AN0786: Analytic 0786
Detection of suspicious token manipulation chains: use of token-related APIs (e.g., LogonUser, DuplicateTokenEx) or commands (runas) → spawning of a new process under a different security context (e.g., SYSTEM) → mismatched parent-child process lineage or anomalies in Event Tracing for Windows (ETW) token/PPID data → abnormal lateral or privilege escalation activity.
Analyst context for executives and security teams
AN0786 is a Windows detection analytic focused on suspicious token manipulation chains: token-related API or command use followed by process creation under a different security context and unusual parent-child or ETW token/PPID evidence. For leaders, the practical value is confirming whether the SOC can recognize identity-context abuse that may precede or accompany privilege escalation or lateral movement, rather than only detecting malware files or obvious login failures.
Executive priority
Prioritize this as an identity and endpoint visibility question: can the organization prove when Windows processes start under unexpected security contexts, such as SYSTEM, and can responders reconstruct the parent-child lineage? This matters for incident decision-making, privileged access governance, audit evidence, and resilience because weak process-token telemetry can leave defenders unable to distinguish legitimate administrative activity from suspicious privilege or lateral movement behavior.
Technical view
Validate coverage on Windows endpoints for chains involving token-related APIs or commands such as LogonUser, DuplicateTokenEx, or runas; subsequent creation of a process under a different security context; mismatched or anomalous parent-child process lineage; ETW token or PPID anomalies; and related abnormal privilege escalation or lateral activity. Because the official detection field is not provided and no relationships are supplied, teams should treat this as detection-engineering guidance rather than a complete rule. Focus testing on whether endpoint telemetry preserves user context, process lineage, token context, and timing well enough to correlate the chain.
Likely telemetry
- Windows process creation events with parent-child lineage
- User and security context associated with newly spawned processes
- Evidence of token-related API or command usage where available
- ETW token and parent process identifier data where collected
- Privilege context changes such as processes running as SYSTEM
Detection direction
- Correlate token-related activity with new process creation under a different security context rather than alerting on a single event in isolation.
- Tune for known administrative workflows that legitimately use runas or create processes under elevated contexts to reduce false positives.
- Validate whether parent-child process lineage is reliable; missing or normalized PPID data can create blind spots.
- Assess whether ETW token/PPID data is collected, retained, and usable by the SOC; the analytic depends on context that many environments may not preserve.
- Use abnormal lateral or privilege escalation context as a prioritization signal, but avoid assuming maliciousness from token manipulation alone.
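The correlation the list above asks for, as an added example written for this page (not MITRE's or Glexia's detection logic): a Python function over constructed process-creation records that flags a SYSTEM child whose recorded parent runs as a different, non-SYSTEM user, upgrades the finding when that parent shows token-related evidence within a time window, tunes out an allowlisted admin launcher, and reports a never-seen PPID as a lineage gap rather than as abuse. Field names, image names and the allowlist entry are assumptions.

```python
from datetime import datetime

SYSTEM = "NT AUTHORITY\\SYSTEM"

# Constructed sample records (not real telemetry): start time, pid, ppid, image and
# the user the process runs as. "token_evidence"/"token_t" stand in for separately
# collected API or command evidence (LogonUser, DuplicateTokenEx, runas) and its time.
EVENTS = [
    {"t": "2024-05-01T09:00:00", "pid": 4, "ppid": 0, "image": "System", "user": SYSTEM},
    {"t": "2024-05-01T09:00:01", "pid": 400, "ppid": 4, "image": "services.exe", "user": SYSTEM},
    {"t": "2024-05-01T09:00:05", "pid": 900, "ppid": 400, "image": "svchost.exe", "user": SYSTEM},
    {"t": "2024-05-01T10:05:00", "pid": 2000, "ppid": 1500, "image": "explorer.exe", "user": "CORP\\alice"},
    {"t": "2024-05-01T10:06:00", "pid": 2100, "ppid": 2000, "image": "helper.exe", "user": "CORP\\alice",
     "token_evidence": "DuplicateTokenEx", "token_t": "2024-05-01T10:06:01"},
    {"t": "2024-05-01T10:06:02", "pid": 2200, "ppid": 2100, "image": "cmd.exe", "user": SYSTEM},
    {"t": "2024-05-01T10:20:00", "pid": 2400, "ppid": 2000, "image": "approved-launcher.exe", "user": "CORP\\alice"},
    {"t": "2024-05-01T10:20:03", "pid": 2500, "ppid": 2400, "image": "setup.exe", "user": SYSTEM},
    {"t": "2024-05-01T10:30:00", "pid": 3100, "ppid": 3000, "image": "powershell.exe", "user": SYSTEM},
]


def find_token_chains(events, window_seconds=60, allowed_parents=frozenset()):
    """Correlate security-context changes with lineage and token evidence.

    A SYSTEM child whose recorded parent runs as another, non-SYSTEM user is a
    'context_mismatch'; it becomes a 'token_chain' when that parent shows token
    evidence at most window_seconds before the child started. A SYSTEM child
    whose PPID was never recorded is reported as a lineage gap, not as abuse.
    """
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for child in events:
        if child["user"] != SYSTEM or child["ppid"] == 0:
            continue  # only elevated children matter; ppid 0 is the root of the tree
        parent = by_pid.get(child["ppid"])
        if parent is None:
            # Collection blind spot: surface it so the telemetry gap gets fixed.
            findings.append({"pid": child["pid"], "reason": "missing_parent_lineage", "severity": "low"})
            continue
        if parent["user"] == SYSTEM or parent["image"] in allowed_parents:
            continue  # SYSTEM->SYSTEM is normal service lineage; allowlisted launchers are tuned out
        finding = {"pid": child["pid"], "reason": "context_mismatch", "severity": "medium",
                   "parent_pid": parent["pid"], "parent_user": parent["user"]}
        if parent.get("token_evidence"):
            delta = (datetime.fromisoformat(child["t"]) - datetime.fromisoformat(parent["token_t"])).total_seconds()
            if 0 <= delta <= window_seconds:
                finding.update(reason="token_chain", severity="high", token_evidence=parent["token_evidence"])
        findings.append(finding)
    return findings
```

Calling `find_token_chains(EVENTS, allowed_parents={"approved-launcher.exe"})` on the constructed records yields one high-severity token chain (pid 2200) and one lineage gap (pid 3100); dropping the allowlist adds a medium context mismatch for pid 2500.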
Mitigation priorities
- Ensure Windows endpoint logging and EDR policies capture process creation, parent-child lineage, user context, and privilege context changes.
- Review and govern legitimate administrative use of alternate security contexts so detection teams have an allowlist or expected-baseline reference.
- Strengthen privileged access and operational procedures so elevated process creation is attributable and auditable.
- Build incident response playbooks that preserve endpoint timeline, process lineage, and token context when this analytic fires.
- Use the analytic to identify telemetry gaps before relying on it for compliance or incident evidence.
Analyst notes and limits
This object is a detection analytic, not a technique description. Windows is the only supplied platform; no tactic, relationship context, or official detection logic is provided. This analysis therefore emphasizes validation of telemetry and correlation requirements rather than claiming a ready-to-run detection or a specific ATT&CK technique mapping.
The supplied object does not include an official detection query, data source mappings, tactics, related techniques, adversary relationships, or mitigation references. Local baselines are required to distinguish legitimate administrative token use from suspicious activity.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 0d7b1bcf1fa0… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0786 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.