EXPLORE
Sign In
← Back to Explore
T1134

Access Token Manipulation

Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new toke...

Windows
24
Detections
3
Sources
3
Threat Actors

BY SOURCE

19elastic3splunk_escu2sigma

PROCEDURES (19)

Credential2 detections

Auto-extracted: 2 detections for credential

General Monitoring2 detections

Auto-extracted: 2 detections for general monitoring

Powershell2 detections

Auto-extracted: 2 detections for powershell

Impersonat2 detections

Auto-extracted: 2 detections for impersonat

Service2 detections

Auto-extracted: 2 detections for service

Unusual1 detections

Auto-extracted: 1 detections for unusual

Masquerad1 detections

Auto-extracted: 1 detections for masquerad

Named Pipe1 detections

Auto-extracted: 1 detections for named pipe

Named Pipe1 detections

Auto-extracted: 1 detections for named pipe

Parent Process1 detections

Auto-extracted: 1 detections for parent process

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Credential1 detections

Auto-extracted: 1 detections for credential

Bypass1 detections

Auto-extracted: 1 detections for bypass

Persist1 detections

Auto-extracted: 1 detections for persist

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Unusual1 detections

Auto-extracted: 1 detections for unusual

Privilege1 detections

Auto-extracted: 1 detections for privilege

Unusual1 detections

Auto-extracted: 1 detections for unusual

Parent Process1 detections

Auto-extracted: 1 detections for parent process

THREAT ACTORS (3)

Blue MockingbirdFIN6Lotus Blossom

DETECTIONS (24)

Credential Manipulation - Detected - Elastic Endgame
elastichigh
Credential Manipulation - Prevented - Elastic Endgame
elasticmedium
First Time Seen NewCredentials Logon Process
elasticmedium
HackTool - NoFilter Execution
sigmahigh
Interactive Logon by an Unusual Process
elastichigh
Parent Process PID Spoofing
elastichigh
Permission Theft - Detected - Elastic Endgame
elastichigh
Permission Theft - Prevented - Elastic Endgame
elasticmedium
Potential PowerShell HackTool Script by Function Names
elasticmedium
PowerShell Script with Token Impersonation Capabilities
elasticmedium
Privilege Escalation via Named Pipe Impersonation
elastichigh
Privilege Escalation via Rogue Named Pipe Impersonation
elastichigh
Privileges Elevation via Parent Process PID Spoofing
elastichigh
Process Created with a Duplicated Token
elasticmedium
Process Created with an Elevated Token
elastichigh
Process Creation via Secondary Logon
elasticmedium
SeDebugPrivilege Enabled by a Suspicious Process
elasticmedium
Spike in Special Privilege Use Events
elasticlow
Suspicious SeIncreaseBasePriorityPrivilege Use
elastichigh
Suspicious SYSTEM User Process Creation
sigmahigh
Unusual Parent-Child Relationship
elasticmedium
Windows Privilege Escalation Suspicious Process Elevation
splunk_escu
Windows Privilege Escalation System Process Without System Parent
splunk_escu
Windows Privilege Escalation User Process Spawn System Process
splunk_escu