
Detect Access Token Manipulation in IBM QRadar

Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token. An adversary can use built-in Windows API functions to copy access tokens from existing processes (token stealing) and either apply them to an existing process or spawn a new one. An adversary must already be in a privileged user context to steal a token, but commonly uses token stealing to escalate from administrator to SYSTEM. Any standard user can use the runas command and Windows API functions to create impersonation tokens without administrator access.

MITRE ATT&CK

Tactic: Defense Evasion, Privilege Escalation
Technique: T1134 Access Token Manipulation
Canonical reference: https://attack.mitre.org/techniques/T1134/

QRadar Detection Query

```sql
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  devicehostname AS host,
  username AS account_name,
  "Process Image" AS process_image,
  "Command Line" AS command_line,
  "Parent Image" AS parent_process,
  CASE
    WHEN LOWER("Process Image") MATCHES '.*(juicypotato|printspoofer|sweetpotato|godpotato|roguewinrm|rottenpotatong|incognito|tokenvator).*'
      OR LOWER("Command Line") MATCHES '.*(juicypotato|printspoofer|sweetpotato|godpotato|roguewinrm|incognito|tokenvator).*'
      THEN 'KnownTokenTool'
    WHEN LOWER("Process Image") MATCHES '.*(powershell\.exe|pwsh\.exe)'
      AND LOWER("Command Line") MATCHES '.*(invoke-tokenmanipulation|get-securitytoken|duplicatetokenex|openprocesstoken|adjusttokenprivileges|createprocesswithtoken|impersonateloggedonuser|setthreadtoken|ntimpersonatethread|invoke-runas|sedebugprivilege|seassignprimarytokenprivilege).*'
      THEN 'PowerShellTokenAbuse'
    WHEN QIDNAME(qid) = 'Special privileges assigned to new logon'
      AND NOT username MATCHES '.*\$$'
      AND NOT LOWER(username) IN ('system', 'local service', 'network service')
      AND NOT LOWER(username) MATCHES '(dwm-|umfd-).*'
      AND "Privilege List" MATCHES '(?i).*(sedebugprivilege|seassignprimarytokenprivilege|setcbprivilege|secreatetokenprivilege).*'
      THEN 'SuspiciousPrivilegeAssignment'
    ELSE 'unknown'
  END AS detection_type,
  LOGSOURCENAME(logsourceid) AS log_source
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 13, 14, 67, 233)
  AND (
    LOWER("Process Image") MATCHES '.*(juicypotato|printspoofer|sweetpotato|godpotato|roguewinrm|rottenpotatong|incognito|tokenvator).*'
    OR LOWER("Command Line") MATCHES '.*(juicypotato|printspoofer|sweetpotato|godpotato|roguewinrm|incognito|tokenvator).*'
    OR (
      LOWER("Process Image") MATCHES '.*(powershell\.exe|pwsh\.exe)'
      AND LOWER("Command Line") MATCHES '.*(invoke-tokenmanipulation|get-securitytoken|duplicatetokenex|openprocesstoken|adjusttokenprivileges|createprocesswithtoken|impersonateloggedonuser|setthreadtoken|ntimpersonatethread|invoke-runas|sedebugprivilege|seassignprimarytokenprivilege).*'
    )
    OR (
      QIDNAME(qid) = 'Special privileges assigned to new logon'
      AND NOT username MATCHES '.*\$$'
      AND NOT LOWER(username) IN ('system', 'local service', 'network service')
      AND NOT LOWER(username) MATCHES '(dwm-|umfd-).*'
      AND "Privilege List" MATCHES '(?i).*(sedebugprivilege|seassignprimarytokenprivilege|setcbprivilege|secreatetokenprivilege).*'
    )
  )
ORDER BY starttime DESC
LAST 24 HOURS
```

Severity: high. Confidence: medium.

QRadar AQL detection for Windows access token manipulation. It queries process creation events from Windows Security and Sysmon log sources and correlates three signals: known token-abuse tool names in the process image or command line, PowerShell command lines that reference token-related Win32 API functions or PowerSploit cmdlets, and suspicious privilege assignments at logon (QRadar's 'Special privileges assigned to new logon', the Windows Event ID 4672 equivalent). LOGSOURCETYPEID restricts the search to Windows event log sources, and QIDNAME matches the 4672 event semantically rather than by raw event ID. Two points matter when deploying it: "Process Image", "Command Line", "Parent Image" and "Privilege List" are custom event properties that must exist (and should be indexed) for these log sources, and AQL MATCHES is a full-string regular-expression match, so any pattern meant to hit a substring of a path or command line must be wrapped in '.*' on both sides or it will never fire. Because the WHERE clause repeats the CASE conditions, the ELSE 'unknown' branch never reaches the result set; a SELECT alias cannot be referenced in WHERE in any case. "Parent Image" is returned for analyst context only; the rule does not match on it, so a child process spawned by a token-abuse tool is surfaced only through the parent's own process creation event.

Data Sources

  • Windows Security Event Log
  • Sysmon via Windows Event Forwarding
  • QRadar Windows Custom Properties

Required Tables

events

False Positives & Tuning

  • Service accounts for enterprise backup solutions (e.g., Veeam, Commvault) that legitimately hold SeDebugPrivilege will generate SuspiciousPrivilegeAssignment alerts — add those account names to an exclusion reference set.
  • Authorized red team or vulnerability assessment activities using commercial tools that enumerate or test token privileges.
  • Developer workstations running Visual Studio debugger or WinDbg under a user context, which may briefly require SeDebugPrivilege for attaching to processes.
Testing Methodology

Validate this detection against four adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Invoke-TokenManipulation via PowerSploit

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Invoke-TokenManipulation' and 'Net.WebClient'. Sysmon Event ID 3: Network connection to raw.githubusercontent.com. PowerShell ScriptBlock Log Event ID 4104 with the full Invoke-TokenManipulation script content after download. Security Event 4672 may fire if the token enumeration triggers a privilege check.

  2. Test 2: AdjustTokenPrivileges — Enable SeDebugPrivilege via PowerShell

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'AdjustTokenPrivileges', 'OpenProcessToken', 'LookupPrivilegeValue', and 'SeDebugPrivilege'. PowerShell ScriptBlock Log Event ID 4104 with the P/Invoke code. Security Event 4672 may fire once the privilege adjustment is applied to the current process token.

  3. Test 3: PrintSpoofer — SeImpersonatePrivilege Abuse to SYSTEM

    Expected signal: Sysmon Event ID 1: Process Create for PrintSpoofer64.exe with CommandLine '-i -c whoami'. Sysmon Event ID 1: Child process cmd.exe or whoami.exe spawned from PrintSpoofer64.exe running as NT AUTHORITY\SYSTEM. System Event 7045 (Service Control Manager): a transient service briefly installed by PrintSpoofer to coerce the spooler token. Sysmon Event ID 3: Named pipe connection from PrintSpoofer to the spooler pipe.

  4. Test 4: RunAs with Explicit Credentials — Token Creation via LogonUser

    Expected signal: Security Event 4648: Logon Using Explicit Credentials — records the calling process (cmd.exe), the target account (testuser), and the logon GUID. Security Event 4624: New Logon with LogonType=2 (interactive) for the new session. Sysmon Event ID 1: cmd.exe spawned with runas as parent, running in the context of testuser. Security Event 4672 if testuser holds special privileges.
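The three CASE branches of the AQL query, the exclusion set suggested in the false-positive list, and the expected telemetry of the four tests above, re-implemented in Python as an added example that is not part of the original page and is not IBM or Atomic Red Team code. It classifies constructed events the way the query would and reports which tests the rule actually fires on. All event contents, account names, paths and the exclusion set are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Substring patterns lifted from the AQL query.  Python's re.search already
# matches anywhere in the string; in AQL, MATCHES is a full-string match, so
# the same patterns there need '.*' on both sides.  The query's Command Line
# branch omits rottenpotatong; one shared list is used here for brevity.
TOKEN_TOOLS = re.compile(
    r"(juicypotato|printspoofer|sweetpotato|godpotato|roguewinrm|rottenpotatong|incognito|tokenvator)")
POWERSHELL_IMAGE = re.compile(r"(powershell\.exe|pwsh\.exe)")
TOKEN_APIS = re.compile(
    r"(invoke-tokenmanipulation|get-securitytoken|duplicatetokenex|openprocesstoken"
    r"|adjusttokenprivileges|createprocesswithtoken|impersonateloggedonuser|setthreadtoken"
    r"|ntimpersonatethread|invoke-runas|sedebugprivilege|seassignprimarytokenprivilege)")
SENSITIVE_PRIVILEGES = re.compile(
    r"(sedebugprivilege|seassignprimarytokenprivilege|setcbprivilege|secreatetokenprivilege)",
    re.IGNORECASE)
BUILTIN_ACCOUNTS = {"system", "local service", "network service"}
SESSION_ACCOUNTS = re.compile(r"(dwm-|umfd-)")

# Constructed stand-in for the tuning reference set: backup service accounts
# that legitimately hold SeDebugPrivilege (the names are assumptions).
PRIVILEGE_EXCLUSION_SET = {"svc_veeam", "svc_commvault"}


@dataclass
class Event:
    """Minimal normalised event; fields mirror the QRadar custom properties."""
    event_id: int                 # Windows or Sysmon event ID (4672, Sysmon 1, ...)
    username: str = ""
    process_image: str = ""       # "Process Image"
    command_line: str = ""        # "Command Line"
    privilege_list: str = ""      # "Privilege List" (4672 only)


def classify(ev: Event) -> str:
    """Reproduce the CASE expression's detection_type for one event."""
    image, cmd = ev.process_image.lower(), ev.command_line.lower()
    if TOKEN_TOOLS.search(image) or TOKEN_TOOLS.search(cmd):
        return "KnownTokenTool"
    if POWERSHELL_IMAGE.search(image) and TOKEN_APIS.search(cmd):
        return "PowerShellTokenAbuse"
    if ev.event_id == 4672:  # 'Special privileges assigned to new logon'
        user = ev.username.lower()
        noisy = (user.endswith("$") or user in BUILTIN_ACCOUNTS
                 or SESSION_ACCOUNTS.search(user) or user in PRIVILEGE_EXCLUSION_SET)
        if not noisy and SENSITIVE_PRIVILEGES.search(ev.privilege_list):
            return "SuspiciousPrivilegeAssignment"
    return "unknown"


# Constructed events modelled on the expected telemetry listed for each test.
# Only the fields the rule can see are filled in; 4648, 4624, 7045 and 4104
# carry no process image or command line and therefore never match.
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ATOMIC_TESTS = {
    "Test 1": [Event(1, "alice", PS_IMAGE, "powershell.exe -c <download>; Invoke-TokenManipulation -Enumerate")],
    "Test 2": [Event(1, "alice", PS_IMAGE, "powershell.exe -c <P/Invoke AdjustTokenPrivileges OpenProcessToken SeDebugPrivilege>"),
               Event(4672, "alice", privilege_list="SeDebugPrivilege")],          # "may fire"
    "Test 3": [Event(1, "alice", r"C:\Tools\PrintSpoofer64.exe", "PrintSpoofer64.exe -i -c whoami"),
               Event(1, "SYSTEM", r"C:\Windows\System32\whoami.exe", "whoami"),  # child; parent not matched
               Event(7045, "SYSTEM")],
    "Test 4": [Event(4648, "alice"), Event(4624, "testuser"),
               Event(1, "testuser", r"C:\Windows\System32\cmd.exe", "cmd.exe")],
}


def coverage(tests: dict) -> dict:
    """Map each test to the set of detection types the rule would raise for it."""
    return {name: {classify(ev) for ev in evs} - {"unknown"} for name, evs in tests.items()}


if __name__ == "__main__":
    for name, hits in coverage(ATOMIC_TESTS).items():
        print(f"{name}: {sorted(hits) or 'NOT DETECTED'}")
```

Running it shows that Test 4 raises nothing: the rule has no hook on 4648 or 4624, and its only chance on the runas case is a 4672 for the target account, which a standard user does not generate. The SYSTEM child spawned in Test 3 is likewise invisible on its own and is caught only through the parent's PrintSpoofer event, which is why tuning the KnownTokenTool and PowerShellTokenAbuse patterns matters more than the 4672 branch for these tests.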
