DET0283 Behavior-chain detection for T1134 Access Token Manipulation on Windows

Item	Value
ID	DET0283
Version	1.0
Created	21 October 2025
Last Modified	21 October 2025

Technique Detected: T1134 (Access Token Manipulation)

Analytics

Windows

AN0786

Detection of suspicious token manipulation chains: use of token-related APIs (e.g., LogonUser, DuplicateTokenEx) or commands (runas) → spawning of a new process under a different security context (e.g., SYSTEM) → mismatched parent-child process lineage or anomalies in Event Tracing for Windows (ETW) token/PPID data → abnormal lateral or privilege escalation activity.

Log Sources

Data Component	Name	Channel
Logon Session Metadata (DC0088)	WinEventLog:Security	EventCode=4672, 4634
Process Creation (DC0032)	WinEventLog:Sysmon	EventCode=1
Process Access (DC0035)	WinEventLog:Sysmon	EventCode=10
OS API Execution (DC0021)	ETW:Token	token_analysis: API calls such as DuplicateTokenEx or ImpersonateLoggedOnUser
Active Directory Object Modification (DC0066)	WinEventLog:Security	EventCode=5136

Mutable Elements

Field	Description
TimeWindow	Correlation time between suspicious API usage, runas, and process creation (e.g., 5–10m).
AllowedServiceAccounts	Whitelist of service accounts permitted to spawn SYSTEM-level processes.
KnownAdminTools	Legitimate administrative utilities that trigger token changes.
ParentProcessAnomalyThreshold	Deviation threshold for PPID mismatches detected via ETW.