- Tactics
- stealth , Privilege Escalation
- Platforms
- Windows
- Reference
- attack.mitre.org/techniques/T1134.003
Description
Adversaries may make new tokens and impersonate users to escalate privileges and bypass access controls. For example, if an adversary has a username and password but the user is not logged onto the system the adversary can then create a logon session for the user using the LogonUser function.(Citation: LogonUserW function) The function will return a copy of the new session’s access token and the adversary can use SetThreadToken to assign the token to a thread.
This behavior is distinct from Token Impersonation/Theft in that this refers to creating a new user token instead of stealing or duplicating an existing one.
How GTK Cyber trains on this
GTK Cyber's Threat Hunting with Data Science course teaches you to build machine-learning detections for techniques like this across the MITRE ATT&CK framework, including the stealth, Privilege Escalation tactic this technique falls under. Practitioner-led, focused on real detections, not memorizing technique IDs.
Related techniques
- T1006 — Direct Volume Access
- T1014 — Rootkit
- T1027 — Obfuscated Files or Information
- T1036 — Masquerading
- T1037 — Boot or Logon Initialization Scripts
- T1053 — Scheduled Task/Job
- T1055 — Process Injection
- T1068 — Exploitation for Privilege Escalation
- T1070 — Indicator Removal
- T1078 — Valid Accounts
- T1098 — Account Manipulation
- T1127 — Trusted Developer Utilities Proxy Execution