T1134: T1134
Essential information
- MITRE technique ID
T1134- Confidence
- 100/100
- Revoked
- No
- Published
- 14/12/2017 17:46
- Modified
- 27/03/2026 01:12
- Author / Source
- The MITRE Corporation
Aliases
Access Token Manipulation
Platforms
windows
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | defense-evasion |
| mitre-attack | privilege-escalation |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (54)
-
Tycoon Group usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[APT29](https://attack.mitre.org/groups/G0016) is threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).(Citation: White House Imposing Costs RU Gov April 2021)(Citation: UK Gov Malign RIS Activity April…
First seen 01/01/1970 · Last seen 16/11/5138 · -
lynx usesRansomware.Live Confidence 100
No description available
First seen 01/01/1970 · Last seen 16/11/5138 · -
Jewelbug usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
APT-C-26 (Lazarus) usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
TeamTNT usesThe MITRE Corporation Confidence 100
[TeamTNT](https://attack.mitre.org/groups/G0139) is a threat group that has primarily targeted cloud and containerized environments. The group as been active since at least October 2019 and has mainly focused its…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Shai-Hulud usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[Agrius](https://attack.mitre.org/groups/G1030) is an Iranian threat actor active since 2020 notable for a series of ransomware and wiper operations in the Middle East, with an emphasis on Israeli targets.(Citation:…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Billbug relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Black Hunt relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
BlackBasta relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Blackwood relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Malware (79)
-
HoldingHands usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
QRLog usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
StealthWorker usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
CopperStealer usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
SysJoker usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Brute Ratel usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Ryuk - S0446 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
ACR Stealer usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Turian - S0647 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
DRIEDMOAT usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Azorult usesFamily The MITRE Corporation Confidence 100
[Azorult](https://attack.mitre.org/software/S0344) is a commercial Trojan that is used to steal information from compromised hosts. [Azorult](https://attack.mitre.org/software/S0344) has been observed in the wild as early as 2016. In July 2018,…
First seen 01/01/1970 · Last seen 16/11/5138 · -
CmEx usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Reports (50)
-
"Ghost" Code Phishing Analysis relatedAlienVault Confidence 100 20 MITREs 1 Malware
-
AlienVault Confidence 100 18 MITREs 3 Malwares 8 IOCs 8 Observables 1 APT
-
19 MITREs 5 Observables
-
19 MITREs 2 Malwares 2 Observables 1 APT
-
Threat landscape — insurance relatedConfidence 100 199 MITREs 11 APTs
-
AlienVault Confidence 100 20 MITREs 3 IOCs 3 Observables 1 APT
-
AlienVault Confidence 100 19 MITREs 4 Malwares 4 IOCs 4 Observables
-
AlienVault Confidence 100 20 MITREs 23 IOCs 23 Observables
-
19 MITREs 2 Malwares 3 Observables
-
AlienVault Confidence 100 17 MITREs 1 Malware 1 IOC 1 Observable
-
1 CVE 19 MITREs 3 Malwares 2 Observables
-
AlienVault Confidence 100 20 MITREs 3 Malwares 2 IOCs 2 Observables 1 APT
Vulnerabilities (CVE) (59)
ConnectWise ScreenConnect contains a path traversal vulnerability which could allow an attacker to execute remote code or directly impact confidential data and …
- Attack vector
- Network
- Complexity
- Low
- Published
- 21/02/2024
- Modified
- 29/04/2026
An issue was discovered in Zimbra Collaboration Suite 8.8 before 8.8.15 Patch 23 and 9.0 before 9.0.0 Patch 16. An XSS vulnerability …
- Attack vector
- NETWORK
- Published
- 02/07/2021
- Modified
- 20/12/2025
Microsoft Windows Internet Shortcut Files contains an unspecified vulnerability that allows for a security feature bypass.
- Attack vector
- Network
- Published
- 13/02/2024
- Modified
- 27/05/2026
ConnectWise ScreenConnect contains an authentication bypass vulnerability that allows an attacker with network access to the management interface to create a new, …
- Attack vector
- Network
- Published
- 22/02/2024
- Modified
- 28/02/2026
Veritas Backup Exec (BE) Agent contains a file access vulnerability that could allow an attacker to specially craft input parameters on a …
- Published
- 07/04/2023
- Modified
- 21/12/2025
Dell dbutil driver contains an insufficient access control vulnerability which may lead to escalation of privileges, denial-of-service (DoS), or information disclosure.
- Published
- 31/03/2022
- Modified
- 29/05/2026
A privilege escalation vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k EoP.
- Published
- 10/01/2022
- Modified
- 20/12/2025
Oracle Corporation WebLogic Server contains a vulnerability that allows for remote code execution.
- Attack vector
- NETWORK
- Complexity
- LOW
- Published
- 19/10/2017
- Modified
- 22/04/2026
Barracuda Email Security Gateway (ESG) appliance contains an improper input validation vulnerability of a user-supplied .tar file, leading to remote command injection.
- Attack vector
- Network
- Published
- 26/05/2023
- Modified
- 21/12/2025
Rejetto HTTP File Server, up to and including version 2.3m, is vulnerable to a template injection vulnerability. This vulnerability allows a remote, …
- Attack vector
- Network
- Published
- 09/07/2024
- Modified
- 21/12/2025
Atlassian Confluence Data Center and Server contain an improper authorization vulnerability that can result in significant data loss when exploited by an …
- Attack vector
- Network
- Published
- 07/11/2023
- Modified
- 21/12/2025
Windows Common Log File System Driver Elevation of Privilege Vulnerability
- Attack vector
- LOCAL
- Published
- 13/08/2024
- Modified
- 21/12/2025
Course Of Action (1)
-
User Account Management mitigates