
Tokens Misuse

Created: 03.06.2023

MITRE: https://attack.mitre.org/techniques/T1134/, https://attack.mitre.org/techniques/T1134/001/, https://attack.mitre.org/techniques/T1134/002/, https://attack.mitre.org/techniques/T1134/003/, https://attack.mitre.org/techniques/T1134/004/, https://attack.mitre.org/techniques/T1134/005/

Actors: https://attack.mitre.org/groups/G0032/


  • Token impersonation.
  • runas or CreateProcessWithTokenW to create a process with the rights of another user.
  • Spoofing the parent process ID.
  • Windows. SID-history injection. By injecting a fake SID into the SID history of a user account, an attacker can create a new identity with additional access rights without raising any alarms. 🚨 Needs elevated privileges. The SID history is stored in an attribute of the user object in the AD database. The attribute is named “SIDHistory” and can be viewed and modified using the Active Directory Users and Computers (ADUC) management console or other AD management tools.
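
A defender-side check for the SID-history item above, as an added example that is not part of the original page: it flags sIDHistory values whose SID comes from the account's own domain, carries a well-known privileged RID, or is not a domain account SID at all. The function name, the sample accounts and every SID below are constructed for illustration.

```powershell
# Added example (not from the original page). Sample accounts and SIDs are constructed.
# Well-known domain-relative RIDs of privileged principals.
$PrivilegedRids = @{
    '500' = 'Administrator';  '512' = 'Domain Admins'
    '518' = 'Schema Admins';  '519' = 'Enterprise Admins'
}

function Get-SidHistoryFinding {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string]   $Account,
        [Parameter(Mandatory)] [string[]] $SidHistory,
        [Parameter(Mandatory)] [string]   $DomainSid
    )
    foreach ($value in $SidHistory) {
        $sid = [System.Security.Principal.SecurityIdentifier]::new($value)
        $reasons = @()
        if ($null -eq $sid.AccountDomainSid) {
            # e.g. BUILTIN\Administrators: not expected from a domain migration
            $reasons += 'not a domain account SID'
        } else {
            if ($sid.AccountDomainSid.Value -eq $DomainSid) {
                # Migration copies SIDs from another domain, not from the account's own
                $reasons += 'SID is from the same domain as the account'
            }
            $rid = $sid.Value.Split('-')[-1]
            if ($PrivilegedRids.ContainsKey($rid)) {
                $reasons += "privileged RID $rid ($($PrivilegedRids[$rid]))"
            }
        }
        if (-not $reasons) { $reasons = @('foreign-domain SID: confirm against a documented migration') }
        [pscustomobject]@{ Account = $Account; Sid = $sid.Value; Review = $reasons -join '; ' }
    }
}

# Constructed sample input so the check runs without a domain controller.
$domainSid = 'S-1-5-21-1111111111-2222222222-3333333333'
$sample = @(
    @{ Account = 'svc-backup'; SidHistory = @("${domainSid}-512") }
    @{ Account = 'j.doe';      SidHistory = @('S-1-5-21-1004336348-1177238915-682003330-1104') }
    @{ Account = 'helpdesk1';  SidHistory = @('S-1-5-32-544') }
)
foreach ($s in $sample) {
    Get-SidHistoryFinding -Account $s.Account -SidHistory $s.SidHistory -DomainSid $domainSid
}

# Against a live domain (ActiveDirectory module), feed the same function:
# $dom = (Get-ADDomain).DomainSID.Value
# Get-ADUser -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory | ForEach-Object {
#   Get-SidHistoryFinding $_.SamAccountName ($_.sIDHistory | ForEach-Object Value) $dom }
```

Groups and computer objects can carry the attribute too, so a full audit would repeat the query for those object classes.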

