T1134 | Privilege Escalation | Hard difficulty

Access Token Manipulation

Access Token Manipulation (T1134) is a MITRE ATT&CK technique in the Privilege Escalation tactic. SOC analysts detect it by monitoring XDR and SIEM events for behavioral anomalies and the specific indicators described in this detection guide. Practice detection in SOCSimulator Operations.

Detection sources: XDR, SIEM

What is Access Token Manipulation?

Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token. Access token manipulation techniques include token impersonation and theft, create process with token, make and impersonate token, parent PID spoofing, and SID-History injection. Attackers with SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege can impersonate tokens belonging to SYSTEM or other privileged accounts, effectively escalating their privileges without exploiting a software vulnerability.

Access Token Manipulation is documented as technique T1134 in the MITRE ATT&CK knowledge base under the Privilege Escalation tactic. Detection requires visibility into XDR and SIEM telemetry.

Detection Strategies

The following detection strategies help SOC analysts identify Access Token Manipulation activity. These methods apply across XDR and SIEM environments and can be implemented as detection rules, correlation queries, or behavioral analytics in your security platform.

1. Monitor for Windows API calls associated with token manipulation including OpenProcessToken, DuplicateToken, ImpersonateLoggedOnUser, and CreateProcessWithTokenW, particularly from processes with no legitimate reason to perform token operations.

2. Alert on processes running under a different user context than expected based on their process ancestry, as token manipulation often results in processes appearing to belong to privileged accounts while descending from unprivileged processes.

3. Detect SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege being exercised by service accounts or standard users, as these privileges are not normally used in day-to-day operations and their use warrants investigation.

4. Monitor for parent process ID spoofing by correlating reported parent PIDs with actual process ancestry, as attackers use this technique to make malicious processes appear to be children of trusted processes.

5. Track unusual service account activity following periods of interactive session establishment, as attackers may use token impersonation to pivot from interactive sessions to service account contexts for lateral movement.
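Strategy 2 as a runnable rule, added here as an example that is not part of the SOCSimulator page: it walks constructed Sysmon-style process-creation records and flags a privileged process whose reported parent runs as an unprivileged user and is not a known elevation broker. The field names, the broker allowlist and the sample records are assumptions.

```python
# Added example, not from the SOCSimulator page: strategy 2 (unexpected user
# context) run over constructed Sysmon-style process-creation records.
from dataclasses import dataclass

PRIVILEGED = {"NT AUTHORITY\\SYSTEM", "NT AUTHORITY\\LOCAL SERVICE",
              "NT AUTHORITY\\NETWORK SERVICE"}
# Parents that legitimately start children under another account (service
# control manager, UAC AppInfo broker). Assumed allowlist; tune per estate.
ELEVATION_BROKERS = {"services.exe", "svchost.exe", "wininit.exe"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str  # executable name only
    user: str   # account the process token belongs to


def find_context_mismatches(events):
    """Return (pid, image, user, parent_image, parent_user) for each
    privileged process whose reported parent runs as an unprivileged user
    and is not a known elevation broker. Real telemetry should be keyed on
    ProcessGuid rather than PID, since PIDs are reused."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue  # ancestry not visible; nothing to compare against
        if (e.user in PRIVILEGED and parent.user not in PRIVILEGED
                and parent.image.lower() not in ELEVATION_BROKERS):
            alerts.append((e.pid, e.image, e.user, parent.image, parent.user))
    return alerts


# Constructed sample. The SYSTEM calc.exe reported as a child of a standard
# user's explorer.exe is the kind of anomaly the XDR alert examples describe.
SAMPLE = [
    ProcEvent(4, 0, "System", "NT AUTHORITY\\SYSTEM"),
    ProcEvent(600, 4, "wininit.exe", "NT AUTHORITY\\SYSTEM"),
    ProcEvent(700, 600, "services.exe", "NT AUTHORITY\\SYSTEM"),
    ProcEvent(900, 700, "svchost.exe", "NT AUTHORITY\\SYSTEM"),
    ProcEvent(3100, 900, "consent.exe", "NT AUTHORITY\\SYSTEM"),  # UAC, normal
    ProcEvent(4200, 4000, "explorer.exe", "CORP\\jdoe"),  # parent exited
    ProcEvent(4500, 4200, "cmd.exe", "CORP\\jdoe"),  # same user, normal
    ProcEvent(4700, 4200, "calc.exe", "NT AUTHORITY\\SYSTEM"),  # mismatch
]

if __name__ == "__main__":
    print(find_context_mismatches(SAMPLE))
```

Only the calc.exe record is returned; the UAC child under svchost.exe and the same-user cmd.exe are suppressed by the broker allowlist and the privilege comparison respectively.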

Example Alerts

These realistic alert examples show what Access Token Manipulation looks like in your security tools. Use them to tune detection rules and train analysts to recognize true positives versus false positives in live environments.

Critical | XDR

Token Impersonation via SeImpersonatePrivilege

Metasploit Meterpreter pattern detected: a process is executing in the SYSTEM context after token impersonation over a named pipe. The attack abused a service holding SeImpersonatePrivilege to intercept a SYSTEM token through a named pipe connection. This family of techniques, commonly called Potato attacks, is frequently used to escalate from a service account to SYSTEM privileges.

High | XDR

Process Running Under Unexpected User Context

Calculator.exe process detected running under NT AUTHORITY\SYSTEM context while process tree shows it was spawned by a standard user interactive session. This anomaly indicates token theft or impersonation has occurred. The child processes of this instance are making network connections to external C2 infrastructure, confirming malicious use.

High | XDR

CreateProcessWithToken API Called by Non-Privileged Process

EDR telemetry captured CreateProcessWithTokenW API call from a process running as a standard domain user account. The function was used to spawn a new process with a token belonging to the domain administrator account. This token was obtained by impersonating an active administrator session on the workstation.

Practice Detecting Access Token Manipulation

SOCSimulator provides hands-on training rooms where you investigate real-world attack scenarios including Access Token Manipulation. Build detection skills with zero consequences — free forever.


Frequently Asked Questions

How do SOC analysts detect Access Token Manipulation?
SOC analysts detect Access Token Manipulation (T1134) by monitoring XDR and SIEM telemetry for behavioral anomalies and specific indicators. Key detection methods include monitoring for Windows API calls associated with token manipulation, including OpenProcessToken, DuplicateToken, ImpersonateLoggedOnUser, and CreateProcessWithTokenW. SOCSimulator provides hands-on practice detecting this technique with realistic alerts.
What security tools are used to detect Access Token Manipulation?
Access Token Manipulation can be detected using XDR and SIEM platforms. XDR tools are particularly effective for this technique because they provide visibility into the privilege escalation phase of the attack chain. SOCSimulator simulates all three tool types for hands-on training.
How common is Access Token Manipulation in real-world attacks?
Access Token Manipulation is a well-documented MITRE ATT&CK technique in the Privilege Escalation tactic. It appears in threat intelligence reports from multiple security vendors and has been observed in campaigns by various threat actor groups. SOCSimulator includes realistic Access Token Manipulation scenarios based on documented attack patterns, helping analysts build detection intuition.
Can I practice detecting Access Token Manipulation for free?
Yes. SOCSimulator offers free forever access to training scenarios, including Privilege Escalation techniques like Access Token Manipulation. You can investigate realistic alerts in guided Operations rooms, build detection skills with SIEM, XDR, and Firewall interfaces, and test yourself under pressure in Shift Mode. No credit card required.