Detect Token Impersonation/Theft in Microsoft Sentinel
Adversaries may duplicate then impersonate another user's existing token to escalate privileges and bypass access controls. DuplicateToken or DuplicateTokenEx are used to clone an existing process token, which is then applied to the current thread via ImpersonateLoggedOnUser or SetThreadToken, or used to create a new process via CreateProcessWithTokenW. This allows an adversary to operate under a different security context — typically a higher-privileged user — without needing that user's credentials. Token theft is commonly performed against LSASS, winlogon, explorer.exe, or other processes running as privileged users, and is a core capability of post-exploitation frameworks including Cobalt Strike (steal_token), Metasploit (incognito), Havoc, SILENTTRINITY, and Pupy. Real-world actors including APT28, Emotet, REvil, Tarrask, and FinFisher have all leveraged this technique.
MITRE ATT&CK
- Technique
- T1134 Access Token Manipulation
- Sub-technique
- T1134.001 Token Impersonation/Theft
- Canonical reference
- https://attack.mitre.org/techniques/T1134/001/
KQL Detection Query
// T1134.001 — Token Impersonation/Theft
// Branch 1: Process handle acquisition to privileged processes with token-capable access rights
let PrivilegedTargets = dynamic(["lsass.exe", "winlogon.exe", "csrss.exe", "services.exe", "wininit.exe"]);
let LegitAccessors = dynamic(["MsMpEng.exe", "SenseIR.exe", "SenseCE.exe", "SecurityHealthService.exe", "AzureADConnectAuthenticatio.exe", "csrss.exe", "smss.exe", "wininit.exe"]);
let SuspiciousProcessAccess = DeviceEvents
| where Timestamp > ago(24h)
| where ActionType == "OpenProcess"
| where FileName has_any (PrivilegedTargets)
| extend ParsedFields = parse_json(AdditionalFields)
| extend GrantedAccess = tostring(ParsedFields.GrantedAccess)
// TOKEN_DUPLICATE (0x0002), TOKEN_IMPERSONATE (0x0004), PROCESS_DUP_HANDLE (0x0040),
// PROCESS_ALL_ACCESS (0x1FFFFF), common mimikatz/C2 access mask (0x1010, 0x143a)
| where GrantedAccess in~ ("0x1010", "0x1fffff", "0x1f0fff", "0x0040", "0x143a", "0x40", "0x0002", "0x0004")
or tolong(GrantedAccess) band 0x0040 > 0 // PROCESS_DUP_HANDLE bit set
| where not (InitiatingProcessFileName has_any (LegitAccessors))
| extend RiskScore = 70, Branch = "ProcessAccess_PrivTarget"
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName,
InitiatingProcessCommandLine, TargetProcess=FileName, GrantedAccess, RiskScore, Branch;
// Branch 2: Known token manipulation tools and post-exploitation framework command-line patterns
let TokenToolNames = dynamic(["incognito.exe", "tokenvator.exe", "tokenduplicator.exe", "token_manipulator.exe"]);
let TokenManipCLI = dynamic(["steal_token", "impersonate_token", "Invoke-TokenManipulation",
"ImpersonateLoggedOnUser", "DuplicateTokenEx", "SetThreadToken", "getsystem",
"rev2self", "getuid", "NtFilterToken", "SeImpersonatePrivilege"]);
let ToolBasedDetection = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (TokenToolNames)
or ProcessCommandLine has_any (TokenManipCLI)
| extend RiskScore = 85, Branch = "TokenManip_Tool"
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName,
InitiatingProcessCommandLine, TargetProcess=FileName, GrantedAccess="", RiskScore, Branch;
// Branch 3: Special privilege assignment to non-system interactive accounts —
// indicator of successful impersonation or token manipulation
let HighRiskPrivs = dynamic(["SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege",
"SeTcbPrivilege", "SeDebugPrivilege"]);
let PrivEscalation = SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4672
| where PrivilegeList has_any (HighRiskPrivs)
| where SubjectUserName !endswith "$"
| where SubjectUserName !in~ ("SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE", "ANONYMOUS LOGON")
| where SubjectLogonId !in ("0x3e7", "0x3e4", "0x3e5") // Exclude SYSTEM, NETWORK SERVICE, LOCAL SERVICE logons
| extend RiskScore = 60, Branch = "HighRisk_Privilege_Assigned"
| project Timestamp=TimeGenerated, DeviceName=Computer, AccountName=SubjectUserName,
InitiatingProcessFileName=ProcessName, InitiatingProcessCommandLine="",
TargetProcess="", GrantedAccess=PrivilegeList, RiskScore, Branch;
// Branch 4: Suspicious parent-child process privilege elevation —
// low-privilege parent spawning a process under a higher-privilege account
let PrivElevationChain = DeviceProcessEvents
| where Timestamp > ago(24h)
| where AccountName != InitiatingProcessAccountName
| where AccountName =~ "SYSTEM" and InitiatingProcessAccountName !in~ ("SYSTEM", "")
| where InitiatingProcessFileName !in~ ("services.exe", "svchost.exe", "wininit.exe",
"lsass.exe", "smss.exe", "csrss.exe", "winlogon.exe")
| extend RiskScore = 75, Branch = "PrivElevation_ParentChild"
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName,
InitiatingProcessCommandLine, TargetProcess=FileName, GrantedAccess="", RiskScore, Branch;
// Union all detection branches
SuspiciousProcessAccess
| union ToolBasedDetection
| union PrivEscalation
| union PrivElevationChain
| sort by RiskScore desc, Timestamp descDetects token impersonation and theft across four branches: (1) process handle acquisition to privileged processes (lsass, winlogon, csrss) with token-capable access rights using DeviceEvents OpenProcess telemetry; (2) known token manipulation tool names and post-exploitation CLI patterns (Invoke-TokenManipulation, steal_token, getsystem) via DeviceProcessEvents; (3) high-risk privilege assignment (SeImpersonatePrivilege, SeAssignPrimaryTokenPrivilege, SeTcbPrivilege) to non-system accounts via Security Event 4672; and (4) suspicious parent-child privilege elevation where a non-system process spawns a SYSTEM-context child.
Data Sources
Required Tables
False Positives & Tuning
- Security and EDR products (Microsoft Defender, CrowdStrike, Carbon Black) legitimately open LSASS with high access rights for memory scanning and credential protection — these should be baselined and excluded by InitiatingProcessFileName
- Password managers (1Password, LastPass desktop agents) and credential vaults may access privileged process memory
- Debugging tools (WinDbg, Visual Studio debugger, x64dbg) open process handles with full access rights during legitimate development and security research
- Vulnerability scanners and system inventory tools (Qualys, Tenable, SCCM Hardware Inventory) may enumerate process tokens for asset cataloging
- Legitimate privileged automation scripts run by IT teams using SeImpersonatePrivilege for network share access or service account operations
Other platforms for T1134.001
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1DuplicateToken API Call via PowerShell P/Invoke (Self-Token)
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'TokenDup', 'DuplicateToken', 'OpenProcessToken'. Sysmon Event ID 7 (ImageLoad): advapi32.dll and kernel32.dll loaded by powershell.exe. PowerShell ScriptBlock Log Event ID 4104 with the full Add-Type block showing DllImport declarations for advapi32.dll token APIs.
- Test 2LSASS Process Handle Acquisition (Sysmon EventID 10 Trigger)
Expected signal: Sysmon Event ID 10 (ProcessAccess): SourceImage=powershell.exe, TargetImage=C:\Windows\System32\lsass.exe, GrantedAccess=0x0400, CallTrace will show the call chain through ntdll.dll → kernel32.dll → the powershell.exe process. This is the primary detection event. Security Event ID 4656 (Handle request) may also appear if object access auditing is enabled.
- Test 3ImpersonateLoggedOnUser on Current Process Token
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'ImpersonateLoggedOnUser', 'RevertToSelf', 'TokenImp'. PowerShell ScriptBlock Log Event ID 4104 with the full P/Invoke block showing advapi32.dll imports for impersonation APIs. Security Event ID 4672 may fire if the token carries elevated privileges.
- Test 4Invoke-TokenManipulation Enumeration via PowerSploit
Expected signal: Sysmon Event ID 1: powershell.exe process with CommandLine containing 'Invoke-TokenManipulation' and '-Enumerate'. Sysmon Event ID 3: Network connection from powershell.exe to raw.githubusercontent.com on port 443 (for the download). Sysmon Event ID 11: File created at %TEMP%\InvTokMnp.ps1. PowerShell ScriptBlock Log Event ID 4104: multiple events showing the Invoke-TokenManipulation module code and the -Enumerate call. Security Event ID 4672 if the enumeration surfaces elevated token contexts.
References (9)
- https://attack.mitre.org/techniques/T1134/001/
- https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-duplicatetoken
- https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-duplicatetokenex
- https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-impersonateloggedonuser
- https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-setthreadtoken
- https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-TokenManipulation.ps1
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md
- https://posts.specterops.io/understanding-and-defending-against-access-token-manipulation-ef7d9fa67d50
- https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
Unlock Pro Content
Get the full detection package for T1134.001 including response playbook, investigation guide, and atomic red team tests.