Access Token Manipulation (T1134)

View on ATT&CK

In Playbook

Associated Tactics

  • Defense Evasion
  • Privilege Escalation

Defense Evasion (TA0005)

The adversary is trying to avoid being detected. Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.

View on ATT&CK

Procedure Examples

Description Source(s)
Atkinson, J., Winchester, R. (2017, December 7). A Process is No One: Hunting for Token Manipulation. Retrieved December 21, 2017. BlackHat Atkinson Winchester Token Manipulation
Mathers, B. (2017, March 7). Command line process auditing. Retrieved April 21, 2017. Microsoft Command-line Logging
Microsoft TechNet. (n.d.). Retrieved April 25, 2017. Microsoft LogonUser
Microsoft TechNet. (n.d.). Retrieved April 25, 2017. Microsoft DuplicateTokenEx
Microsoft TechNet. (n.d.). Retrieved April 25, 2017. Microsoft ImpersonateLoggedOnUser
netbiosX. (2017, April 3). Token Manipulation. Retrieved April 21, 2017. Pentestlab Token Manipulation