EXPLORE
Sign In
← Back to Explore
T1134.001

Token Impersonation/Theft

Adversaries may duplicate then impersonate another user's existing token to escalate privileges and bypass access controls. For example, an adversary can duplicate an existing token using `DuplicateToken` or `DuplicateTokenEx`.(Citation: DuplicateToken function) The token can then be used with `ImpersonateLoggedOnUser` to allow the calling thread to impersonate a logged on user's security context, or with `SetThreadToken` to assign the impersonated token to a thread. An adversary may perform [T...

Windows
20
Detections
3
Sources
2
Threat Actors

BY SOURCE

9sigma7elastic4splunk_escu

PROCEDURES (13)

Credential2 detections

Auto-extracted: 2 detections for credential

Remote2 detections

Auto-extracted: 2 detections for remote

Named Pipe2 detections

Auto-extracted: 2 detections for named pipe

Api2 detections

Auto-extracted: 2 detections for api

Service2 detections

Auto-extracted: 2 detections for service

General Monitoring2 detections

Auto-extracted: 2 detections for general monitoring

Token2 detections

Auto-extracted: 2 detections for token

Service1 detections

Auto-extracted: 1 detections for service

Named Pipe1 detections

Auto-extracted: 1 detections for named pipe

Privilege1 detections

Auto-extracted: 1 detections for privilege

Bypass1 detections

Auto-extracted: 1 detections for bypass

Privilege1 detections

Auto-extracted: 1 detections for privilege

Api1 detections

Auto-extracted: 1 detections for api

THREAT ACTORS (2)

APT28FIN8

DETECTIONS (20)

First Time Seen NewCredentials Logon Process
elasticmedium
HackTool - Impersonate Execution
sigmamedium
HackTool - Koh Default Named Pipe
sigmacritical
HackTool - NoFilter Execution
sigmahigh
HackTool - SharpDPAPI Execution
sigmahigh
HackTool - SharpImpersonation Execution
sigmahigh
Meterpreter or Cobalt Strike Getsystem Service Installation - Security
sigmahigh
Meterpreter or Cobalt Strike Getsystem Service Installation - System
sigmahigh
Permission Theft - Detected - Elastic Endgame
elastichigh
Permission Theft - Prevented - Elastic Endgame
elasticmedium
Potential Access Token Abuse
sigmamedium
Potential Meterpreter/CobaltStrike Activity
sigmahigh
PowerShell Script with Token Impersonation Capabilities
elasticmedium
Privilege Escalation via Named Pipe Impersonation
elastichigh
Privilege Escalation via Rogue Named Pipe Impersonation
elastichigh
Process Created with a Duplicated Token
elasticmedium
Runas Execution in CommandLine
splunk_escu
Windows Access Token Manipulation Winlogon Duplicate Token Handle
splunk_escu
Windows Access Token Winlogon Duplicate Handle In Uncommon Path
splunk_escu
Windows Handle Duplication in Known UAC-Bypass Binaries
splunk_escu