T1134.001 — Token Impersonation/Theft

Technique

T1134.001

Tactics

Stealth, Privilege Escalation

MISP citations

0

KEV CVEs mapped

1

Community rules

9

thrunt rules

0

Upstream

https://attack.mitre.org/techniques/T1134/001

MITRE description

Adversaries may duplicate then impersonate another user's existing token to escalate privileges and bypass access controls. For example, an adversary can duplicate an existing token using `DuplicateToken` or `DuplicateTokenEx`.(Citation: DuplicateToken function) The token can then be used with `ImpersonateLoggedOnUser` to allow the calling thread to impersonate a logged on user's security context, or with `SetThreadToken` to assign the impersonated token to a thread. An adversary may perform [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) when they have a specific, existing process they want to assign the duplicated token to. For example, this may be useful for when the target user has a non-network logon session on the system. When an adversary would instead use a duplicated token to create a new process rather than attaching to an existing process, they can additionally [Create Process with Token](https://attack.mitre.org/techniques/T1134/002) using `CreateProcessWithTokenW` or `CreateProcessAsUserW`. [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) is also distinct from [Make and Impersonate Token](https://attack.mitre.org/techniques/T1134/003) in that it refers to duplicating an existing token, rather than creating a new one.

KEV CVEs mapped to this technique

Per MITRE CTID's hand-curated KEV→ATT&CK mappings — these are the actively-exploited vulnerabilities behind this technique's KEV signal.

• CVE-2023-4966

Detection coverage

SigmaHQ community rules

• Potential Access Token Abuse (core)
• HackTool - NoFilter Execution (core)
• Meterpreter or Cobalt Strike Getsystem Service Installation - Security (core)
• Meterpreter or Cobalt Strike Getsystem Service Installation - System (core)
• HackTool - Koh Default Named Pipe (core)
• HackTool - Impersonate Execution (core)
• Potential Meterpreter/CobaltStrike Activity (core)
• HackTool - SharpDPAPI Execution (core)
• HackTool - SharpImpersonation Execution (core)

Signal counts reflect the current corpus snapshot: MISP citations are regex-extracted from CIRCL OSINT event text and galaxy tags; KEV mappings come from MITRE CTID; community coverage is the SigmaHQ rule inventory (core, emerging-threats, threat-hunting collections) at release r2026-04-01. Rule bodies are not mirrored — links go upstream.