T1134 Splunk · SPL

Detect Access Token Manipulation in Splunk

Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token. An adversary can use built-in Windows API functions to copy access tokens from existing processes (token stealing) and either apply them to an existing process or spawn a new one. An adversary must already be in a privileged user context to steal a token, but commonly uses token stealing to escalate from administrator to SYSTEM. Any standard user can use the runas command and Windows API functions to create impersonation tokens without administrator access.

MITRE ATT&CK

Tactic
Defense Evasion Privilege Escalation
Technique
T1134 Access Token Manipulation
Canonical reference
https://attack.mitre.org/techniques/T1134/

SPL Detection Query

Splunk (SPL)
spl 
(
  (index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1)
  OR
  (index=wineventlog sourcetype="WinEventLog:Security" EventCode=4672)
)
| eval AccountName=coalesce(User, SubjectUserName)
| eval ProcessImage=coalesce(Image, "N/A")
| eval CmdLine=coalesce(CommandLine, PrivilegeList, "N/A")
| eval ParentProcess=coalesce(ParentImage, "N/A")
| eval IsKnownTokenTool=if(
    match(lower(ProcessImage), "(juicypotato|printspoofer|sweetpotato|godpotato|roguewinrm|rottenpotatong|incognito|tokenvator)") OR
    match(lower(CmdLine), "(juicypotato|printspoofer|sweetpotato|godpotato|roguewinrm|incognito|tokenvator)"),
    1, 0)
| eval IsPSTokenAbuse=if(
    EventCode=1 AND (match(lower(ProcessImage), "(powershell\.exe|pwsh\.exe)")) AND
    match(lower(CmdLine), "(invoke-tokenmanipulation|get-securitytoken|duplicatetokenex|openprocesstoken|adjusttokenprivileges|createprocesswithtoken|impersonateloggedonuser|setthreadtoken|ntimpersonatethread|invoke-runas|seimpersonateprivilege|sedebugprivilege)"),
    1, 0)
| eval IsSuspiciousPrivilege=if(
    EventCode=4672 AND
    NOT match(AccountName, "\\$$") AND
    NOT match(lower(AccountName), "(system|local service|network service|dwm-|umfd-)") AND
    match(CmdLine, "(?i)(sedebugprivilege|seassignprimarytokenprivilege|setcbprivilege|secreatetokenprivilege)"),
    1, 0)
| eval DetectionType=case(
    IsKnownTokenTool=1, "KnownTokenTool",
    IsPSTokenAbuse=1, "PowerShellTokenAbuse",
    IsSuspiciousPrivilege=1, "SuspiciousPrivilegeAssignment",
    true(), "unknown")
| where DetectionType != "unknown"
| eval SuspicionScore=IsKnownTokenTool + IsPSTokenAbuse + IsSuspiciousPrivilege
| table _time, host, AccountName, ProcessImage, CmdLine, ParentProcess, DetectionType, SuspicionScore
| sort - _time
high severity high confidence

Detects Access Token Manipulation across Sysmon process creation (Event ID 1) and Windows Security privilege assignment (Event ID 4672). Evaluates three detection branches: known token theft utilities by name or command line, PowerShell invoking token manipulation APIs (DuplicateTokenEx, AdjustTokenPrivileges, CreateProcessWithToken, ImpersonateLoggedOnUser), and accounts receiving high-risk privileges (SeDebugPrivilege, SeAssignPrimaryTokenPrivilege, SeTcbPrivilege) outside normal service account patterns. A SuspicionScore is computed to help prioritize events where multiple indicators co-occur.

Data Sources

Process: Process CreationWindows Security Event LogSysmon Event ID 1Sysmon Event ID 10

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/OperationalWinEventLog:Security

False Positives & Tuning

  • Legitimate penetration testing tools or red team exercises using Invoke-TokenManipulation or JuicyPotato on authorized engagements
  • System administrators using runas or token manipulation for legitimate privileged tasks with corresponding change tickets
  • Security software (EDR agents, vulnerability scanners, PAM solutions) that legitimately hold SeDebugPrivilege for process inspection
  • Windows services running as NETWORK SERVICE or LOCAL SERVICE that receive SeImpersonatePrivilege by design (IIS application pools, SQL Server, etc.)
  • Domain controllers where SeDebugPrivilege is legitimately assigned to elevated administrator accounts
Download portable Sigma rule (.yml)

Other platforms for T1134

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Invoke-TokenManipulation via PowerSploit

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Invoke-TokenManipulation' and 'Net.WebClient'. Sysmon Event ID 3: Network connection to raw.githubusercontent.com. PowerShell ScriptBlock Log Event ID 4104 with the full Invoke-TokenManipulation script content after download. Security Event 4672 may fire if the token enumeration triggers a privilege check.

  2. Test 2AdjustTokenPrivileges — Enable SeDebugPrivilege via PowerShell

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'AdjustTokenPrivileges', 'OpenProcessToken', 'LookupPrivilegeValue', and 'SeDebugPrivilege'. PowerShell ScriptBlock Log Event ID 4104 with the P/Invoke code. Security Event 4672 may fire once the privilege adjustment is applied to the current process token.

  3. Test 3PrintSpoofer — SeImpersonatePrivilege Abuse to SYSTEM

    Expected signal: Sysmon Event ID 1: Process Create for PrintSpoofer64.exe with CommandLine '-i -c whoami'. Sysmon Event ID 1: Child process cmd.exe or whoami.exe spawned from PrintSpoofer64.exe running as NT AUTHORITY\SYSTEM. System Event 7045 (Service Control Manager): a transient service briefly installed by PrintSpoofer to coerce the spooler token. Sysmon Event ID 3: Named pipe connection from PrintSpoofer to the spooler pipe.

  4. Test 4RunAs with Explicit Credentials — Token Creation via LogonUser

    Expected signal: Security Event 4648: Logon Using Explicit Credentials — records the calling process (cmd.exe), the target account (testuser), and the logon GUID. Security Event 4624: New Logon with LogonType=2 (interactive) for the new session. Sysmon Event ID 1: cmd.exe spawned with runas as parent, running in the context of testuser. Security Event 4672 if testuser holds special privileges.

Last updated: 2026-04-18 Research depth: deep
References (12)

Unlock Pro Content

Get the full detection package for T1134 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (5)

Related Techniques

T1134.001Token Impersonation/TheftT1134.002Create Process with TokenT1134.003Make and Impersonate TokenT1134.004Parent PID SpoofingT1134.005SID-History InjectionT1055Process InjectionT1003OS Credential DumpingT1548.002Bypass User Account ControlT1068Exploitation for Privilege EscalationT1078Valid Accounts

Same Tactic: Defense Evasion

Popular Detections