Detect Make and Impersonate Token in Elastic Security
Adversaries may make new tokens and impersonate users to escalate privileges and bypass access controls. If an adversary has a username and password but the user is not logged onto the system, the adversary can create a logon session for the user using the LogonUser function. The function returns a copy of the new session's access token, which the adversary can use with SetThreadToken to assign to a thread. This is distinct from Token Impersonation/Theft (T1134.001) because it creates a new user token rather than stealing or duplicating an existing one. Real-world threat actors including Cobalt Strike operators (make_token), FIN13 (Incognito V2), BlackByte, SILENTTRINITY, and the Mafalda implant use this technique to escalate privileges or move laterally using known credentials without spawning a new interactive session visible to the target user.
MITRE ATT&CK
- Technique: T1134 Access Token Manipulation
- Sub-technique: T1134.003 Make and Impersonate Token
- Canonical reference: https://attack.mitre.org/techniques/T1134/003/
Elastic Detection Query
any where (
  (
    event.code == "4624" and
    winlog.event_data.LogonType == "9" and
    not winlog.event_data.TargetUserName in ("", "-", "ANONYMOUS LOGON") and
    not winlog.event_data.TargetUserName like "*$" and
    not winlog.event_data.ProcessName like~ "*\\lsass.exe" and
    not winlog.event_data.ProcessName like~ "*\\winlogon.exe" and
    not winlog.event_data.ProcessName like~ "*\\services.exe" and
    not winlog.event_data.ProcessName like~ "*\\svchost.exe"
  ) or
  (
    event.code == "4648" and
    not winlog.event_data.SubjectUserName like "*$" and
    winlog.event_data.TargetUserName != "" and
    (
      winlog.event_data.ProcessName like~ "*\\cmd.exe" or
      winlog.event_data.ProcessName like~ "*\\powershell.exe" or
      winlog.event_data.ProcessName like~ "*\\pwsh.exe" or
      winlog.event_data.ProcessName like~ "*\\mshta.exe" or
      winlog.event_data.ProcessName like~ "*\\wscript.exe" or
      winlog.event_data.ProcessName like~ "*\\cscript.exe" or
      winlog.event_data.ProcessName like~ "*\\rundll32.exe" or
      winlog.event_data.ProcessName like~ "*\\regsvr32.exe" or
      winlog.event_data.ProcessName like~ "*\\msbuild.exe"
    )
  ) or
  (
    event.category == "process" and
    (
      process.command_line like~ "*incognito*" or
      process.command_line like~ "*make_token*" or
      process.command_line like~ "*invoke-tokenmanipulation*" or
      process.command_line like~ "*logonuserw*" or
      process.command_line like~ "*logonusera*" or
      process.command_line like~ "*tokenvator*" or
      process.command_line like~ "*SetThreadToken*" or
      process.name like~ "incognito.exe" or
      process.name like~ "tokenvator.exe"
    )
  )
)

Detects T1134.003 Make and Impersonate Token across three branches: (1) Windows Security Event 4624 with LogonType 9 (NewCredentials), the logon type produced when LogonUser() is called with the NEW_CREDENTIALS logon type to obtain a token carrying alternate credentials without spawning an interactive session (runas /netonly and Cobalt Strike make_token both work this way; LogonUser() called with the interactive or network logon types produces LogonType 2 or 3 instead, so this branch is specific to alternate-credential tokens); (2) Event 4648 (explicit credential logon) raised by known scripting interpreters and LOLBins such as cmd.exe, PowerShell, mshta, wscript, cscript, rundll32, regsvr32, and msbuild; (3) process command lines or executable names matching known token manipulation tooling, including Cobalt Strike make_token, Incognito v2, Tokenvator, and direct references to the LogonUser and SetThreadToken Windows APIs. Machine accounts (names ending in $) and known-benign system processes (lsass, winlogon, services, svchost) are excluded.
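To make the branch and exclusion logic checkable offline, here is an added Python re-implementation of the three branches of the EQL rule above, run over a handful of constructed ECS-shaped events. This is illustrative code written for this page, not the Elastic rule or any Elastic library; the event dictionaries are constructed samples, and the function and constant names are assumptions.

```python
"""Three-branch T1134.003 rule logic re-implemented over ECS-shaped event dicts.
Added example for this page; not Elastic code. All sample events are constructed."""
import fnmatch

# Branch 1: core system processes that legitimately produce LogonType 9 and are excluded
SYSTEM_LOGON_PROCESSES = {"lsass.exe", "winlogon.exe", "services.exe", "svchost.exe"}
# Branch 2: interpreters and LOLBins whose 4648 events are of interest
EXPLICIT_CRED_CALLERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
                         "wscript.exe", "cscript.exe", "rundll32.exe",
                         "regsvr32.exe", "msbuild.exe"}
# Branch 3: command-line patterns and tool names, compared case-insensitively like `like~`
CMDLINE_PATTERNS = ("*incognito*", "*make_token*", "*invoke-tokenmanipulation*",
                    "*logonuserw*", "*logonusera*", "*tokenvator*", "*setthreadtoken*")
TOOL_NAMES = {"incognito.exe", "tokenvator.exe"}


def _get(event, dotted, default=""):
    """Walk a dotted ECS path such as 'winlog.event_data.LogonType' through nested dicts."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return default if cur is None else cur


def _basename(path):
    """Lower-cased file name of a Windows path, mirroring the `*\\name.exe` wildcard."""
    return str(path).replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the name of the rule branch the event matches, or None."""
    code = str(_get(event, "event.code"))
    data = _get(event, "winlog.event_data", {})
    proc = _basename(data.get("ProcessName", ""))
    target = str(data.get("TargetUserName", ""))

    if code == "4624":
        # NewCredentials logon for a non-machine account, not from a core system process
        if (str(data.get("LogonType", "")) == "9"
                and target not in ("", "-", "ANONYMOUS LOGON")
                and not target.endswith("$")
                and proc not in SYSTEM_LOGON_PROCESSES):
            return "new_credentials_logon"
        return None

    if code == "4648":
        # Explicit-credential logon initiated by an interactive shell or LOLBin
        subject = str(data.get("SubjectUserName", ""))
        if not subject.endswith("$") and target != "" and proc in EXPLICIT_CRED_CALLERS:
            return "explicit_credential_logon"
        return None

    if _get(event, "event.category") == "process":
        cmd = str(_get(event, "process.command_line")).lower()
        name = str(_get(event, "process.name")).lower()
        if name in TOOL_NAMES or any(fnmatch.fnmatchcase(cmd, p) for p in CMDLINE_PATTERNS):
            return "token_tooling"
    return None


def run_detection(events):
    """Return (index, branch) for every event the rule would alert on."""
    hits = []
    for i, event in enumerate(events):
        branch = classify(event)
        if branch:
            hits.append((i, branch))
    return hits


# Constructed sample events (not real telemetry), one per interesting case
SAMPLE_EVENTS = [
    {"event": {"code": "4624"}, "winlog": {"event_data": {   # 0: runas /netonly style logon
        "LogonType": "9", "SubjectUserName": "alice", "TargetUserName": "dftest",
        "ProcessName": "C:\\Windows\\System32\\runas.exe"}}},
    {"event": {"code": "4624"}, "winlog": {"event_data": {   # 1: same type from lsass.exe, excluded
        "LogonType": "9", "TargetUserName": "svc_backup",
        "ProcessName": "C:\\Windows\\System32\\lsass.exe"}}},
    {"event": {"code": "4624"}, "winlog": {"event_data": {   # 2: machine account, excluded
        "LogonType": "9", "TargetUserName": "WS01$",
        "ProcessName": "C:\\Windows\\System32\\runas.exe"}}},
    {"event": {"code": "4624"}, "winlog": {"event_data": {   # 3: interactive logon, wrong type
        "LogonType": "2", "TargetUserName": "alice",
        "ProcessName": "C:\\Windows\\System32\\winlogon.exe"}}},
    {"event": {"code": "4648"}, "winlog": {"event_data": {   # 4: explicit creds from cmd.exe
        "SubjectUserName": "alice", "TargetUserName": "dftest",
        "TargetServerName": "127.0.0.1", "ProcessName": "C:\\Windows\\System32\\cmd.exe"}}},
    {"event": {"code": "4648"}, "winlog": {"event_data": {   # 5: 4648 from a machine account, excluded
        "SubjectUserName": "WS01$", "TargetUserName": "dftest",
        "ProcessName": "C:\\Windows\\System32\\cmd.exe"}}},
    {"event": {"category": "process"}, "process": {          # 6: tooling on the command line
        "name": "powershell.exe",
        "command_line": "powershell.exe -nop -c Invoke-TokenManipulation -Enumerate"}},
    {"event": {"category": "process"}, "process": {          # 7: benign process
        "name": "notepad.exe", "command_line": "notepad.exe C:\\notes.txt"}},
]

if __name__ == "__main__":
    for idx, branch in run_detection(SAMPLE_EVENTS):
        print(f"event {idx}: {branch}")
```

Running the block prints the three hits (events 0, 4 and 6); events 1, 2, 3, 5 and 7 fall to the exclusions, which is the behaviour to re-check whenever the exclusion lists in the rule are edited.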
False Positives & Tuning
- Privileged Access Management (PAM) tools such as CyberArk PSM, BeyondTrust, and Delinea Secret Server call LogonUser() to verify stored credentials, generating LogonType 9 events from their service processes on a regular basis.
- Remote Monitoring and Management (RMM) agents including ConnectWise Automate, Kaseya VSA, and Datto RMM authenticate to managed endpoints using explicit credentials, producing Event 4648 from their agent executable or from cmd.exe/powershell.exe wrappers they spawn.
- CI/CD pipeline agents and build automation platforms (MSBuild tasks, Azure DevOps agent, Jenkins agent) that access internal artifact repositories or signing services using stored service account credentials can generate matching 4648 events from msbuild.exe or powershell.exe.
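Rather than loosening the query to cope with these sources, the usual approach is an exception layer plus a first-seen baseline applied to the alerts the rule emits. The following is an added Python example of that layer, written for this page and not part of the detection package; every host name, account name and binary path in it is a constructed placeholder, and the `EXCEPTIONS` format and function names are assumptions.

```python
"""Exception and first-seen baseline layer over alerts produced by the rule.
Added example for this page. Hosts, paths and account names are constructed placeholders."""
import fnmatch

# Known-benign callers as (branch, process path glob, subject account glob), all lower-case.
# Placeholder paths: replace with the binaries actually observed in your environment.
EXCEPTIONS = [
    ("new_credentials_logon", "c:\\program files\\examplepam\\*\\psmsvc.exe", "svc_pam"),
    ("explicit_credential_logon", "c:\\program files\\examplermm\\agent\\*", "svc_rmm"),
    ("explicit_credential_logon", "*\\msbuild.exe", "svc_build"),
]


def _key(alert):
    """Identity of a recurring logon pattern: host, calling binary, subject and target."""
    return (alert["host"], alert["process"].lower(), alert["subject"].lower(), alert["target"].lower())


def matching_exception(alert):
    """Return the exception tuple that covers this alert, or None."""
    for branch, proc_glob, subject_glob in EXCEPTIONS:
        if (alert["branch"] == branch
                and fnmatch.fnmatchcase(alert["process"].lower(), proc_glob)
                and fnmatch.fnmatchcase(alert["subject"].lower(), subject_glob)):
            return (branch, proc_glob, subject_glob)
    return None


def build_baseline(historical_alerts, min_days=3):
    """Patterns seen on at least `min_days` distinct days count as established behaviour.
    Host is part of the key, so the same service account on a new host is still new."""
    days_seen = {}
    for a in historical_alerts:
        days_seen.setdefault(_key(a), set()).add(a["day"])
    return {k for k, days in days_seen.items() if len(days) >= min_days}


def triage(alerts, baseline):
    """Return alerts annotated with a disposition: escalate, or why they were suppressed."""
    out = []
    for a in alerts:
        exc = matching_exception(a)
        if exc:
            disposition = "suppressed:exception:" + exc[1]
        elif _key(a) in baseline:
            disposition = "suppressed:baseline"
        else:
            disposition = "escalate"
        out.append({**a, "disposition": disposition})
    return out


def escalations(alerts, baseline):
    """Hosts whose alerts still need analyst attention after tuning."""
    return [a["host"] for a in triage(alerts, baseline) if a["disposition"] == "escalate"]


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"

# Constructed history: an RMM service account has authenticated from WS02 on five separate days.
HISTORY = [
    {"host": "WS02", "branch": "explicit_credential_logon", "process": PS,
     "subject": "svc_rmm", "target": "admin", "day": f"2024-05-0{d}"}
    for d in range(1, 6)
]

# Constructed current alerts, one per disposition case.
CURRENT_ALERTS = [
    {"host": "PAM01", "branch": "new_credentials_logon", "day": "2024-05-06",
     "process": "C:\\Program Files\\ExamplePAM\\Components\\PSMSvc.exe",
     "subject": "svc_pam", "target": "dftest"},                     # exception
    {"host": "WS01", "branch": "new_credentials_logon", "day": "2024-05-06",
     "process": "C:\\Windows\\System32\\runas.exe",
     "subject": "alice", "target": "dftest"},                       # escalate
    {"host": "BUILD01", "branch": "explicit_credential_logon", "day": "2024-05-06",
     "process": "C:\\Program Files\\ExampleBuild\\MSBuild.exe",
     "subject": "svc_build", "target": "svc_artifacts"},            # exception
    {"host": "WS02", "branch": "explicit_credential_logon", "day": "2024-05-06",
     "process": PS, "subject": "svc_rmm", "target": "admin"},       # baseline
    {"host": "WS03", "branch": "explicit_credential_logon", "day": "2024-05-06",
     "process": PS, "subject": "svc_rmm", "target": "admin"},       # escalate: new host
]

if __name__ == "__main__":
    for a in triage(CURRENT_ALERTS, build_baseline(HISTORY)):
        print(a["host"], a["disposition"])
```

Exceptions are keyed on branch, binary path and subject account together, so a PAM service binary is only excused for its own service account, and the baseline key includes the host, which is why the WS03 alert escalates even though the same account and binary are routine on WS02.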
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Make Token via runas /netonly (LogonType 9 Baseline Test)
Expected signal: Security Event 4624 (LogonType=9, NewCredentials): SubjectUserName=<current user>, TargetUserName=dftest, TargetDomainName=<domain>, ProcessName=C:\Windows\System32\runas.exe. Sysmon Event 1: runas.exe process creation with CommandLine containing '/netonly'. A credential prompt will request the password for dftest; enter any value. The LogonType 9 event fires regardless of password correctness because with /netonly the credentials are only validated when they are first used against a remote resource.
- Test 2: Make Token via PowerShell P/Invoke LogonUser API Call
Expected signal: Security Event 4624 (LogonType=9) or 4625 (failed logon): AccountName=dftest, LogonType=9, ProcessName contains powershell.exe. Sysmon Event 1: powershell.exe CommandLine containing 'LogonUserW', 'advapi32', 'T1134003Test'. PowerShell ScriptBlock Log Event 4104: full Add-Type DllImport definition captured. Even if 4625 (failure) fires instead of 4624, the LogonType=9 attribute is still present in the event.
- Test 3: Invoke-TokenManipulation Enumerate Available Tokens
Expected signal: Sysmon Event 1: powershell.exe with CommandLine containing 'Invoke-TokenManipulation', 'make_token'. PowerShell ScriptBlock Log Event 4104: captures the Invoke-Expression and function definition. No Security Event 4624/4648 fires unless -CreateProcess or -Username with credentials is used; this test exercises the command-line-pattern detection branch only.
- Test 4: Explicit Credential Network Authentication (Event 4648 Test)
Expected signal: Security Event 4648: SubjectUserName=<current user>, TargetUserName=dftest, TargetServerName=127.0.0.1, ProcessName=cmd.exe. Security Event 4625 (failed logon) with LogonType=3 if the password is wrong. Sysmon Event 3: network connection from cmd.exe to 127.0.0.1:445 (SMB). This specifically exercises the Event 4648 detection branch where the calling process is an interactive shell, the highest-confidence signal for lateral movement using explicit credentials.
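When checking the expected signals above on a lab host, the raw records are usually pulled with `wevtutil qe Security /f:xml` (or the Sysmon channel equivalent) rather than read from Elastic. The following added Python example, written for this page and not part of the test package, parses such XML records and reports which tests' expected signals are present. The `EXPECTED` table encodes only the fields listed in the test descriptions; the three XML records are constructed to mirror the EventData names of real 4624, 4648 and Sysmon Event 1 records, and the function names are assumptions.

```python
"""Check exported Windows event XML for the expected signal of each test above.
Added example for this page. The XML records are constructed, not real exports."""
import fnmatch
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def parse_event(xml_text):
    """Flatten one <Event> record into channel, event id and an EventData name->value map."""
    root = ET.fromstring(xml_text)
    return {
        "channel": root.findtext("e:System/e:Channel", default="", namespaces=NS),
        "event_id": root.findtext("e:System/e:EventID", default="", namespaces=NS),
        "data": {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)},
    }


# Expected signal per test: any of the event ids on the channel, every field matching its wildcard.
EXPECTED = {
    "Test 1": {"channel": "Security", "event_ids": {"4624"},
               "fields": {"LogonType": "9", "TargetUserName": "dftest", "ProcessName": "*\\runas.exe"}},
    "Test 2": {"channel": "Security", "event_ids": {"4624", "4625"},
               "fields": {"LogonType": "9", "ProcessName": "*\\powershell.exe"}},
    "Test 3": {"channel": "Microsoft-Windows-Sysmon/Operational", "event_ids": {"1"},
               "fields": {"CommandLine": "*Invoke-TokenManipulation*"}},
    "Test 4": {"channel": "Security", "event_ids": {"4648"},
               "fields": {"TargetUserName": "dftest", "TargetServerName": "127.0.0.1",
                          "ProcessName": "*\\cmd.exe"}},
}


def signal_present(test_name, events):
    """True if at least one parsed event satisfies the test's expected signal."""
    spec = EXPECTED[test_name]
    for ev in events:
        if ev["channel"] != spec["channel"] or ev["event_id"] not in spec["event_ids"]:
            continue
        if all(fnmatch.fnmatchcase(ev["data"].get(k, ""), pat) for k, pat in spec["fields"].items()):
            return True
    return False


def check_all(xml_records):
    """Map each test name to whether its expected signal appears in the records."""
    events = [parse_event(x) for x in xml_records]
    return {name: signal_present(name, events) for name in EXPECTED}


def missing_signals(xml_records):
    """Tests whose expected signal did not show up, sorted by name."""
    return sorted(name for name, ok in check_all(xml_records).items() if not ok)


# Constructed records: a Test 1 logon, a Test 3 Sysmon process creation and a Test 4 4648.
SAMPLE_XML = [
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID>
  <Channel>Security</Channel><Computer>WS01</Computer></System>
  <EventData><Data Name="SubjectUserName">alice</Data><Data Name="TargetUserName">dftest</Data>
  <Data Name="LogonType">9</Data><Data Name="ProcessName">C:\Windows\System32\runas.exe</Data></EventData>
</Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID>
  <Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>WS01</Computer></System>
  <EventData><Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
  <Data Name="CommandLine">powershell.exe -c Invoke-TokenManipulation -Enumerate</Data></EventData>
</Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4648</EventID>
  <Channel>Security</Channel><Computer>WS01</Computer></System>
  <EventData><Data Name="SubjectUserName">alice</Data><Data Name="TargetUserName">dftest</Data>
  <Data Name="TargetServerName">127.0.0.1</Data><Data Name="ProcessName">C:\Windows\System32\cmd.exe</Data></EventData>
</Event>""",
]

if __name__ == "__main__":
    for name, ok in check_all(SAMPLE_XML).items():
        print(name, "present" if ok else "MISSING")
```

With the three constructed records, Tests 1, 3 and 4 are reported present and Test 2 missing, which is the shape of result to expect when only a subset of the tests has been exercised on the host.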
References (10)
- https://attack.mitre.org/techniques/T1134/003/
- https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-logonuserw
- https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-setthreadtoken
- https://learn.microsoft.com/en-us/windows/win32/secauthz/access-tokens
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4648
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4624
- https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-TokenManipulation.ps1
- https://www.cobaltstrike.com/blog/windows-access-tokens-and-alternate-credentials
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.003/T1134.003.md