T1134: T1134
Essential information
- MITRE technique ID
T1134- Confidence
- 100/100
- Revoked
- No
- Published
- 14/12/2017 17:46
- Modified
- 27/03/2026 01:12
- Author / Source
- The MITRE Corporation
Aliases
Access Token Manipulation
Platforms
windows
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | defense-evasion |
| mitre-attack | privilege-escalation |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (54)
-
Ink Dragon relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Intelbroker relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
KONNI relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[Ke3chang](https://attack.mitre.org/groups/G0004) is a threat group attributed to actors operating out of China. [Ke3chang](https://attack.mitre.org/groups/G0004) has targeted oil, government, diplomatic, military, and NGOs in Central and South America, the Caribbean,…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Khmer Shadow relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Kinsing relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Larva-24010 relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Lunar Spider relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Mallox relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Naikon relatedThe MITRE Corporation Confidence 100
[Naikon](https://attack.mitre.org/groups/G0019) is assessed to be a state-sponsored cyber espionage group attributed to the Chinese People’s Liberation Army’s (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[POLONIUM](https://attack.mitre.org/groups/G1005) is a Lebanon-based group that has primarily targeted Israeli organizations, including critical manufacturing, information technology, and defense industry companies, since at least February 2022. Security researchers assess…
First seen 01/01/1970 · Last seen 16/11/5138 ·
Malware (79)
-
ModuleInstaller usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
SampleCheck5000 usesFamily The MITRE Corporation Confidence 100
[SampleCheck5000](https://attack.mitre.org/software/S1168) is a downloader with multiple variants that was used by [OilRig](https://attack.mitre.org/groups/G0049) including during the [Outer Space](https://attack.mitre.org/campaigns/C0042) campaign to download and execute additional payloads. (Citation: ESET OilRig Campaigns…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Havoc usesThe MITRE Corporation Confidence 100
[Havoc](https://attack.mitre.org/software/S1229) is an open-source post-exploitation command and control (C2) framework first released on GitHub in October 2022 by C5pider (Paul Ungur), who continues to maintain and develop it…
First seen 01/01/1970 · Last seen 16/11/5138 · -
KimJongRAT usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Thoper usesThe MITRE Corporation Confidence 100
[PlugX](https://attack.mitre.org/software/S0013) is a remote access tool (RAT) with modular plugins that has been used by multiple threat groups.(Citation: Lastline PlugX Analysis)(Citation: FireEye Clandestine Fox Part 2)(Citation: New DragonOK)(Citation:…
First seen 01/01/1970 · Last seen 16/11/5138 · -
BlackBasta usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
BlackMatter usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Meduza usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Demon usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
AlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
AppleChris usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
LockBit usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Reports (50)
-
"Ghost" Code Phishing Analysis relatedAlienVault Confidence 100 20 MITREs 1 Malware
-
AlienVault Confidence 100 18 MITREs 3 Malwares 8 IOCs 8 Observables 1 APT
-
19 MITREs 5 Observables
-
19 MITREs 2 Malwares 2 Observables 1 APT
-
Threat landscape — insurance relatedConfidence 100 199 MITREs 11 APTs
-
AlienVault Confidence 100 20 MITREs 3 IOCs 3 Observables 1 APT
-
AlienVault Confidence 100 19 MITREs 4 Malwares 4 IOCs 4 Observables
-
AlienVault Confidence 100 20 MITREs 23 IOCs 23 Observables
-
19 MITREs 2 Malwares 3 Observables
-
AlienVault Confidence 100 17 MITREs 1 Malware 1 IOC 1 Observable
-
1 CVE 19 MITREs 3 Malwares 2 Observables
-
AlienVault Confidence 100 20 MITREs 3 Malwares 2 IOCs 2 Observables 1 APT
Vulnerabilities (CVE) (59)
A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An …
- Published
- 14/06/2022
- Modified
- 27/05/2026
Microsoft Exchange Server contains an unspecified vulnerability that allows for security feature bypass.
- Published
- 03/11/2021
- Modified
- 20/12/2025
Microsoft Active Directory Domain Services contains an unspecified vulnerability that allows for privilege escalation.
- Published
- 11/04/2022
- Modified
- 20/12/2025
Microsoft Office contains a memory corruption vulnerability that allows remote code execution in the context of the current user.
- Attack vector
- Local
- Complexity
- Low
- Published
- 15/11/2017
- Modified
- 29/05/2026
Laravel Framework contains a deserialization of untrusted data vulnerability, allowing for remote command execution. This vulnerability may only be exploited if a …
- Published
- 16/01/2024
- Modified
- 21/12/2025
targets
Apache Log4j2 contains a vulnerability where JNDI features do not protect against attacker-controlled JNDI-related endpoints, allowing for remote code execution.
- Attack vector
- Network
- Published
- 10/12/2021
- Modified
- 27/05/2026
Untrusted search path vulnerability in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 …
- Published
- 11/03/2015
- Modified
- 07/05/2026
Intel ethernet diagnostics driver for Windows IQVW32.sys and IQVW64.sys contain an unspecified vulnerability that allows for a denial-of-service (DoS).
- Attack vector
- LOCAL
- Complexity
- LOW
- Published
- 09/08/2017
- Modified
- 22/04/2026
Microsoft Exchange Server contains an unspecified vulnerability that allows for privilege escalation.
- Published
- 03/11/2021
- Modified
- 20/12/2025
VMware Workspace ONE Access and Identity Manager allow for remote code execution due to server-side template injection.
- Published
- 14/04/2022
- Modified
- 20/12/2025
OpenSLP as used in ESXi (7.0 before ESXi70U1c-17325551, 6.7 before ESXi670-202102401-SG, 6.5 before ESXi650-202102101-SG) has a heap-overflow vulnerability. A malicious actor residing …
- Attack vector
- Adjacent
- Complexity
- Low
- Published
- 24/02/2021
- Modified
- 03/06/2026
Course Of Action (1)
-
User Account Management mitigates