title: Access Token Manipulation (T1134)
id: df00tech-t1134
status: experimental
description: "Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token. An adversary can use built-in Windows API functions to copy access tokens from existing processes (token stealing) and either apply them to an existing process or spawn a new one. An adversary must already be in a privileged user context to steal a token, but commonly uses token stealing to escalate from administrator to SYSTEM. Any standard user can use the runas command and Windows API functions to create impersonation tokens without administrator access."
references:
  - https://attack.mitre.org/techniques/T1134/
  - https://df00tech.com/detections/T1134
author: df00tech
date: 2026/04/18
tags:
  - attack.t1134
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The wildcard selection below matches every process_creation event, so as written
  # this rule fires on all process creations and must not be deployed at level high
  # until the placeholder is replaced with the real selection criteria.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate penetration testing tools or red team exercises using Invoke-TokenManipulation or JuicyPotato on authorized engagements
  - System administrators using runas or token manipulation for legitimate privileged tasks with corresponding change tickets
  - "Security software (EDR agents, vulnerability scanners, PAM solutions) that legitimately hold SeDebugPrivilege for process inspection"
  - "Windows services running as NETWORK SERVICE or LOCAL SERVICE that receive SeImpersonatePrivilege by design (IIS application pools, SQL Server, etc.)"
  - Domain controllers where SeDebugPrivilege is legitimately assigned to elevated administrator accounts
level: high
