Why T1134 Matters

Windows access token manipulation is one of the most common post-exploitation techniques used by ransomware affiliates, APT operators, and red teams alike. MITRE catalogues it as T1134 with five sub-techniques. The core idea: Windows runs every process under a security token that defines its identity and privileges. An attacker who can duplicate or steal a higher-privileged token can spawn new processes that run as SYSTEM, as another user, or as a service account — without ever knowing a password.

Token impersonation appears throughout the kill chains of Black Basta, Scattered Spider, LockBit affiliates, and APT groups including Lazarus and APT41. It’s often what bridges an initial foothold in a low-privileged context to full domain compromise, particularly in the gap between initial execution and loading a post-exploitation framework.

The Sub-Techniques in Practice

T1134.001 — Token Impersonation/Theft: An attacker opens a handle to an existing process token and impersonates it. Common tools: Incognito (Metasploit module), Cobalt Strike’s steal_token, or direct OpenProcessToken / ImpersonateLoggedOnUser Win32 API calls. The target token is typically a SYSTEM process (lsass.exe, winlogon.exe) or a running process owned by a privileged domain account.

T1134.002 — Create Process with Token: CreateProcessWithTokenW creates a new process inheriting a stolen token. The child process has the token’s full privilege set. This is the technique behind runas /netonly, Cobalt Strike’s spawnas, and Metasploit’s execute with a stolen token.

T1134.003 — Make and Impersonate Token: LogonUser or CreateProcessWithLogon create a new token from supplied credentials. Used when credentials are known and the attacker wants a domain-authenticated token without joining a domain.

T1134.004 — Parent PID Spoofing: The process is created with a fake parent PID, hiding the true ancestry in process trees. Commonly used alongside token manipulation to avoid parent-child anomaly detection.

T1134.005 — SID-History Injection: A privileged SID is injected into an account’s SID-History attribute in Active Directory, granting that account’s tokens the injected SID’s permissions — effectively a silent privilege grant that persists across logons.

SeImpersonatePrivilege: The Key Precondition

The most prevalent token abuse path in ransomware kill chains exploits SeImpersonatePrivilege. This privilege, held by all local service accounts, IIS application pool identities, and SQL Server service accounts, permits a process to impersonate any token it can obtain a handle to. The Potato family of local privilege escalation tools (JuicyPotato, RoguePotato, SweetPotato, PrintSpoofer) exploits this privilege to force a SYSTEM-level COM server or Spooler process to authenticate to an attacker-controlled named pipe, capture the resulting SYSTEM token, and escalate.

Detection focus: any process running under a service account (NT SERVICE\*, IIS APPPOOL\*, NT AUTHORITY\NETWORK SERVICE) that calls ImpersonateNamedPipeClient or creates a new high-integrity process is a high-fidelity signal.

Detection Telemetry

The most reliable telemetry sources for T1134 detection:

  • Sysmon Event ID 10 (Process Access) — captures OpenProcessToken calls when the access mask includes TOKEN_DUPLICATE (0x2) or TOKEN_IMPERSONATE (0x4). Requires Sysmon configured to capture process access events.
  • Sysmon Event ID 1 (Process Creation) — parent PID spoofing creates a process whose reported parent differs from the true creator. Windows event 4688 captures the same data in security logs.
  • Windows Security Event 4648 — explicit credential logon (LogonUser API). Fires on T1134.003.
  • Windows Security Event 4672 — special privileges assigned to new logon. Fires when a token with sensitive privileges (SeDebugPrivilege, SeTcbPrivilege, SeImpersonatePrivilege) creates a session.
  • ETW (Event Tracing for Windows) / Microsoft-Windows-Security-Auditing — NtOpenProcessToken and related NT calls are visible through kernel ETW providers, captured by endpoint agents like CrowdStrike Falcon and Microsoft Defender for Endpoint.

Sigma Rules

Detecting Potato-Family SYSTEM Impersonation

title: Potato Family Token Impersonation via Named Pipe
id: f9a2c4b1-3e5d-4a87-b2c3-9d8e1f0a7b4c
status: experimental
description: Detects process spawning patterns consistent with Potato-family LPE
    tools that abuse SeImpersonatePrivilege via named pipe impersonation
references:
  - https://attack.mitre.org/techniques/T1134/001/
author: SOC Analyst Hub
date: 2026-07-10
tags:
  - attack.privilege_escalation
  - attack.t1134.001
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith:
      - '\dllhost.exe'
      - '\msdtc.exe'
      - '\spoolsv.exe'
      - '\services.exe'
  selection_token_abuse:
    IntegrityLevel: 'High'
    User|contains:
      - 'NT AUTHORITY\SYSTEM'
  filter_legitimate:
    Image|endswith:
      - '\conhost.exe'
      - '\WerFault.exe'
  condition: selection_parent and selection_token_abuse and not filter_legitimate
falsepositives:
  - Legitimate elevation via COM+ activation (review parent/child context)
level: high

Detecting Parent PID Spoofing (T1134.004)

title: Parent PID Spoofing — Process Ancestry Mismatch
id: a3c7e9f2-1b4d-4c82-a5e6-7f2b8d9e0c1a
status: experimental
description: Detects processes whose ParentImage does not match the expected
    parent for that binary — common indicator of PPID spoofing used to hide
    post-exploitation activity
references:
  - https://attack.mitre.org/techniques/T1134/004/
author: SOC Analyst Hub
date: 2026-07-10
tags:
  - attack.defense_evasion
  - attack.t1134.004
logsource:
  category: process_creation
  product: windows
detection:
  selection_spawn_from_unusual_parent:
    Image|endswith:
      - '\powershell.exe'
      - '\cmd.exe'
      - '\mshta.exe'
      - '\wscript.exe'
      - '\cscript.exe'
    ParentImage|endswith:
      - '\explorer.exe'
      - '\svchost.exe'
  selection_with_spoofing_tools:
    CommandLine|contains:
      - 'CreateProcess'
      - '-ppid'
      - 'PPID'
  condition: selection_spawn_from_unusual_parent and selection_with_spoofing_tools
falsepositives:
  - Administrative automation scripts spawned from explorer or svchost (low rate)
level: medium

Detecting Explicit Credential Token Creation (T1134.003)

title: Explicit Credential Use for Token Creation — Possible T1134.003
id: b8d4f1e3-2a6c-4d9b-8e7f-0c3a5b2d1e4f
status: experimental
description: Windows Security Event 4648 fires on explicit credential logon
    (LogonUser API). Consecutive 4648 events from a non-interactive process
    in a short window indicates programmatic token creation
references:
  - https://attack.mitre.org/techniques/T1134/003/
author: SOC Analyst Hub
date: 2026-07-10
tags:
  - attack.privilege_escalation
  - attack.t1134.003
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4648
  filter_expected_logon_types:
    ProcessName|endswith:
      - '\lsass.exe'
      - '\svchost.exe'
  filter_system:
    SubjectUserName: 'SYSTEM'
  condition: selection and not filter_expected_logon_types and not filter_system
falsepositives:
  - Scheduled task service accounts that use explicit credentials for specific operations
level: medium

KQL for Microsoft Sentinel / Defender for Endpoint

Token Impersonation via Process Access

// Detect high-access OpenProcessToken calls targeting SYSTEM processes
// Requires Sysmon Event 10 (ProcessAccess) ingested into Sentinel
SecurityEvent
| where EventID == 4688
| where NewProcessName has_any ("cmd.exe", "powershell.exe", "rundll32.exe")
| where SubjectUserName !endswith "$"
| join kind=inner (
    SecurityEvent
    | where EventID == 4672
    | where PrivilegeList has "SeImpersonatePrivilege"
    | project ImpersonateLogonId = SubjectLogonId, ImpersonateUser = SubjectUserName, TimeGenerated
) on $left.SubjectLogonId == $right.ImpersonateLogonId
| where datetime_diff('second', TimeGenerated, TimeGenerated1) < 30
| project TimeGenerated, NewProcessName, SubjectUserName, CommandLine, ImpersonateUser
| order by TimeGenerated desc

Hunting SeImpersonatePrivilege Abuse in Service Accounts

// Find service account processes that spawned elevated children
// High-fidelity for Potato-family exploitation
DeviceProcessEvents
| where InitiatingProcessAccountName in~ ("NETWORK SERVICE", "LOCAL SERVICE")
    or InitiatingProcessAccountName startswith "IIS APPPOOL\\"
| where AccountName == "SYSTEM"
| where ProcessCommandLine !contains "TiWorker"
    and ProcessCommandLine !contains "TrustedInstaller"
| project Timestamp, DeviceName, InitiatingProcessAccountName,
    InitiatingProcessFileName, FileName, ProcessCommandLine
| order by Timestamp desc

Hunting Baseline

Before deploying production alerting, establish a baseline of legitimate token creation in your environment. Key questions:

  • Which service accounts in your environment legitimately use SeImpersonatePrivilege? (IIS, MSSQL, Exchange, backup agents)
  • Which processes routinely spawn elevated children in your environment? (MDM agents, configuration management tools)
  • Do you have any scheduled tasks that use explicit credential logon (4648)?

Baselining over a 2-week window before enabling alerting eliminates the false-positive noise that causes analysts to suppress legitimate detections.

Priority Actions

Enable Sysmon Event 10 (ProcessAccess) if it isn’t already — without it, the most direct signals for OpenProcessToken abuse are invisible. The default Sysmon configuration does not enable Event 10 because of volume; scope it to source processes of interest (cmd.exe, powershell.exe, known post-exploitation binaries) to manage noise. Audit SeImpersonatePrivilege assignments quarterly — this privilege is often granted by application installers and never reviewed again.