Access Token Manipulation: Make and Impersonate Token

Adversaries may make and impersonate tokens to escalate privileges and bypass access controls. If an adversary has a username and password but the user is not logged onto the system, the adversary can then create a logon session for the user using the LogonUser function. The function will return a copy of the new session's access token and the adversary can use SetThreadToken to assign the token to a thread.

ID: T1134.003
Sub-technique of: T1134
Tactic(s): Defense Evasion, Privilege Escalation
Platforms: Windows
Permissions Required: Administrator, User
Data Sources: Command: Command Execution, Process: OS API Execution
Version: 1.0
Created: 18 Feb 2020
Last Modified: 18 Feb 2020

Procedure Examples

Name: Cobalt Strike
Description: Cobalt Strike can make tokens from known credentials.(Citation: cobaltstrike manual)

Mitigations

Mitigation: Privileged Account Management
Description: Manage the creation, modification, use, and permissions associated with privileged accounts, including SYSTEM and root.

Mitigation: User Account Management
Description: Manage the creation, modification, use, and permissions associated with user accounts.

Detection

If an adversary is using a standard command-line shell, analysts can detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command. Detailed command-line logging is not enabled by default in Windows.(Citation: Microsoft Command-line Logging)

If an adversary is using a payload that calls the Windows token APIs directly, analysts can detect token manipulation only through careful analysis of user network activity, examination of running processes, and correlation with other endpoint and network behavior. Analysts can also monitor for use of Windows APIs such as LogonUser and SetThreadToken and correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators.
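The detection logic below is an added example and is not code from the ATT&CK page or from MITRE. It covers both the technique description (LogonUser followed by SetThreadToken in one process) and the detection guidance above (runas in command lines, token API calls correlated per process and filtered against known benign use). The Event schema, field names, the allowlist and the sample records are constructed for the example; on a real Windows host the command-line records would come from Security event 4688 with "Include command line in process creation events" enabled, and the API-call records from an EDR or ETW sensor that reports user-mode API usage.

```python
"""Added detection example for T1134.003 (not from the ATT&CK page).

Two signals from the page's detection text are modelled: the runas command in
process command lines (Command Execution) and direct calls to LogonUser /
SetThreadToken (OS API Execution). API calls are grouped per process so that
LogonUser followed shortly by SetThreadToken scores higher than either call
alone. Every record, field name and allowlist entry here is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Event:
    ts: int       # constructed timestamp in seconds
    host: str
    pid: int
    image: str    # full path of the process image
    kind: str     # "process" = command execution, "api" = OS API execution
    detail: str   # command line for "process" events, API name for "api" events


# Constructed sample telemetry (assumed sensor shape, not a real product schema).
SAMPLE = [
    Event(1, "ws01", 4321, r"C:\Windows\System32\cmd.exe", "process",
          r'cmd.exe /c runas /user:CORP\svc_backup "cmd.exe"'),
    Event(2, "ws01", 5120, r"C:\Users\alice\AppData\Local\Temp\update.exe", "api", "LogonUserW"),
    Event(3, "ws01", 5120, r"C:\Users\alice\AppData\Local\Temp\update.exe", "api", "SetThreadToken"),
    Event(4, "ws01", 900, r"C:\Windows\System32\svchost.exe", "api", "LogonUserW"),
    Event(5, "ws01", 6000, r"C:\Program Files\Backup\agent.exe", "api", "LogonUserW"),
    Event(6, "ws01", 6000, r"C:\Program Files\Backup\agent.exe", "api", "SetThreadToken"),
]

# "runas" as a separate token, with or without .exe, anywhere in the command line
RUNAS_RE = re.compile(r"(?:^|[\s\\'\"])runas(?:\.exe)?(?:\s|$)", re.IGNORECASE)
TOKEN_APIS = {"LogonUserA", "LogonUserW", "LogonUserExA", "LogonUserExW", "SetThreadToken"}
# Assumed allowlist for this environment: images known to call these APIs during
# normal operation (e.g. a backup agent). Path-only allowlisting is a placeholder;
# a production rule would key on code signer or file hash, since a path is trivial to spoof.
BENIGN_IMAGES = {r"c:\program files\backup\agent.exe"}
CHAIN_WINDOW = 30  # seconds between LogonUser and SetThreadToken to treat them as one chain


def detect(events):
    """Return a list of finding dicts for runas usage and token API activity."""
    findings = []
    api_calls = defaultdict(list)  # (host, pid) -> token API events in time order
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "process" and RUNAS_RE.search(e.detail):
            findings.append({"host": e.host, "pid": e.pid, "image": e.image,
                             "rule": "runas_command", "severity": "low", "ts": e.ts})
        elif e.kind == "api" and e.detail in TOKEN_APIS:
            api_calls[(e.host, e.pid)].append(e)

    for (host, pid), calls in api_calls.items():
        image = calls[0].image
        if image.lower() in BENIGN_IMAGES:
            continue  # known benign caller; suppress to keep false positives down
        logon_ts = [c.ts for c in calls if c.detail.startswith("LogonUser")]
        impersonate_ts = [c.ts for c in calls if c.detail == "SetThreadToken"]
        # LogonUser followed within the window by SetThreadToken is the
        # make-and-impersonate sequence the technique describes
        chained = any(0 <= s - l <= CHAIN_WINDOW for l in logon_ts for s in impersonate_ts)
        findings.append({"host": host, "pid": pid, "image": image,
                         "rule": "make_and_impersonate_token" if chained else "token_api_call",
                         "severity": "high" if chained else "medium",
                         "ts": calls[0].ts, "apis": [c.detail for c in calls]})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE):
        print(f"[{f['severity']:6}] {f['rule']:27} host={f['host']} pid={f['pid']} image={f['image']}")
```

Run as a script it prints one line per finding: the cmd.exe runas invocation (low), the unsigned-looking binary in a Temp directory that called LogonUserW and then SetThreadToken (high), and a lone LogonUserW from svchost.exe (medium) that would need further correlation before escalation; the allowlisted backup agent produces nothing. The per-process chaining is what separates the technique from the many legitimate single calls to these APIs that services and administrators generate.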

