T1134.001 IBM QRadar · QRadar

Detect Token Impersonation/Theft in IBM QRadar

Adversaries may duplicate and then impersonate another user's existing token to escalate privileges and bypass access controls. The usual sequence is OpenProcess on a target running as the desired user, OpenProcessToken to obtain its primary token, DuplicateToken or DuplicateTokenEx to clone it, and then either ImpersonateLoggedOnUser or SetThreadToken to apply the copy to the current thread, or CreateProcessWithTokenW to start a new process under it. The adversary then operates in a different security context, typically a higher-privileged user, without ever holding that user's credentials; the only prerequisite is the right to open the target process, which for SYSTEM-owned targets such as lsass.exe or winlogon.exe normally means SeDebugPrivilege. Token theft is commonly performed against LSASS, winlogon, explorer.exe, or other processes running as privileged users, and is a core capability of post-exploitation frameworks including Cobalt Strike (steal_token), Metasploit (incognito), Havoc, SILENTTRINITY, and Pupy. Real-world actors including APT28, Emotet, REvil, Tarrask, and FinFisher have all leveraged this technique.

MITRE ATT&CK

Tactic
Defense Evasion, Privilege Escalation
Technique
T1134 Access Token Manipulation
Sub-technique
T1134.001 Token Impersonation/Theft
Canonical reference
https://attack.mitre.org/techniques/T1134/001/

QRadar Detection Query

IBM QRadar AQL
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCENAME(logsourceid) AS log_source,
  CATEGORYNAME(category) AS category_name,
  username,
  QIDNAME(qid) AS event_name,
  "EventID",
  "SourceImage",
  "TargetImage",
  "GrantedAccess",
  "CallTrace",
  "Image",
  "CommandLine",
  "PrivilegeList",
  "SubjectUserName",
  "SubjectLogonId",
  /* The WHERE clause already enforces each branch's conditions, so the score only needs the event ID */
  CASE
    WHEN "EventID" = 1 THEN 85
    WHEN "EventID" = 10 THEN 70
    WHEN "EventID" = 4672 THEN 60
    ELSE 50
  END AS risk_score
FROM events
/* devicetype is the log source type ID: 12/13 Windows Security Event Log, 397 Sysmon; confirm with LOGSOURCETYPENAME(devicetype) */
WHERE devicetype IN (12, 13, 397)
  AND (
    /* Branch 1: Sysmon EventID 10, handle to a privileged process with a dump/theft-style process access mask.
       Sysmon writes the mask as unpadded hex (0x1FFFFF, 0x40); LOWER() makes the comparison case-insensitive */
    (
      "EventID" = 10
      AND (
        "TargetImage" ILIKE '%\lsass.exe'
        OR "TargetImage" ILIKE '%\winlogon.exe'
        OR "TargetImage" ILIKE '%\csrss.exe'
        OR "TargetImage" ILIKE '%\services.exe'
        OR "TargetImage" ILIKE '%\wininit.exe'
      )
      AND LOWER("GrantedAccess") IN ('0x1010', '0x1fffff', '0x1f0fff', '0x143a', '0x40', '0x2', '0x4')
      AND "SourceImage" NOT ILIKE '%\MsMpEng.exe'
      AND "SourceImage" NOT ILIKE '%\SenseIR.exe'
      AND "SourceImage" NOT ILIKE '%\SenseCE.exe'
      AND "SourceImage" NOT ILIKE '%\SecurityHealthService.exe'
      AND "SourceImage" NOT ILIKE '%\AzureADConnectAuthenticatio.exe'
      AND "SourceImage" NOT ILIKE '%\csrss.exe'
      AND "SourceImage" NOT ILIKE '%\smss.exe'
      AND "SourceImage" NOT ILIKE '%\wininit.exe'
    )
    OR
    /* Branch 2: Sysmon EventID 1, token manipulation tool names or C2 post-exploitation CLI strings.
       Only the literal command line is visible here; script files and -EncodedCommand need 4104 ScriptBlock logging */
    (
      "EventID" = 1
      AND (
        "Image" ILIKE '%\incognito.exe'
        OR "Image" ILIKE '%\tokenvator.exe'
        OR "Image" ILIKE '%\tokenduplicator.exe'
        OR "Image" ILIKE '%\token_manipulator.exe'
        OR "CommandLine" ILIKE '%steal_token%'
        OR "CommandLine" ILIKE '%impersonate_token%'
        OR "CommandLine" ILIKE '%Invoke-TokenManipulation%'
        OR "CommandLine" ILIKE '%ImpersonateLoggedOnUser%'
        /* DuplicateToken covers both DuplicateToken and DuplicateTokenEx */
        OR "CommandLine" ILIKE '%DuplicateToken%'
        OR "CommandLine" ILIKE '%SetThreadToken%'
        OR "CommandLine" ILIKE '%getsystem%'
        OR "CommandLine" ILIKE '%rev2self%'
        OR "CommandLine" ILIKE '%NtFilterToken%'
        OR "CommandLine" ILIKE '%SeImpersonatePrivilege%'
      )
    )
    OR
    /* Branch 3: Windows Security EventID 4672, high-risk privilege assigned at logon to a non-system account.
       Context only: 4672 records the assignment of a privilege to a new logon session, not its use */
    (
      "EventID" = 4672
      AND (
        "PrivilegeList" ILIKE '%SeImpersonatePrivilege%'
        OR "PrivilegeList" ILIKE '%SeAssignPrimaryTokenPrivilege%'
        OR "PrivilegeList" ILIKE '%SeTcbPrivilege%'
        OR "PrivilegeList" ILIKE '%SeDebugPrivilege%'
      )
      AND username NOT LIKE '%$'
      AND username NOT IN ('SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE', 'ANONYMOUS LOGON', '-')
      AND LOWER("SubjectLogonId") NOT IN ('0x3e7', '0x3e4', '0x3e5')
    )
  )
ORDER BY risk_score DESC, starttime DESC
LAST 24 HOURS

Severity: high. Confidence: high.

Three-branch QRadar AQL detection for T1134.001 over the Sysmon and Windows Security log sources. The log source type filter assumes IDs 12/13 for the Windows Security Event Log and 397 for Sysmon collected through Windows Event Forwarding; the events table exposes the log source type ID as devicetype, so confirm the IDs in your deployment with LOGSOURCETYPENAME(devicetype) before relying on them. The double-quoted fields (EventID, SourceImage, TargetImage, GrantedAccess, CallTrace, Image, CommandLine, PrivilegeList, SubjectUserName, SubjectLogonId) are custom event properties and must exist and be enabled for those log sources, or the query returns no rows. Branch 1 detects Sysmon EventID 10 handle acquisition to LSASS and other privileged Windows processes with process access masks typical of credential dumpers and C2 implants: 0x1010 (PROCESS_VM_READ | PROCESS_QUERY_LIMITED_INFORMATION), 0x1fffff and 0x1f0fff (full access), 0x143a (VM read/write/operation plus query and create-thread rights) and 0x40 (PROCESS_DUP_HANDLE), excluding known security tooling by SourceImage. These are process rights, not token rights: at process scope 0x2 and 0x4 are PROCESS_CREATE_THREAD and PROCESS_SET_SESSIONID rather than TOKEN_DUPLICATE and TOKEN_IMPERSONATE, and a minimal OpenProcess(PROCESS_QUERY_INFORMATION) followed by OpenProcessToken is logged as GrantedAccess 0x1400, which is not in the list because a large number of benign processes open lsass.exe with it; hunt for that mask separately with SourceImage baselining. Branch 2 detects Sysmon EventID 1 execution of known token manipulation tool binaries and C2 framework post-exploitation CLI strings. Branch 3 detects Windows Security EventID 4672 where impersonation, primary-token, TCB or debug privileges are assigned to non-system accounts, excluding machine accounts and the built-in service identities by name and by SubjectLogonId; it records privilege assignment at logon rather than use, so it is corroborating context rather than evidence of theft. Risk scoring: 85 for a Branch 2 tool or command-line match, 70 for Branch 1 process access, 60 for Branch 3 privilege assignment.
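To sanity-check the three branches without a QRadar instance, the following Python is an added example (not code from the original page or from IBM QRadar) that re-implements the rule's logic over a handful of constructed Sysmon and Security events shaped like the custom event properties the query reads. Every path, user name, logon ID and label in the sample events is invented for the illustration. The evaluator holds GrantedAccess as an integer so that uppercase Sysmon output such as 0x1FFFFF matches, decodes the process rights in a mask, and shows that an OpenProcessToken-style 0x1400 handle to lsass.exe falls outside Branch 1 while a 0x1010 handle from an unknown binary is scored.

```python
"""Offline check of the three-branch T1134.001 AQL logic (added example, not QRadar code).

The events below are constructed for this illustration: field names mirror the
custom event properties the query reads (EventID, SourceImage, TargetImage,
GrantedAccess, Image, CommandLine, PrivilegeList, SubjectLogonId) and every
path, user and logon ID is invented.
"""

PRIVILEGED_TARGETS = {"lsass.exe", "winlogon.exe", "csrss.exe", "services.exe", "wininit.exe"}
# Branch 1 masks held as integers so '0x1FFFFF', '0x1fffff' and '0x0040' all compare correctly.
TOKEN_THEFT_MASKS = {0x1010, 0x1FFFFF, 0x1F0FFF, 0x143A, 0x40, 0x2, 0x4}
EXCLUDED_SOURCES = {"msmpeng.exe", "senseir.exe", "sensece.exe", "securityhealthservice.exe",
                    "azureadconnectauthenticatio.exe", "csrss.exe", "smss.exe", "wininit.exe"}
TOOL_IMAGES = {"incognito.exe", "tokenvator.exe", "tokenduplicator.exe", "token_manipulator.exe"}
CLI_STRINGS = ("steal_token", "impersonate_token", "invoke-tokenmanipulation",
               "impersonateloggedonuser", "duplicatetoken", "setthreadtoken", "getsystem",
               "rev2self", "ntfiltertoken", "seimpersonateprivilege")
HIGH_RISK_PRIVS = ("seimpersonateprivilege", "seassignprimarytokenprivilege",
                   "setcbprivilege", "sedebugprivilege")
SYSTEM_USERS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE", "ANONYMOUS LOGON", "-"}
SYSTEM_LOGON_IDS = {"0x3e7", "0x3e4", "0x3e5"}

# Process-specific access rights from winnt.h; standard/generic bits are ignored when decoding.
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD", 0x0004: "PROCESS_SET_SESSIONID",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE", 0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION", 0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}


def parse_mask(text):
    """Sysmon renders GrantedAccess as hex text ('0x1FFFFF'); accept any case or zero padding."""
    return int(text, 16)


def decode_process_mask(mask):
    """Names of the process-specific rights set in a Sysmon EventID 10 GrantedAccess value."""
    return [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(ev):
    """risk_score the AQL would assign to an event its WHERE clause keeps, else None."""
    eid = ev["EventID"]
    if eid == 10:  # Branch 1: handle to a privileged process with a dump/theft-style mask
        hit = (basename(ev["TargetImage"]) in PRIVILEGED_TARGETS
               and parse_mask(ev["GrantedAccess"]) in TOKEN_THEFT_MASKS
               and basename(ev["SourceImage"]) not in EXCLUDED_SOURCES)
        return 70 if hit else None
    if eid == 1:  # Branch 2: token-manipulation tool binary or C2 post-exploitation command string
        cmd = ev.get("CommandLine", "").lower()
        hit = basename(ev["Image"]) in TOOL_IMAGES or any(s in cmd for s in CLI_STRINGS)
        return 85 if hit else None
    if eid == 4672:  # Branch 3: high-risk privilege assigned at logon to a non-system, non-machine account
        privs = ev["PrivilegeList"].lower()
        user = ev["username"]
        hit = (any(p in privs for p in HIGH_RISK_PRIVS) and not user.endswith("$")
               and user not in SYSTEM_USERS and ev["SubjectLogonId"].lower() not in SYSTEM_LOGON_IDS)
        return 60 if hit else None
    return None


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
LSASS = r"C:\Windows\System32\lsass.exe"
SAMPLE_EVENTS = [  # constructed sample telemetry, not real events
    {"label": "dumper-0x1010", "EventID": 10, "SourceImage": r"C:\Windows\Temp\rundll32.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1010"},
    {"label": "uppercase-mask", "EventID": 10, "SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\x.exe",
     "TargetImage": r"C:\Windows\System32\winlogon.exe", "GrantedAccess": "0x1FFFFF"},
    {"label": "defender-excluded", "EventID": 10,
     "SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1FFFFF"},
    {"label": "openprocesstoken-0x1400", "EventID": 10, "SourceImage": PS,
     "TargetImage": LSASS, "GrantedAccess": "0x1400"},
    {"label": "powersploit-cli", "EventID": 1, "Image": PS,
     "CommandLine": "powershell -nop -c Invoke-TokenManipulation -Enumerate"},
    {"label": "admin-4672", "EventID": 4672, "username": "jdoe", "SubjectLogonId": "0x3A9F2C",
     "PrivilegeList": "SeSecurityPrivilege SeDebugPrivilege SeImpersonatePrivilege"},
    {"label": "system-4672", "EventID": 4672, "username": "SYSTEM", "SubjectLogonId": "0x3E7",
     "PrivilegeList": "SeTcbPrivilege SeDebugPrivilege"},
    {"label": "machine-4672", "EventID": 4672, "username": "WS01$", "SubjectLogonId": "0x4F21A",
     "PrivilegeList": "SeImpersonatePrivilege"},
]


def score_all(events):
    """Map each event label to the score the rule would give it (None = filtered out)."""
    return {ev["label"]: evaluate(ev) for ev in events}


if __name__ == "__main__":
    for label, score in score_all(SAMPLE_EVENTS).items():
        print(f"{label:24} -> {score}")
    for mask in (0x1010, 0x143A, 0x1400):
        print(f"{mask:#x}: {' | '.join(decode_process_mask(mask))}")
```

Running it prints a score per constructed event: the rundll32 0x1010 handle and the uppercase 0x1FFFFF handle score 70, the Defender engine is excluded, the PowerSploit command line scores 85, the administrator's 4672 scores 60 while the SYSTEM and machine-account 4672s are dropped, and the 0x1400 OpenProcessToken-style handle returns None, which is the gap to cover with a separate baseline hunt rather than by adding 0x1400 to the Branch 1 list.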

Data Sources

  • Windows Security Event Log (QRadar LOGSOURCETYPEID 12 or 13)
  • Sysmon via Windows Event Forwarding or a direct QRadar WinCollect agent (LOGSOURCETYPEID 397)

Required Tables

events

False Positives & Tuning

  • Security vulnerability scanners (Tenable Nessus, Qualys) running credentialed scans may open handles to LSASS with elevated access rights; identify them by correlating SourceImage with the known scanner service and its service account, and exclude by SourceImage path rather than by account alone
  • IT administrators granted SeDebugPrivilege by Group Policy generate EventID 4672 on every logon, because 4672 records the privileges assigned to a new logon session rather than their use and carries no logon type of its own; correlate SubjectLogonId with the preceding 4624 to read the LogonType, or maintain OU-based account exclusions in a reference set. SeImpersonatePrivilege is likewise held by every service account and IIS application pool identity, so treat Branch 3 as context that corroborates a Branch 1 or Branch 2 hit under the same SubjectLogonId rather than as a stand-alone alert
  • PowerShell automation scripts that reference Windows API names (DuplicateTokenEx, ImpersonateLoggedOnUser) in strings or comments without executing them may match Branch 2 CommandLine patterns; conversely, Branch 2 sees only the literal command line, so the same APIs invoked from a script file or through -EncodedCommand are missed, and PowerShell ScriptBlock Log Event ID 4104 is needed to close that gap
  • Sysmon writes GrantedAccess as unpadded uppercase hex (0x1FFFFF, 0x40) while AQL string equality is case-sensitive; compare the field case-insensitively (LOWER() or ILIKE) and check a sample of raw events before trusting that Branch 1 returns rows

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: DuplicateToken API Call via PowerShell P/Invoke (Self-Token)

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe. The CommandLine carries 'TokenDup', 'DuplicateToken' and 'OpenProcessToken' only when the P/Invoke block is passed inline with -Command; run from a script file or as -EncodedCommand nothing reaches Branch 2, so the dependable record is PowerShell ScriptBlock Log Event ID 4104 with the full Add-Type block showing the DllImport declarations for advapi32.dll token APIs. Sysmon Event ID 7 (ImageLoad) for advapi32.dll and kernel32.dll also appears but does not discriminate, since every powershell.exe loads both.

  2. Test 2: LSASS Process Handle Acquisition (Sysmon EventID 10 Trigger)

    Expected signal: Sysmon Event ID 10 (ProcessAccess): SourceImage=powershell.exe, TargetImage=C:\Windows\System32\lsass.exe. The test requests PROCESS_QUERY_INFORMATION (0x0400), and because Windows automatically grants PROCESS_QUERY_LIMITED_INFORMATION alongside it, Sysmon records GrantedAccess=0x1400. CallTrace shows ntdll.dll and KERNELBASE.dll followed by .NET runtime frames (clr.dll and UNKNOWN for JIT-compiled code) rather than a plain user-mode call chain, which is itself a useful P/Invoke indicator. 0x1400 is not one of Branch 1's masks, so this test confirms the telemetry path rather than the alert. Security Event ID 4656 (handle requested) may also appear if object access auditing covers lsass.exe.

  3. Test 3: ImpersonateLoggedOnUser on Current Process Token

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'ImpersonateLoggedOnUser', 'RevertToSelf' and 'TokenImp' when the block is passed inline. PowerShell ScriptBlock Log Event ID 4104 with the full P/Invoke block showing advapi32.dll imports for the impersonation APIs. Security Event ID 4672 does not fire here: it is written when a new logon session is assigned special privileges, and impersonating the process's own token creates no logon session.

  4. Test 4: Invoke-TokenManipulation Enumeration via PowerSploit

    Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine containing 'Invoke-TokenManipulation' and '-Enumerate', matching Branch 2. Sysmon Event ID 3: network connection from powershell.exe to raw.githubusercontent.com on port 443 (the download). Sysmon Event ID 11: file created at %TEMP%\InvTokMnp.ps1. Sysmon Event ID 10: a burst of ProcessAccess events from powershell.exe to many TargetImages, including lsass.exe and winlogon.exe, as the script opens each process to read its token; the masks are query-style (enough to call OpenProcessToken) rather than the dump-style masks in Branch 1, so expect these in the raw telemetry rather than as Branch 1 hits. PowerShell ScriptBlock Log Event ID 4104: multiple events carrying the Invoke-TokenManipulation module code and the -Enumerate call. Enumeration alone produces no Security Event ID 4672, since no logon session is created.
