Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN1106: Analytic 1106

Token creation or access delegation where a user impersonates a higher-privileged service account or performs domain-wide delegation actions, such as GCP's serviceAccountTokenCreator or Workspace impersonation.

EnterpriseAN1106AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic describes identity-provider activity where a user creates tokens or delegates access in a way that lets them impersonate a higher-privileged service account or perform domain-wide delegation, such as GCP serviceAccountTokenCreator or Workspace impersonation. For leaders, the significance is that control over service-account impersonation can become control over sensitive cloud or workspace operations, so the key question is whether the organization can prove who delegated access, who used it, and whether the delegation was expected.

Executive priority

Prioritize this as an identity and cloud governance issue: privileged delegation paths should be reviewed, logged, and explainable for incident response and audit evidence. Because the ATT&CK object provides no tactic mapping, detection logic, or relationship context, the business decision is not that a specific attack is confirmed, but that identity-provider delegation is a high-value control area where weak visibility can delay containment and privilege review.

Technical view

SOC, identity, and IR teams should validate telemetry around token creation, service-account impersonation, and domain-wide delegation in the identity provider. Focus on whether events identify the requesting user, target service account or delegated identity, granted scope or role, source context, timestamp, and subsequent use of the delegated token. Since no official detection is provided, teams should build local baselines for expected delegation activity and alert on unusual users, privileged target accounts, broad delegation, or activity inconsistent with approved administration workflows.

Likely telemetry

  • Identity provider audit logs for token creation and access delegation
  • Service-account impersonation events, including serviceAccountTokenCreator-style activity where available
  • Workspace or domain-wide delegation audit events where available
  • IAM role or permission assignment/change logs related to impersonation or delegation
  • Authentication/session metadata for the requesting user and delegated identity

Detection direction

  • Confirm that identity-provider logging captures both the actor requesting delegation and the privileged service account or delegated identity being accessed.
  • Baseline normal service-account impersonation and domain-wide delegation patterns, then review deviations involving higher-privileged accounts or uncommon requesters.
  • Correlate delegation events with IAM permission changes and subsequent privileged activity to reduce false positives and support incident triage.
  • Tune for approved automation and administrative workflows, but require evidence that exceptions are documented and periodically reviewed.
  • Account for the main blind spot: ATT&CK provides no official detection logic for AN1106, so local platform logs and identity architecture determine practical coverage.

Mitigation priorities

  • Inventory service accounts and delegated identities that can be impersonated through the identity provider.
  • Review who can create tokens, impersonate service accounts, or perform domain-wide delegation, and remove unnecessary privileges.
  • Apply least privilege and approval controls to high-impact delegation paths.
  • Ensure identity-provider audit logging is enabled, retained, and accessible to SOC and incident response teams.
  • Periodically reconcile delegation permissions against business owners, administrative procedures, and compliance evidence needs.
Analyst notes and limits

AN1106 is a detection analytic object in ATT&CK Enterprise version 19.1 for the Identity Provider platform. It specifically concerns token creation or access delegation involving impersonation of higher-privileged service accounts or domain-wide delegation, with examples referencing GCP serviceAccountTokenCreator and Workspace impersonation. No official detection text, tactics, labels, aliases, or relationship context were supplied.

This take is limited to the supplied ATT&CK fields and external reference. It does not establish active exploitation, adversary attribution, impact, or existing detection coverage. Concrete detections require local identity-provider configuration, audit log availability, normal delegation patterns, and knowledge of approved administrative workflows.

Official MITRE ATT&CK definition

Analytic 1106

Token creation or access delegation where a user impersonates a higher-privileged service account or performs domain-wide delegation actions, such as GCP's serviceAccountTokenCreator or Workspace impersonation.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
5475b8908c298a14...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 5475b8908c29…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN1106
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use