title: Token Impersonation/Theft (T1134.001)
id: df00tech-t1134-001
status: experimental
description: "Adversaries may duplicate then impersonate another user's existing token to escalate privileges and bypass access controls. DuplicateToken or DuplicateTokenEx are used to clone an existing process token, which is then applied to the current thread via ImpersonateLoggedOnUser or SetThreadToken, or used to create a new process via CreateProcessWithTokenW. This allows an adversary to operate under a different security context — typically a higher-privileged user — without needing that user's credentials. Token theft is commonly performed against LSASS, winlogon, explorer.exe, or other processes running as privileged users, and is a core capability of post-exploitation frameworks including Cobalt Strike (steal_token), Metasploit (incognito), Havoc, SILENTTRINITY, and Pupy. Real-world actors including APT28, Emotet, REvil, Tarrask, and FinFisher have all leveraged this technique."
references:
  - https://attack.mitre.org/techniques/T1134/001/
  - https://df00tech.com/detections/T1134.001
author: df00tech
date: 2026/04/18
tags:
  - attack.t1134.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # NOTE: the selection below is a placeholder. `EventID: '*'` matches every
  # process_creation event, so this rule will fire on all process starts
  # until the selection is replaced with real detection logic.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Security and EDR products (Microsoft Defender, CrowdStrike, Carbon Black) legitimately open LSASS with high access rights for memory scanning and credential protection — these should be baselined and excluded by InitiatingProcessFileName"
  - "Password managers (1Password, LastPass desktop agents) and credential vaults may access privileged process memory"
  - "Debugging tools (WinDbg, Visual Studio debugger, x64dbg) open process handles with full access rights during legitimate development and security research"
  - "Vulnerability scanners and system inventory tools (Qualys, Tenable, SCCM Hardware Inventory) may enumerate process tokens for asset cataloging"
  - "Legitimate privileged automation scripts run by IT teams using SeImpersonatePrivilege for network share access or service account operations"
level: high
