T1134

Access Token Manipulation

Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token. An adversary can use built-in Windows API functions to copy access tokens from existing processes (token stealing) and either apply them to an existing process or spawn a new one. An adversary must already be in a privileged user context to steal a token, but commonly uses token stealing to escalate from administrator to SYSTEM. Any standard user can use the runas command and Windows API functions to create impersonation tokens without administrator access.

Microsoft Sentinel / Defender

kusto

let KnownTokenTools = dynamic([
  "juicypotato", "printspoofer", "sweetpotato", "godpotato",
  "roguewinrm", "rottenpotatong", "incognito", "tokenvator"
]);
let TokenManipulationAPIs = dynamic([
  "Invoke-TokenManipulation", "Get-SecurityToken", "DuplicateTokenEx",
  "OpenProcessToken", "AdjustTokenPrivileges", "CreateProcessWithToken",
  "ImpersonateLoggedOnUser", "SetThreadToken", "LogonUserW", "LogonUserA",
  "NtImpersonateThread", "Invoke-RunAs"
]);
let SuspiciousPrivileges = dynamic([
  "SeDebugPrivilege", "SeAssignPrimaryTokenPrivilege",
  "SeTcbPrivilege", "SeCreateTokenPrivilege"
]);
// Branch 1: Known token manipulation utilities
let KnownTools = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (KnownTokenTools)
    or FolderPath has_any (KnownTokenTools)
    or ProcessCommandLine has_any (KnownTokenTools)
| extend DetectionType = "KnownTokenTool"
| extend IsPotatoFamily = ProcessCommandLine has_any ("juicypotato", "printspoofer", "sweetpotato", "godpotato")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessAccountName, DetectionType, IsPotatoFamily;
// Branch 2: PowerShell invoking token manipulation APIs or frameworks
let PSTokenAbuse = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any (TokenManipulationAPIs)
    or ProcessCommandLine has_any (SuspiciousPrivileges)
| extend DetectionType = "PowerShellTokenAbuse"
| extend IsPotatoFamily = false
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessAccountName, DetectionType, IsPotatoFamily;
// Branch 3: Suspicious special privileges assigned to non-service user logon sessions
let PrivilegeEscalation = SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4672
| where SubjectUserName !endswith "$"
| where SubjectUserName !in~ ("SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE",
    "DWM-1", "DWM-2", "DWM-3", "UMFD-0", "UMFD-1")
| where PrivilegeList has "SeDebugPrivilege"
    or PrivilegeList has "SeAssignPrimaryTokenPrivilege"
    or PrivilegeList has "SeTcbPrivilege"
    or PrivilegeList has "SeCreateTokenPrivilege"
| extend DetectionType = "SuspiciousPrivilegeAssignment"
| extend IsPotatoFamily = false
| project Timestamp=TimeGenerated, DeviceName=Computer, AccountName=SubjectUserName,
          FileName="Security Event 4672", ProcessCommandLine=PrivilegeList,
          InitiatingProcessFileName="N/A",
          InitiatingProcessCommandLine=tostring(SubjectLogonId),
          InitiatingProcessAccountName="N/A", DetectionType, IsPotatoFamily;
union KnownTools, PSTokenAbuse, PrivilegeEscalation
| sort by Timestamp desc

high severity high confidence

Data Sources

Process: Process Creation Windows Security Event Log Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents SecurityEvent

False Positives

Legitimate penetration testing tools or red team exercises using Invoke-TokenManipulation or JuicyPotato on authorized engagements
System administrators using runas or token manipulation for legitimate privileged tasks with corresponding change tickets
Security software (EDR agents, vulnerability scanners, PAM solutions) that legitimately hold SeDebugPrivilege for process inspection
Windows services running as NETWORK SERVICE or LOCAL SERVICE that receive SeImpersonatePrivilege by design (IIS application pools, SQL Server, etc.)
Domain controllers where SeDebugPrivilege is legitimately assigned to elevated administrator accounts

Splunk

spl

(
  (index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1)
  OR
  (index=wineventlog sourcetype="WinEventLog:Security" EventCode=4672)
)
| eval AccountName=coalesce(User, SubjectUserName)
| eval ProcessImage=coalesce(Image, "N/A")
| eval CmdLine=coalesce(CommandLine, PrivilegeList, "N/A")
| eval ParentProcess=coalesce(ParentImage, "N/A")
| eval IsKnownTokenTool=if(
    match(lower(ProcessImage), "(juicypotato|printspoofer|sweetpotato|godpotato|roguewinrm|rottenpotatong|incognito|tokenvator)") OR
    match(lower(CmdLine), "(juicypotato|printspoofer|sweetpotato|godpotato|roguewinrm|incognito|tokenvator)"),
    1, 0)
| eval IsPSTokenAbuse=if(
    EventCode=1 AND (match(lower(ProcessImage), "(powershell\.exe|pwsh\.exe)")) AND
    match(lower(CmdLine), "(invoke-tokenmanipulation|get-securitytoken|duplicatetokenex|openprocesstoken|adjusttokenprivileges|createprocesswithtoken|impersonateloggedonuser|setthreadtoken|ntimpersonatethread|invoke-runas|seimpersonateprivilege|sedebugprivilege)"),
    1, 0)
| eval IsSuspiciousPrivilege=if(
    EventCode=4672 AND
    NOT match(AccountName, "\\$$") AND
    NOT match(lower(AccountName), "(system|local service|network service|dwm-|umfd-)") AND
    match(CmdLine, "(?i)(sedebugprivilege|seassignprimarytokenprivilege|setcbprivilege|secreatetokenprivilege)"),
    1, 0)
| eval DetectionType=case(
    IsKnownTokenTool=1, "KnownTokenTool",
    IsPSTokenAbuse=1, "PowerShellTokenAbuse",
    IsSuspiciousPrivilege=1, "SuspiciousPrivilegeAssignment",
    true(), "unknown")
| where DetectionType != "unknown"
| eval SuspicionScore=IsKnownTokenTool + IsPSTokenAbuse + IsSuspiciousPrivilege
| table _time, host, AccountName, ProcessImage, CmdLine, ParentProcess, DetectionType, SuspicionScore
| sort - _time

high severity high confidence

Data Sources

Process: Process Creation Windows Security Event Log Sysmon Event ID 1 Sysmon Event ID 10

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

Legitimate penetration testing tools or red team exercises using Invoke-TokenManipulation or JuicyPotato on authorized engagements
System administrators using runas or token manipulation for legitimate privileged tasks with corresponding change tickets
Security software (EDR agents, vulnerability scanners, PAM solutions) that legitimately hold SeDebugPrivilege for process inspection
Windows services running as NETWORK SERVICE or LOCAL SERVICE that receive SeImpersonatePrivilege by design (IIS application pools, SQL Server, etc.)
Domain controllers where SeDebugPrivilege is legitimately assigned to elevated administrator accounts

Elastic Security (EQL)

eql

sequence by host.name with maxspan=5m
[
  any where
  (
    (
      event.category == "process" and event.type == "start"
      and (
        process.name : ("juicypotato*", "printspoofer*", "sweetpotato*", "godpotato*", "roguewinrm*", "rottenpotatong*", "incognito*", "tokenvator*")
        or process.executable : ("*juicypotato*", "*printspoofer*", "*sweetpotato*", "*godpotato*", "*roguewinrm*", "*rottenpotatong*", "*incognito*", "*tokenvator*")
        or process.command_line : ("*juicypotato*", "*printspoofer*", "*sweetpotato*", "*godpotato*", "*roguewinrm*", "*incognito*", "*tokenvator*")
      )
    )
    or
    (
      event.category == "process" and event.type == "start"
      and process.name : ("powershell.exe", "pwsh.exe")
      and process.command_line : (
        "*Invoke-TokenManipulation*", "*Get-SecurityToken*", "*DuplicateTokenEx*",
        "*OpenProcessToken*", "*AdjustTokenPrivileges*", "*CreateProcessWithToken*",
        "*ImpersonateLoggedOnUser*", "*SetThreadToken*", "*NtImpersonateThread*",
        "*Invoke-RunAs*", "*SeDebugPrivilege*", "*SeAssignPrimaryTokenPrivilege*",
        "*SeTcbPrivilege*", "*SeCreateTokenPrivilege*"
      )
    )
    or
    (
      event.category == "authentication"
      and event.code == "4672"
      and not user.name : ("*$", "SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE", "DWM-1", "DWM-2", "DWM-3", "UMFD-0", "UMFD-1")
      and winlog.event_data.PrivilegeList : ("*SeDebugPrivilege*", "*SeAssignPrimaryTokenPrivilege*", "*SeTcbPrivilege*", "*SeCreateTokenPrivilege*")
    )
  )
]

high severity high confidence

Data Sources

Windows Security Event Log Sysmon Elastic Endpoint

Required Tables

logs-endpoint.events.process-* logs-system.security-* winlogbeat-*

False Positives

Legitimate privileged administrator accounts (e.g., SQL Server service accounts, backup agents) that genuinely require SeDebugPrivilege or SeAssignPrimaryTokenPrivilege will trigger the Event 4672 branch — tune by excluding known service account names.
Security testing tools and red team exercises using Invoke-TokenManipulation from PowerShell Empire or similar frameworks during authorized penetration tests.
Certain EDR and DLP agents that inject into processes or require token duplication for inline inspection may trigger process-level token API detections.

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  devicehostname AS host,
  username AS account_name,
  "Process Image" AS process_image,
  "Command Line" AS command_line,
  "Parent Image" AS parent_process,
  CASE
    WHEN LOWER("Process Image") MATCHES '(juicypotato|printspoofer|sweetpotato|godpotato|roguewinrm|rottenpotatong|incognito|tokenvator)'
      OR LOWER("Command Line") MATCHES '(juicypotato|printspoofer|sweetpotato|godpotato|roguewinrm|incognito|tokenvator)'
      THEN 'KnownTokenTool'
    WHEN LOWER("Process Image") MATCHES '(powershell\.exe|pwsh\.exe)'
      AND LOWER("Command Line") MATCHES '(invoke-tokenmanipulation|get-securitytoken|duplicatetokenex|openprocesstoken|adjusttokenprivileges|createprocesswithtoken|impersonateloggedonuser|setthreadtoken|ntimpersonatethread|invoke-runas|sedebugprivilege|seassignprimarytokenprivilege)'
      THEN 'PowerShellTokenAbuse'
    WHEN QIDNAME(qid) = 'Special privileges assigned to new logon'
      AND NOT username MATCHES '.*\$$'
      AND NOT LOWER(username) IN ('system', 'local service', 'network service')
      AND NOT LOWER(username) MATCHES '(dwm-|umfd-)'
      AND "Privilege List" MATCHES '(?i)(sedebugprivilege|seassignprimarytokenprivilege|setcbprivilege|secreatetokenprivilege)'
      THEN 'SuspiciousPrivilegeAssignment'
    ELSE 'unknown'
  END AS detection_type,
  logsourcename(logsourceid) AS log_source
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 13, 14, 67, 233)
  AND starttime > NOW() - 24 HOURS
  AND (
    LOWER("Process Image") MATCHES '(juicypotato|printspoofer|sweetpotato|godpotato|roguewinrm|rottenpotatong|incognito|tokenvator)'
    OR LOWER("Command Line") MATCHES '(juicypotato|printspoofer|sweetpotato|godpotato|roguewinrm|incognito|tokenvator)'
    OR (
      LOWER("Process Image") MATCHES '(powershell\.exe|pwsh\.exe)'
      AND LOWER("Command Line") MATCHES '(invoke-tokenmanipulation|get-securitytoken|duplicatetokenex|openprocesstoken|adjusttokenprivileges|createprocesswithtoken|impersonateloggedonuser|setthreadtoken|ntimpersonatethread|invoke-runas|sedebugprivilege|seassignprimarytokenprivilege)'
    )
    OR (
      QIDNAME(qid) = 'Special privileges assigned to new logon'
      AND NOT username MATCHES '.*\$$'
      AND NOT LOWER(username) IN ('system', 'local service', 'network service')
      AND NOT LOWER(username) MATCHES '(dwm-|umfd-)'
      AND "Privilege List" MATCHES '(?i)(sedebugprivilege|seassignprimarytokenprivilege|setcbprivilege|secreatetokenprivilege)'
    )
  )
  AND detection_type != 'unknown'
ORDER BY starttime DESC

high severity medium confidence

Data Sources

Windows Security Event Log Sysmon via Windows Event Forwarding QRadar Windows Custom Properties

Required Tables

events

False Positives

Service accounts for enterprise backup solutions (e.g., Veeam, Commvault) that legitimately hold SeDebugPrivilege will generate SuspiciousPrivilegeAssignment alerts — add those account names to an exclusion reference set.
Authorized red team or vulnerability assessment activities using commercial tools that enumerate or test token privileges.
Developer workstations running Visual Studio debugger or WinDbg under a user context, which may briefly require SeDebugPrivilege for attaching to processes.

Sumo Logic CSE

sql

(_sourceCategory="windows/security" OR _sourceCategory="windows/sysmon")
| parse "EventCode=*" as event_code nodrop
| parse "Image=*\n" as process_image nodrop
| parse "CommandLine=*\n" as command_line nodrop
| parse "ParentImage=*\n" as parent_image nodrop
| parse "User=*\n" as sysmon_user nodrop
| parse "SubjectUserName=*\n" as subject_user nodrop
| parse "PrivilegeList=*\n" as privilege_list nodrop
| if (isEmpty(sysmon_user), subject_user, sysmon_user) as account_name
| if (isEmpty(process_image), "N/A", process_image) as process_image
| if (isEmpty(command_line), privilege_list, command_line) as effective_cmdline
| toLowerCase(process_image) as process_image_lower
| toLowerCase(effective_cmdline) as cmdline_lower
| toLowerCase(account_name) as account_lower
| where (
    process_image_lower matches "*juicypotato*" OR
    process_image_lower matches "*printspoofer*" OR
    process_image_lower matches "*sweetpotato*" OR
    process_image_lower matches "*godpotato*" OR
    process_image_lower matches "*roguewinrm*" OR
    process_image_lower matches "*rottenpotatong*" OR
    process_image_lower matches "*incognito*" OR
    process_image_lower matches "*tokenvator*" OR
    cmdline_lower matches "*juicypotato*" OR
    cmdline_lower matches "*printspoofer*" OR
    cmdline_lower matches "*sweetpotato*" OR
    cmdline_lower matches "*godpotato*"
  ) OR (
    event_code = "1" AND
    (process_image_lower matches "*powershell.exe" OR process_image_lower matches "*pwsh.exe") AND
    (
      cmdline_lower matches "*invoke-tokenmanipulation*" OR
      cmdline_lower matches "*duplicatetokenex*" OR
      cmdline_lower matches "*openprocesstoken*" OR
      cmdline_lower matches "*adjusttokenprivileges*" OR
      cmdline_lower matches "*createprocesswithtoken*" OR
      cmdline_lower matches "*impersonateloggedonuser*" OR
      cmdline_lower matches "*setthreadtoken*" OR
      cmdline_lower matches "*ntimpersonatethread*" OR
      cmdline_lower matches "*invoke-runas*" OR
      cmdline_lower matches "*sedebugprivilege*" OR
      cmdline_lower matches "*seassignprimarytokenprivilege*"
    )
  ) OR (
    event_code = "4672" AND
    !(account_lower matches "*$") AND
    !(account_lower in ("system", "local service", "network service")) AND
    !(account_lower matches "dwm-*") AND
    !(account_lower matches "umfd-*") AND
    (
      cmdline_lower matches "*sedebugprivilege*" OR
      cmdline_lower matches "*seassignprimarytokenprivilege*" OR
      cmdline_lower matches "*setcbprivilege*" OR
      cmdline_lower matches "*secreatetokenprivilege*"
    )
  )
| if (
    process_image_lower matches "*juicypotato*" OR process_image_lower matches "*printspoofer*" OR
    process_image_lower matches "*sweetpotato*" OR process_image_lower matches "*godpotato*" OR
    cmdline_lower matches "*juicypotato*" OR cmdline_lower matches "*printspoofer*",
    "KnownTokenTool",
    if (
      (process_image_lower matches "*powershell.exe" OR process_image_lower matches "*pwsh.exe") AND
      (cmdline_lower matches "*tokenmanipulation*" OR cmdline_lower matches "*duplicatetokenex*" OR cmdline_lower matches "*openprocesstoken*"),
      "PowerShellTokenAbuse",
      "SuspiciousPrivilegeAssignment"
    )
  ) as detection_type
| fields _messageTime, _sourceHost, account_name, process_image, effective_cmdline, parent_image, detection_type
| sort by _messageTime desc

high severity medium confidence

Data Sources

Windows Security Event Log Sysmon Operational Log

Required Tables

_sourceCategory=windows/security _sourceCategory=windows/sysmon

False Positives

Monitoring and observability agents (Dynatrace, AppDynamics OneAgent) that run under privileged accounts and legitimately receive SeDebugPrivilege at logon.
Internal security tools performing authorized access token inspection for DLP or insider threat detection may invoke OpenProcessToken or DuplicateTokenEx APIs.
Helpdesk or IT support staff using the 'runas' command to launch applications under alternative credentials for legitimate troubleshooting purposes.

Google Chronicle / SecOps

yaral

rule access_token_manipulation_t1134 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects Windows access token manipulation via known tools, PowerShell API abuse, or suspicious privilege assignments (T1134)"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Privilege Escalation, Defense Evasion"
    mitre_attack_technique = "T1134"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1134/"
    reference = "https://attack.mitre.org/techniques/T1134/"
    yara_l_version = "2.0"
    false_positives = "Service accounts with legitimate SeDebugPrivilege, authorized red team activities"

  events:
    (
      // Branch 1: Known token manipulation tools
      (
        $e.metadata.event_type = "PROCESS_LAUNCH"
        and (
          re.regex($e.target.process.file.full_path, `(?i)(juicypotato|printspoofer|sweetpotato|godpotato|roguewinrm|rottenpotatong|incognito|tokenvator)`)
          or re.regex($e.target.process.command_line, `(?i)(juicypotato|printspoofer|sweetpotato|godpotato|roguewinrm|incognito|tokenvator)`)
        )
      )
      or
      // Branch 2: PowerShell token API abuse
      (
        $e.metadata.event_type = "PROCESS_LAUNCH"
        and re.regex($e.target.process.file.full_path, `(?i)(powershell\.exe|pwsh\.exe)`)
        and re.regex($e.target.process.command_line, `(?i)(Invoke-TokenManipulation|Get-SecurityToken|DuplicateTokenEx|OpenProcessToken|AdjustTokenPrivileges|CreateProcessWithToken|ImpersonateLoggedOnUser|SetThreadToken|NtImpersonateThread|Invoke-RunAs|SeDebugPrivilege|SeAssignPrimaryTokenPrivilege|SeTcbPrivilege|SeCreateTokenPrivilege)`)
      )
      or
      // Branch 3: Suspicious special privilege assignment (Event ID 4672 equivalent)
      (
        $e.metadata.event_type = "USER_PRIVILEGE_ESCALATION"
        and not re.regex($e.principal.user.userid, `(?i)(\$$|^SYSTEM$|^LOCAL SERVICE$|^NETWORK SERVICE$|^DWM-|^UMFD-)`)
        and re.regex($e.target.resource.name, `(?i)(SeDebugPrivilege|SeAssignPrimaryTokenPrivilege|SeTcbPrivilege|SeCreateTokenPrivilege)`)
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Windows Security Event Log via Chronicle forwarder Sysmon via Chronicle Windows sensor Endpoint telemetry via Chronicle SIEM agent

Required Tables

UDM events: PROCESS_LAUNCH, USER_PRIVILEGE_ESCALATION

False Positives

Managed service accounts (MSAs) and group managed service accounts (gMSAs) for SQL Server, IIS, or Exchange that receive high-privilege tokens at service start — these end in '$' and should be excluded by the account filter, but custom naming conventions may bypass the filter.
Security orchestration platforms (Splunk SOAR, Palo Alto XSOAR) that execute PowerShell runbooks with token management functions for automated incident response.
Software deployment systems (SCCM, Intune) that use CreateProcessWithToken for deploying packages under the SYSTEM context may generate false positives on endpoints with verbose logging.

CrowdStrike LogScale (CQL)

cql

// Branch 1: Known token manipulation tool execution
#event_simpleName = "ProcessRollup2"
| FileName = /(?i)(juicypotato|printspoofer|sweetpotato|godpotato|roguewinrm|rottenpotatong|incognito|tokenvator)/
  OR ImageFileName = /(?i)(juicypotato|printspoofer|sweetpotato|godpotato|roguewinrm|rottenpotatong|incognito|tokenvator)/
  OR CommandLine = /(?i)(juicypotato|printspoofer|sweetpotato|godpotato|roguewinrm|incognito|tokenvator)/
| eval DetectionType = "KnownTokenTool"
| eval IsPotatoFamily = if(CommandLine = /(?i)(juicypotato|printspoofer|sweetpotato|godpotato)/, "true", "false")
| table timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, DetectionType, IsPotatoFamily

// Branch 2: PowerShell token API abuse
| union [
  #event_simpleName = "ProcessRollup2"
  | FileName = /(?i)(powershell\.exe|pwsh\.exe)/
  | CommandLine = /(?i)(Invoke-TokenManipulation|Get-SecurityToken|DuplicateTokenEx|OpenProcessToken|AdjustTokenPrivileges|CreateProcessWithToken|ImpersonateLoggedOnUser|SetThreadToken|NtImpersonateThread|Invoke-RunAs|SeDebugPrivilege|SeAssignPrimaryTokenPrivilege|SeTcbPrivilege|SeCreateTokenPrivilege)/
  | eval DetectionType = "PowerShellTokenAbuse"
  | eval IsPotatoFamily = "false"
  | table timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, DetectionType, IsPotatoFamily
]

// Branch 3: Suspicious privilege assignment events
| union [
  #event_simpleName = "UserAccountAddedToGroup" OR #event_simpleName = "UserPrivilegeGained"
  | UserName != /\$$/
  | UserName != /(?i)^(SYSTEM|LOCAL SERVICE|NETWORK SERVICE|DWM-|UMFD-)/
  | Privileges = /(?i)(SeDebugPrivilege|SeAssignPrimaryTokenPrivilege|SeTcbPrivilege|SeCreateTokenPrivilege)/
  | eval DetectionType = "SuspiciousPrivilegeAssignment"
  | eval IsPotatoFamily = "false"
  | eval CommandLine = Privileges
  | table timestamp, ComputerName, UserName, TargetProcessId, CommandLine, DetectionType, IsPotatoFamily
]

| sort timestamp desc

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Protection Falcon Insight XDR process telemetry

Required Tables

#event_simpleName=ProcessRollup2 #event_simpleName=UserPrivilegeGained #event_simpleName=UserAccountAddedToGroup

False Positives

CrowdStrike Falcon sensor itself and other EDR agents running as SYSTEM may generate ProcessRollup2 events that superficially match token manipulation patterns during process injection for monitoring purposes.
Enterprise password management tools (CyberArk PSM, BeyondTrust) that use token-based session isolation for privileged access management will generate privilege assignment events that match the SuspiciousPrivilegeAssignment branch.
Legitimate use of the Windows 'runas /savecred' or 'runas /netonly' commands by IT administrators for accessing network resources without full impersonation will generate token-related events that partially overlap with the PowerShell abuse branch if scripted.

Last updated: 2026-04-18 Research depth: deep

References (12)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1134 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Access Token Manipulation

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (5)

Same Tactic: Defense Evasion

Popular Detections