T1134.003

Make and Impersonate Token

Adversaries may make new tokens and impersonate users to escalate privileges and bypass access controls. If an adversary has a username and password but the user is not logged onto the system, the adversary can create a logon session for the user using the LogonUser function. The function returns a copy of the new session's access token, which the adversary can use with SetThreadToken to assign to a thread. This is distinct from Token Impersonation/Theft (T1134.001) because it creates a new user token rather than stealing or duplicating an existing one. Real-world threat actors including Cobalt Strike operators (make_token), FIN13 (Incognito V2), BlackByte, SILENTTRINITY, and the Mafalda implant use this technique to escalate privileges or move laterally using known credentials without spawning a new interactive session visible to the target user.

Microsoft Sentinel / Defender

kusto

// Branch 1: NewCredentials logon type (LogonType=9) — primary indicator of LogonUser API usage
// LogonType 9 is specifically generated when LogonUser() is called with LOGON32_LOGON_NEW_CREDENTIALS
let SuspiciousCallers = dynamic(["cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe", "msbuild.exe"]);
let TokenTools = dynamic(["incognito", "make_token", "invoke-tokenmanipulation", "logonuserw", "logonusera", "tokenvator", "LOGON32_LOGON_NEW_CREDENTIALS", "SetThreadToken", "ImpersonateLoggedOnUser"]);
SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4624
| where LogonType == 9
| where AccountName !in ("", "-", "ANONYMOUS LOGON")
| where not(ProcessName has_any ("lsass.exe", "winlogon.exe", "services.exe", "svchost.exe"))
| where not(AccountName endswith "$")  // Exclude machine accounts
| extend SuspiciousProcess = ProcessName has_any (SuspiciousCallers)
| extend LogonTypeName = "NewCredentials (Type 9) — LogonUser API"
| project TimeGenerated, Computer, EventID, LogonTypeName, AccountName, AccountDomain,
         SubjectUserName, SubjectDomainName, ProcessName, IpAddress, IpPort,
         LogonGuid, SuspiciousProcess
| union (
    // Branch 2: Explicit credential logon (Event 4648) from interactive/scripting processes
    SecurityEvent
    | where TimeGenerated > ago(24h)
    | where EventID == 4648
    | where ProcessName has_any (SuspiciousCallers)
    | where TargetUserName !in ("", "-")
    | where not(SubjectUserName endswith "$")  // Exclude machine accounts
    | project TimeGenerated, Computer, EventID,
             LogonTypeName = "Explicit Credentials (4648)",
             AccountName = TargetUserName, AccountDomain = TargetDomainName,
             SubjectUserName, SubjectDomainName,
             ProcessName, IpAddress = TargetServerName, IpPort = "",
             LogonGuid = TargetInfo, SuspiciousProcess = true
)
| union (
    // Branch 3: Process creation with known token manipulation tool names or API call patterns
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where ProcessCommandLine has_any (TokenTools)
       or FileName has_any (["incognito.exe", "tokenvator.exe"])
    | project TimeGenerated = Timestamp, Computer = DeviceName, EventID = 1,
             LogonTypeName = "Token Manipulation Tool Execution",
             AccountName, AccountDomain = "",
             SubjectUserName = InitiatingProcessAccountName, SubjectDomainName = "",
             ProcessName = FileName, IpAddress = "", IpPort = "",
             LogonGuid = "", SuspiciousProcess = true
)
| sort by TimeGenerated desc

high severity high confidence

Data Sources

Windows Security Event Log Microsoft Defender for Endpoint Logon Session: Logon Session Creation Process: Process Creation

Required Tables

SecurityEvent DeviceProcessEvents

False Positives

runas /netonly used by IT administrators to run administrative tools under alternate domain credentials generates LogonType 9 events with ProcessName=runas.exe
Password managers and enterprise SSO solutions that call LogonUser internally to validate credentials against Active Directory
SCCM/ConfigMgr, Intune, or BigFix deployment agents that impersonate service account credentials when installing software
Virtualization and remote desktop session brokers (Citrix Virtual Apps, VMware Horizon) that create logon sessions for session routing using stored credentials
Custom line-of-business applications with embedded credential logic using SSPI/LogonUser for application-layer AD authentication

Splunk

spl

index=wineventlog (sourcetype="WinEventLog:Security" OR sourcetype="XmlWinEventLog:Security")
  ((EventCode=4624) OR (EventCode=4648))
| eval LogonTypeNum=tonumber(LogonType)
| where (EventCode=4624 AND LogonTypeNum=9) OR EventCode=4648
| eval DetectionBranch=case(
    EventCode=4624 AND LogonTypeNum=9, "NewCredentials_LogonType9",
    EventCode=4648, "ExplicitCredentials_4648",
    true(), "Unknown"
  )
| eval AccountName=coalesce(TargetUserName, AccountName)
| eval AccountDomain=coalesce(TargetDomainName, SubjectDomainName)
| eval CallingProcess=coalesce(ProcessName, SubjectProcessName)
| where NOT (CallingProcess="C:\\Windows\\System32\\lsass.exe"
    OR CallingProcess="C:\\Windows\\System32\\winlogon.exe"
    OR CallingProcess="C:\\Windows\\System32\\services.exe"
    OR CallingProcess="C:\\Windows\\System32\\svchost.exe")
| where NOT match(AccountName, "\$$")
| eval IsInteractiveProcess=if(
    match(lower(CallingProcess), "(cmd\.exe|powershell\.exe|pwsh\.exe|mshta\.exe|wscript\.exe|cscript\.exe|rundll32\.exe|regsvr32\.exe|msbuild\.exe)"),
    1, 0)
| eval SubjectAccountFull=SubjectDomainName+"\\"+SubjectUserName
| eval TargetAccountFull=AccountDomain+"\\"+AccountName
| table _time, host, EventCode, DetectionBranch, SubjectAccountFull, TargetAccountFull,
        CallingProcess, LogonTypeNum, IpAddress, IpPort, IsInteractiveProcess
| sort - _time

high severity high confidence

Data Sources

Windows Security Event Log Logon Session: Logon Session Creation Logon Session: Logon Session Metadata

Required Sourcetypes

WinEventLog:Security

False Positives

runas /netonly used by administrators for alternate-credential domain admin tasks generates LogonType 9 with CallingProcess=runas.exe
Enterprise password managers and credential vault tools that call LogonUser for credential validation
SCCM/ConfigMgr and software deployment platforms using service account impersonation
Remote desktop and VDI session brokers creating logon sessions for user session routing
Custom enterprise applications using SSPI/LogonUser for application-level AD authentication

Elastic Security (EQL)

eql

any where (
  (
    event.code == "4624" and
    winlog.event_data.LogonType == "9" and
    not winlog.event_data.TargetUserName in ("", "-", "ANONYMOUS LOGON") and
    not winlog.event_data.TargetUserName like "*$" and
    not winlog.event_data.ProcessName like~ "*\\lsass.exe" and
    not winlog.event_data.ProcessName like~ "*\\winlogon.exe" and
    not winlog.event_data.ProcessName like~ "*\\services.exe" and
    not winlog.event_data.ProcessName like~ "*\\svchost.exe"
  ) or
  (
    event.code == "4648" and
    not winlog.event_data.SubjectUserName like "*$" and
    winlog.event_data.TargetUserName != "" and
    (
      winlog.event_data.ProcessName like~ "*\\cmd.exe" or
      winlog.event_data.ProcessName like~ "*\\powershell.exe" or
      winlog.event_data.ProcessName like~ "*\\pwsh.exe" or
      winlog.event_data.ProcessName like~ "*\\mshta.exe" or
      winlog.event_data.ProcessName like~ "*\\wscript.exe" or
      winlog.event_data.ProcessName like~ "*\\cscript.exe" or
      winlog.event_data.ProcessName like~ "*\\rundll32.exe" or
      winlog.event_data.ProcessName like~ "*\\regsvr32.exe" or
      winlog.event_data.ProcessName like~ "*\\msbuild.exe"
    )
  ) or
  (
    event.category == "process" and
    (
      process.command_line like~ "*incognito*" or
      process.command_line like~ "*make_token*" or
      process.command_line like~ "*invoke-tokenmanipulation*" or
      process.command_line like~ "*logonuserw*" or
      process.command_line like~ "*logonusera*" or
      process.command_line like~ "*tokenvator*" or
      process.command_line like~ "*SetThreadToken*" or
      process.name like~ "incognito.exe" or
      process.name like~ "tokenvator.exe"
    )
  )
)

high severity high confidence

Data Sources

Windows Security Event Log (winlogbeat or Elastic Agent) Elastic Endpoint (process events)

Required Tables

logs-windows.security-* logs-system.security-* logs-endpoint.events.process-*

False Positives

Privileged Access Management (PAM) tools such as CyberArk PSM, BeyondTrust, and Delinea Secret Server call LogonUser() to verify stored credentials, generating LogonType 9 events from their service processes on a regular basis.
Remote Monitoring and Management (RMM) agents including ConnectWise Automate, Kaseya VSA, and Datto RMM authenticate to managed endpoints using explicit credentials, producing Event 4648 from their agent executable or from cmd.exe/powershell.exe wrappers they spawn.
CI/CD pipeline agents and build automation platforms (MSBuild tasks, Azure DevOps agent, Jenkins agent) that access internal artifact repositories or signing services using stored service account credentials can generate matching 4648 events from msbuild.exe or powershell.exe.

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  CATEGORYNAME(category) AS event_category,
  QIDNAME(qid) AS event_name,
  eventid,
  username,
  "LogonType" AS logon_type,
  "ProcessName" AS calling_process,
  "SubjectUserName" AS subject_user,
  "TargetUserName" AS target_user,
  "SubjectDomainName" AS subject_domain,
  "TargetDomainName" AS target_domain,
  sourceip,
  destinationip,
  CASE
    WHEN eventid = 4624 AND "LogonType" = '9' THEN 'NewCredentials_LogonType9'
    WHEN eventid = 4648 THEN 'ExplicitCredentials_4648'
    ELSE 'Unknown'
  END AS detection_branch
FROM events
WHERE LOGSOURCETYPEID(devicetype) IN (12, 253)
  AND (
    (
      eventid = 4624
      AND "LogonType" = '9'
      AND username NOT LIKE '%$'
      AND username NOT IN ('', '-', 'ANONYMOUS LOGON')
      AND "ProcessName" NOT ILIKE '%lsass.exe'
      AND "ProcessName" NOT ILIKE '%winlogon.exe'
      AND "ProcessName" NOT ILIKE '%services.exe'
      AND "ProcessName" NOT ILIKE '%svchost.exe'
    )
    OR
    (
      eventid = 4648
      AND "TargetUserName" NOT IN ('', '-')
      AND "SubjectUserName" NOT LIKE '%$'
      AND (
        "ProcessName" ILIKE '%cmd.exe'
        OR "ProcessName" ILIKE '%powershell.exe'
        OR "ProcessName" ILIKE '%pwsh.exe'
        OR "ProcessName" ILIKE '%mshta.exe'
        OR "ProcessName" ILIKE '%wscript.exe'
        OR "ProcessName" ILIKE '%cscript.exe'
        OR "ProcessName" ILIKE '%rundll32.exe'
        OR "ProcessName" ILIKE '%regsvr32.exe'
        OR "ProcessName" ILIKE '%msbuild.exe'
      )
    )
  )
ORDER BY starttime DESC
LAST 24 HOURS

high severity high confidence

Data Sources

Windows Security Event Log (via QRadar WinCollect or Syslog forwarding) Microsoft Windows Security Event Log DSM

Required Tables

events

False Positives

Enterprise password vault agents (CyberArk, BeyondTrust, Thycotic) that programmatically call LogonUser() to verify or rotate credentials generate frequent LogonType 9 events from their service host processes.
Service accounts used by IT automation platforms (ServiceNow MID server, SolarWinds Orion, ManageEngine) that authenticate against domain resources using stored credentials produce 4648 events, sometimes from cmd.exe or powershell.exe launcher wrappers.
Software packaging and deployment tools (SCCM/ConfigMgr client, Chocolatey, Ansible WinRM) that run msbuild.exe or powershell.exe to install or configure software under a service account context will match the 4648 branch.

Sumo Logic CSE

sql

(_sourceCategory=*Windows* OR _sourceCategory=*WinEventLog* OR _sourceCategory=*windows/security*)
| where _sourceName matches "*Security*" or _sourceName matches "*security*"
| kv regex "(?s)(\\w+)=([^\r\n]+)" as EventID, LogonType, ProcessName, SubjectUserName, TargetUserName, SubjectDomainName, TargetDomainName, IpAddress nodrop
| where EventID in ("4624", "4648")
| where (EventID == "4624" and LogonType == "9") or EventID == "4648"
| where !matches(ProcessName, "*lsass.exe*")
    and !matches(ProcessName, "*winlogon.exe*")
    and !matches(ProcessName, "*services.exe*")
    and !matches(ProcessName, "*svchost.exe*")
| where !matches(TargetUserName, "*$") and TargetUserName != "" and TargetUserName != "-"
| where !matches(SubjectUserName, "*$")
| eval detection_branch = if(EventID == "4624" and LogonType == "9",
    "NewCredentials_LogonType9",
    if(EventID == "4648", "ExplicitCredentials_4648", "Unknown"))
| eval is_suspicious_process = if(
    matches(ProcessName, "*(cmd.exe|powershell.exe|pwsh.exe|mshta.exe|wscript.exe|cscript.exe|rundll32.exe|regsvr32.exe|msbuild.exe)*"),
    "true", "false")
| table _messageTime, _sourceHost, EventID, detection_branch, SubjectUserName, SubjectDomainName,
    TargetUserName, TargetDomainName, ProcessName, LogonType, IpAddress, is_suspicious_process
| sort by _messageTime desc

high severity high confidence

Data Sources

Windows Security Event Log (via Sumo Logic Installed Collector or syslog forwarding) Sumo Logic Cloud SIEM Enterprise (CSE) normalized Windows events

Required Tables

_sourceCategory=*Windows*Security*

False Positives

Enterprise credential vaulting and PAM solutions (CyberArk Privileged Session Manager, BeyondTrust Password Safe) generate LogonType 9 events continuously as they validate or proxy credentials on behalf of privileged users.
Help desk automation and ITSM integration tools that run scripts under alternate user contexts using stored credentials produce 4648 events, frequently from powershell.exe or cmd.exe invoked by the service.
Security scanning and vulnerability assessment tools (Nessus, Rapid7 InsightVM) that perform authenticated scans using domain credentials supplied in the scan policy generate 4648 events from their scan agents on each target host.

Google Chronicle / SecOps

yaral

rule t1134_003_make_and_impersonate_token {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1134.003 Make and Impersonate Token via LogonType 9 (NewCredentials — LogonUser() API fingerprint) or explicit credential logons from suspicious scripting processes, plus process launches matching known token manipulation tooling (Cobalt Strike make_token, Incognito v2, Tokenvator, SILENTTRINITY)."
    reference = "https://attack.mitre.org/techniques/T1134/003/"
    severity = "HIGH"
    mitre_attack_tactic = "Privilege Escalation, Defense Evasion"
    mitre_attack_technique = "T1134.003"
    created = "2026-04-20"
    confidence = "high"

  events:
    (
      $e.metadata.event_type = "USER_LOGIN"
      and (
        (
          $e.metadata.product_event_type = "4624"
          and $e.extensions.auth.auth_details = "9"
        )
        or
        (
          $e.metadata.product_event_type = "4648"
          and re.regex(
            $e.principal.process.file.full_path,
            `(?i)(cmd|powershell|pwsh|mshta|wscript|cscript|rundll32|regsvr32|msbuild)\.exe$`
          )
          and not re.regex($e.principal.user.userid, `\$$`)
        )
      )
      and not re.regex($e.target.user.userid, `\$$`)
      and not $e.target.user.userid = ""
      and not $e.target.user.userid = "-"
      and not $e.target.user.userid = "ANONYMOUS LOGON"
      and not re.regex(
        $e.principal.process.file.full_path,
        `(?i)(lsass|winlogon|services|svchost)\.exe$`
      )
    )
    or
    (
      $e.metadata.event_type = "PROCESS_LAUNCH"
      and (
        re.regex(
          $e.target.process.command_line,
          `(?i)(incognito|make_token|invoke-tokenmanipulation|logonuserw|logonusera|tokenvator|SetThreadToken|ImpersonateLoggedOnUser|LOGON32_LOGON_NEW_CREDENTIALS)`
        )
        or re.regex(
          $e.target.process.file.full_path,
          `(?i)(incognito|tokenvator)\.exe$`
        )
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Windows Security Event Log via Chronicle forwarder (WINDOWS_AD or custom parser) Chronicle UDM (Unified Data Model)

Required Tables

events (UDM)

False Positives

Privileged identity management platforms that use LogonUser() API calls to validate or proxy credentials (CyberArk, Delinea, BeyondTrust) generate USER_LOGIN events with auth_details='9' from their service processes on every credential check.
Configuration management agents and infrastructure automation tools (Puppet agent, Chef client, Ansible on Windows) that execute tasks under alternate user contexts using explicit credentials match the 4648 branch from powershell.exe or cmd.exe.
Red team simulation platforms (Atomic Red Team, AttackIQ, Cymulate) that run authorized T1134.003 simulations will match all branches; correlate with change records and testing windows to distinguish authorized activity.

Last updated: 2026-04-20 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1134.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1134Access Token Manipulation

Related Sub-techniques

T1134.001Token Impersonation/Theft T1134.002Create Process with Token T1134.004Parent PID Spoofing T1134.005SID-History Injection

Make and Impersonate Token

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections