Access Token Manipulation: Token Impersonation/Theft T1134.001

Adversaries may duplicate and then impersonate another user's existing token to escalate privileges and bypass access controls. For example, an adversary can duplicate an existing token using `DuplicateToken` or `DuplicateTokenEx`. The token can then be used with `ImpersonateLoggedOnUser` to allow the calling thread to impersonate a logged-on user's security context, or with `SetThreadToken` to assign the impersonated token to a thread.

Events covered

10 catalog events are tagged with this technique by at least one rule.

| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
| Sysmon | 10 | ProcessAccess |
| Sysmon | 17 | PipeEvent (Pipe Created) |
| Sysmon | 18 | PipeEvent (Pipe Connected) |
| Security-Auditing | 4624 | An account was successfully logged on. |
| Security-Auditing | 4688 | A new process has been created. |
| Security-Auditing | 4697 | A service was installed in the system. |
| Security-Auditing | 5447 | A Windows Filtering Platform filter has been changed. |
| Security-Auditing | 5449 | A Windows Filtering Platform provider context has been changed. |
| Service-Control-Manager | 7045 | A service was installed in the system. |

Authoring guide

Patterns shared across the 13 rules under this technique: which fields they filter on, which specific values they look for, and what they exclude. Field names are normalized across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (19 distinct)

The fields most rules look at when detecting this technique. The How column lists the operators authors use (eq, wildcard, regex_match, match) and how many rules use each. Sample values are concrete examples to start from, not an exhaustive list; values shown in quotes keep their leading or trailing spaces, which the rules rely on as word boundaries.

| Field | Rules | How | Sample values |
|---|---|---|---|
| CommandLine | 4 | match (4) | " exec ", impersonate.exe, " adduser ", /file:, masterkeys |
| TargetImage | 3 | in (3) | "*\\SysWOW64\\winlogon.exe*", "*\\system32\\winlogon.exe*", "*\\wsreset.exe", "*\\fodhelper.exe", "*\PkgMgr.exe" |
| EventID | 3 | eq (3) | 10 |
| Provider_Name | 2 | eq (2) | Microsoft-Windows-Sysmon, Service Control Manager |
| Image | 2 | ends_with (2) | \SharpDPAPI.exe, \SharpImpersonation.exe |
| OriginalFileName | 2 | eq (2) | SharpDPAPI.exe, SharpImpersonation.exe |
| GrantedAccess | 2 | eq (2) | 0x1040 |
| file.name | 1 | wildcard (1) | \*\Pipe\* |
| Hashes | 1 | match (1) | IMPHASH=0A358FFC1697B7A07D0E817AC740DF62, MD5=9520714AB576B0ED01D1513691377D01, SHA256=E81CC96E2118DC4FBFE5BAD1604E0AC7681960143E2101E1A0... |
| PipeName | 1 | match (1) | \imposingcost, \imposecost |
| FilterName | 1 | match (1) | RonPolicy |
| ProviderContextName | 1 | match (1) | RonPolicy |
| ServiceFileName | 1 | starts_with (1), match (1) | .dll,a, cmd, %COMSPEC% |
| ImagePath | 1 | match (1), starts_with (1) | .dll,a, cmd, %COMSPEC% |
| LogonType | 1 | eq (1) | 9 |

Top indicator values (87 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition to get useful signal. A blank Corpus reach means the combination is specific to rules under this technique.

| Field | Kind | Value | Rules (here) | Corpus reach |
|---|---|---|---|---|
| EventID | eq | 10 | 3 | 14 |
| TargetImage | in | "*\\system32\\winlogon.exe*" | 2 | 2 |
| TargetImage | in | "*\\SysWOW64\\winlogon.exe*" | 2 | 2 |
| GrantedAccess | eq | 0x1040 | 2 | 2 |
| file.name | wildcard | \*\Pipe\* | 1 | |
| Provider_Name | eq | Microsoft-Windows-Sysmon | 1 | 3 |
| CommandLine | match | " list " | 1 | 2 |
| CommandLine | match | " exec " | 1 | 2 |
| CommandLine | match | impersonate.exe | 1 | |
| CommandLine | match | " adduser " | 1 | |
| Hashes | match | MD5=9520714AB576B0ED01D1513691377D01 | 1 | |
| Hashes | match | SHA256=E81CC96E2118DC4FBFE5BAD1604E0AC7681960143E2101E1A024D52264BB0A8A | 1 | |
| Hashes | match | IMPHASH=0A358FFC1697B7A07D0E817AC740DF62 | 1 | |
| PipeName | match | \imposecost | 1 | |
| PipeName | match | \imposingcost | 1 | |
| ProviderContextName | match | RonPolicy | 1 | |
| FilterName | match | RonPolicy | 1 | |
| CommandLine | match | }: | 1 | |
| CommandLine | match | " rdg " | 1 | |
| CommandLine | match | " keepass " | 1 | |

Common exclusions (7 distinct)

Field/operator/value combinations that rules under this technique routinely exclude (top-level not() clauses). These are the false-positive paths the community has learned to filter out. A new rule that omits the high-count entries here will likely fire on the same noisy paths.

| Field | Kind | Value | Rules excluding |
|---|---|---|---|
| Image | in | "%systemroot%\\*" | 2 |
| Image | in | "C:\\Windows\\*" | 1 |
| Image | in | "C:\\Program File*" | 1 |
| Image | in | "*C:\\Program Files\\*" | 1 |
| Image | in | "*C:\\Program Files (x86)\\*" | 1 |
| Image | in | "*C:\\Windows\\system32\\*" | 1 |
| Image | in | "*C:\\Windows\\syswow64\\*" | 1 |
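Putting the indicator and exclusion tables together, here is one way the shared winlogon.exe access pattern (EventID 10, TargetImage winlogon.exe, GrantedAccess 0x1040, minus the excluded source paths) can be expressed as detection logic and run over sample events. This is an added example, not a rule from the catalog; the Sysmon records are constructed, and the exclusion list uses the literal C:\ paths from the table rather than expanding %systemroot%.

```python
# Added example (not the catalog's code): the winlogon.exe token-access pattern from the
# tables above, run over constructed Sysmon Event ID 10 (ProcessAccess) records.
import fnmatch

# TargetImage wildcards from the "Top indicator values" table (matched case-insensitively).
TARGET_IMAGE_PATTERNS = (r"*\system32\winlogon.exe*", r"*\SysWOW64\winlogon.exe*")

# Source Image exclusions from the "Common exclusions" table (the rules' top-level not()).
EXCLUDED_IMAGE_PATTERNS = (
    r"C:\Windows\*", r"C:\Program File*",
    r"*C:\Program Files\*", r"*C:\Program Files (x86)\*",
    r"*C:\Windows\system32\*", r"*C:\Windows\syswow64\*",
)

# 0x1040 = PROCESS_QUERY_LIMITED_INFORMATION (0x1000) | PROCESS_DUP_HANDLE (0x0040):
# a handle-duplication access mask, not the memory-read rights a debugger or dumper asks for.
GRANTED_ACCESS = 0x1040


def _matches_any(value, patterns):
    low = value.lower()
    return any(fnmatch.fnmatchcase(low, p.lower()) for p in patterns)


def is_token_theft_candidate(event):
    """All three predicates must hold and no exclusion may match."""
    if event.get("EventID") != 10:       # EventID eq 10 alone reaches 14 rules: never alert on it by itself
        return False
    if not _matches_any(event.get("TargetImage", ""), TARGET_IMAGE_PATTERNS):
        return False
    if int(event.get("GrantedAccess", "0x0"), 16) != GRANTED_ACCESS:
        return False
    return not _matches_any(event.get("Image", ""), EXCLUDED_IMAGE_PATTERNS)


def detect(events):
    """Return the records that should raise an alert."""
    return [e for e in events if is_token_theft_candidate(e)]


# Constructed sample records (not real telemetry).
WINLOGON = r"C:\Windows\System32\winlogon.exe"
SAMPLE_EVENTS = [
    {"EventID": 10, "Image": r"C:\Users\alice\Downloads\tool.exe", "TargetImage": WINLOGON, "GrantedAccess": "0x1040"},
    {"EventID": 10, "Image": r"C:\Windows\System32\csrss.exe", "TargetImage": WINLOGON, "GrantedAccess": "0x1040"},  # excluded source path
    {"EventID": 10, "Image": r"C:\Users\alice\Downloads\tool.exe", "TargetImage": WINLOGON, "GrantedAccess": "0x1000"},  # different access mask
    {"EventID": 1, "Image": r"C:\Users\alice\Downloads\tool.exe", "TargetImage": WINLOGON, "GrantedAccess": "0x1040"},   # not a ProcessAccess event
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("ALERT", hit["Image"], "->", hit["TargetImage"], hit["GrantedAccess"])
```

Only the first sample record survives all four checks; the other three show the noise each predicate or exclusion removes.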

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma 9 rules

Elastic 1 rule

Splunk 3 rules