Skip to content

DET0482 Behavior-chain detection for T1134.001 Access Token Manipulation: Token Impersonation/Theft on Windows

Item Value
ID DET0482
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1134.001 (Token Impersonation/Theft)

Analytics

Windows

AN1324

Detection of token duplication and impersonation attempts by correlating suspicious command-line executions (e.g., runas) with API calls to DuplicateToken, DuplicateTokenEx, ImpersonateLoggedOnUser, or SetThreadToken. The chain includes the initial command execution or in-memory API invocation → token handle duplication or thread token assignment → a new or existing process assuming the impersonated user’s context.

Log Sources
Data Component Name Channel
Process Creation (DC0032) WinEventLog:Security EventCode=4688
Process Access (DC0035) WinEventLog:Sysmon EventCode=10
OS API Execution (DC0021) ETW:Token api_call: DuplicateTokenEx, ImpersonateLoggedOnUser, SetThreadToken
Mutable Elements
Field Description
AllowedSystemProcesses Whitelist of known processes that legitimately duplicate tokens (e.g., services.exe).
TimeWindow Time interval between API call and subsequent impersonated process (e.g., 5m).
UserContextFilter Filter for service accounts or known administrative accounts that perform legitimate impersonation.
ParentProcessAnomalyThreshold Threshold for parent-child process lineage anomalies indicating token theft.