Detect Token Impersonation/Theft in Sumo Logic CSE
Adversaries may duplicate then impersonate another user's existing token to escalate privileges and bypass access controls. DuplicateToken or DuplicateTokenEx are used to clone an existing process token, which is then applied to the current thread via ImpersonateLoggedOnUser or SetThreadToken, or used to create a new process via CreateProcessWithTokenW. This allows an adversary to operate under a different security context — typically a higher-privileged user — without needing that user's credentials. Token theft is commonly performed against LSASS, winlogon, explorer.exe, or other processes running as privileged users, and is a core capability of post-exploitation frameworks including Cobalt Strike (steal_token), Metasploit (incognito), Havoc, SILENTTRINITY, and Pupy. Real-world actors including APT28, Emotet, REvil, Tarrask, and FinFisher have all leveraged this technique.
MITRE ATT&CK
- Technique: T1134 Access Token Manipulation
- Sub-technique: T1134.001 Token Impersonation/Theft
- Canonical reference: https://attack.mitre.org/techniques/T1134/001/
Sumo Detection Query
(_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*wineventlog* OR _sourceCategory=*winlogbeat*)
| parse regex "(?:EventID|EventCode)[^>]*>(?<event_id>\d+)<" nodrop
| parse regex "TargetImage[^>]*>(?<target_image>[^<]+)<" nodrop
| parse regex "SourceImage[^>]*>(?<source_image>[^<]+)<" nodrop
| parse regex "GrantedAccess[^>]*>(?<granted_access>[^<]+)<" nodrop
| parse regex "CallTrace[^>]*>(?<call_trace>[^<]+)<" nodrop
| parse regex "(?:CommandLine|ProcessCommandLine)[^>]*>(?<command_line>[^<]+)<" nodrop
| parse regex "(?:Image|NewProcessName)[^>]*>(?<image_name>[^<]+)<" nodrop
| parse regex "PrivilegeList[^>]*>(?<privilege_list>[^<]+)<" nodrop
| parse regex "SubjectUserName[^>]*>(?<subject_username>[^<]+)<" nodrop
| parse regex "SubjectLogonId[^>]*>(?<subject_logon_id>[^<]+)<" nodrop
| parse regex "ParentImage[^>]*>(?<parent_image>[^<]+)<" nodrop
| where (
/* Branch 1: Sysmon EventID 10 — process access to privileged targets with token-theft access masks */
(
event_id = "10"
AND (target_image matches /(?i).*\\lsass\.exe$/
OR target_image matches /(?i).*\\winlogon\.exe$/
OR target_image matches /(?i).*\\csrss\.exe$/
OR target_image matches /(?i).*\\services\.exe$/
OR target_image matches /(?i).*\\wininit\.exe$/)
AND (granted_access = "0x1010" OR granted_access = "0x1fffff" OR granted_access = "0x1f0fff"
OR granted_access = "0x143a" OR granted_access = "0x0040" OR granted_access = "0x40"
OR granted_access = "0x1410" OR granted_access = "0x0002" OR granted_access = "0x0004")
AND !(source_image matches /(?i).*\\(MsMpEng|SenseIR|SenseCE|SecurityHealthService|AzureADConnectAuthenticatio|csrss|smss|wininit)\.exe$/)
)
OR
/* Branch 2: Sysmon EventID 1 — token manipulation tool execution or C2 post-exploitation CLI patterns */
(
event_id = "1"
AND (
image_name matches /(?i).*\\(incognito|tokenvator|tokenduplicator|token_manipulator)\.exe$/
OR command_line matches /(?i).*(steal_token|impersonate_token|Invoke-TokenManipulation|ImpersonateLoggedOnUser|DuplicateTokenEx|SetThreadToken|getsystem|rev2self|NtFilterToken|SeImpersonatePrivilege).*/
)
)
OR
/* Branch 3: Windows Security EventID 4672 — high-risk privilege assignment to non-system account */
(
event_id = "4672"
AND privilege_list matches /(?i).*(SeImpersonatePrivilege|SeAssignPrimaryTokenPrivilege|SeTcbPrivilege|SeDebugPrivilege).*/
AND !(subject_username matches /.*\$$/
OR subject_username in ("SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE", "ANONYMOUS LOGON"))
AND !(subject_logon_id in ("0x3e7", "0x3e4", "0x3e5"))
)
)
| if(event_id = "1"
AND (command_line matches /(?i).*(steal_token|impersonate_token|Invoke-TokenManipulation|DuplicateTokenEx|SetThreadToken|getsystem|rev2self).*/
OR image_name matches /(?i).*\\(incognito|tokenvator|tokenduplicator|token_manipulator)\.exe$/), 85,
if(event_id = "10", 70,
if(event_id = "4672", 60, 50))) as risk_score
| if(event_id = "10", "ProcessAccess_PrivTarget",
if(event_id = "1", "TokenManip_Tool",
if(event_id = "4672", "HighRisk_Privilege_Assigned", "Unknown"))) as detection_branch
| fields _messageTime, _sourceHost, subject_username, source_image, target_image, image_name, command_line, granted_access, privilege_list, call_trace, detection_branch, risk_score
| sort by risk_score desc, _messageTime desc

Three-branch Sumo Logic detection for T1134.001 using regex field parsing from Sysmon and Windows Security XML event logs. It covers process handle acquisition to LSASS/winlogon with token-capable access masks (Sysmon EventID 10), execution of known token theft tools and post-exploitation CLI strings from Cobalt Strike/Metasploit/PowerSploit (Sysmon EventID 1), and high-risk privilege assignment to interactive non-system accounts (Windows Security EventID 4672). Regular expressions are written as /regex/ literals, which is the form the matches operator requires for RE2 patterns (a double-quoted argument is treated as a wildcard pattern), and the parse operators use nodrop so events missing a field survive across different log formatters. Risk scoring is dynamic: 85 for confirmed tool use, 70 for process access, 60 for privilege assignment.
Data Sources
Required Tables
False Positives & Tuning
- Endpoint security agents including CrowdStrike Falcon sensor, SentinelOne, and Microsoft Defender for Endpoint open LSASS for protection scanning and will trigger Branch 1 — extend source_image exclusion regex with local agent binary paths after confirming with EDR vendor documentation
- IIS application pool identities, SQL Server service accounts, and scheduled task service accounts legitimately hold SeImpersonatePrivilege by design and will generate continuous Branch 3 alerts on every service start logon — filter using subject_username patterns matching your service account naming standard
- Red team or purple team exercises using authorized tooling (Cobalt Strike, Havoc, Brute Ratel) on designated test endpoints will produce high-confidence Branch 2 matches — exclude by _sourceHost or apply a lookup table of authorized red team host names
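As an added example (not Sumo Logic's code and not part of this detection package), the following Python re-implements the three branches and risk scores of the query above over constructed Sysmon and Security events, so the branch logic and the tuning exclusions from the False Positives list can be unit-tested offline before the query is deployed. It generalizes Branch 1 by decoding GrantedAccess bit-wise against the PROCESS_* rights rather than comparing against the query's literal mask list, which is why it also flags the 0x0400 handle that Test 2 below expects but the literal list does not contain. The ExampleEdrSensor.exe exclusion and the svc_ service-account prefix are hypothetical stand-ins for the local tuning the list describes; every event is constructed, not real telemetry.

```python
"""Offline evaluator for the three-branch T1134.001 logic (hypothetical, not Sumo's engine)."""
import re

# PROCESS_* access rights from the Win32 headers; GrantedAccess is decoded bit-wise
# against these instead of being compared to a literal list of masks.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_READ = 0x0010
PROCESS_DUP_HANDLE = 0x0040
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
TOKEN_CAPABLE_RIGHTS = (PROCESS_CREATE_THREAD | PROCESS_VM_READ | PROCESS_DUP_HANDLE
                        | PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION)

PRIV_TARGETS = re.compile(r"\\(lsass|winlogon|csrss|services|wininit)\.exe$", re.I)
# Query exclusions plus a hypothetical local EDR agent binary (tuning for Branch 1).
SOURCE_ALLOWLIST = re.compile(
    r"\\(MsMpEng|SenseIR|SenseCE|SecurityHealthService|csrss|smss|wininit|ExampleEdrSensor)\.exe$", re.I)
TOKEN_TOOLS = re.compile(r"\\(incognito|tokenvator|tokenduplicator|token_manipulator)\.exe$", re.I)
TOKEN_CLI = re.compile(r"steal_token|impersonate_token|Invoke-TokenManipulation|ImpersonateLoggedOnUser"
                       r"|DuplicateTokenEx|SetThreadToken|getsystem|rev2self|NtFilterToken|SeImpersonatePrivilege", re.I)
HIGH_RISK_PRIVS = re.compile(
    r"SeImpersonatePrivilege|SeAssignPrimaryTokenPrivilege|SeTcbPrivilege|SeDebugPrivilege", re.I)
SYSTEM_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE", "ANONYMOUS LOGON"}
SYSTEM_LOGON_IDS = {"0x3e7", "0x3e4", "0x3e5"}
# Hypothetical naming standard for service accounts (tuning for Branch 3).
SERVICE_ACCOUNT_PATTERN = re.compile(r"^svc[_-]", re.I)


def parse_event(xml_text):
    """Extract EventID and every <Data Name='X'>value</Data> pair from one event."""
    fields = {}
    m = re.search(r"<(?:EventID|EventCode)[^>]*>(\d+)<", xml_text)
    if m:
        fields["EventID"] = m.group(1)
    for name, value in re.findall(r"<Data Name=['\"]([^'\"]+)['\"]>([^<]*)</Data>", xml_text):
        fields[name] = value
    return fields


def evaluate(fields):
    """Return (detection_branch, risk_score) for a matching event, else None."""
    eid = fields.get("EventID")
    if eid == "10":  # Branch 1: handle to a privileged process with token-capable rights
        access = int(fields.get("GrantedAccess", "0"), 16)
        if (PRIV_TARGETS.search(fields.get("TargetImage", ""))
                and access & TOKEN_CAPABLE_RIGHTS
                and not SOURCE_ALLOWLIST.search(fields.get("SourceImage", ""))):
            return "ProcessAccess_PrivTarget", 70
    elif eid == "1":  # Branch 2: known tool image or post-exploitation CLI string
        if TOKEN_TOOLS.search(fields.get("Image", "")) or TOKEN_CLI.search(fields.get("CommandLine", "")):
            return "TokenManip_Tool", 85
    elif eid == "4672":  # Branch 3: high-risk privilege granted to a non-system, non-service account
        user = fields.get("SubjectUserName", "")
        if (HIGH_RISK_PRIVS.search(fields.get("PrivilegeList", ""))
                and not user.endswith("$")
                and user.upper() not in SYSTEM_ACCOUNTS
                and fields.get("SubjectLogonId", "").lower() not in SYSTEM_LOGON_IDS
                and not SERVICE_ACCOUNT_PATTERN.search(user)):
            return "HighRisk_Privilege_Assigned", 60
    return None


# Constructed sample events (not real telemetry): one true positive per branch plus two benign cases.
SAMPLE_EVENTS = {
    "lsass_handle": (  # 0x0400 = PROCESS_QUERY_INFORMATION, the value Test 2 expects
        "<Event><System><EventID>10</EventID></System><EventData>"
        "<Data Name='SourceImage'>C:\\Users\\alice\\Downloads\\tool.exe</Data>"
        "<Data Name='TargetImage'>C:\\Windows\\System32\\lsass.exe</Data>"
        "<Data Name='GrantedAccess'>0x0400</Data></EventData></Event>"),
    "defender_scan": (  # Defender engine scanning lsass, excluded by the allowlist
        "<Event><System><EventID>10</EventID></System><EventData>"
        "<Data Name='SourceImage'>C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18\\MsMpEng.exe</Data>"
        "<Data Name='TargetImage'>C:\\Windows\\System32\\lsass.exe</Data>"
        "<Data Name='GrantedAccess'>0x1fffff</Data></EventData></Event>"),
    "powersploit_enum": (  # the enumeration described in Test 4
        "<Event><System><EventID>1</EventID></System><EventData>"
        "<Data Name='Image'>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</Data>"
        "<Data Name='CommandLine'>powershell.exe -c Invoke-TokenManipulation -Enumerate</Data>"
        "</EventData></Event>"),
    "admin_logon": (  # interactive user granted SeDebug/SeImpersonate
        "<Event><System><EventID>4672</EventID></System><EventData>"
        "<Data Name='SubjectUserName'>bob</Data><Data Name='SubjectLogonId'>0x5A3B21</Data>"
        "<Data Name='PrivilegeList'>SeDebugPrivilege\n\t\t\tSeImpersonatePrivilege</Data>"
        "</EventData></Event>"),
    "iis_pool": (  # service account holding SeImpersonatePrivilege by design
        "<Event><System><EventID>4672</EventID></System><EventData>"
        "<Data Name='SubjectUserName'>svc_iis_pool</Data><Data Name='SubjectLogonId'>0x3E9F</Data>"
        "<Data Name='PrivilegeList'>SeImpersonatePrivilege</Data></EventData></Event>"),
}


def evaluate_all(events=SAMPLE_EVENTS):
    """Map each sample event name to its (branch, risk_score) or None."""
    return {name: evaluate(parse_event(xml)) for name, xml in events.items()}


if __name__ == "__main__":
    for name, result in evaluate_all().items():
        print(f"{name:18} -> {result}")
```

The bit-wise decode is the design choice worth carrying back into the query: a literal mask list silently misses any handle whose rights combination was not enumerated, whereas testing for the specific PROCESS_* rights that token duplication needs catches every superset. The allowlist and service-account pattern live in data so they can be extended per environment without touching branch logic.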
Testing Methodology
Validate this detection against the 4 Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: DuplicateToken API Call via PowerShell P/Invoke (Self-Token)
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'TokenDup', 'DuplicateToken', 'OpenProcessToken'. Sysmon Event ID 7 (ImageLoad): advapi32.dll and kernel32.dll loaded by powershell.exe. PowerShell ScriptBlock Log Event ID 4104 with the full Add-Type block showing DllImport declarations for advapi32.dll token APIs.
- Test 2: LSASS Process Handle Acquisition (Sysmon EventID 10 Trigger)
Expected signal: Sysmon Event ID 10 (ProcessAccess): SourceImage=powershell.exe, TargetImage=C:\Windows\System32\lsass.exe, GrantedAccess=0x0400, CallTrace will show the call chain through ntdll.dll → kernel32.dll → the powershell.exe process. This is the primary detection event. Security Event ID 4656 (Handle request) may also appear if object access auditing is enabled.
- Test 3: ImpersonateLoggedOnUser on Current Process Token
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'ImpersonateLoggedOnUser', 'RevertToSelf', 'TokenImp'. PowerShell ScriptBlock Log Event ID 4104 with the full P/Invoke block showing advapi32.dll imports for impersonation APIs. Security Event ID 4672 may fire if the token carries elevated privileges.
- Test 4: Invoke-TokenManipulation Enumeration via PowerSploit
Expected signal: Sysmon Event ID 1: powershell.exe process with CommandLine containing 'Invoke-TokenManipulation' and '-Enumerate'. Sysmon Event ID 3: Network connection from powershell.exe to raw.githubusercontent.com on port 443 (for the download). Sysmon Event ID 11: File created at %TEMP%\InvTokMnp.ps1. PowerShell ScriptBlock Log Event ID 4104: multiple events showing the Invoke-TokenManipulation module code and the -Enumerate call. Security Event ID 4672 if the enumeration surfaces elevated token contexts.
References (9)
- https://attack.mitre.org/techniques/T1134/001/
- https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-duplicatetoken
- https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-duplicatetokenex
- https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-impersonateloggedonuser
- https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-setthreadtoken
- https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-TokenManipulation.ps1
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md
- https://posts.specterops.io/understanding-and-defending-against-access-token-manipulation-ef7d9fa67d50
- https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon