T1134.001

Token Impersonation/Theft

Adversaries may duplicate then impersonate another user's existing token to escalate privileges and bypass access controls. DuplicateToken or DuplicateTokenEx are used to clone an existing process token, which is then applied to the current thread via ImpersonateLoggedOnUser or SetThreadToken, or used to create a new process via CreateProcessWithTokenW. This allows an adversary to operate under a different security context — typically a higher-privileged user — without needing that user's credentials. Token theft is commonly performed against LSASS, winlogon, explorer.exe, or other processes running as privileged users, and is a core capability of post-exploitation frameworks including Cobalt Strike (steal_token), Metasploit (incognito), Havoc, SILENTTRINITY, and Pupy. Real-world actors including APT28, Emotet, REvil, Tarrask, and FinFisher have all leveraged this technique.

Microsoft Sentinel / Defender

kusto

// T1134.001 — Token Impersonation/Theft
// Branch 1: Process handle acquisition to privileged processes with token-capable access rights
let PrivilegedTargets = dynamic(["lsass.exe", "winlogon.exe", "csrss.exe", "services.exe", "wininit.exe"]);
let LegitAccessors = dynamic(["MsMpEng.exe", "SenseIR.exe", "SenseCE.exe", "SecurityHealthService.exe", "AzureADConnectAuthenticatio.exe", "csrss.exe", "smss.exe", "wininit.exe"]);
let SuspiciousProcessAccess = DeviceEvents
| where Timestamp > ago(24h)
| where ActionType == "OpenProcess"
| where FileName has_any (PrivilegedTargets)
| extend ParsedFields = parse_json(AdditionalFields)
| extend GrantedAccess = tostring(ParsedFields.GrantedAccess)
// TOKEN_DUPLICATE (0x0002), TOKEN_IMPERSONATE (0x0004), PROCESS_DUP_HANDLE (0x0040),
// PROCESS_ALL_ACCESS (0x1FFFFF), common mimikatz/C2 access mask (0x1010, 0x143a)
| where GrantedAccess in~ ("0x1010", "0x1fffff", "0x1f0fff", "0x0040", "0x143a", "0x40", "0x0002", "0x0004")
    or tolong(GrantedAccess) band 0x0040 > 0  // PROCESS_DUP_HANDLE bit set
| where not (InitiatingProcessFileName has_any (LegitAccessors))
| extend RiskScore = 70, Branch = "ProcessAccess_PrivTarget"
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName,
         InitiatingProcessCommandLine, TargetProcess=FileName, GrantedAccess, RiskScore, Branch;
// Branch 2: Known token manipulation tools and post-exploitation framework command-line patterns
let TokenToolNames = dynamic(["incognito.exe", "tokenvator.exe", "tokenduplicator.exe", "token_manipulator.exe"]);
let TokenManipCLI = dynamic(["steal_token", "impersonate_token", "Invoke-TokenManipulation",
    "ImpersonateLoggedOnUser", "DuplicateTokenEx", "SetThreadToken", "getsystem",
    "rev2self", "getuid", "NtFilterToken", "SeImpersonatePrivilege"]);
let ToolBasedDetection = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (TokenToolNames)
    or ProcessCommandLine has_any (TokenManipCLI)
| extend RiskScore = 85, Branch = "TokenManip_Tool"
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName,
         InitiatingProcessCommandLine, TargetProcess=FileName, GrantedAccess="", RiskScore, Branch;
// Branch 3: Special privilege assignment to non-system interactive accounts —
// indicator of successful impersonation or token manipulation
let HighRiskPrivs = dynamic(["SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege",
    "SeTcbPrivilege", "SeDebugPrivilege"]);
let PrivEscalation = SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4672
| where PrivilegeList has_any (HighRiskPrivs)
| where SubjectUserName !endswith "$"
| where SubjectUserName !in~ ("SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE", "ANONYMOUS LOGON")
| where SubjectLogonId !in ("0x3e7", "0x3e4", "0x3e5")  // Exclude SYSTEM, NETWORK SERVICE, LOCAL SERVICE logons
| extend RiskScore = 60, Branch = "HighRisk_Privilege_Assigned"
| project Timestamp=TimeGenerated, DeviceName=Computer, AccountName=SubjectUserName,
         InitiatingProcessFileName=ProcessName, InitiatingProcessCommandLine="",
         TargetProcess="", GrantedAccess=PrivilegeList, RiskScore, Branch;
// Branch 4: Suspicious parent-child process privilege elevation —
// low-privilege parent spawning a process under a higher-privilege account
let PrivElevationChain = DeviceProcessEvents
| where Timestamp > ago(24h)
| where AccountName != InitiatingProcessAccountName
| where AccountName =~ "SYSTEM" and InitiatingProcessAccountName !in~ ("SYSTEM", "")
| where InitiatingProcessFileName !in~ ("services.exe", "svchost.exe", "wininit.exe",
    "lsass.exe", "smss.exe", "csrss.exe", "winlogon.exe")
| extend RiskScore = 75, Branch = "PrivElevation_ParentChild"
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName,
         InitiatingProcessCommandLine, TargetProcess=FileName, GrantedAccess="", RiskScore, Branch;
// Union all detection branches
SuspiciousProcessAccess
| union ToolBasedDetection
| union PrivEscalation
| union PrivElevationChain
| sort by RiskScore desc, Timestamp desc

high severity medium confidence

Data Sources

Process: Process Access Process: Process Creation Windows Event Logs: Security Microsoft Defender for Endpoint

Required Tables

DeviceEvents DeviceProcessEvents SecurityEvent

False Positives

Security and EDR products (Microsoft Defender, CrowdStrike, Carbon Black) legitimately open LSASS with high access rights for memory scanning and credential protection — these should be baselined and excluded by InitiatingProcessFileName
Password managers (1Password, LastPass desktop agents) and credential vaults may access privileged process memory
Debugging tools (WinDbg, Visual Studio debugger, x64dbg) open process handles with full access rights during legitimate development and security research
Vulnerability scanners and system inventory tools (Qualys, Tenable, SCCM Hardware Inventory) may enumerate process tokens for asset cataloging
Legitimate privileged automation scripts run by IT teams using SeImpersonatePrivilege for network share access or service account operations

Splunk

spl

// T1134.001 — Token Impersonation/Theft (SPL — Sysmon + Security logs)
// Branch 1: Sysmon EventCode=10 — process access to LSASS or other privileged processes
// with access masks associated with token theft
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=10
    TargetImage IN ("*\\lsass.exe", "*\\winlogon.exe", "*\\csrss.exe", "*\\services.exe", "*\\wininit.exe")
    (GrantedAccess="0x1010" OR GrantedAccess="0x1fffff" OR GrantedAccess="0x1f0fff"
     OR GrantedAccess="0x143a" OR GrantedAccess="0x0040" OR GrantedAccess="0x40"
     OR GrantedAccess="0x1410" OR GrantedAccess="0x0002" OR GrantedAccess="0x0004")
NOT (SourceImage IN ("*\\MsMpEng.exe", "*\\SenseIR.exe", "*\\SenseCE.exe",
    "*\\SecurityHealthService.exe", "*\\csrss.exe", "*\\smss.exe", "*\\wininit.exe",
    "*\\AzureADConnectAuthenticatio.exe"))
| eval Branch="ProcessAccess_PrivTarget"
| eval RiskScore=70
| eval SourceProc=SourceImage, TargetProc=TargetImage, TokenAccess=GrantedAccess
| table _time, host, SourceUser, SourceProc, TargetProc, TokenAccess, CallTrace, Branch, RiskScore
| append [
    search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
        (Image="*\\incognito.exe" OR Image="*\\tokenvator.exe" OR Image="*\\tokenduplicator.exe"
         OR CommandLine="*steal_token*" OR CommandLine="*impersonate_token*"
         OR CommandLine="*Invoke-TokenManipulation*" OR CommandLine="*ImpersonateLoggedOnUser*"
         OR CommandLine="*DuplicateTokenEx*" OR CommandLine="*SetThreadToken*"
         OR CommandLine="*getsystem*" OR CommandLine="*rev2self*"
         OR CommandLine="*NtFilterToken*" OR CommandLine="*SeImpersonatePrivilege*")
    | eval Branch="TokenManip_Tool"
    | eval RiskScore=85
    | eval SourceProc=ParentImage, TargetProc=Image, TokenAccess=""
    | table _time, host, User, SourceProc, TargetProc, CommandLine, Branch, RiskScore
]
| append [
    search index=wineventlog sourcetype="WinEventLog:Security" EventCode=4672
        (PrivilegeList="*SeImpersonatePrivilege*" OR PrivilegeList="*SeAssignPrimaryTokenPrivilege*"
         OR PrivilegeList="*SeTcbPrivilege*" OR PrivilegeList="*SeDebugPrivilege*")
        NOT (SubjectUserName="*$" OR SubjectUserName IN ("SYSTEM","LOCAL SERVICE","NETWORK SERVICE","ANONYMOUS LOGON"))
        NOT (SubjectLogonId IN ("0x3e7","0x3e4","0x3e5"))
    | eval Branch="HighRisk_Privilege_Assigned"
    | eval RiskScore=60
    | eval SourceProc=ProcessName, TargetProc="", TokenAccess=PrivilegeList
    | table _time, host, SubjectUserName, SourceProc, TargetProc, TokenAccess, Branch, RiskScore
]
| sort - RiskScore _time

high severity medium confidence

Data Sources

Process: Process Access Process: Process Creation Windows Event Logs: Security Sysmon Event ID 10 Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

Security and EDR products (Microsoft Defender, CrowdStrike Falcon, Carbon Black) legitimately access LSASS with high GrantedAccess values — whitelist by SourceImage path
Password managers and enterprise credential management tools may read process memory from privileged processes
Debugging sessions with WinDbg, x64dbg, or Visual Studio attach to processes with full access rights
Legitimate system management tools (SysMon, ProcMon, Process Hacker in authorized use) opening privileged process handles for diagnostics
SQL Server and IIS application pool accounts legitimately hold SeImpersonatePrivilege — exclude these known service account patterns

Elastic Security (EQL)

eql

any where (
  /* Branch 1: Sysmon EventID 10 — process access to privileged targets with token-theft access masks */
  (
    winlog.event_id == 10 and
    winlog.event_data.TargetImage like~ ("*\\lsass.exe", "*\\winlogon.exe", "*\\csrss.exe", "*\\services.exe", "*\\wininit.exe") and
    winlog.event_data.GrantedAccess in~ ("0x1010", "0x1fffff", "0x1f0fff", "0x143a", "0x0040", "0x40", "0x1410", "0x0002", "0x0004") and
    not winlog.event_data.SourceImage like~ ("*\\MsMpEng.exe", "*\\SenseIR.exe", "*\\SenseCE.exe", "*\\SecurityHealthService.exe", "*\\AzureADConnectAuthenticatio.exe", "*\\csrss.exe", "*\\smss.exe", "*\\wininit.exe")
  ) or
  /* Branch 2: Sysmon EventID 1 — known token manipulation tool execution or C2 post-exploitation CLI patterns */
  (
    winlog.event_id == 1 and
    (
      process.name in~ ("incognito.exe", "tokenvator.exe", "tokenduplicator.exe", "token_manipulator.exe") or
      process.command_line like~ ("*steal_token*", "*impersonate_token*", "*Invoke-TokenManipulation*", "*ImpersonateLoggedOnUser*", "*DuplicateTokenEx*", "*SetThreadToken*", "*getsystem*", "*rev2self*", "*NtFilterToken*", "*SeImpersonatePrivilege*")
    )
  ) or
  /* Branch 3: Windows Security EventID 4672 — high-risk privilege assigned to non-system interactive account */
  (
    winlog.event_id == 4672 and
    (
      winlog.event_data.PrivilegeList like "*SeImpersonatePrivilege*" or
      winlog.event_data.PrivilegeList like "*SeAssignPrimaryTokenPrivilege*" or
      winlog.event_data.PrivilegeList like "*SeTcbPrivilege*" or
      winlog.event_data.PrivilegeList like "*SeDebugPrivilege*"
    ) and
    not winlog.event_data.SubjectUserName like~ "*$" and
    not winlog.event_data.SubjectUserName in~ ("SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE", "ANONYMOUS LOGON") and
    not winlog.event_data.SubjectLogonId in ("0x3e7", "0x3e4", "0x3e5")
  ) or
  /* Branch 4: Sysmon EventID 1 — non-privileged parent spawning SYSTEM-context child process */
  (
    winlog.event_id == 1 and
    winlog.event_data.User like~ "*\\SYSTEM" and
    winlog.event_data.ParentUser != "" and
    not winlog.event_data.ParentUser like~ "*\\SYSTEM" and
    not process.parent.name in~ ("services.exe", "svchost.exe", "wininit.exe", "lsass.exe", "smss.exe", "csrss.exe", "winlogon.exe")
  )
)

high severity high confidence

Data Sources

Sysmon (Microsoft-Windows-Sysmon/Operational) via Winlogbeat Windows Security Event Log via Winlogbeat

Required Tables

winlog (Winlogbeat index with Sysmon and Security Event Log data)

False Positives

Legitimate EDR and AV products (CrowdStrike Falcon sensor, Carbon Black, Cortex XDR) that open LSASS for real-time memory inspection — SourceImage allowlist covers common Microsoft products but third-party security tools may require additional entries
Domain administrators with SeDebugPrivilege granted via Group Policy will fire Branch 3 on every interactive logon — scope by SubjectLogonType or restrict to non-privileged OU accounts
Software deployment and patch management tools that temporarily run child processes under SYSTEM context via impersonation (SCCM, Intune Management Extension) will trigger Branch 4 — add parent process names to exclusion list after verification

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  CATEGORYNAME(category) AS category_name,
  username,
  QIDNAME(qid) AS event_name,
  "SourceImage",
  "TargetImage",
  "GrantedAccess",
  "CallTrace",
  "Image",
  "CommandLine",
  "PrivilegeList",
  "SubjectUserName",
  "SubjectLogonId",
  CASE
    WHEN ("CommandLine" ILIKE '%steal_token%'
      OR "CommandLine" ILIKE '%impersonate_token%'
      OR "CommandLine" ILIKE '%Invoke-TokenManipulation%'
      OR "CommandLine" ILIKE '%DuplicateTokenEx%'
      OR "CommandLine" ILIKE '%SetThreadToken%'
      OR "Image" ILIKE '%\incognito.exe'
      OR "Image" ILIKE '%\tokenvator.exe'
      OR "Image" ILIKE '%\tokenduplicator.exe') THEN 85
    WHEN (eventid = 10
      AND ("TargetImage" ILIKE '%\lsass.exe'
        OR "TargetImage" ILIKE '%\winlogon.exe'
        OR "TargetImage" ILIKE '%\csrss.exe'
        OR "TargetImage" ILIKE '%\services.exe'
        OR "TargetImage" ILIKE '%\wininit.exe')
      AND "GrantedAccess" IN ('0x1010','0x1fffff','0x1f0fff','0x143a','0x0040','0x40','0x0002','0x0004')) THEN 70
    WHEN (eventid = 4672
      AND ("PrivilegeList" ILIKE '%SeImpersonatePrivilege%'
        OR "PrivilegeList" ILIKE '%SeAssignPrimaryTokenPrivilege%'
        OR "PrivilegeList" ILIKE '%SeTcbPrivilege%'
        OR "PrivilegeList" ILIKE '%SeDebugPrivilege%')) THEN 60
    ELSE 50
  END AS risk_score
FROM events
WHERE starttime > NOW() - 86400000
  AND LOGSOURCETYPEID IN (12, 13, 397)
  AND (
    /* Branch 1: Sysmon EventID 10 — process handle to privileged targets with token-theft access masks */
    (
      eventid = 10
      AND (
        "TargetImage" ILIKE '%\lsass.exe'
        OR "TargetImage" ILIKE '%\winlogon.exe'
        OR "TargetImage" ILIKE '%\csrss.exe'
        OR "TargetImage" ILIKE '%\services.exe'
        OR "TargetImage" ILIKE '%\wininit.exe'
      )
      AND (
        "GrantedAccess" = '0x1010'
        OR "GrantedAccess" = '0x1fffff'
        OR "GrantedAccess" = '0x1f0fff'
        OR "GrantedAccess" = '0x143a'
        OR "GrantedAccess" = '0x0040'
        OR "GrantedAccess" = '0x40'
        OR "GrantedAccess" = '0x0002'
        OR "GrantedAccess" = '0x0004'
      )
      AND "SourceImage" NOT ILIKE '%\MsMpEng.exe'
      AND "SourceImage" NOT ILIKE '%\SenseIR.exe'
      AND "SourceImage" NOT ILIKE '%\SenseCE.exe'
      AND "SourceImage" NOT ILIKE '%\SecurityHealthService.exe'
      AND "SourceImage" NOT ILIKE '%\AzureADConnectAuthenticatio.exe'
      AND "SourceImage" NOT ILIKE '%\csrss.exe'
      AND "SourceImage" NOT ILIKE '%\smss.exe'
      AND "SourceImage" NOT ILIKE '%\wininit.exe'
    )
    OR
    /* Branch 2: Sysmon EventID 1 — token manipulation tool names or C2 post-exploitation CLI strings */
    (
      eventid = 1
      AND (
        "Image" ILIKE '%\incognito.exe'
        OR "Image" ILIKE '%\tokenvator.exe'
        OR "Image" ILIKE '%\tokenduplicator.exe'
        OR "Image" ILIKE '%\token_manipulator.exe'
        OR "CommandLine" ILIKE '%steal_token%'
        OR "CommandLine" ILIKE '%impersonate_token%'
        OR "CommandLine" ILIKE '%Invoke-TokenManipulation%'
        OR "CommandLine" ILIKE '%ImpersonateLoggedOnUser%'
        OR "CommandLine" ILIKE '%DuplicateTokenEx%'
        OR "CommandLine" ILIKE '%SetThreadToken%'
        OR "CommandLine" ILIKE '%getsystem%'
        OR "CommandLine" ILIKE '%rev2self%'
        OR "CommandLine" ILIKE '%NtFilterToken%'
        OR "CommandLine" ILIKE '%SeImpersonatePrivilege%'
      )
    )
    OR
    /* Branch 3: Windows Security EventID 4672 — high-risk privilege assignment to non-system account */
    (
      eventid = 4672
      AND (
        "PrivilegeList" ILIKE '%SeImpersonatePrivilege%'
        OR "PrivilegeList" ILIKE '%SeAssignPrimaryTokenPrivilege%'
        OR "PrivilegeList" ILIKE '%SeTcbPrivilege%'
        OR "PrivilegeList" ILIKE '%SeDebugPrivilege%'
      )
      AND username NOT LIKE '%$'
      AND username NOT IN ('SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE', 'ANONYMOUS LOGON', '-')
      AND "SubjectLogonId" NOT IN ('0x3e7', '0x3e4', '0x3e5')
    )
  )
ORDER BY risk_score DESC, starttime DESC
LAST 24 HOURS

high severity high confidence

Data Sources

Windows Security Event Log (QRadar LOGSOURCETYPEID 12 or 13) Sysmon via Windows Event Forwarding or direct QRadar WinCollect agent (LOGSOURCETYPEID 397)

Required Tables

events

False Positives

Security vulnerability scanners (Tenable Nessus, Qualys) running credentialed scans may open handles to LSASS with elevated access rights — identify by correlating SourceImage with known scanner service account processes
IT administrators with SeDebugPrivilege granted by Group Policy will generate EventID 4672 alerts on every interactive logon — filter by SubjectLogonType field or restrict to specific OU-based account exclusions in a reference set
PowerShell automation scripts that enumerate or reference Windows API names (DuplicateTokenEx, ImpersonateLoggedOnUser) in strings or comments without executing them may match Branch 2 CommandLine patterns

Sumo Logic CSE

sql

(_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*wineventlog* OR _sourceCategory=*winlogbeat*)
| parse regex "(?:EventID|EventCode)[^>]*>(?<event_id>\d+)<" nodrop
| parse regex "TargetImage[^>]*>(?<target_image>[^<]+)<" nodrop
| parse regex "SourceImage[^>]*>(?<source_image>[^<]+)<" nodrop
| parse regex "GrantedAccess[^>]*>(?<granted_access>[^<]+)<" nodrop
| parse regex "CallTrace[^>]*>(?<call_trace>[^<]+)<" nodrop
| parse regex "(?:CommandLine|ProcessCommandLine)[^>]*>(?<command_line>[^<]+)<" nodrop
| parse regex "(?:Image|NewProcessName)[^>]*>(?<image_name>[^<]+)<" nodrop
| parse regex "PrivilegeList[^>]*>(?<privilege_list>[^<]+)<" nodrop
| parse regex "SubjectUserName[^>]*>(?<subject_username>[^<]+)<" nodrop
| parse regex "SubjectLogonId[^>]*>(?<subject_logon_id>[^<]+)<" nodrop
| parse regex "ParentImage[^>]*>(?<parent_image>[^<]+)<" nodrop
| where (
    /* Branch 1: Sysmon EventID 10 — process access to privileged targets with token-theft access masks */
    (
      event_id = "10"
      AND (target_image matches "(?i).*\\lsass\.exe$"
        OR target_image matches "(?i).*\\winlogon\.exe$"
        OR target_image matches "(?i).*\\csrss\.exe$"
        OR target_image matches "(?i).*\\services\.exe$"
        OR target_image matches "(?i).*\\wininit\.exe$")
      AND (granted_access = "0x1010" OR granted_access = "0x1fffff" OR granted_access = "0x1f0fff"
        OR granted_access = "0x143a" OR granted_access = "0x0040" OR granted_access = "0x40"
        OR granted_access = "0x1410" OR granted_access = "0x0002" OR granted_access = "0x0004")
      AND !(source_image matches "(?i).*\\(MsMpEng|SenseIR|SenseCE|SecurityHealthService|AzureADConnectAuthenticatio|csrss|smss|wininit)\.exe$")
    )
    OR
    /* Branch 2: Sysmon EventID 1 — token manipulation tool execution or C2 post-exploitation CLI patterns */
    (
      event_id = "1"
      AND (
        image_name matches "(?i).*\\(incognito|tokenvator|tokenduplicator|token_manipulator)\.exe$"
        OR command_line matches "(?i).*(steal_token|impersonate_token|Invoke-TokenManipulation|ImpersonateLoggedOnUser|DuplicateTokenEx|SetThreadToken|getsystem|rev2self|NtFilterToken|SeImpersonatePrivilege).*"
      )
    )
    OR
    /* Branch 3: Windows Security EventID 4672 — high-risk privilege assignment to non-system account */
    (
      event_id = "4672"
      AND privilege_list matches "(?i).*(SeImpersonatePrivilege|SeAssignPrimaryTokenPrivilege|SeTcbPrivilege|SeDebugPrivilege).*"
      AND !(subject_username matches ".*\$"
        OR subject_username in ("SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE", "ANONYMOUS LOGON"))
      AND !(subject_logon_id in ("0x3e7", "0x3e4", "0x3e5"))
    )
  )
| eval risk_score = if(event_id = "1"
    AND (command_line matches "(?i).*(steal_token|impersonate_token|Invoke-TokenManipulation|DuplicateTokenEx|SetThreadToken|getsystem|rev2self).*"
      OR image_name matches "(?i).*\\(incognito|tokenvator|tokenduplicator|token_manipulator)\.exe$"), 85,
    if(event_id = "10", 70,
      if(event_id = "4672", 60, 50)))
| eval detection_branch = if(event_id = "10", "ProcessAccess_PrivTarget",
    if(event_id = "1", "TokenManip_Tool",
      if(event_id = "4672", "HighRisk_Privilege_Assigned", "Unknown")))
| fields _messageTime, _sourceHost, subject_username, source_image, target_image, image_name, command_line, granted_access, privilege_list, call_trace, detection_branch, risk_score
| sort by risk_score, _messageTime desc

high severity high confidence

Data Sources

Sysmon (Microsoft-Windows-Sysmon/Operational) collected via Installed Collector or OpenTelemetry Windows Security Event Log collected via Installed Collector

Required Tables

Sumo Logic raw log index (Windows and Sysmon source categories)

False Positives

Endpoint security agents including CrowdStrike Falcon sensor, SentinelOne, and Microsoft Defender for Endpoint open LSASS for protection scanning and will trigger Branch 1 — extend source_image exclusion regex with local agent binary paths after confirming with EDR vendor documentation
IIS application pool identities, SQL Server service accounts, and scheduled task service accounts legitimately hold SeImpersonatePrivilege by design and will generate continuous Branch 3 alerts on every service start logon — filter using subject_username patterns matching your service account naming standard
Red team or purple team exercises using authorized tooling (Cobalt Strike, Havoc, Brute Ratel) on designated test endpoints will produce high-confidence Branch 2 matches — exclude by _sourceHost or apply a lookup table of authorized red team host names

Google Chronicle / SecOps

yaral

rule t1134_001_token_impersonation_theft {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects token impersonation and theft via privileged process handle acquisition, token manipulation tool execution, and high-risk privilege assignment to non-system accounts (MITRE ATT&CK T1134.001)"
    mitre_attack_technique = "T1134.001"
    mitre_attack_tactic = "Privilege Escalation, Defense Evasion"
    platform = "Windows"
    severity = "HIGH"
    confidence = "HIGH"
    version = "1.0"
    reference = "https://attack.mitre.org/techniques/T1134/001/"

  events:
    (
      /* Branch 1: PROCESS_OPEN to LSASS or other privileged Windows processes with token-capable access rights */
      (
        $e.metadata.event_type = "PROCESS_OPEN" and
        re.regex($e.target.process.file.full_path,
          `(?i)(\\lsass\.exe|\\winlogon\.exe|\\csrss\.exe|\\services\.exe|\\wininit\.exe)$`) and
        $e.target.process.access_mask in
          ("0x1010", "0x1fffff", "0x1f0fff", "0x143a", "0x0040", "0x40", "0x1410", "0x0002", "0x0004") and
        not re.regex($e.principal.process.file.full_path,
          `(?i)(\\MsMpEng\.exe|\\SenseIR\.exe|\\SenseCE\.exe|\\SecurityHealthService\.exe|\\csrss\.exe|\\smss\.exe|\\wininit\.exe|\\AzureADConnectAuthenticatio\.exe)$`)
      )
      or
      /* Branch 2: PROCESS_LAUNCH matching known token manipulation tool names or C2 framework post-exploitation CLI strings */
      (
        $e.metadata.event_type = "PROCESS_LAUNCH" and
        (
          re.regex($e.target.process.file.full_path,
            `(?i)(\\incognito\.exe|\\tokenvator\.exe|\\tokenduplicator\.exe|\\token_manipulator\.exe)$`) or
          re.regex($e.target.process.command_line,
            `(?i)(steal_token|impersonate_token|Invoke-TokenManipulation|ImpersonateLoggedOnUser|DuplicateTokenEx|SetThreadToken|getsystem|rev2self|NtFilterToken|SeImpersonatePrivilege)`)
        )
      )
      or
      /* Branch 3: Windows Security EventID 4672 — high-risk impersonation or TCB privilege assigned to non-system interactive account */
      (
        $e.metadata.product_event_type = "4672" and
        (
          re.regex($e.extensions.auth.auth_details,
            `(?i)(SeImpersonatePrivilege|SeAssignPrimaryTokenPrivilege|SeTcbPrivilege|SeDebugPrivilege)`) or
          re.regex($e.target.user.attribute.labels.value,
            `(?i)(SeImpersonatePrivilege|SeAssignPrimaryTokenPrivilege|SeTcbPrivilege|SeDebugPrivilege)`)
        ) and
        not re.regex($e.principal.user.userid, `\$$`) and
        not $e.principal.user.userid in
          ("SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE", "ANONYMOUS LOGON")
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Chronicle with Windows Sysmon telemetry ingested via Google Chronicle Forwarder or Ingestion API Windows Security Event Log via Chronicle Windows Sensor or Bindplane

Required Tables

Chronicle UDM Events (PROCESS_OPEN, PROCESS_LAUNCH event types and Windows Security raw log ingestion)

False Positives

Microsoft Defender Antivirus and Windows Defender ATP routinely open LSASS for memory scanning — the principal process exclusion covers MsMpEng.exe but newer Microsoft security process names may require additions to the allowlist regex
SQL Server Database Engine and IIS worker processes (w3wp.exe) hold SeImpersonatePrivilege by design for impersonating database connection principals — these generate EventID 4672 alerts on every service account logon and should be excluded by principal.user.userid pattern
Authorized penetration testing activities using Cobalt Strike or Havoc C2 on designated red team endpoints will produce high-fidelity Branch 2 matches — scope detection to production assets using principal.asset.hostname or asset group labels

CrowdStrike LogScale (CQL)

cql

#event_simpleName in ("ProcessRollup2", "ProcessAccessV2", "ProcessAccess")
| case {
    /* Branch 1: ProcessAccessV2 — handle acquisition to privileged Windows processes with token-theft access masks */
    #event_simpleName in ("ProcessAccessV2", "ProcessAccess")
      TargetImageFileName = /(?i)(\\lsass\.exe|\\winlogon\.exe|\\csrss\.exe|\\services\.exe|\\wininit\.exe)$/
      GrantedAccess = /^(0x1010|0x1fffff|0x1f0fff|0x143a|0x0040|0x40|0x1410|0x0002|0x0004)$/i
      NOT SourceImageFileName = /(?i)(\\MsMpEng\.exe|\\SenseIR\.exe|\\SenseCE\.exe|\\SecurityHealthService\.exe|\\csrss\.exe|\\smss\.exe|\\wininit\.exe|\\AzureADConnectAuthenticatio\.exe)$/
      | eval Branch := "ProcessAccess_PrivTarget"
      | eval RiskScore := 70;
    /* Branch 2: ProcessRollup2 — token manipulation tool execution or C2 post-exploitation CLI patterns */
    #event_simpleName = "ProcessRollup2"
      (
        ImageFileName = /(?i)(\\incognito\.exe|\\tokenvator\.exe|\\tokenduplicator\.exe|\\token_manipulator\.exe)$/
        OR CommandLine = /(?i)(steal_token|impersonate_token|Invoke-TokenManipulation|ImpersonateLoggedOnUser|DuplicateTokenEx|SetThreadToken|getsystem|rev2self|NtFilterToken|SeImpersonatePrivilege)/
      )
      | eval Branch := "TokenManip_Tool"
      | eval RiskScore := 85;
    * | drop;
  }
| eval TargetProc := TargetImageFileName
| eval SourceProc := coalesce(SourceImageFileName, ImageFileName)
| table([@timestamp, ComputerName, UserName, SourceProc, TargetProc, GrantedAccess, CommandLine, Branch, RiskScore])
| sort(RiskScore, order=desc, limit=1000)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint sensor (ProcessRollup2 process creation telemetry) CrowdStrike Falcon Endpoint sensor with process access tracking (ProcessAccessV2 events — requires Comprehensive mode or equivalent sensor configuration)

Required Tables

ProcessRollup2 ProcessAccessV2 ProcessAccess

False Positives

The CrowdStrike Falcon sensor itself may generate ProcessAccessV2 events when inspecting LSASS for threat detection — Falcon-internal sensor processes may not be captured in SourceImageFileName and could appear as unnamed or system-context accessors requiring exclusion by PID lineage
Privileged Access Management solutions (CyberArk Endpoint Privilege Manager, BeyondTrust PowerBroker) that perform just-in-time token elevation to grant temporary SYSTEM access will trigger Branch 1 with legitimate access mask patterns — identify by correlating with PAM session context or known PAM agent process names
Enterprise PowerShell automation frameworks (PSRemoting runspaces, SCOM management agents) that reference token API names as strings in script bodies or error handling code may match Branch 2 CommandLine regex without executing actual token operations

Last updated: 2026-04-18 Research depth: deep

References (9)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1134.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1134Access Token Manipulation

Related Sub-techniques

T1134.002Create Process with Token T1134.003Make and Impersonate Token T1134.004Parent PID Spoofing T1134.005SID-History Injection

Token Impersonation/Theft

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections