title: Make and Impersonate Token (T1134.003)
id: df00tech-t1134-003
status: experimental
description: "Adversaries may make new tokens and impersonate users to escalate privileges and bypass access controls. If an adversary has a username and password but the user is not logged onto the system, the adversary can create a logon session for the user using the LogonUser function. The function returns a copy of the new session's access token, which the adversary can use with SetThreadToken to assign to a thread. This is distinct from Token Impersonation/Theft (T1134.001) because it creates a new user token rather than stealing or duplicating an existing one. Real-world threat actors including Cobalt Strike operators (make_token), FIN13 (Incognito V2), BlackByte, SILENTTRINITY, and the Mafalda implant use this technique to escalate privileges or move laterally using known credentials without spawning a new interactive session visible to the target user."
references:
  - https://attack.mitre.org/techniques/T1134/003/
  - https://df00tech.com/detections/T1134.003
author: df00tech
date: 2026/04/20
tags:
  - attack.t1134.003
# NOTE: logsource is auto-derived and may need adjustment for your environment.
# The LogonType 9 (NewCredentials) events referenced under falsepositives are Windows Security log
# logon events (EventID 4624), not process_creation telemetry, so the logsource below will likely
# need to be changed before this rule can match the intended activity.
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The wildcard selection below matches every event in the logsource and is a placeholder only;
  # it must be replaced with the translated query before deployment.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - runas /netonly used by IT administrators to run administrative tools under alternate domain credentials; this generates LogonType 9 events with ProcessName=runas.exe
  - Password managers and enterprise SSO solutions that call LogonUser internally to validate credentials against Active Directory
  - SCCM/ConfigMgr, Intune, or BigFix deployment agents that impersonate service account credentials when installing software
  - Virtualization and remote desktop session brokers (Citrix Virtual Apps, VMware Horizon) that create logon sessions for session routing using stored credentials
  - Custom line-of-business applications with embedded credential logic using SSPI/LogonUser for application-layer AD authentication
level: high
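The falsepositives section above describes the signal this rule is meant to catch: LogonType 9 (NewCredentials) logon events, which is what runas /netonly and LogonUser-based token creation produce, with a short list of benign producers. The following is an added triage example, not part of the df00tech rule or its KQL/SPL query. It assumes Windows Security 4624 events have been exported as JSON lines with the field names shown (EventID, LogonType, SubjectUserName, TargetUserName, ProcessName, Computer); the sample events and the allowlist of benign process names (runas.exe, the SCCM agent ccmexec.exe) are constructed for the example and should be tuned per environment.

```python
import json
import ntpath

# Process image basenames the rule's falsepositives section attributes to benign
# LogonType 9 use (runas /netonly, SCCM agent). Constructed allowlist for this
# example; extend it with the SSO, session-broker and LOB binaries seen locally.
BENIGN_NEWCRED_PROCESSES = {"runas.exe", "ccmexec.exe"}

# Path fragments that indicate a user-writable location. A binary running from
# one of these and creating network-only logon sessions is the strongest signal
# in this heuristic (assumption: not part of the original rule).
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

# Constructed sample export (JSON lines). The field names mirror the Security
# log's 4624 event data but are an assumption about the export format.
SAMPLE_JSONL = r"""
{"EventID": 4624, "LogonType": 9, "SubjectUserName": "jsmith", "TargetUserName": "adm-jsmith", "ProcessName": "C:\\Windows\\System32\\runas.exe", "Computer": "WS01"}
{"EventID": 4624, "LogonType": 9, "SubjectUserName": "svc-sccm", "TargetUserName": "svc-sccm", "ProcessName": "C:\\Windows\\CCM\\CcmExec.exe", "Computer": "WS02"}
{"EventID": 4624, "LogonType": 9, "SubjectUserName": "jsmith", "TargetUserName": "svc-backup", "ProcessName": "C:\\Users\\jsmith\\AppData\\Local\\Temp\\update.exe", "Computer": "WS01"}
{"EventID": 4624, "LogonType": 2, "SubjectUserName": "-", "TargetUserName": "jsmith", "ProcessName": "C:\\Windows\\System32\\winlogon.exe", "Computer": "WS01"}
{"EventID": 4624, "LogonType": 9, "SubjectUserName": "jsmith", "TargetUserName": "adm-jsmith", "ProcessName": "C:\\Windows\\System32\\rundll32.exe", "Computer": "WS01"}
"""


def parse_events(text):
    """Parse a JSON-lines export into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def severity_for(process_path):
    """Rank a finding: 'high' if the creating process lives in a user-writable path."""
    lowered = process_path.lower()
    if any(marker in lowered for marker in USER_WRITABLE_MARKERS):
        return "high"
    return "medium"


def triage(events):
    """Return LogonType 9 logons whose creating process is not on the benign list.

    Each finding records who created the session (subject), which account the
    new token represents (target), the creating process and a severity.
    """
    findings = []
    for event in events:
        if event.get("EventID") != 4624 or event.get("LogonType") != 9:
            continue
        process = event.get("ProcessName", "")
        if ntpath.basename(process).lower() in BENIGN_NEWCRED_PROCESSES:
            continue
        findings.append({
            "computer": event.get("Computer"),
            "subject": event.get("SubjectUserName"),
            "target": event.get("TargetUserName"),
            "process": process,
            "severity": severity_for(process),
        })
    return findings


if __name__ == "__main__":
    for finding in triage(parse_events(SAMPLE_JSONL)):
        print(f"[{finding['severity']}] {finding['computer']}: "
              f"{finding['subject']} -> {finding['target']} via {finding['process']}")
```

Run against the constructed sample, the runas.exe and CcmExec.exe sessions are suppressed as documented false positives, the interactive (LogonType 2) logon is ignored, and the two remaining NewCredentials sessions are reported, with the one created from a Temp directory ranked higher than the one created by a System32 binary. The allowlist matches on image basename only, so pair it with the full path (or a signature check) before treating it as authoritative.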
