What is access token manipulation (T1134)?

MITRE ATT&CK® Access Token Manipulation (T1134) describes techniques where adversaries manipulate Windows access tokens to operate under a different user identity, escalate privileges, or evade detection. Access tokens are security objects that define the privilege set and group memberships of a running process or thread. By stealing or forging them, an attacker can impersonate any logged-in user, including SYSTEM, without knowing their password.

T1134 is a privilege escalation technique closely related to the token manipulation patterns frequently observed in post-exploitation frameworks such as Metasploit, Cobalt Strike, and custom malware. It is distinct from credential-based attacks: no password is required, only access to a process whose token can be duplicated or impersonated.

T1134 in the ATT&CK chain: T1134 is classified under TA0004 — Privilege Escalation. It typically occurs after an attacker has initial access and a foothold on a Windows host. Successful token manipulation enables SYSTEM-level access, which then enables lateral movement (TA0008), credential dumping, and persistent access through malicious service creation (T1543).

T1134 sub-techniques

T1134 encompasses five sub-techniques, each targeting a different aspect of the Windows token model. Log360 detection coverage spans the highest-impact sub-techniques through Windows Security Event Logs and Sysmon telemetry:

  • Token impersonation/theft (T1134.001)
    Description: Duplicates an existing token from another process (e.g., SYSTEM) and uses it to spawn a new process. Foundation of Potato attacks.
    Key prerequisite: SeImpersonatePrivilege or SeDebugPrivilege
    Log360 coverage: Event ID 4672, 4673, Sysmon Event ID 10 (ProcessAccess)
  • Create process with token (T1134.002)
    Description: Uses Windows APIs (CreateProcessWithTokenW, CreateProcessAsUserW) to spawn a process under a stolen token's identity.
    Key prerequisite: SeAssignPrimaryTokenPrivilege or elevated access
    Log360 coverage: Event ID 4688 (process creation under a different account than the parent), Sysmon Event ID 1
  • Make and impersonate token (T1134.003)
    Description: Creates a new token using the LogonUser API with known credentials, then impersonates it, without establishing a full network logon session.
    Key prerequisite: SeImpersonatePrivilege
    Log360 coverage: Event ID 4624 logon type 9 (NewCredentials); custom rule recommended for LogonUser API monitoring
  • Parent PID spoofing (T1134.004)
    Description: Creates a process specifying a false parent PID, making malicious processes appear as children of legitimate processes (e.g., spawning malware as a child of explorer.exe).
    Key prerequisite: OpenProcess access to the spoofed parent PID
    Log360 coverage: Sysmon Event ID 1 (parent-child PID mismatch detection)
  • SID-history injection (T1134.005)
    Description: Adds a privileged SID (e.g., Enterprise Admins) to an account's SID-history attribute in Active Directory, granting AD permissions without group membership.
    Key prerequisite: Domain Admin or equivalent AD write access
    Log360 coverage: Event ID 4765 (SID history added), 4766 (SID history add failed), AD Security Event Logs

How attackers use T1134

T1134 attacks are typically executed post-initial-access, after an attacker has established a foothold on a Windows host with at least low-privilege access. The attack progression follows a consistent pattern:

  1. Identify available tokens: The attacker uses tools like Incognito (Metasploit module), TokenPlayer, or Cobalt Strike's steal_token command to enumerate available tokens on the compromised host. Any logged-in user's token, including SYSTEM, NETWORK SERVICE, or domain accounts, is a potential target if the attacker holds SeImpersonatePrivilege.
  2. Steal or duplicate the target token: Using Windows API calls (OpenProcessToken, DuplicateToken, ImpersonateLoggedOnUser), the attacker duplicates the target token. No authentication occurs as the attacker inherits the security context of the token's original owner without credentials.
  3. Execute under the stolen identity: The attacker uses CreateProcessWithTokenW to spawn a new process, typically cmd.exe or PowerShell, running under the stolen SYSTEM or privileged user token. From this point, the attacker operates with full privileges of the impersonated account.
  4. Escalate and persist: With SYSTEM access, the attacker installs malicious services, disables security tools, dumps credentials from LSASS, and prepares for lateral movement using alternate authentication material (T1550). Remote services (T1021) are commonly abused using credentials obtained after achieving SYSTEM.

T1134 access token manipulation — real-world attack examples

  • Potato attacks (T1134.001): JuicyPotato, PrintSpoofer, RoguePotato, and GodPotato are a family of tools that exploit SeImpersonatePrivilege, granted by default to LOCAL SERVICE, IIS app pools, and SQL Server service accounts, to coerce SYSTEM token impersonation. Widely used to escalate from a compromised web server or database account to SYSTEM. Detectable via named pipe creation anomalies and the resulting SYSTEM process spawned from a non-SYSTEM parent.
  • Cobalt Strike token impersonation: Cobalt Strike's steal_token and make_token commands are among the most frequently observed T1134 implementations in red team operations and real-world incidents. steal_token duplicates an existing process token; make_token creates a new impersonation token with supplied credentials using LogonUser API.
  • SID-history injection in AD attacks (T1134.005): Attackers with Domain Admin access add the Enterprise Admins SID (S-1-5-21-[domain]-519) to a compromised low-privilege account's sIDHistory attribute. The account silently inherits all Enterprise Admin permissions, detectable via Event ID 4765 (SID History Added to an Account).
  • Parent PID spoofing for EDR evasion (T1134.004): Advanced malware and commercial RATs create child processes specifying explorer.exe or svchost.exe as the parent PID, causing security tools that rely on parent-child process relationships to misclassify the malicious process as legitimate. Sysmon Event ID 1 captures the actual creator PID and process ID, exposing the mismatch.

Detection indicators for T1134

T1134 detection requires telemetry from both standard Windows Security Event Logs and Sysmon. The API-level token operations that define T1134 are not surfaced by Windows audit logging alone. Sysmon's process access and remote thread events are essential for high-fidelity detection.

Privilege assignment indicators

  • SeImpersonatePrivilege or SeDebugPrivilege assigned to unexpected accounts (Event ID 4672): Every time a new logon session is created with these privileges, Event ID 4672 fires. Monitoring for these privileges on accounts that should not hold them, such as standard user accounts, web application service accounts, or SQL service accounts, flags potential T1134 preconditions.
  • Privileged service call anomalies (Event ID 4673): Unusual calls to privilege-requiring services, particularly from processes that don't normally make such calls, indicate active token manipulation. Event ID 4673 records the specific privilege invoked and the calling process.

Token theft and process creation indicators

  • Process creation under a different account than the parent (Event ID 4688): When a process runs under a different account than its parent, especially a SYSTEM-level process with a standard user parent, it indicates token substitution. Combined with the absence of a UAC elevation event (consent.exe), this is a high-confidence T1134.002 indicator.
  • NewCredentials logon (Event ID 4624, logon type 9): Logon type 9 indicates a process used LogonUser with a token rather than interactive or network credentials. Processes generating logon type 9 events from unusual parent processes (e.g., cmd.exe, powershell.exe) indicate Make and impersonate token (T1134.003).
  • ProcessAccess events targeting LSASS or high-privilege processes (Sysmon Event ID 10): Token theft via OpenProcessToken requires access to the target process. Sysmon Event ID 10 captures these OpenProcess calls with their requested access rights — PROCESS_QUERY_INFORMATION (0x0400) combined with PROCESS_DUP_HANDLE (0x0040) is the access mask pattern for token theft.
  • Parent PID mismatch (Sysmon Event ID 1): Sysmon records both the process's reported parent PID and the actual creating process. When these differ, that is, a process claims explorer.exe as its parent but was actually created by a different process, it indicates parent PID spoofing (T1134.004).

SID-history injection indicators (T1134.005)

  • SID history modified on a user account (Event ID 4765): This event fires whenever the sIDHistory attribute is written on an AD user account. Any modification to SID history outside of a documented migration scenario is an immediate high-severity indicator. Event ID 4766 captures failed SID history addition attempts.

Log360 detection rules for T1134

ManageEngine Log360 covers T1134 Access Token Manipulation through prebuilt behavioral rules spanning token impersonation tools, suspicious parent process chains, and process injection patterns. The following rules are mapped to T1134 in the Log360 threat detection engine:

  • HackTool - Impersonate Execution
    Platform: Windows, Sysmon
    Severity: Trouble
    What it detects: Detects execution of the Impersonate tool, which manipulates Windows tokens remotely via PsExec/WmiExec or interactively — direct token impersonation/theft (T1134.001) tooling
  • HackTool - SharpImpersonation Execution
    Platform: Windows, Sysmon
    Severity: Trouble
    What it detects: Detects SharpImpersonation, a C# tool for Windows token manipulation supporting both remote and interactive impersonation scenarios — primary T1134.001 indicator
  • Potential Meterpreter/CobaltStrike Activity
    Platform: Windows, Sysmon
    Severity: Trouble
    What it detects: Detects the getsystem Meterpreter/Cobalt Strike command by identifying a specific service it starts — the getsystem command uses token impersonation to escalate to SYSTEM (T1134.001)
  • PUA - AdvancedRun Suspicious Execution
    Platform: Windows, Sysmon
    Severity: Trouble
    What it detects: Detects AdvancedRun executing in the context of TrustedInstaller, SYSTEM, Local Service, or Network Service accounts — indicates abuse of elevated token access to run processes under privileged identities (T1134.002)
  • HackTool - Koh Default Named Pipe
    Platform: Sysmon
    Severity: Trouble
    What it detects: Detects default named pipes created by Koh, a token capture tool that steals tokens from processes connecting to attacker-controlled named pipes — a Potato-style T1134.001 technique
  • Suspicious parent spawning Consent
    Platform: Windows, Sysmon
    Severity: Critical
    What it detects: Detects consent.exe running with any parent other than svchost.exe — indicates token manipulation or process injection spoofing the UAC consent mechanism (T1134.004)
  • Suspicious parent spawning lsass
    Platform: Windows, Sysmon
    Severity: Critical
    What it detects: Detects lsass.exe spawned by any process other than wininit.exe — a high-confidence indicator of process injection or LSASS token theft preceding credential dumping (T1134.001/T1134.002)
  • Suspicious parent spawning winlogon
    Platform: Windows, Sysmon
    Severity: Critical
    What it detects: Detects winlogon.exe running with any parent other than smss.exe — indicates token-manipulated process injection abusing the Windows logon subsystem (T1134.004)
  • Suspicious parent spawning svchost
    Platform: Windows, Sysmon
    Severity: Critical
    What it detects: Detects svchost.exe initiated by processes other than MsMpEng.exe or services.exe — frequently indicates process creation under a stolen SYSTEM token to masquerade as a legitimate service host (T1134.002)
  • Suspicious parent spawning LogonUI
    Platform: Windows, Sysmon
    Severity: Critical
    What it detects: Detects LogonUI.exe running with an unexpected parent process — indicates parent PID spoofing or process injection using a manipulated token to bypass security context checks (T1134.004)
  • Suspicious parent spawning taskhost
    Platform: Windows, Sysmon
    Severity: Critical
    What it detects: Detects taskhost.exe (Task Scheduler host) running without services.exe or svchost.exe as parent — indicates token manipulation enabling execution under a spoofed task host identity (T1134.002)
  • HackTool - SharpDPAPI Execution
    Platform: Windows, Sysmon
    Severity: Trouble
    What it detects: Detects execution of SharpDPAPI, a C# port of Mimikatz DPAPI functionality — used post-token-theft to decrypt DPAPI-protected secrets (credentials, certificates) accessible under the impersonated token (T1134.001)

Custom rule recommendation for Sysmon ProcessAccess (T1134.001): For environments with Sysmon deployed, a custom Log360 correlation rule targeting Sysmon Event ID 10 (ProcessAccess) where TargetImage contains lsass.exe or a SYSTEM-level process AND GrantedAccess includes 0x0040 (DUP_HANDLE) provides high-fidelity detection of the API-level token theft call, before the stolen token is even used. This complements the process-creation-based rules above.
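The custom rule above, written out as a small Python check over constructed Sysmon Event ID 10 records. This is an added example, not Log360's rule syntax; the KNOWN_GOOD_SOURCES allowlist and the sample events are assumptions to be tuned per environment.

```python
"""Added example, not Log360's own rule syntax: the Sysmon Event ID 10 token-theft
check described above, run over constructed ProcessAccess records."""

# Process access rights named on this page (Windows PROCESS_* constants).
PROCESS_DUP_HANDLE = 0x0040
PROCESS_QUERY_INFORMATION = 0x0400

# lsass.exe plus the SYSTEM-level services this page names as typical token sources.
HIGH_VALUE_TARGETS = {"lsass.exe", "winlogon.exe", "spoolsv.exe", "services.exe"}

# Constructed allowlist (assumption): security products that legitimately open these
# processes with broad access; tune to what is actually deployed.
KNOWN_GOOD_SOURCES = {r"c:\program files\windows defender\msmpeng.exe"}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def token_theft_finding(event):
    """Apply the rule to one Sysmon Event ID 10 record (GrantedAccess is logged as a
    hex string). Returns a finding dict, or None when the record does not match."""
    target = basename(event["TargetImage"])
    if target not in HIGH_VALUE_TARGETS:
        return None
    if event["SourceImage"].lower() in KNOWN_GOOD_SOURCES:
        return None
    mask = int(event["GrantedAccess"], 16)
    if not mask & PROCESS_DUP_HANDLE:
        return None
    return {
        "source": event["SourceImage"],
        "target": target,
        "granted_access": hex(mask),
        # QUERY_INFORMATION + DUP_HANDLE is the mask pattern the page gives for token theft
        "full_theft_pattern": bool(mask & PROCESS_QUERY_INFORMATION),
    }

def detect(events):
    """Run the rule over a batch of records; returns the findings in input order."""
    return [f for f in map(token_theft_finding, events) if f]

# Constructed Sysmon Event ID 10 samples (not real telemetry).
SAMPLE_EVENTS = [
    # unknown binary under a non-standard path requesting QUERY_INFORMATION|DUP_HANDLE on lsass
    {"SourceImage": r"C:\inetpub\wwwroot\uploads\tool.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x440"},
    # same binary, DUP_HANDLE only, against a SYSTEM-level service
    {"SourceImage": r"C:\inetpub\wwwroot\uploads\tool.exe",
     "TargetImage": r"C:\Windows\System32\winlogon.exe", "GrantedAccess": "0x40"},
    # AV engine with full access: allowlisted
    {"SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    # QUERY_LIMITED_INFORMATION (0x1000) only: routine enumeration, no DUP_HANDLE
    {"SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    # DUP_HANDLE against a non-target image: out of scope for this rule
    {"SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x40"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```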

Investigation steps

When Log360 fires a T1134-related alert, follow this investigation sequence to confirm the token manipulation, identify the impersonated identity, and determine the full impact:

  1. Identify the token source: Determine which account's token was manipulated. In the Log360 alert, note the target process (whose token was stolen) and the actor process (which performed the duplication). For Potato attacks, the target is typically winlogon.exe, spoolsv.exe, or another SYSTEM-level service.
  2. Trace all processes launched under the stolen token: Search Log360 for Event ID 4688 events following the alert timestamp where the process user context matches the impersonated identity (e.g., SYSTEM) but the parent process is unexpected. This maps the full attack execution chain under the stolen token.
  3. Check for privilege escalation artifacts: Review Event ID 7045 (new service), 4698 (scheduled task), and 4720 (new account created) in the 10-minute post-alert window. These indicate persistence mechanisms installed using the elevated token access.
  4. Review LSASS access events: With SYSTEM access, credential dumping via LSASS is the immediate next step in most T1134 attack chains. Search Sysmon Event ID 10 for TargetImage: lsass.exe from the actor process or its children. Any LSASS access attempt confirms credential theft risk — rotate all credentials for accounts that had active sessions on the host.
  5. Check for SID-history changes (T1134.005): Search Active Directory audit logs for Event ID 4765. If SID-history was modified, identify the account affected, the SID added, and whether that SID corresponds to a highly privileged group (Domain Admins, Enterprise Admins). All AD actions performed by the affected account since the modification must be reviewed.
  6. Assess lateral movement: Token manipulation with SYSTEM access enables pass-the-hash (T1550) and remote service abuse (T1021). Check for logon events (4624) from the affected host to other systems in the environment during the post-alert window. Log360 UEBA will surface anomalous lateral logon patterns automatically.
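Investigation step 2 as an added Python example (not Log360's search syntax): it walks constructed Event ID 4688 records, seeds on processes running as the impersonated SID while created by a different account, and follows the creator ProcessId to NewProcessId link through the 10-minute window used in step 3. The SIDs, PIDs and paths are constructed sample data.

```python
"""Added example, not Log360's own search syntax: trace processes launched under a
stolen identity from Event ID 4688 records, following the process chain for the
10-minute post-alert window."""
from datetime import datetime, timedelta

SYSTEM_SID = "S-1-5-18"

def ev(t, subj_sid, subj, creator_pid, new_pid, image, target_sid="S-1-0-0", target="-"):
    """Build a minimal 4688 record (constructed sample data). On Windows 10 / Server
    2016 and later the Target Subject fields are populated only when the new process
    runs under a different account than its creator; otherwise they read "-" / S-1-0-0."""
    return {"TimeCreated": t, "SubjectUserSid": subj_sid, "SubjectUserName": subj,
            "ProcessId": creator_pid, "NewProcessId": new_pid, "NewProcessName": image,
            "TargetUserSid": target_sid, "TargetUserName": target}

WEBSVC_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # constructed
SAMPLE_4688 = [
    # cmd.exe created by the web app process but running as SYSTEM: token substitution
    ev("2024-05-01T10:00:05", WEBSVC_SID, "websvc", "0x1a4c", "0x2b10",
       r"C:\Windows\System32\cmd.exe", SYSTEM_SID, "SYSTEM"),
    # children of that cmd.exe run as SYSTEM natively, so the Target fields are empty
    ev("2024-05-01T10:00:07", SYSTEM_SID, "SYSTEM", "0x2b10", "0x2c00",
       r"C:\Windows\System32\sc.exe"),
    ev("2024-05-01T10:00:09", SYSTEM_SID, "SYSTEM", "0x2b10", "0x2d44",
       r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    # unrelated SYSTEM activity created by services.exe: not part of the chain
    ev("2024-05-01T10:00:20", SYSTEM_SID, "SYSTEM", "0x0300", "0x2e00",
       r"C:\Windows\System32\svchost.exe"),
    # same substitution pattern, but outside the investigation window
    ev("2024-05-01T10:15:00", WEBSVC_SID, "websvc", "0x1a4c", "0x3000",
       r"C:\Windows\System32\cmd.exe", SYSTEM_SID, "SYSTEM"),
]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def trace_stolen_token_chain(events, alert_time, impersonated_sid, window_minutes=10):
    """Return, in time order, the 4688 records that (a) run as impersonated_sid while
    created by a different account, or (b) descend from such a process via the creator
    ProcessId -> NewProcessId link, within window_minutes after alert_time."""
    start = datetime.fromisoformat(alert_time)
    end = start + timedelta(minutes=window_minutes)
    in_window = sorted((e for e in events
                        if start <= datetime.fromisoformat(e["TimeCreated"]) <= end),
                       key=lambda e: e["TimeCreated"])
    tracked_pids, chain = set(), []
    for e in in_window:
        substituted = (e["TargetUserSid"] == impersonated_sid
                       and e["SubjectUserSid"] != impersonated_sid)
        if substituted or e["ProcessId"] in tracked_pids:
            tracked_pids.add(e["NewProcessId"])  # PIDs get reused; the window bounds that risk
            chain.append(e)
    return chain

if __name__ == "__main__":
    for e in trace_stolen_token_chain(SAMPLE_4688, "2024-05-01T10:00:00", SYSTEM_SID):
        print(e["TimeCreated"], e["SubjectUserName"], "->", basename(e["NewProcessName"]))
```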

Response playbook

  • Isolate the affected host immediately: T1134 token manipulation that achieves SYSTEM access enables credential harvesting and lateral movement within seconds. Remove the host from the network before investigating to limit blast radius.
  • Terminate impersonating processes: Identify and kill all processes running under the stolen token identity. Use the Log360 process chain view to map the full process tree spawned under the impersonated context.
  • Remove persistence mechanisms: Check for services (Event ID 7045), scheduled tasks (Event ID 4698), startup entries, and registry run keys created during the token manipulation session. Remove all unauthorized entries and verify the service binary paths.
  • Rotate all credentials exposed on the host: With SYSTEM access, LSASS credential extraction is trivial. Treat all credentials cached on the affected host as compromised: local admin (LAPS rotation), service accounts, and domain accounts that logged on interactively. Prioritize accounts with domain-wide permissions.
  • For SID-history injection (T1134.005): Immediately remove the unauthorized SID-history entry from the affected AD account. Review all actions performed by that account while the malicious SID-history was present — particularly privilege use, group membership changes, and data access. Run Get-ADUser -Filter * -Properties SIDHistory across all accounts to identify any other affected accounts.
  • Harden SeImpersonatePrivilege assignments: Audit which accounts hold SeImpersonatePrivilege on the affected host. Remove it from any accounts that don't require it — particularly web application accounts and database service accounts. Consider using Windows Local Administrator Password Solution (LAPS) and Microsoft's Privileged Access Workstations (PAW) guidance to restrict privilege scope.
  • Threat hunt across the environment: T1134 is often part of a broader attack chain. Run a threat hunt using Log360 for the same token manipulation indicators across all hosts in the affected network segment. Use the MITRE ATT&CK framework to check for adjacent techniques: Valid accounts (T1078), Abuse elevation control (T1548), and credential dumping (T1003) are frequently co-occurring techniques.

ManageEngine Log360 for T1134 detection

ManageEngine Log360 detects T1134 Access Token Manipulation through behavioral correlation rules across Windows Security Event Logs, Sysmon telemetry, and Active Directory audit events. The correlation of privilege assignment events (Event ID 4672), token-based process creation anomalies (Event ID 4688), and SID-history modifications (Event ID 4765) into a single investigation view enables SOC analysts to confirm T1134 and assess its full scope in minutes. The integrated UEBA module provides a behavioral baseline that flags anomalous account behavior following token manipulation even when individual events fall below rule thresholds.


Frequently asked questions

What is T1134 access token manipulation?

T1134 is a MITRE ATT&CK technique where adversaries steal, duplicate, or forge Windows access tokens, the security objects that define a process's privileges, to impersonate other users, escalate to SYSTEM, or hide malicious activity. No password is required: attackers operate under the impersonated identity by duplicating an existing token from a running process. See the complete Privilege escalation guide (TA0004) for how T1134 fits into the broader privilege escalation tactic.

What is SeImpersonatePrivilege and why is it dangerous?

SeImpersonatePrivilege is a Windows privilege that allows a process to impersonate the security context of clients that connect to it. It is granted by default to LOCAL SERVICE, NETWORK SERVICE, IIS application pool identities, and SQL Server service accounts. Attackers who compromise any of these accounts can exploit this privilege using Potato attack tools (JuicyPotato, PrintSpoofer, GodPotato) to coerce SYSTEM into connecting to an attacker-controlled pipe and steal its token. This allows escalating to SYSTEM without any vulnerability. ManageEngine Log360 detection rules monitor for the privilege assignment and the resulting SYSTEM token abuse pattern that defines T1134.001 exploitation.

How does Log360 detect SID-history injection (T1134.005)?

Log360 monitors Active Directory audit logs for Event ID 4765 (A SID was added to another account's SID history) and Event ID 4766 (An attempt to add a SID to another account's SID history failed). Any modification to the sIDHistory attribute outside of a documented domain migration triggers a Critical alert. Log360 correlates this with subsequent privileged activity by the modified account, exposing the full impact of the T1134.005 injection.

Is T1134 harder to detect than other privilege escalation techniques?

Yes. T1134 operates entirely in memory using legitimate Windows API calls, making it harder to detect than disk-based techniques like service installation. Effective detection requires Sysmon telemetry (ProcessAccess Event ID 10, CreateRemoteThread Event ID 8) in addition to standard Windows Security logs. Signature-based detection fails against novel token manipulation tools. By correlating privilege assignments, process creation anomalies, and token-based logon patterns, ManageEngine Log360 detects T1134 regardless of the tool used.

What compensating controls reduce T1134 risk?

Key controls to reduce T1134 risk include: removing SeImpersonatePrivilege from accounts that don't require it (eliminate low-hanging Potato attack vectors), enabling Windows Credential Guard (prevents token theft from LSASS), implementing Windows Defender Application Control (WDAC) to restrict which processes can call token manipulation APIs, and deploying Protected Users security group for highly privileged accounts (prevents token theft against those accounts). These controls complement T1134 detection and reduce the attack surface for valid account abuse (T1078) that often follows token manipulation.
