T1134.003 Microsoft Sentinel · KQL

Detect Make and Impersonate Token in Microsoft Sentinel

Adversaries may make new tokens and impersonate users to escalate privileges and bypass access controls. If an adversary has a username and password but the user is not logged onto the system, the adversary can create a logon session for the user using the LogonUser function. The function returns a copy of the new session's access token, which the adversary can use with SetThreadToken to assign to a thread. This is distinct from Token Impersonation/Theft (T1134.001) because it creates a new user token rather than stealing or duplicating an existing one. Real-world threat actors including Cobalt Strike operators (make_token), FIN13 (Incognito V2), BlackByte, SILENTTRINITY, and the Mafalda implant use this technique to escalate privileges or move laterally using known credentials without spawning a new interactive session visible to the target user.

MITRE ATT&CK

Tactic: Defense Evasion, Privilege Escalation
Technique: T1134 Access Token Manipulation
Sub-technique: T1134.003 Make and Impersonate Token
Canonical reference: https://attack.mitre.org/techniques/T1134/003/

KQL Detection Query

Microsoft Sentinel (KQL)

// Branch 1: NewCredentials logon type (LogonType=9), the primary indicator of LogonUser API usage.
// LogonType 9 is generated when LogonUser() is called with LOGON32_LOGON_NEW_CREDENTIALS.
let SuspiciousCallers = dynamic(["cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe", "msbuild.exe"]);
let TokenTools = dynamic(["incognito", "make_token", "invoke-tokenmanipulation", "logonuserw", "logonusera", "tokenvator", "LOGON32_LOGON_NEW_CREDENTIALS", "SetThreadToken", "ImpersonateLoggedOnUser"]);
SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4624
| where LogonType == 9
// For 4624 the logged-on account is TargetUserName; it is projected as AccountName below to match the other branches
| where TargetUserName !in ("", "-", "ANONYMOUS LOGON")
| where not(ProcessName has_any ("lsass.exe", "winlogon.exe", "services.exe", "svchost.exe"))
| where not(TargetUserName endswith "$")  // Exclude machine accounts
| extend SuspiciousProcess = ProcessName has_any (SuspiciousCallers)
| extend LogonTypeName = "NewCredentials (Type 9) - LogonUser API"
| project TimeGenerated, Computer, EventID, LogonTypeName,
         AccountName = TargetUserName, AccountDomain = TargetDomainName,
         SubjectUserName, SubjectDomainName, ProcessName, IpAddress, IpPort,
         LogonGuid, SuspiciousProcess
| union (
    // Branch 2: Explicit credential logon (Event 4648) from interactive/scripting processes
    SecurityEvent
    | where TimeGenerated > ago(24h)
    | where EventID == 4648
    | where ProcessName has_any (SuspiciousCallers)
    | where TargetUserName !in ("", "-")
    | where not(SubjectUserName endswith "$")  // Exclude machine accounts
    | project TimeGenerated, Computer, EventID,
             LogonTypeName = "Explicit Credentials (4648)",
             AccountName = TargetUserName, AccountDomain = TargetDomainName,
             SubjectUserName, SubjectDomainName,
             ProcessName, IpAddress = TargetServerName, IpPort = "",
             LogonGuid = TargetInfo, SuspiciousProcess = true
)
| union (
    // Branch 3: Process creation with known token manipulation tool names or API call patterns
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where ProcessCommandLine has_any (TokenTools)
        or FileName has_any ("incognito.exe", "tokenvator.exe")  // has_any takes a scalar list or a dynamic array, not a bare [...] literal
    // EventID is cast to int so the union keeps one EventID column across SecurityEvent and DeviceProcessEvents
    | project TimeGenerated = Timestamp, Computer = DeviceName, EventID = toint(1),
             LogonTypeName = "Token Manipulation Tool Execution",
             AccountName, AccountDomain = "",
             SubjectUserName = InitiatingProcessAccountName, SubjectDomainName = "",
             ProcessName = FileName, IpAddress = "", IpPort = "",
             LogonGuid = "", SuspiciousProcess = true
)
| sort by TimeGenerated desc

Severity: High · Confidence: High

Detects Make and Impersonate Token (T1134.003) via three complementary branches: (1) Security Event 4624 with LogonType=9 (NewCredentials), the definitive indicator of a LogonUser API call that creates a token from known credentials without immediately authenticating to a domain controller; this is precisely the logon type generated by Cobalt Strike make_token and SILENTTRINITY. (2) Security Event 4648 (explicit credential logon) from interactive and scripting processes that are not expected to authenticate on behalf of other users. (3) DeviceProcessEvents matching known token manipulation tooling, including Incognito, Tokenvator, and API call pattern strings on the command line. LogonType 9 is the highest-fidelity indicator and should be prioritized during triage.

Data Sources

  • Windows Security Event Log
  • Microsoft Defender for Endpoint
  • Logon Session: Logon Session Creation
  • Process: Process Creation

Required Tables

  • SecurityEvent
  • DeviceProcessEvents

False Positives & Tuning

  • runas /netonly used by IT administrators to run administrative tools under alternate domain credentials generates LogonType 9 events with ProcessName=runas.exe
  • Password managers and enterprise SSO solutions that call LogonUser internally to validate credentials against Active Directory
  • SCCM/ConfigMgr, Intune, or BigFix deployment agents that impersonate service account credentials when installing software
  • Virtualization and remote desktop session brokers (Citrix Virtual Apps, VMware Horizon) that create logon sessions for session routing using stored credentials
  • Custom line-of-business applications with embedded credential logic using SSPI/LogonUser for application-layer AD authentication
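As an added example, not part of this page's own detection package, the following Python models branches 1 and 2 of the query above and runs them over constructed sample events, including the runas /netonly case from the tuning list. Process matching is by image basename (an approximation of the KQL has_any term match), and the suppress_runas switch is an assumption of this model, not a field of the original query.

```python
# Added example: Python model of branches 1 and 2 of the KQL above, over constructed events.
SUSPICIOUS_CALLERS = ("cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe",
                      "cscript.exe", "rundll32.exe", "regsvr32.exe", "msbuild.exe")
SYSTEM_CALLERS = ("lsass.exe", "winlogon.exe", "services.exe", "svchost.exe")
ADMIN_NETONLY_PROCS = ("runas.exe",)  # tuning allow-list for admin runas /netonly (assumption)

def basename(path: str) -> str:
    # Image file name from a Windows path, lower-cased (approximates has_any on ProcessName)
    return path.rsplit("\\", 1)[-1].lower()

def evaluate(event: dict, suppress_runas: bool = False):
    """Return an alert dict if the event matches branch 1 or 2, else None."""
    proc = basename(event.get("ProcessName", ""))
    eid = event.get("EventID")
    if eid == 4624 and event.get("LogonType") == 9:
        # Branch 1: NewCredentials logon; drop empty/anonymous/machine accounts and system callers
        target = event.get("TargetUserName", "")
        if target in ("", "-", "ANONYMOUS LOGON") or target.endswith("$"):
            return None
        if proc in SYSTEM_CALLERS or (suppress_runas and proc in ADMIN_NETONLY_PROCS):
            return None
        return {"branch": 1, "account": target, "process": proc,
                "suspicious_process": proc in SUSPICIOUS_CALLERS}
    if eid == 4648:
        # Branch 2: explicit-credential logon from a shell/scripting caller, non-machine subject
        target = event.get("TargetUserName", "")
        if proc not in SUSPICIOUS_CALLERS or target in ("", "-"):
            return None
        if event.get("SubjectUserName", "").endswith("$"):
            return None
        return {"branch": 2, "account": target, "process": proc, "suspicious_process": True}
    return None

def run(events, suppress_runas: bool = False):
    # Apply evaluate() to a batch of events and keep only the alerts
    return [a for a in (evaluate(e, suppress_runas) for e in events) if a]

# Constructed sample events (not real telemetry); ProcessName is a full path as in SecurityEvent
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 9, "TargetUserName": "dftest",
     "ProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 4624, "LogonType": 9, "TargetUserName": "dftest",
     "ProcessName": r"C:\Windows\System32\runas.exe"},          # admin runas /netonly
    {"EventID": 4624, "LogonType": 9, "TargetUserName": "WS01$",
     "ProcessName": r"C:\Windows\System32\svchost.exe"},        # machine account, system caller
    {"EventID": 4648, "TargetUserName": "dftest", "SubjectUserName": "alice",
     "ProcessName": r"C:\Windows\System32\cmd.exe"},            # explicit creds from a shell
    {"EventID": 4648, "TargetUserName": "svc", "SubjectUserName": "SRV01$",
     "ProcessName": r"C:\Windows\System32\cmd.exe"},            # subject is a machine account
]
```

Running run(SAMPLE_EVENTS) yields three alerts (two branch 1, one branch 2); with suppress_runas=True the runas.exe hit is dropped while the PowerShell and cmd.exe hits remain.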

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Make Token via runas /netonly (LogonType 9 Baseline Test)

    Expected signal: Security Event 4624 (LogonType=9, NewCredentials): SubjectUserName=<current user>, TargetUserName=dftest, TargetDomainName=<domain>, ProcessName=C:\Windows\System32\runas.exe, LogonType=9. Sysmon Event 1: runas.exe process creation with CommandLine containing '/netonly'. A UAC credential dialog will appear requesting the password for dftest; enter any value, since the LogonType 9 event fires regardless of password correctness because validation is deferred.

  2. Test 2: Make Token via PowerShell P/Invoke LogonUser API Call

    Expected signal: Security Event 4624 (LogonType=9) or 4625 (failed logon): AccountName=dftest, LogonType=9, ProcessName contains powershell.exe. Sysmon Event 1: powershell.exe CommandLine containing 'LogonUserW', 'advapi32', 'T1134003Test'. PowerShell ScriptBlock Log Event 4104: full Add-Type DllImport definition captured. Even if 4625 (failure) fires instead of 4624, the LogonType=9 attribute is still present in the event.

  3. Test 3: Invoke-TokenManipulation Enumerate Available Tokens

    Expected signal: Sysmon Event 1: powershell.exe with CommandLine containing 'Invoke-TokenManipulation', 'make_token'. PowerShell ScriptBlock Log Event 4104: captures the Invoke-Expression and function definition. No Security Event 4624/4648 fires unless -CreateProcess or -Username with credentials is used; this tests the command-line-pattern detection branch only.

  4. Test 4: Explicit Credential Network Authentication (Event 4648 Test)

    Expected signal: Security Event 4648: SubjectUserName=<current user>, TargetUserName=dftest, TargetServerName=127.0.0.1, ProcessName=cmd.exe. Security Event 4625 (failed logon) with LogonType=3 if the password is wrong. Sysmon Event 3: network connection from cmd.exe to 127.0.0.1:445 (SMB). This specifically exercises the Event 4648 detection branch where the calling process is an interactive shell, the highest-confidence signal for lateral movement using explicit credentials.
