Access Token Manipulation: Token Impersonation/Theft (Windows)


Adversaries may duplicate then impersonate another user's token to escalate privileges and bypass access controls. An adversary can create a new access token that duplicates an existing token using DuplicateToken(Ex).

Products, Sensors, and Dependencies

ProductDependenciesData sourceAccess requiredProtocolData CollectedNotes
Tenable.ioAdvanced Network ScanWindows machinesAuthenticated ScanSMBInteractive loginsPlugin ID: 161502
Tenable.ioAdvanced Network ScanWindows machinesAuthenticated ScanWMIActive sessionPlugin ID: 92373


Microsoft Windows SMB Sessions

Windows Create token object  - Ensure 'Create a token object' is set to 'No One'

Attack Path Technique Details

Framework: MITRE ATT&CK

Family: Defense Evasion, Privilege Escalation

Sub-Technique: Impersonation/Theft

Platform: Windows

Products Required:

Tenable Release Date: 2022 Q2