T1134.003

Make and Impersonate Token

Adversaries may make new tokens and impersonate users to escalate privileges and bypass access controls. For example, if an adversary has a username and password but the user is not logged onto the system, the adversary can create a logon session for the user using the `LogonUser` function.(Citation: LogonUserW function) The function returns a copy of the new session's access token, and the adversary can use `SetThreadToken` to assign the token to a thread. This behavior is distinct from...

Platform: Windows
5 Detections, 2 Sources, 2 Threat Actors

BY SOURCE

sigma: 3
elastic: 2

PROCEDURES (3)

Remote: 2 detections

Auto-extracted: 2 detections for remote

Credential: 2 detections

Auto-extracted: 2 detections for credential

Process Creation Monitoring: 1 detection

Auto-extracted: 1 detection for process creation monitoring

THREAT ACTORS (2)

DETECTIONS (5)