| ID | Name |
|---|---|
| ATAGS-T1079.001 | Create Process with Token |
| ATAGS-T1079.002 | Make and Impersonate Token |
| ATAGS-T1079.003 | Parent PID Spoofing |
| ATAGS-T1079.004 | SID-History Injection |
| ATAGS-T1079.005 | Token Impersonation/Theft |

Threat Actors may duplicate and then impersonate another user's existing token to escalate privileges and bypass access controls. For example, Threat Actors can duplicate an existing token using DuplicateToken or DuplicateTokenEx. The token can then be used with ImpersonateLoggedOnUser to allow the calling thread to impersonate a logged-on user's security context, or with SetThreadToken to assign the impersonated token to a thread.

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
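
Because prevention is limited, detection usually rests on correlating the API sequence described above. The following is an added example, not part of the original page: it flags a process that duplicates another account's token and then applies the same handle to a thread. The event fields, the sample trace and the 30-second window are assumptions made for illustration.

```python
from collections import namedtuple

# Constructed event shape for illustration; real API-monitoring telemetry
# will use different field names.
Event = namedtuple("Event", "ts pid tid api handle proc_user token_user")

DUP_APIS = {"DuplicateToken", "DuplicateTokenEx"}
IMPERSONATE_APIS = {"ImpersonateLoggedOnUser", "SetThreadToken"}
WINDOW = 30.0  # seconds between duplication and use; assumed tuning value


def find_token_impersonation(events, window=WINDOW):
    """Return alerts where a process duplicates another user's token and then
    applies that same handle to a thread within `window` seconds."""
    duplicated = {}  # (pid, handle) -> duplication event
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.api in DUP_APIS:
            # Only tokens belonging to a different account are interesting.
            if ev.token_user != ev.proc_user:
                duplicated[(ev.pid, ev.handle)] = ev
        elif ev.api in IMPERSONATE_APIS:
            if ev.handle is None:  # SetThreadToken with a NULL token reverts
                continue
            dup = duplicated.get((ev.pid, ev.handle))
            if dup and ev.ts - dup.ts <= window:
                alerts.append({
                    "pid": ev.pid, "tid": ev.tid,
                    "sequence": (dup.api, ev.api),
                    "from_user": ev.proc_user, "as_user": dup.token_user,
                })
        elif ev.api == "CloseHandle":
            duplicated.pop((ev.pid, ev.handle), None)  # handle values get reused
    return alerts


# Constructed sample trace, not real telemetry.
SAMPLE = [
    Event(1.0, 4120, 1, "DuplicateTokenEx", 0x2A4, r"CORP\alice", r"NT AUTHORITY\SYSTEM"),
    Event(1.2, 4120, 7, "SetThreadToken", 0x2A4, r"CORP\alice", r"NT AUTHORITY\SYSTEM"),
    Event(2.0, 5000, 1, "DuplicateToken", 0x100, r"CORP\bob", r"CORP\bob"),
    Event(2.1, 5000, 1, "ImpersonateLoggedOnUser", 0x100, r"CORP\bob", r"CORP\bob"),
    Event(3.0, 6000, 1, "DuplicateTokenEx", 0x2A4, r"CORP\carol", r"NT AUTHORITY\SYSTEM"),
    Event(3.5, 6000, 1, "CloseHandle", 0x2A4, r"CORP\carol", None),
    Event(4.0, 6000, 2, "SetThreadToken", None, r"CORP\carol", None),
]

if __name__ == "__main__":
    for alert in find_token_impersonation(SAMPLE):
        print(alert)
```

Services that legitimately impersonate their clients produce the same sequence, so in practice the rule needs a per-image baseline or allowlist before it is useful for alerting.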