MITRE ATT&CK® Detection Strategy

DET0498: Behavior‑chain detection for T1134.003 Make and Impersonate Token (Windows)


Domain: Enterprise. ID: DET0498. Type: Detection Strategy. Object version 1.0.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0498 is a MITRE detection strategy for behavior-chain detection of Windows Make and Impersonate Token activity. The business issue is that token creation and impersonation can let an intruder use another user’s security context to escalate privileges or bypass access controls, which can change the severity of an incident quickly. Leaders should treat coverage for this behavior as an identity and endpoint detection question, not just a malware alerting question.

Executive priority

Prioritize validation where Windows administrative access, service accounts, and privileged workflows are material to business operations. The key decision is whether the SOC can prove it would see suspicious token impersonation behavior as part of an attack chain, especially when valid credentials or legitimate Windows functions are involved. This supports incident triage, privileged access governance, and audit evidence around monitoring of privilege escalation paths.

Technical view

The supplied relationship ties this detection strategy to ATT&CK T1134.003, Make and Impersonate Token, under stealth and privilege-escalation for Windows. Detection engineering should focus on chaining evidence of new logon/session or token-related behavior with process, thread, user, and privilege context. The related technique description references use of Windows functions such as LogonUser and SetThreadToken, so defenders should validate whether endpoint telemetry can expose suspicious process identity changes, token use, and privilege escalation patterns without relying on a single event.

Likely telemetry

  • Windows security logon and authentication events
  • Endpoint process creation and parent-child process context
  • EDR or host telemetry showing token creation, impersonation, or security context changes
  • User, service account, and privilege assignment context
  • Command-line, image path, and signer metadata for processes involved in privileged activity

Detection direction

  • Validate behavior-chain correlation rather than standalone alerts: authentication or logon-session activity plus later process/thread execution under a different or more privileged user context.
  • Baseline legitimate administrative tools, services, and scheduled operations that commonly impersonate users to reduce false positives.
  • Pay attention to unusual source processes, unexpected service account use, privilege changes, or token activity outside normal administrative paths.
  • Confirm telemetry includes enough identity context to distinguish the launching user, impersonated user, process owner, and resulting privileges.
  • Review blind spots on Windows systems with limited EDR visibility, incomplete security auditing, or unmanaged administrative endpoints.
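As an added illustration (not part of the MITRE object or Glexia's analysis), the code below runs the behavior chain from the first bullet over constructed sample telemetry: a logon that yields a different user's context, followed within a short window by a process created by the same source process but running as that user, with a baseline of vetted impersonating services excluded. The field names, hosts, users, window and baseline set are assumptions, not any vendor's schema.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (assumed schema, not from the page or any EDR vendor).
# "logon" records carry the launching user (subject) and the user whose context was obtained (target).
EVENTS = [
    {"ts": "2024-01-01T10:00:00", "kind": "logon", "host": "ws01", "subject_user": "alice",
     "target_user": "svc_backup", "process": "backup_agent.exe", "pid": 400},
    {"ts": "2024-01-01T10:00:02", "kind": "process_create", "host": "ws01", "creator_pid": 400,
     "user": "svc_backup", "image": "robocopy.exe"},
    {"ts": "2024-01-01T10:05:00", "kind": "logon", "host": "ws01", "subject_user": "bob",
     "target_user": "admin_ops", "process": "updater.exe", "pid": 912},
    {"ts": "2024-01-01T10:05:01", "kind": "process_create", "host": "ws01", "creator_pid": 912,
     "user": "admin_ops", "image": "cmd.exe"},
    {"ts": "2024-01-01T11:00:00", "kind": "logon", "host": "ws01", "subject_user": "carol",
     "target_user": "carol", "process": "explorer.exe", "pid": 77},
]

# Assumed baseline: services known to impersonate users as part of normal operation.
BASELINED_IMPERSONATORS = {"backup_agent.exe"}
WINDOW = timedelta(seconds=30)


def correlate(events, baseline=BASELINED_IMPERSONATORS, window=WINDOW):
    """Chain a logon that obtained another user's context with a later process
    created by the same source process and running as that user, on the same host."""
    findings = []
    # Only logons where the obtained context differs from the launching user matter here.
    logons = [e for e in events if e["kind"] == "logon" and e["subject_user"] != e["target_user"]]
    creates = [e for e in events if e["kind"] == "process_create"]
    for lg in logons:
        if lg["process"].lower() in baseline:
            continue  # vetted impersonating service, suppressed to cut false positives
        t0 = datetime.fromisoformat(lg["ts"])
        for pc in creates:
            t1 = datetime.fromisoformat(pc["ts"])
            if (pc["host"] == lg["host"] and pc["creator_pid"] == lg["pid"]
                    and pc["user"] == lg["target_user"] and t0 <= t1 <= t0 + window):
                # Keep the identity context an analyst needs: launching user, impersonated user, lineage.
                findings.append({"host": lg["host"], "source_process": lg["process"],
                                 "launching_user": lg["subject_user"],
                                 "impersonated_user": lg["target_user"],
                                 "child_image": pc["image"],
                                 "delay_s": (t1 - t0).total_seconds()})
    return findings


if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f)
```

Running it with the baseline emptied (`correlate(EVENTS, baseline=set())`) also surfaces the backup service chain, which is how a team would measure what a baseline entry suppresses.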

Mitigation priorities

  • Reduce the number of accounts and services that can perform privileged actions on Windows systems.
  • Apply least privilege and review privileged service account usage, especially where impersonation is expected behavior.
  • Strengthen credential protection and privileged access workflows so valid credentials cannot easily become a privilege-escalation path.
  • Ensure Windows endpoint logging and EDR collection are enabled on systems where privilege escalation would materially affect operations.
  • Use incident response playbooks that require analysts to reconstruct user context, token context, and process lineage before closing privilege-escalation alerts.

Analyst notes and limits

This take is based on the detection strategy metadata and its relationship to T1134.003. The object itself does not include an official description, official detection text, platforms, or tactics, but the related ATT&CK technique provides Windows platform context and the stealth/privilege-escalation framing.

Local validation is required. The supplied ATT&CK fields do not specify exact analytic logic, event IDs, data sources, mitigations, or expected alert fidelity. Do not assume coverage unless endpoint, Windows authentication, and identity-context telemetry are confirmed in the environment.

Official MITRE ATT&CK definition

Behavior‑chain detection for T1134.003 Make and Impersonate Token (Windows)

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain: Enterprise
ID: T1134.003
Name: Make and Impersonate Token (sub-technique)
Relationship / procedure: This object detects Make and Impersonate Token.
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 939c84cbd044a8c2...

Imported snapshots across ATT&CK releases (1)
Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 939c84cbd044…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.


Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.