Make and Impersonate Token

Information

• Name: Make and Impersonate Token

• ID: T1134.003

• Tactics: ,

• Technique:

Introduction

The "Make and Impersonate Token" sub-technique (T1134.003) within the MITRE ATT&CK framework refers to adversaries creating or duplicating authentication tokens to impersonate legitimate users or system processes. Attackers leverage this method to escalate privileges, maintain persistence, and move laterally within compromised environments. By generating or manipulating tokens, attackers bypass standard authentication mechanisms, effectively masquerading as authenticated entities and gaining unauthorized access to sensitive resources.

Deep Dive Into Technique

In Windows environments, authentication tokens are security objects created upon successful user authentication. These tokens contain user identity, privileges, and group membership information. Attackers exploit token management functions provided by Windows API to create, duplicate, or impersonate tokens.

Common methods and mechanisms include:

• Token Duplication via Windows API:

  • Using functions like DuplicateTokenEx() or DuplicateToken() to copy existing tokens, granting attackers identical privileges and security context.

  • Tokens may be duplicated from processes running with elevated privileges, allowing attackers to escalate their own privileges.

• Token Creation via LogonUser API:

  • Attackers may use LogonUser() to create new tokens by supplying valid credentials, obtained through credential dumping or brute-force attacks.

• Impersonation via SetThreadToken and ImpersonateLoggedOnUser APIs:

  • Functions such as SetThreadToken() and ImpersonateLoggedOnUser() allow attackers to temporarily assume the security context of another user or process.

• Process Injection and Token Theft:

  • Attackers inject code into privileged processes to steal tokens directly from memory, using tools such as Mimikatz, Metasploit, or custom scripts.

Real-world procedures typically involve:

• Identifying processes running with elevated privileges (e.g., SYSTEM or Administrator).

• Extracting or duplicating tokens from these processes.

• Using stolen or duplicated tokens to execute commands, access resources, or launch privileged processes.

When this Technique is Usually Used

Attackers commonly utilize this sub-technique during various stages of an attack lifecycle, including:

• Privilege Escalation:

  • After initial compromise, attackers duplicate tokens from higher-privileged processes to elevate their privileges.

• Lateral Movement:

  • Attackers impersonate legitimate users or administrators to move laterally across networked systems, accessing additional resources and assets.

• Persistence and Defense Evasion:

  • By using legitimate tokens, attackers blend into normal system behavior, bypassing authentication and authorization controls, thus maintaining long-term persistence.

• Access to Sensitive Resources:

  • Attackers leverage impersonated tokens to access sensitive data, perform reconnaissance, or modify system configurations.

How this Technique is Usually Detected

Detection of token impersonation and creation typically involves monitoring and analyzing system events, process behaviors, and token-related API calls. Effective methods include:

• Monitoring Windows Event Logs:

  • Monitor Security logs for event IDs such as 4624 (logon events), 4672 (special privileges assigned), and 4648 (logon attempts with explicit credentials).

  • Track anomalies or unusual logon patterns, especially logons with elevated privileges or unexpected user contexts.

• Endpoint Detection and Response (EDR) Tools:

  • Utilize EDR solutions to detect suspicious API calls related to token manipulation, such as DuplicateTokenEx(), ImpersonateLoggedOnUser(), or SetThreadToken().

  • Behavioral analysis modules in EDR platforms can identify abnormal token usage patterns or unusual privilege escalations.

• Process Monitoring and Auditing:

  • Monitor processes and threads for unusual token assignments or impersonation activities.

  • Audit tools such as Sysmon can log detailed process creation and privilege assignment events, helping to detect token manipulation.

• Memory Analysis and Forensics:

  • Conduct memory analysis to identify token theft or injection attempts, using forensic tools like Volatility or Rekall.

  • Identify Indicators of Compromise (IoCs) associated with known token manipulation tools (e.g., Mimikatz, Metasploit Meterpreter shellcode).

Specific Indicators of Compromise (IoCs):

• Unusual or unexpected privileged logins.

• Processes executing under unexpected user contexts.

• API calls associated with impersonation or token duplication appearing in unusual contexts.

• Presence of known token manipulation tools or scripts (e.g., Mimikatz binaries, PowerShell scripts invoking token APIs).

Why it is Important to Detect This Technique

Detecting token impersonation and creation is crucial due to its significant impact on organizational security:

• Privilege Escalation Risks:

  • Attackers gain elevated privileges, potentially allowing unrestricted access to sensitive data and systems.

• Credential Theft and Abuse:

  • Impersonation of legitimate users facilitates credential theft, lateral movement, and unauthorized access to critical assets.

• Persistence and Stealth:

  • Attackers employing token impersonation techniques can remain hidden within systems, evading traditional authentication-based security controls and detection mechanisms.

• Data Exfiltration and Sabotage:

  • Unauthorized access to sensitive resources and data can lead to data breaches, intellectual property theft, destruction of data, or sabotage of critical infrastructure.

Early detection can significantly reduce the potential damage by:

• Limiting the attacker's ability to escalate privileges or move laterally.

• Providing security teams with timely alerts to respond and mitigate threats rapidly.

• Minimizing the overall impact on organizational operations, reputation, and compliance posture.

Examples

Real-world examples and attack scenarios involving the "Make and Impersonate Token" sub-technique include:

• APT29 (Cozy Bear):

  • Known for leveraging stolen tokens and impersonation techniques to escalate privileges and move laterally within compromised environments.

  • Utilized Mimikatz and custom scripts to duplicate tokens from privileged processes, enabling persistent access and data exfiltration.

• FIN6 Group Attacks:

  • FIN6 attackers have been observed using token impersonation techniques to escalate privileges and access sensitive financial data.

  • Attackers leveraged Metasploit Meterpreter payloads to steal tokens from memory, impersonating legitimate administrator accounts.

• Ryuk Ransomware Attacks:

  • Ryuk ransomware operators employed token impersonation to escalate privileges and propagate ransomware across organizational networks.

  • Attackers duplicated tokens from privileged processes, enabling lateral movement and widespread encryption of critical resources.

Tools commonly used in real-world scenarios:

• Mimikatz:

  • Widely used tool for token manipulation, credential theft, and privilege escalation.

• Metasploit Framework (Meterpreter):

  • Provides built-in modules for token stealing, impersonation, and privilege escalation.

• PowerSploit Framework (Invoke-TokenManipulation):

  • PowerShell-based scripts enabling attackers to duplicate, create, and impersonate tokens in Windows environments.

Impacts observed in real-world attacks:

• Unauthorized access and compromise of sensitive data and intellectual property.

• Persistent attacker presence, stealthily maintaining control over compromised systems and networks.

• Extensive lateral movement, enabling attackers to compromise multiple systems and escalate privileges rapidly.

• Significant financial and operational damage due to data breaches, ransomware attacks, and sabotage of critical assets.