Token Impersonation
What is Token Impersonation?
Token Impersonation: A Windows privilege-escalation technique (MITRE ATT&CK T1134) where an attacker duplicates an existing access token and uses it to run code in another user's security context.
Token impersonation abuses the Windows token model — every thread can carry an access token that defines who it acts as. Using APIs like OpenProcessToken, DuplicateTokenEx, and ImpersonateLoggedOnUser (or SetThreadToken), an attacker with sufficient privilege (typically SeImpersonatePrivilege, SeAssignPrimaryToken, or SeDebugPrivilege) can steal a higher-privileged token — for example a SYSTEM token belonging to services.exe — and spawn a new process as that user. Frameworks such as Cobalt Strike's steal_token, Metasploit's incognito module, and Mimikatz token::elevate automate the technique. ATT&CK tracks it under T1134 Access Token Manipulation with sub-techniques for Make and Impersonate Token, Create Process with Token, and Parent PID Spoofing. Detection focuses on Sysmon Event 1/10 anomalies and 4673/4624 logon-with-token-id correlation.
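The paragraph above ends on detection, so here is an added example (not code from the original page or from any of the tools it names) of the Sysmon Event 1 correlation it mentions. A Sysmon Event ID 1 (process creation) record carries the new process's LogonId and its ParentProcessGuid; joining each child to its parent on that GUID makes it possible to flag a child running in a different logon session from its parent, which is one footprint of "Create Process with Token". The records, the allowlist of expected cross-session parents and the field names on the dataclass are constructed for illustration and are assumptions, not the exact Sysmon schema.

```python
# Added example: correlate constructed Sysmon Event ID 1 records to find child
# processes whose logon session differs from their parent's (ATT&CK T1134).
from dataclasses import dataclass
from typing import Dict, List

SYSTEM_LOGON_ID = "0x3e7"  # well-known LogonId of the SYSTEM logon session


@dataclass(frozen=True)
class ProcessCreate:
    """Subset of a Sysmon Event 1 record (assumed field selection)."""
    utc_time: str
    process_guid: str
    parent_process_guid: str
    image: str
    user: str
    logon_id: str


# Parents that routinely start children in another logon session as part of
# normal Windows operation. Assumption: an illustrative allowlist; tune it to
# the environment rather than copying it as-is.
EXPECTED_CROSS_SESSION_PARENTS = {
    r"C:\Windows\System32\services.exe",
    r"C:\Windows\System32\svchost.exe",
    r"C:\Windows\System32\winlogon.exe",
    r"C:\Windows\System32\userinit.exe",
}


def find_token_anomalies(events: List[ProcessCreate]) -> List[Dict[str, str]]:
    """Return one finding per child whose logon session differs from its
    parent's and whose parent is not an expected cross-session launcher."""
    by_guid = {e.process_guid: e for e in events}
    findings: List[Dict[str, str]] = []
    for child in events:
        parent = by_guid.get(child.parent_process_guid)
        if parent is None or child.logon_id == parent.logon_id:
            continue  # no parent record, or same session: nothing to flag
        if parent.image in EXPECTED_CROSS_SESSION_PARENTS:
            continue  # expected behaviour for service/logon infrastructure
        reason = "child logon session differs from parent's"
        if child.logon_id == SYSTEM_LOGON_ID and parent.logon_id != SYSTEM_LOGON_ID:
            reason = "non-SYSTEM parent spawned a child in the SYSTEM logon session"
        findings.append({
            "time": child.utc_time,
            "parent": parent.image,
            "parent_user": parent.user,
            "child": child.image,
            "child_user": child.user,
            "reason": reason,
        })
    return findings


# Constructed Sysmon Event 1 records (not real telemetry). The last record is a
# SYSTEM cmd.exe whose parent is an unprivileged user process: the anomaly.
SAMPLE_EVENTS = [
    ProcessCreate("2024-05-01 10:00:01", "{G-1}", "{G-0}", r"C:\Windows\System32\services.exe", r"NT AUTHORITY\SYSTEM", "0x3e7"),
    ProcessCreate("2024-05-01 10:00:02", "{G-2}", "{G-1}", r"C:\Windows\System32\svchost.exe", r"NT AUTHORITY\SYSTEM", "0x3e7"),
    ProcessCreate("2024-05-01 10:00:03", "{G-3}", "{G-2}", r"C:\Windows\System32\taskhostw.exe", r"CORP\alice", "0x5a3c1"),
    ProcessCreate("2024-05-01 10:00:04", "{G-4}", "{G-0}", r"C:\Windows\explorer.exe", r"CORP\alice", "0x5a3c1"),
    ProcessCreate("2024-05-01 10:05:00", "{G-5}", "{G-4}", r"C:\Users\alice\Downloads\updater.exe", r"CORP\alice", "0x5a3c1"),
    ProcessCreate("2024-05-01 10:05:07", "{G-6}", "{G-5}", r"C:\Windows\System32\cmd.exe", r"NT AUTHORITY\SYSTEM", "0x3e7"),
]

if __name__ == "__main__":
    for finding in find_token_anomalies(SAMPLE_EVENTS):
        print(finding)
```

Run as a script it prints a single finding for the cmd.exe record; the svchost-to-taskhostw cross-session case is suppressed by the allowlist, which is the knob that separates this from a noisy rule. In production the same join would be done against the 4624/4673 events the paragraph mentions, for example tying the child's LogonId back to the logon event that created that session.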
● Examples
- 01
Using Cobalt Strike's steal_token on a process running as SYSTEM to spawn cmd.exe as NT AUTHORITY\SYSTEM.
- 02
Running Mimikatz token::elevate to impersonate the LSASS token after gaining SeDebugPrivilege.
● Frequently asked questions
What is Token Impersonation?
A Windows privilege-escalation technique (MITRE ATT&CK T1134) where an attacker duplicates an existing access token and uses it to run code in another user's security context. It belongs to the Identity & Access category of cybersecurity.
What does Token Impersonation mean?
A Windows privilege-escalation technique (MITRE ATT&CK T1134) where an attacker duplicates an existing access token and uses it to run code in another user's security context.
How does Token Impersonation work?
Token impersonation abuses the Windows token model — every thread can carry an access token that defines who it acts as. Using APIs like OpenProcessToken, DuplicateTokenEx, and ImpersonateLoggedOnUser (or SetThreadToken), an attacker with sufficient privilege (typically SeImpersonatePrivilege, SeAssignPrimaryToken, or SeDebugPrivilege) can steal a higher-privileged token — for example a SYSTEM token belonging to services.exe — and spawn a new process as that user. Frameworks such as Cobalt Strike's steal_token, Metasploit's incognito module, and Mimikatz token::elevate automate the technique. ATT&CK tracks it under T1134 Access Token Manipulation with sub-techniques for Make and Impersonate Token, Create Process with Token, and Parent PID Spoofing. Detection focuses on Sysmon Event 1/10 anomalies and 4673/4624 logon-with-token-id correlation.
How do you defend against Token Impersonation?
Defences for Token Impersonation combine technical controls with operational practices: restricting which accounts and services hold SeImpersonatePrivilege, SeAssignPrimaryToken and SeDebugPrivilege, and monitoring the Sysmon Event 1/10 anomalies and 4673/4624 token-id correlations described above.
What are other names for Token Impersonation?
Common alternative names include: access token manipulation, T1134.
● Related terms
- identity-access № 1002
SeDebugPrivilege
A powerful Windows user-right that lets a holder open, read, and modify the memory of any process — including LSASS — making it a prime target for attackers seeking credential theft.
- vulnerabilities № 860
Privilege Escalation
A class of vulnerabilities that lets an attacker gain rights beyond those originally granted, such as moving from a normal user to administrator.
- defense-ops № 682
Mimikatz
An open-source Windows post-exploitation tool that extracts plaintext passwords, hashes, Kerberos tickets, and other credentials from memory and LSASS.
- identity-access № 1194
User Account Control (UAC)
A Windows security feature introduced in Vista that runs interactive sessions with a limited token and prompts for consent or credentials before an administrative action elevates.
- compliance № 687
MITRE ATT&CK
A globally accessible knowledge base of adversary tactics and techniques observed in real-world attacks, maintained by MITRE.