| ID | Name |
|---|---|
| ATAGS-T1079.001 | Create Process with Token |
| ATAGS-T1079.002 | Make and Impersonate Token |
| ATAGS-T1079.003 | Parent PID Spoofing |
| ATAGS-T1079.004 | SID-History Injection |
| ATAGS-T1079.005 | Token Impersonation/Theft |
Threat Actors may make new tokens and impersonate users to escalate privileges and bypass access controls. For example, if Threat Actors has a username and password but the user is not logged onto the system the adversary can then create a logon session for the user using the LogonUser function. The function will return a copy of the new session's access token and the adversary can use SetThreadToken to assign the token to a thread.
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.