T1134: T1134
Essential information
- MITRE technique ID
T1134- Confidence
- 100/100
- Revoked
- No
- Published
- 14/12/2017 17:46
- Modified
- 27/03/2026 01:12
- Author / Source
- The MITRE Corporation
Aliases
Access Token Manipulation
Platforms
windows
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | defense-evasion |
| mitre-attack | privilege-escalation |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (54)
-
Ink Dragon relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Intelbroker relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
KONNI relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[Ke3chang](https://attack.mitre.org/groups/G0004) is a threat group attributed to actors operating out of China. [Ke3chang](https://attack.mitre.org/groups/G0004) has targeted oil, government, diplomatic, military, and NGOs in Central and South America, the Caribbean,…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Khmer Shadow relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Kinsing relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Larva-24010 relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Lunar Spider relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Mallox relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Naikon relatedThe MITRE Corporation Confidence 100
[Naikon](https://attack.mitre.org/groups/G0019) is assessed to be a state-sponsored cyber espionage group attributed to the Chinese People’s Liberation Army’s (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[POLONIUM](https://attack.mitre.org/groups/G1005) is a Lebanon-based group that has primarily targeted Israeli organizations, including critical manufacturing, information technology, and defense industry companies, since at least February 2022. Security researchers assess…
First seen 01/01/1970 · Last seen 16/11/5138 ·
Malware (79)
-
Lamberts usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
RisePro Stealer usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
UPPERCUT - S0275 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Hijackloader usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Rhadamanthys usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Hive usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
OilBooster usesFamily The MITRE Corporation Confidence 100
[OilBooster](https://attack.mitre.org/software/S1172) is a downloader written in Microsoft Visual C/C++ that has been used by [OilRig](https://attack.mitre.org/groups/G0049) since at least 2022 including against target organizations in Israel to download and…
First seen 01/01/1970 · Last seen 16/11/5138 · -
KONNI usesFamily The MITRE Corporation Confidence 100
[KONNI](https://attack.mitre.org/software/S0356) is a remote access tool that security researchers assess has been used by North Korean cyber actors since at least 2014. [KONNI](https://attack.mitre.org/software/S0356) has significant code overlap with…
First seen 01/01/1970 · Last seen 16/11/5138 · -
MuddyWater usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
CreepySnail usesFamily The MITRE Corporation Confidence 100
[CreepySnail](https://attack.mitre.org/software/S1024) is a custom PowerShell implant that has been used by [POLONIUM](https://attack.mitre.org/groups/G1005) since at least 2022.(Citation: Microsoft POLONIUM June 2022)
First seen 01/01/1970 · Last seen 16/11/5138 · -
GrimPlant usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
TesseractStealer usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Reports (50)
-
"Ghost" Code Phishing Analysis relatedAlienVault Confidence 100 20 MITREs 1 Malware
-
AlienVault Confidence 100 18 MITREs 3 Malwares 8 IOCs 8 Observables 1 APT
-
19 MITREs 5 Observables
-
19 MITREs 2 Malwares 2 Observables 1 APT
-
Threat landscape — insurance relatedConfidence 100 199 MITREs 11 APTs
-
AlienVault Confidence 100 20 MITREs 3 IOCs 3 Observables 1 APT
-
AlienVault Confidence 100 19 MITREs 4 Malwares 4 IOCs 4 Observables
-
AlienVault Confidence 100 20 MITREs 23 IOCs 23 Observables
-
19 MITREs 2 Malwares 3 Observables
-
AlienVault Confidence 100 17 MITREs 1 Malware 1 IOC 1 Observable
-
1 CVE 19 MITREs 3 Malwares 2 Observables
-
AlienVault Confidence 100 20 MITREs 3 Malwares 2 IOCs 2 Observables 1 APT
Vulnerabilities (CVE) (59)
F5 BIG-IP Configuration utility contains an authentication bypass using an alternate path or channel vulnerability due to undisclosed requests that may allow …
- Attack vector
- Network
- Published
- 31/10/2023
- Modified
- 21/12/2025
Veritas Backup Exec (BE) Agent contains an improper authentication vulnerability that could allow an attacker unauthorized access to the BE Agent via …
- Published
- 07/04/2023
- Modified
- 21/12/2025
VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a privilege escalation vulnerability due to improper permissions in support scripts.
- Published
- 15/04/2022
- Modified
- 20/12/2025
A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, …
- Attack vector
- Network
- Published
- 05/12/2025
- Modified
- 29/05/2026
Microsoft Windows SmartScreen contains a security feature bypass vulnerability that could allow an attacker to bypass Windows Defender SmartScreen checks and their …
- Attack vector
- Network
- Published
- 14/11/2023
- Modified
- 21/12/2025
A command injection vulnerability in the CGI program of some Zyxel firewall versions could allow an attacker to modify specific files and …
- Published
- 16/05/2022
- Modified
- 20/12/2025
Microsoft Windows contains an NTLMv2 hash spoofing vulnerability that could result in disclosing a user's NTLMv2 hash to an attacker via a …
- Attack vector
- Network
- Published
- 12/11/2024
- Modified
- 27/05/2026
In Docker before versions 9.03.15, 20.10.3 there is a vulnerability involving the --userns-remap option in which access to remapped root allows privilege …
- Attack vector
- ADJACENT_NETWORK
- Published
- 02/02/2021
- Modified
- 20/12/2025
Apache HTTP Server contains a path traversal vulnerability that allows an attacker to perform remote code execution if files outside directories configured …
- Attack vector
- Network
- Published
- 03/11/2021
- Modified
- 18/02/2026
Secure Boot Security Feature Bypass Vulnerability
- Attack vector
- LOCAL
- Published
- 11/01/2022
- Modified
- 20/12/2025
Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an unauthorized attacker to perform spoofing over a network.
- Attack vector
- Network
- Published
- 11/03/2025
- Modified
- 27/05/2026
Course Of Action (1)
-
User Account Management mitigates