="Go to the live version of T1134.001" href="/techniques/T1134/001/" data-test-ignore="true">Live Version</a> </div> </div> </div> </div> <h2 class="pt-3" id ="examples">Procedure Examples</h2> <div class="tables-mobile"> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Name</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> <a href="/versions/v16/groups/G0007"> G0007 </a> </td> <td> <a href="/versions/v16/groups/G0007"> APT28 </a> </td> <td> <p><a href="/versions/v16/groups/G0007">APT28</a> has used CVE-2015-1701 to access the SYSTEM token and copy it into the current process as part of privilege escalation.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="FireEye Labs. (2015, April 18). Operation RussianDoll: Adobe & Windows Zero-Day Exploits Likely Leveraged by Russia’s APT28 in Highly-Targeted Attack. Retrieved April 24, 2017."data-reference="FireEye Op RussianDoll"><sup><a href="https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0456"> S0456 </a> </td> <td> <a href="/versions/v16/software/S0456"> Aria-body </a> </td> <td> <p><a href="/versions/v16/software/S0456">Aria-body</a> has the ability to duplicate a token from ntprint.exe.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020."data-reference="CheckPoint Naikon May 2020"><sup><a href="https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S1081"> S1081 </a> </td> <td> <a href="/versions/v16/software/S1081"> BADHATCH </a> </td> <td> <p><a href="/versions/v16/software/S1081">BADHATCH</a> can impersonate a <code>lsass.exe</code> or <code>vmtoolsd.exe</code> token.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Vrabie, V., et al. (2021, March 10). FIN8 Returns with Improved BADHATCH Toolkit. Retrieved September 8, 2021."data-reference="BitDefender BADHATCH Mar 2021"><sup><a href="https://www.bitdefender.com/files/News/CaseStudies/study/394/Bitdefender-PR-Whitepaper-BADHATCH-creat5237-en-EN.pdf" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0570"> S0570 </a> </td> <td> <a href="/versions/v16/software/S0570"> BitPaymer </a> </td> <td> <p><a href="/versions/v16/software/S0570">BitPaymer</a> can use the tokens of users to create processes on infected systems.<span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021."data-reference="Crowdstrike Indrik November 2018"><sup><a href="https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0154"> S0154 </a> </td> <td> <a href="/versions/v16/software/S0154"> Cobalt Strike </a> </td> <td> <p><a href="/versions/v16/software/S0154">Cobalt Strike</a> can steal access tokens from exiting processes.<span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017."data-reference="cobaltstrike manual"><sup><a href="https://web.archive.org/web/20210825130434/https://cobaltstrike.com/downloads/csmanual38.pdf" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span><span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021."data-reference="Cobalt Strike Manual 4.3 November 2020"><sup><a href="https://web.archive.org/web/20210708035426/https://www.cobaltstrike.com/downloads/csmanual43.pdf" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0367"> S0367 </a> </td> <td> <a href="/versions/v16/software/S0367"> Emotet </a> </td> <td> <p><a href="/versions/v16/software/S0367">Emotet</a> has the ability to duplicate the user’s token.<span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" title="Binary Defense. (n.d.). Emotet Evolves With new Wi-Fi Spreader. Retrieved September 8, 2023."data-reference="Binary Defense Emotes Wi-Fi Spreader"><sup><a href="https://www.binarydefense.com/resources/blog/emotet-evolves-with-new-wi-fi-spreader/" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a></sup></span> For example, <a href="/versions/v16/software/S0367">Emotet</a> may use a variant of Google’s ProtoBuf to send messages that specify how code will be executed.<span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" title="Office of Information Security, Health Sector Cybersecurity Coordination Center. (2023, November 16). Emotet Malware: The Enduring and Persistent Threat to the Health Sector. Retrieved June 19, 2024."data-reference="emotet_hc3_nov2023"><sup><a href="https://www.hhs.gov/sites/default/files/emotet-the-enduring-and-persistent-threat-to-the-hph-tlpclear.pdf" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0061"> G0061 </a> </td> <td> <a href="/versions/v16/groups/G0061"> FIN8 </a> </td> <td> <p><a href="/versions/v16/groups/G0061">FIN8</a> has used a malicious framework designed to impersonate the lsass.exe/vmtoolsd.exe token.<span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Martin Zugec. (2021, July 27). Deep Dive Into a FIN8 Attack - A Forensic Investigation. Retrieved September 1, 2021."data-reference="Bitdefender FIN8 July 2021"><sup><a href="https://businessinsights.bitdefender.com/deep-dive-into-a-fin8-attack-a-forensic-investigation" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span><span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="Symantec Threat Hunter Team. (2023, July 18). FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware. Retrieved August 9, 2023."data-reference="Symantec FIN8 Jul 2023"><sup><a href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/syssphinx-fin8-backdoor" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0182"> S0182 </a> </td> <td> <a href="/versions/v16/software/S0182"> FinFisher </a> </td> <td> <p><a href="/versions/v16/software/S0182">FinFisher</a> uses token manipulation with NtFilterToken as part of UAC bypass.<span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="FinFisher. (n.d.). Retrieved September 12, 2024."data-reference="FinFisher Citation"><sup><a href="https://web.archive.org/web/20171222050934/http://www.finfisher.com/FinFisher/index.html" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span><span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018."data-reference="Microsoft FinFisher March 2018"><sup><a href="https://cloudblogs.microsoft.com/microsoftsecure/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/campaigns/C0038"> C0038 </a> </td> <td> <a href="/versions/v16/campaigns/C0038"> HomeLand Justice </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0038">HomeLand Justice</a>, threat actors used custom tooling to acquire tokens using <code>ImpersonateLoggedOnUser/SetThreadToken</code>.<span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="MSTIC. (2022, September 8). Microsoft investigates Iranian attacks against the Albanian government. Retrieved August 6, 2024."data-reference="Microsoft Albanian Government Attacks September 2022"><sup><a href="https://www.microsoft.com/en-us/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0439"> S0439 </a> </td> <td> <a href="/versions/v16/software/S0439"> Okrum </a> </td> <td> <p><a href="/versions/v16/software/S0439">Okrum</a> can impersonate a logged-on user's security context using a call to the ImpersonateLoggedOnUser API.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020."data-reference="ESET Okrum July 2019"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0192"> S0192 </a> </td> <td> <a href="/versions/v16/software/S0192"> Pupy </a> </td> <td> <p><a href="/versions/v16/software/S0192">Pupy</a> can obtain a list of SIDs and provide the option for selecting process tokens to impersonate.<span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" title="Nicolas Verdier. (n.d.). Retrieved January 29, 2018."data-reference="GitHub Pupy"><sup><a href="https://github.com/n1nj4sec/pupy" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0496"> S0496 </a> </td> <td> <a href="/versions/v16/software/S0496"> REvil </a> </td> <td> <p><a href="/versions/v16/software/S0496">REvil</a> can obtain the token from the user that launched the explorer.exe process to avoid affecting the desktop of the SYSTEM user.<span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us. Retrieved August 4, 2020."data-reference="McAfee Sodinokibi October 2019"><sup><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0140"> S0140 </a> </td> <td> <a href="/versions/v16/software/S0140"> Shamoon </a> </td> <td> <p><a href="/versions/v16/software/S0140">Shamoon</a> can impersonate tokens using <code>LogonUser</code>, <code>ImpersonateLoggedOnUser</code>, and <code>ImpersonateNamedPipeClient</code>.<span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Mundo, A., Roccia, T., Saavedra-Morales, J., Beek, C.. (2018, December 14). Shamoon Returns to Wipe Systems in Middle East, Europe . Retrieved May 29, 2020."data-reference="McAfee Shamoon December 2018"><sup><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shamoon-returns-to-wipe-systems-in-middle-east-europe/" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0692"> S0692 </a> </td> <td> <a href="/versions/v16/software/S0692"> SILENTTRINITY </a> </td> <td> <p><a href="/versions/v16/software/S0692">SILENTTRINITY</a> can find a process owned by a specific user and impersonate the associated token.<span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022."data-reference="GitHub SILENTTRINITY Modules July 2019"><sup><a href="https://github.com/byt3bl33d3r/SILENTTRINITY/tree/master/silenttrinity/core/teamserver/modules/boo" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0623"> S0623 </a> </td> <td> <a href="/versions/v16/software/S0623"> Siloscape </a> </td> <td> <p><a href="/versions/v16/software/S0623">Siloscape</a> impersonates the main thread of <code>CExecSvc.exe</code> by calling <code>NtImpersonateThread</code>.<span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" title="Prizmant, D. (2021, June 7). Siloscape: First Known Malware Targeting Windows Containers to Compromise Cloud Environments. Retrieved June 9, 2021."data-reference="Unit 42 Siloscape Jun 2021"><sup><a href="https://unit42.paloaltonetworks.com/siloscape/" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0603"> S0603 </a> </td> <td> <a href="/versions/v16/software/S0603"> Stuxnet </a> </td> <td> <p><a href="/versions/v16/software/S0603">Stuxnet</a> attempts to impersonate an anonymous token to enumerate bindings in the service control manager.<span onclick=scrollToRef('scite-21') id="scite-ref-21-a" class="scite-citeref-number" title="Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 "data-reference="Nicolas Falliere, Liam O Murchu, Eric Chien February 2011"><sup><a href="https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" target="_blank" data-hasqtip="20" aria-describedby="qtip-20">[21]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S1011"> S1011 </a> </td> <td> <a href="/versions/v16/software/S1011"> Tarrask </a> </td> <td> <p><a href="/versions/v16/software/S1011">Tarrask</a> leverages token theft to obtain <code>lsass.exe</code> security permissions.<span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Microsoft Threat Intelligence Team & Detection and Response Team . (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion. Retrieved June 1, 2022."data-reference="Tarrask scheduled task"><sup><a href="https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span> </p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id ="mitigations">Mitigations</h2> <div class="tables-mobile"> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Mitigation</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> <a href="/versions/v16/mitigations/M1026"> M1026 </a> </td> <td> <a href="/versions/v16/mitigations/M1026"> Privileged Account Management </a> </td> <td> <p>Limit permissions so that users and user groups cannot create tokens. This setting should be defined for the local system account only. GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create a token object. <span onclick=scrollToRef('scite-23') id="scite-ref-23-a" class="scite-citeref-number" title="Brower, N., Lich, B. (2017, April 19). Create a token object. Retrieved December 19, 2017."data-reference="Microsoft Create Token"><sup><a href="https://docs.microsoft.com/windows/device-security/security-policy-settings/create-a-token-object" target="_blank" data-hasqtip="22" aria-describedby="qtip-22">[23]</a></sup></span> Also define who can create a process level token to only the local and network service through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Replace a process level token.<span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" title="Brower, N., Lich, B. (2017, April 19). Replace a process level token. Retrieved December 19, 2017."data-reference="Microsoft Replace Process Token"><sup><a href="https://docs.microsoft.com/windows/device-security/security-policy-settings/replace-a-process-level-token" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a></sup></span></p><p>Administrators should log in as a standard user but run their tools with administrator privileges using the built-in access token manipulation command <code>runas</code>.<span onclick=scrollToRef('scite-25') id="scite-ref-25-a" class="scite-citeref-number" title="Microsoft TechNet. (n.d.). Runas. Retrieved April 21, 2017."data-reference="Microsoft runas"><sup><a href="https://technet.microsoft.com/en-us/library/bb490994.aspx" target="_blank" data-hasqtip="24" aria-describedby="qtip-24">[25]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/mitigations/M1018"> M1018 </a> </td> <td> <a href="/versions/v16/mitigations/M1018"> User Account Management </a> </td> <td> <p>An adversary must already have administrator level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require. </p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="detection">Detection</h2> <div class="tables-mobile"> <table class="table datasources-table table-bordered"> <thead> <tr> <th class="p-2" scope="col">ID</th> <th class="p-2 nowrap" scope="col">Data Source</th> <th class="p-2 nowrap" scope="col">Data Component</th> <th class="p-2" scope="col">Detects</th> </tr> </thead> <tbody> <tr class="datasource" id="uses-DS0017"> <td> <a href="/versions/v16/datasources/DS0017">DS0017</a> </td> <td class="nowrap"> <a href="/versions/v16/datasources/DS0017">Command</a> </td>  <td> <a href="/datasources/DS0017/#Command%20Execution">Command Execution</a> </td> <td> <p>Monitor executed commands and arguments to detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command. Detailed command-line logging is not enabled by default in Windows.<span onclick=scrollToRef('scite-26') id="scite-ref-26-a" class="scite-citeref-number" title="Mathers, B. (2017, March 7). Command line process auditing. Retrieved April 21, 2017."data-reference="Microsoft Command-line Logging"><sup><a href="https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing" target="_blank" data-hasqtip="25" aria-describedby="qtip-25">[26]</a></sup></span></p> </td> </tr> <tr class="datasource" id="uses-DS0009"> <td> <a href="/versions/v16/datasources/DS0009">DS0009</a> </td> <td class="nowrap"> <a href="/versions/v16/datasources/DS0009">Process</a> </td>  <td> <a href="/datasources/DS0009/#OS%20API%20Execution">OS API Execution</a> </td> <td> <p>Monitor for API calls associated with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators, such as DuplicateToken(Ex), ImpersonateLoggedOnUser , and SetThreadToken. </p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="references">References</h2> <div class="row"> <div class="col"> <ol> <li> <span id="scite-1" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-1" href="https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-duplicatetoken" target="_blank"> Microsoft. (2021, October 12). DuplicateToken function (securitybaseapi.h). Retrieved January 8, 2024. </a> </span> </span> </li> <li> <span id="scite-2" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-2" href="https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html" target="_blank"> FireEye Labs. (2015, April 18). Operation RussianDoll: Adobe & Windows Zero-Day Exploits Likely Leveraged by Russia’s APT28 in Highly-Targeted Attack. Retrieved April 24, 2017. </a> </span> </span> </li> <li> <span id="scite-3" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-3" href="https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/" target="_blank"> CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020. </a> </span> </span> </li> <li> <span id="scite-4" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-4" href="https://www.bitdefender.com/files/News/CaseStudies/study/394/Bitdefender-PR-Whitepaper-BADHATCH-creat5237-en-EN.pdf" target="_blank"> Vrabie, V., et al. (2021, March 10). FIN8 Returns with Improved BADHATCH Toolkit. Retrieved September 8, 2021. </a> </span> </span> </li> <li> <span id="scite-5" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-5" href="https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/" target="_blank"> Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021. </a> </span> </span> </li> <li> <span id="scite-6" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-6" href="https://web.archive.org/web/20210825130434/https://cobaltstrike.com/downloads/csmanual38.pdf" target="_blank"> Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017. </a> </span> </span> </li> <li> <span id="scite-7" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-7" href="https://web.archive.org/web/20210708035426/https://www.cobaltstrike.com/downloads/csmanual43.pdf" target="_blank"> Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021. </a> </span> </span> </li> <li> <span id="scite-8" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-8" href="https://www.binarydefense.com/resources/blog/emotet-evolves-with-new-wi-fi-spreader/" target="_blank"> Binary Defense. (n.d.). Emotet Evolves With new Wi-Fi Spreader. Retrieved September 8, 2023. </a> </span> </span> </li> <li> <span id="scite-9" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-9" href="https://www.hhs.gov/sites/default/files/emotet-the-enduring-and-persistent-threat-to-the-hph-tlpclear.pdf" target="_blank"> Office of Information Security, Health Sector Cybersecurity Coordination Center. (2023, November 16). Emotet Malware: The Enduring and Persistent Threat to the Health Sector. Retrieved June 19, 2024. </a> </span> </span> </li> <li> <span id="scite-10" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-10" href="https://businessinsights.bitdefender.com/deep-dive-into-a-fin8-attack-a-forensic-investigation" target="_blank"> Martin Zugec. (2021, July 27). Deep Dive Into a FIN8 Attack - A Forensic Investigation. Retrieved September 1, 2021. </a> </span> </span> </li> <li> <span id="scite-11" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-11" href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/syssphinx-fin8-backdoor" target="_blank"> Symantec Threat Hunter Team. (2023, July 18). FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware. Retrieved August 9, 2023. </a> </span> </span> </li> <li> <span id="scite-12" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-12" href="https://web.archive.org/web/20171222050934/http://www.finfisher.com/FinFisher/index.html" target="_blank"> FinFisher. (n.d.). Retrieved September 12, 2024. </a> </span> </span> </li> <li> <span id="scite-13" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-13" href="https://cloudblogs.microsoft.com/microsoftsecure/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/" target="_blank"> Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018. </a> </span> </span> </li> </ol> </div> <div class="col"> <ol start="14.0"> <li> <span id="scite-14" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-14" href="https://www.microsoft.com/en-us/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/" target="_blank"> MSTIC. (2022, September 8). Microsoft investigates Iranian attacks against the Albanian government. Retrieved August 6, 2024. </a> </span> </span> </li> <li> <span id="scite-15" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-15" href="https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf" target="_blank"> Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020. </a> </span> </span> </li> <li> <span id="scite-16" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-16" href="https://github.com/n1nj4sec/pupy" target="_blank"> Nicolas Verdier. (n.d.). Retrieved January 29, 2018. </a> </span> </span> </li> <li> <span id="scite-17" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-17" href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/" target="_blank"> McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us. Retrieved August 4, 2020. </a> </span> </span> </li> <li> <span id="scite-18" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-18" href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shamoon-returns-to-wipe-systems-in-middle-east-europe/" target="_blank"> Mundo, A., Roccia, T., Saavedra-Morales, J., Beek, C.. (2018, December 14). Shamoon Returns to Wipe Systems in Middle East, Europe . Retrieved May 29, 2020. </a> </span> </span> </li> <li> <span id="scite-19" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-19" href="https://github.com/byt3bl33d3r/SILENTTRINITY/tree/master/silenttrinity/core/teamserver/modules/boo" target="_blank"> Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022. </a> </span> </span> </li> <li> <span id="scite-20" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-20" href="https://unit42.paloaltonetworks.com/siloscape/" target="_blank"> Prizmant, D. (2021, June 7). Siloscape: First Known Malware Targeting Windows Containers to Compromise Cloud Environments. Retrieved June 9, 2021. </a> </span> </span> </li> <li> <span id="scite-21" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-21" href="https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" target="_blank"> Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 </a> </span> </span> </li> <li> <span id="scite-22" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-22" href="https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/" target="_blank"> Microsoft Threat Intelligence Team & Detection and Response Team . (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion. Retrieved June 1, 2022. </a> </span> </span> </li> <li> <span id="scite-23" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-23" href="https://docs.microsoft.com/windows/device-security/security-policy-settings/create-a-token-object" target="_blank"> Brower, N., Lich, B. (2017, April 19). Create a token object. Retrieved December 19, 2017. </a> </span> </span> </li> <li> <span id="scite-24" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-24" href="https://docs.microsoft.com/windows/device-security/security-policy-settings/replace-a-process-level-token" target="_blank"> Brower, N., Lich, B. (2017, April 19). Replace a process level token. Retrieved December 19, 2017. </a> </span> </span> </li> <li> <span id="scite-25" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-25" href="https://technet.microsoft.com/en-us/library/bb490994.aspx" target="_blank"> Microsoft TechNet. (n.d.). Runas. Retrieved April 21, 2017. </a> </span> </span> </li> <li> <span id="scite-26" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-26" href="https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing" target="_blank"> Mathers, B. (2017, March 7). Command line process auditing. Retrieved April 21, 2017. </a> </span> </span> </li> </ol> </div> </div> </div> </div> </div> </div> </div> </div>   <div class="overlay search" id="search-overlay" style="display: none;"> <div class="overlay-inner">  <div class="search-header"> <div class="search-input"> <input type="text" id="search-input" placeholder="search"> </div> <div class="search-icons"> <div class="search-parsing-icon spinner-border" style="display: none" id="search-parsing-icon"></div> <div class="close-search-icon" id="close-search-icon">×</div> </div> </div>  <div id="search-body" class="search-body"> <div class="results" id="search-results">  </div> <div id="load-more-results" class="load-more-results"> <button class="btn btn-default" id="load-more-results-button">load more results</button> </div> </div> </div> </div> </div> <div class="row flex-grow-0 flex-shrink-1">  <footer class="col footer"> <div class="container-fluid"> <div class="row row-footer"> <div class="col-2 col-sm-2 col-md-2"> <div class="footer-center-responsive my-auto"> <a href="https://www.mitre.org" target="_blank" rel="noopener" aria-label="MITRE"> <img src="/versions/v16/theme/images/mitrelogowhiteontrans.gif" class="mitre-logo-wtrans"> </a> </div> </div> <div class="col-2 col-sm-2 footer-responsive-break"></div> <div class="footer-link-group"> <div class="row row-footer"> <div class="px-3 col-footer"> <u class="footer-link"><a href="/versions/v16/resources/engage-with-attack/contact" class="footer-link">Contact Us</a></u> </div> <div class="px-3 col-footer"> <u class="footer-link"><a href="/versions/v16/resources/legal-and-branding/terms-of-use" class="footer-link">Terms of Use</a></u> </div> <div class="px-3 col-footer"> <u class="footer-link"><a href="/versions/v16/resources/legal-and-branding/privacy" class="footer-link">Privacy Policy</a></u> </div> <div class="px-3"> <u class="footer-link"><a href="/versions/v16/resources/changelog.html" class="footer-link" data-toggle="tooltip" data-placement="top" data-html="true" title="ATT&CK content v16.1Website v4.2.1">Website Changelog</a></u> </div> </div> <div class="row"> <small class="px-3"> © 2015 - 2024, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. </small> </div> </div> <div class="w-100 p-2 footer-responsive-break"></div> <div class="col pr-4"> <div class="footer-float-right-responsive-brand"> <div class="row row-footer row-footer-icon"> <div class="mb-1"> <a href="https://twitter.com/MITREattack" class="btn btn-footer"> <i class="fa-brands fa-x-twitter fa-lg"></i> </a> <a href="https://github.com/mitre-attack" class="btn btn-footer"> <i class="fa-brands fa-github fa-lg"></i> </a> </div> </div> </div> </div> </div> </div> </div> </footer> </div> </div>  </div>  <script src="/versions/v16/theme/scripts/jquery-3.5.1.min.js"></script> <script src="/versions/v16/theme/scripts/popper.min.js"></script> <script src="/versions/v16/theme/scripts/bootstrap-select.min.js"></script> <script src="/versions/v16/theme/scripts/bootstrap.bundle.min.js"></script> <script src="/versions/v16/theme/scripts/site.js"></script> <script src="/versions/v16/theme/scripts/settings.js"></script> <script src="/versions/v16/theme/scripts/search_bundle.js"></script>  <script src="/versions/v16/theme/scripts/resizer.js"></script>  <script src="/versions/v16/theme/scripts/bootstrap-tourist.js"></script> <script src="/versions/v16/theme/scripts/settings.js"></script> <script src="/versions/v16/theme/scripts/tour/tour-subtechniques.js"></script> <script src="/versions/v16/theme/scripts/sidebar-load-all.js"></script> </body> </html>

CINXE.COM

Access Token Manipulation: Token Impersonation/Theft, Sub-technique T1134.001 - Enterprise | MITRE ATT&CK®