Access Token Manipulation T1134
Tactics: Defense Evasion, Privilege Escalation
Adversaries may modify access tokens to operate under a different user or system security context, both to perform actions and to bypass access controls. Windows attaches an access token to every process and thread; the token carries the account identity, group memberships, privileges and integrity level that the kernel consults on each access check. A user who holds the right privileges (SeDebugPrivilege or SeImpersonatePrivilege, for example) can duplicate another process's token and create a process with it, impersonate a client that connects to a named pipe, build a token with alternate credentials (runas /netonly, NewCredentials logons), or spoof the parent PID so that a process appears to be the child of a different process. When this occurs, the process takes on the security context associated with the new token, and log lines that key on the process's own account or on its claimed parent no longer tell the true story.
Events covered
22 catalog events are tagged with this technique by at least one rule.
Authoring guide
Patterns shared across the 73 rules tagged with this technique: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.
Fields filtered most (101 distinct)
The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.
Top indicator values (852 distinct)
Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.
Exclusions (222 distinct)
Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.
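The technique description above and the authoring guidance on combining indicators with a second condition and an exclusion list are easier to see in running code. The following is an added example, not a rule from the catalog or from any vendor: a small Python detector that applies three access-token-manipulation patterns to constructed Windows event records. The normalized field names (process.name, user.name, parent.process.name, parent.user.name, target.process.name, granted_access, parent.pid, parent.real_pid) are assumptions in the catalog's style, the trusted-parent list is an assumed baseline rather than a catalog exclusion, and the sample events are constructed, not captured logs.

```python
"""Added example (not catalog or vendor code): three access-token-manipulation
detectors run over constructed Windows event records.

Pattern 1, Security 4688 shape: a SYSTEM process whose creating parent runs as
an ordinary user, which is what a duplicated SYSTEM token (getsystem, named-pipe
impersonation) produces.  A parent allowlist shows the exclusion idea.
Pattern 2, Sysmon 10 shape: a process opens winlogon.exe or lsass.exe with the
PROCESS_DUP_HANDLE access bit, the prerequisite for duplicating its token.
Pattern 3, sensor-enriched process start: the claimed parent PID differs from
the PID that actually called CreateProcess (parent PID spoofing).
All field names are assumptions in the catalog's normalized style.
"""
from __future__ import annotations

from typing import Iterable

# Accounts whose token an attacker wants; compared case-insensitively.
SYSTEM_ACCOUNTS = {"system", "local service", "network service"}
# Assumed baseline of parents that legitimately launch SYSTEM processes.
# This is the exclusion list an author tunes; it is not a catalog value.
TRUSTED_SYSTEM_PARENTS = {"services.exe", "wininit.exe", "smss.exe", "csrss.exe"}
# Processes whose primary token is the usual theft target.
TOKEN_SOURCE_IMAGES = {"winlogon.exe", "lsass.exe"}
PROCESS_DUP_HANDLE = 0x0040  # access right needed to duplicate a handle


def _lower(event: dict, key: str) -> str:
    """Fetch a field as a lower-cased string ('' when absent)."""
    return str(event.get(key, "")).lower()


def system_child_of_user_parent(event: dict) -> bool:
    """Indicator (child runs as SYSTEM) + second condition (parent runs as a
    normal user) + exclusion (parent is not a trusted service host)."""
    if event.get("event_id") != 4688:
        return False
    return (
        _lower(event, "user.name") in SYSTEM_ACCOUNTS
        and _lower(event, "parent.user.name") not in SYSTEM_ACCOUNTS
        and _lower(event, "parent.process.name") not in TRUSTED_SYSTEM_PARENTS
    )


def winlogon_handle_duplication(event: dict) -> bool:
    """Sysmon 10 style: GrantedAccess arrives as a hex string; test the
    PROCESS_DUP_HANDLE bit rather than matching one literal mask."""
    if event.get("event_id") != 10:
        return False
    granted = int(str(event.get("granted_access", "0x0")), 16)
    return (
        _lower(event, "target.process.name") in TOKEN_SOURCE_IMAGES
        and bool(granted & PROCESS_DUP_HANDLE)
    )


def parent_pid_spoofed(event: dict) -> bool:
    """'parent.real_pid' is an assumed sensor-supplied field (the creator's
    actual PID); plain Security or Sysmon logs do not carry it."""
    if event.get("event_id") != 1:
        return False
    real = event.get("parent.real_pid")
    return real is not None and real != event.get("parent.pid")


DETECTORS = {
    "system_child_of_user_parent": system_child_of_user_parent,
    "winlogon_handle_duplication": winlogon_handle_duplication,
    "parent_pid_spoofed": parent_pid_spoofed,
}


def run_detectors(events: Iterable[dict]) -> list[tuple[str, str]]:
    """Return (detector name, process name) for every event that fires."""
    hits: list[tuple[str, str]] = []
    for ev in events:
        for name, fn in DETECTORS.items():
            if fn(ev):
                hits.append((name, _lower(ev, "process.name")))
    return hits


# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    # benign: services.exe starts a SYSTEM service host
    {"event_id": 4688, "process.name": "svchost.exe", "user.name": "SYSTEM",
     "parent.process.name": "services.exe", "parent.user.name": "SYSTEM"},
    # suspicious: a user's cmd.exe parents a SYSTEM-level powershell
    {"event_id": 4688, "process.name": "powershell.exe", "user.name": "SYSTEM",
     "parent.process.name": "cmd.exe", "parent.user.name": "alice"},
    # benign: read-only open of lsass (0x1010 has no DUP_HANDLE bit)
    {"event_id": 10, "process.name": "MsMpEng.exe",
     "target.process.name": "lsass.exe", "granted_access": "0x1010"},
    # suspicious: unknown binary opens winlogon with 0x1040 (DUP_HANDLE set)
    {"event_id": 10, "process.name": "update.exe",
     "target.process.name": "winlogon.exe", "granted_access": "0x1040"},
    # suspicious: claims explorer.exe (pid 4100) as parent, real creator 7320
    {"event_id": 1, "process.name": "notepad.exe",
     "parent.pid": 4100, "parent.real_pid": 7320},
]

if __name__ == "__main__":
    for name, proc in run_detectors(SAMPLE_EVENTS):
        print(f"{name}: {proc}")
```

The bit test in winlogon_handle_duplication is deliberate: a rule that matches only the literal 0x1040 misses 0x1440 or 0x40 on its own, while a rule that matches any access to winlogon.exe fires on every security product that reads its memory. Testing the single right the attacker needs, and pairing it with a target-image condition, is the "combine with another condition" advice from the authoring guide in practice.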
Rules under this technique
Every rule in the catalog tagged with this technique, grouped by vendor. Each rule title links to its full predicates, exclusions, and indicators.
Sigma 20 rules
- Addition of SID History to Active Directory Object
- Anonymous login (RottenPotatoNG)
- HackTool - Impersonate Execution
- HackTool - Koh Default Named Pipe
- HackTool - NoFilter Execution
- HackTool - PPID Spoofing SelectMyParent Tool Execution
- HackTool - SharpDPAPI Execution
- HackTool - SharpImpersonation Execution
- Meterpreter or Cobalt Strike Getsystem Service Installation - Security
- Meterpreter or Cobalt Strike Getsystem Service Installation - System
- New rights granted to an account for privilege escalation
- Potential Access Token Abuse
- Potential Meterpreter/CobaltStrike Activity
- Privilege escalation via runas (command)
- Privilege escalation via RunasCS
- PUA - AdvancedRun Execution
- PUA - AdvancedRun Suspicious Execution
- RedSun - Conhost.exe Spawned by TieringEngineService.exe
- Suspicious Child Process Created as System
- Suspicious SYSTEM User Process Creation
Elastic 20 rules
- Credential Manipulation - Detected - Elastic Endgame
- Credential Manipulation - Prevented - Elastic Endgame
- First Time Seen NewCredentials Logon Process
- Interactive Logon by an Unusual Process
- Kubernetes API Request Impersonating Privileged Identity
- Parent Process PID Spoofing
- Permission Theft - Detected - Elastic Endgame
- Permission Theft - Prevented - Elastic Endgame
- Potential PowerShell HackTool Script by Function Names
- PowerShell Script with Token Impersonation Capabilities
- Privilege Escalation via Named Pipe Impersonation
- Privilege Escalation via Rogue Named Pipe Impersonation
- Privileges Elevation via Parent Process PID Spoofing
- Process Created with a Duplicated Token
- Process Created with an Elevated Token
- Process Creation via Secondary Logon
- SeDebugPrivilege Enabled by a Suspicious Process
- Spike in Special Privilege Use Events
- Suspicious SeIncreaseBasePriorityPrivilege Use
- Unusual Parent-Child Relationship
Splunk 14 rules
- Runas Execution in CommandLine
- Windows Access Token Manipulation SeDebugPrivilege
- Windows Access Token Manipulation Winlogon Duplicate Token Handle
- Windows Access Token Winlogon Duplicate Handle In Uncommon Path
- Windows AD Cross Domain SID History Addition
- Windows AD Privileged Account SID History Addition
- Windows AD Same Domain SID History Addition
- Windows AD SID History Attribute Modified
- Windows Handle Duplication in Known UAC-Bypass Binaries
- Windows Parent PID Spoofing with Explorer
- Windows Privilege Escalation Suspicious Process Elevation
- Windows Privilege Escalation System Process Without System Parent
- Windows Privilege Escalation User Process Spawn System Process
- Wscript Or Cscript Suspicious Child Process
Kusto 14 rules
- Access Token Manipulation - Create Process with Token
- AWS Security Hub - Detect IAM root user Access Key existence
- BTP - Cloud Identity Service application configuration monitor
- BTP - Trust and authorization Identity Provider monitor
- High-Risk Cross-Cloud User Impersonation
- Pathlock TDnR - Dynamic Access Control Events
- Ping Federate - Abnormal password resets for user
- Possible Resource-Based Constrained Delegation Abuse
- Powershell Empire Cmdlets Executed in Command Line
- PRT Credential Stealing
- Semperis DSP Well-known privileged SIDs in sIDHistory
- Service Principal Name (SPN) Assigned to User Account
- User impersonation by Identity Protection alerts
- User Session Impersonation(Okta)