MITRE ATT&CK Technique
Description
Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token. An adversary can use built-in Windows API functions to copy access tokens from existing processes; this is known as token stealing. These token can then be applied to an existing process (i.e. [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001)) or used to spawn a new process (i.e. [Create Process with Token](https://attack.mitre.org/techniques/T1134/002)). An adversary must already be in a privileged user context (i.e. administrator) to steal a token. However, adversaries commonly use token stealing to elevate their security context from the administrator level to the SYSTEM level. An adversary can then use a token to authenticate to a remote system as the account for that token if the account has appropriate permissions on the remote system.(Citation: Pentestlab Token Manipulation) Any standard user can use the <code>runas</code> command, and the Windows API functions, to create impersonation tokens; it does not require access to an administrator account. There are also other mechanisms, such as Active Directory fields, that can be used to modify access tokens.
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2017-12-14T16:46:06.044Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may modify access tokens to operate under a '
'different user or system security context to perform actions '
'and bypass access controls. Windows uses access tokens to '
'determine the ownership of a running process. A user can '
'manipulate access tokens to make a running process appear as '
'though it is the child of a different process or belongs to '
'someone other than the user that started the process. When '
'this occurs, the process also takes on the security context '
'associated with the new token.\n'
'\n'
'An adversary can use built-in Windows API functions to copy '
'access tokens from existing processes; this is known as token '
'stealing. These token can then be applied to an existing '
'process (i.e. [Token '
'Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001)) '
'or used to spawn a new process (i.e. [Create Process with '
'Token](https://attack.mitre.org/techniques/T1134/002)). An '
'adversary must already be in a privileged user context (i.e. '
'administrator) to steal a token. However, adversaries '
'commonly use token stealing to elevate their security context '
'from the administrator level to the SYSTEM level. An '
'adversary can then use a token to authenticate to a remote '
'system as the account for that token if the account has '
'appropriate permissions on the remote system.(Citation: '
'Pentestlab Token Manipulation)\n'
'\n'
'Any standard user can use the <code>runas</code> command, and '
'the Windows API functions, to create impersonation tokens; it '
'does not require access to an administrator account. There '
'are also other mechanisms, such as Active Directory fields, '
'that can be used to modify access tokens.',
'external_references': [{'external_id': 'T1134',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1134'},
{'description': 'Atkinson, J., Winchester, R. (2017, '
'December 7). A Process is No One: '
'Hunting for Token Manipulation. '
'Retrieved December 21, 2017.',
'source_name': 'BlackHat Atkinson Winchester Token '
'Manipulation',
'url': 'https://www.blackhat.com/docs/eu-17/materials/eu-17-Atkinson-A-Process-Is-No-One-Hunting-For-Token-Manipulation.pdf'},
{'description': 'Mathers, B. (2017, March 7). Command '
'line process auditing. Retrieved '
'April 21, 2017.',
'source_name': 'Microsoft Command-line Logging',
'url': 'https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing'},
{'description': 'Microsoft TechNet. (n.d.). Retrieved '
'April 25, 2017.',
'source_name': 'Microsoft LogonUser',
'url': 'https://msdn.microsoft.com/en-us/library/windows/desktop/aa378184(v=vs.85).aspx'},
{'description': 'Microsoft TechNet. (n.d.). Retrieved '
'April 25, 2017.',
'source_name': 'Microsoft DuplicateTokenEx',
'url': 'https://msdn.microsoft.com/en-us/library/windows/desktop/aa446617(v=vs.85).aspx'},
{'description': 'Microsoft TechNet. (n.d.). Retrieved '
'April 25, 2017.',
'source_name': 'Microsoft ImpersonateLoggedOnUser',
'url': 'https://msdn.microsoft.com/en-us/library/windows/desktop/aa378612(v=vs.85).aspx'},
{'description': 'netbiosX. (2017, April 3). Token '
'Manipulation. Retrieved April 21, '
'2017.',
'source_name': 'Pentestlab Token Manipulation',
'url': 'https://pentestlab.blog/2017/04/03/token-manipulation/'}],
'id': 'attack-pattern--dcaa092b-7de9-4a21-977f-7fcb77e89c48',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'defense-evasion'},
{'kill_chain_name': 'mitre-attack',
'phase_name': 'privilege-escalation'}],
'modified': '2025-10-24T17:49:29.051Z',
'name': 'Access Token Manipulation',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Tom Ueltschi @c_APT_ure',
'Travis Smith, Tripwire',
'Robby Winchester, @robwinchester3',
'Jared Atkinson, @jaredcatkinson'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': False,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Windows'],
'x_mitre_version': '2.1'}