Detections
Analytics
Access Token Manipulation: Token Impersonation/Theft (Windows)
Description
Adversaries may duplicate then impersonate another user's token to escalate privileges and bypass access controls. An adversary can create a new access token that duplicates an existing token using DuplicateToken(Ex).
Products, Sensors, and Dependencies
| Product | Dependencies | Data source | Access required | Protocol | Data Collected | Notes |
|---|---|---|---|---|---|---|
| Tenable.io | Advanced Network Scan | Windows machines | Authenticated Scan | SMB | Interactive logins | Plugin ID: 161502 |
| Tenable.io | Advanced Network Scan | Windows machines | Authenticated Scan | WMI | Active session | Plugin ID: 92373 |
References
Microsoft Windows SMB Sessions
Windows Create token object - Ensure 'Create a token object' is set to 'No One'
Attack Path Technique Details
Framework: MITRE ATT&CK
Family: Defense Evasion, Privilege Escalation
Technique: Access Token Manipulation
Sub-Technique: Impersonation/Theft
Platform: Windows
Products Required: Tenable.io
Tenable Release Date: 2022 Q2