Live Active security incident? Get immediate response
MITRE ATT&CK® Technique

T1134: Access Token Manipulation

Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.

An adversary can use built-in Windows API functions to copy access tokens from existing processes; this is known as token stealing. These token can then be applied to an existing process (i.e. Token Impersonation/Theft) or used to spawn a new process (i.e. Create Process with Token). An adversary must already be in a privileged user context (i.e. administrator) to steal a token. However, adversaries commonly use token stealing to elevate their security context from the administrator level to the SYSTEM level. An adversary can then use a token to authenticate to a remote system as the account for that token if the account has appropriate permissions on the remote system.[1]

Any standard user can use the runas command, and the Windows API functions, to create impersonation tokens; it does not require access to an administrator account. There are also other mechanisms, such as Active Directory fields, that can be used to modify access tokens.

EnterpriseT1134TechniqueObject v3.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Access Token Manipulation matters because it can let an adversary on a Windows system act as a different user or as SYSTEM, bypassing access controls that business processes assume are reliable. For leaders, this is not just a malware behavior; it is an identity and privilege-control failure mode that can affect incident containment, audit confidence, and recovery decisions.

Executive priority

Prioritize this technique where Windows administrative access, privileged service accounts, domain administration, or sensitive operational systems are in scope. ATT&CK links this behavior to privilege escalation and stealth, and to multiple sub-techniques involving token theft, token-based process creation, impersonation, parent PID spoofing, and SID-History injection. Executives should ask whether privileged account governance, account lifecycle controls, and Windows telemetry are strong enough to prove who actually performed an action during an incident.

Technical view

For SOC, detection engineering, and IR teams, validate Windows visibility around processes running under unexpected security contexts, processes created with tokens not normally associated with the initiating user, suspicious impersonation behavior, and parent/child process inconsistencies. Because ATT&CK provides no native detection text for T1134, use the related DET0283 behavior-chain detection strategy as a starting point and map coverage across the five sub-techniques: T1134.001 Token Impersonation/Theft, T1134.002 Create Process with Token, T1134.003 Make and Impersonate Token, T1134.004 Parent PID Spoofing, and T1134.005 SID-History Injection.

Likely telemetry

  • Windows process creation events, including parent/child process relationships
  • User logon and authentication context associated with process execution
  • Privilege use and administrative account activity on Windows hosts
  • Security context changes involving SYSTEM or other privileged accounts
  • Active Directory account attributes relevant to SID-History where applicable

Detection direction

  • Do not rely only on process names; validate whether the process user, parent process, and security context make sense together.
  • Tune for behavior chains rather than single events, consistent with the related DET0283 strategy.
  • Review false positives from legitimate administration, service management, software deployment, and help desk activity that may use alternate credentials or runas.
  • Validate coverage separately for token impersonation, token-created processes, parent PID spoofing, and SID-History changes because each can produce different evidence.
  • During IR, compare the apparent user in logs with the token/security context of the process before making attribution or containment decisions.

Mitigation priorities

  • Apply User Account Management (M1018): enforce account lifecycle discipline, remove stale accounts, and ensure accounts are used only according to policy.
  • Apply Privileged Account Management (M1026): restrict administrative privileges, limit privileged account scope, and monitor privileged account usage.
  • Reduce routine administrator exposure on Windows systems so token theft opportunities are minimized.
  • Review accounts and groups whose privileges could enable escalation from administrator to SYSTEM or remote authentication using a stolen or created token.
  • Maintain audit evidence for privileged account changes, SID-History-related changes, and administrative process execution.
Analyst notes and limits

ATT&CK associates T1134 with Windows, privilege escalation, and stealth. The relationship set shows use by several groups, campaigns, and software families, including ransomware and post-exploitation frameworks, which supports treating this as a broadly relevant defensive behavior. That context should inform threat modeling, but it should not be interpreted as proof of current activity in any specific environment.

MITRE does not provide official detection guidance for this object. Specific detection logic, event IDs, and tool coverage must be validated against the local Windows logging configuration, endpoint telemetry, Active Directory auditing, and administrative workflows. The supplied data supports Windows only for this technique.

Official MITRE ATT&CK definition

Access Token Manipulation

Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.

An adversary can use built-in Windows API functions to copy access tokens from existing processes; this is known as token stealing. These token can then be applied to an existing process (i.e. Token Impersonation/Theft) or used to spawn a new process (i.e. Create Process with Token). An adversary must already be in a privileged user context (i.e. administrator) to steal a token. However, adversaries commonly use token stealing to elevate their security context from the administrator level to the SYSTEM level. An adversary can then use a token to authenticate to a remote system as the account for that token if the account has appropriate permissions on the remote system.[1]

Any standard user can use the runas command, and the Windows API functions, to create impersonation tokens; it does not require access to an administrator account. There are also other mechanisms, such as Active Directory fields, that can be used to modify access tokens.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

5 rows
Domain ID Name Relationship / procedure
Enterprise T1134.001 Token Impersonation/Theft Sub-technique Token Impersonation/Theft subtechnique of this object.
Enterprise T1134.004 Parent PID Spoofing Sub-technique Parent PID Spoofing subtechnique of this object.
Enterprise T1134.005 SID-History Injection Sub-technique SID-History Injection subtechnique of this object.
Enterprise T1134.002 Create Process with Token Sub-technique Create Process with Token subtechnique of this object.
Enterprise T1134.003 Make and Impersonate Token Sub-technique Make and Impersonate Token subtechnique of this object.
Associated objects

Groups, software, and campaigns

Group Enterprise

G0037: FIN6

FIN6 is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors.[1][2]

Group Enterprise

G0108: Blue Mockingbird

Blue Mockingbird is a cluster of observed activity involving Monero cryptocurrency-mining payloads in dynamic-link library (DLL) form on Windows systems. The earliest observed Blue Mockingbird tools were created in December 2019.[1]

Malware Enterprise

S1242: Qilin

Qilin is a ransomware family operated as a ransomware-as-a-service (RaaS) that has been active since at least 2022. It includes variants written in Go and Rust capable of targeting Windows, Linux, and VMware ESXi environments. Qilin shares functionality overlaps with Black Basta, REvil, and BlackCat ransomware. Qilin affiliates have targeted multiple entities worldwide with the majority of victims in the US, France, Canada, and the UK, primarily in the manufacturing, technology, financial services, and healthcare sectors.[1][2][3][4][5]

ESXiWindowsLinux
Malware Enterprise

S0697: HermeticWiper

HermeticWiper is a data wiper that has been used since at least early 2022, primarily against Ukraine with additional activity observed in Latvia and Lithuania. Some sectors targeted include government, financial, defense, aviation, and IT services.[1][2][3][4][5]

Windows
Tool Enterprise

S0194: PowerSploit

PowerSploit is an open source, offensive security framework comprised of PowerShell modules and scripts that perform a wide range of tasks related to penetration testing such as code execution, persistence, bypassing anti-virus, recon, and exfiltration. [1] [2] [3]

Windows
Tool Enterprise

S0633: Sliver

Sliver is an open source, cross-platform, red team command and control (C2) framework written in Golang. Sliver includes its own package manager, "armory," for staging and downloading additional tools and payloads to the primary C2 framework.[1][2]

WindowsLinuxmacOS
Malware Enterprise

S0038: Duqu

Duqu is a malware platform that uses a modular approach to extend functionality after deployment within a target network. [1]

Windows
Tool Enterprise

S0363: Empire

Empire is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents are written in pure PowerShell for Windows and Python for Linux/macOS. Empire was one of five tools singled out by a joint report on public hacking tools being widely used by adversaries.[1][2][3]

LinuxmacOSWindows
Malware Enterprise

S0666: Gelsemium

Gelsemium is a modular malware comprised of a dropper (Gelsemine), a loader (Gelsenicine), and main (Gelsevirine) plug-ins written using the Microsoft Foundation Class (MFC) framework. Gelsemium has been used by the Gelsemium group since at least 2014.[1]

Windows
Malware Enterprise

S0625: Cuba

Cuba is a Windows-based ransomware family that has been used against financial institutions, technology, and logistics organizations in North and South America as well as Europe since at least December 2019.[1]

Windows
Campaign Enterprise

C0017: C0017

C0017 was an APT41 campaign conducted between May 2021 and February 2022 that successfully compromised at least six U.S. state government networks through the exploitation of vulnerable Internet facing web applications. During C0017, APT41 was quick to adapt and use publicly-disclosed as well as zero-day vulnerabilities for initial access, and in at least two cases re-compromised victims following remediation efforts. The goals of C0017 are unknown, however APT41 was observed exfiltrating Personal Identifiable Information (PII).[1]

Relationship explorer

All related ATT&CK context

uses · Malware S1242: Qilin Enterprise uses · Malware S0697: HermeticWiper Enterprise uses · Malware S0562: SUNSPOT Enterprise mitigates · Mitigation M1018: User Account Management Enterprise uses · Group G0030: Lotus Blossom Enterprise uses · Tool S0194: PowerSploit Enterprise uses · Malware S0622: AppleSeed Enterprise uses · Tool S0633: Sliver Enterprise subtechnique of · Technique T1134.001: Token Impersonation/Theft Enterprise uses · Group G0037: FIN6 Enterprise subtechnique of · Technique T1134.004: Parent PID Spoofing Enterprise uses · Group G0108: Blue Mockingbird Enterprise uses · Malware S1210: Sagerunex Enterprise subtechnique of · Technique T1134.005: SID-History Injection Enterprise uses · Malware S0058: SslMM Enterprise uses · Malware S0038: Duqu Enterprise uses · Tool S0363: Empire Enterprise subtechnique of · Technique T1134.002: Create Process with Token Enterprise mitigates · Mitigation M1026: Privileged Account Management Enterprise uses · Malware S0666: Gelsemium Enterprise uses · Malware S0625: Cuba Enterprise uses · Malware S1060: Mafalda Enterprise uses · Campaign C0017: C0017 Enterprise subtechnique of · Technique T1134.003: Make and Impersonate Token Enterprise
Mitigations

Mitigation direction

Mitigation Enterprise

M1018: User Account Management

User Account Management involves implementing and enforcing policies for the lifecycle of user accounts, including creation, modification, and deactivation. Proper account management reduces the attack surface by limiting unauthorized access, managing account privileges, and ensuring accounts are used according to organizational policies. This mitigation can be implemented through the following measures:

Enforcing the Principle of Least Privilege

- Implementation: Assign users only the minimum permissions required to perform their job functions. Regularly audit accounts to ensure no excess permissions are granted. - Use Case: Reduces the risk of privilege escalation by ensuring accounts cannot perform unauthorized actions.

Implementing Strong Password Policies

- Implementation: Enforce password complexity requirements (e.g., length, character types). Require password expiration every 90 days and disallow password reuse. - Use Case: Prevents adversaries from gaining unauthorized access through password guessing or brute force attacks.

Managing Dormant and Orphaned Accounts

- Implementation: Implement automated workflows to disable accounts after a set period of inactivity (e.g., 30 days). Remove orphaned accounts (e.g., accounts without an assigned owner) during regular account audits. - Use Case: Eliminates dormant accounts that could be exploited by attackers.

Account Lockout Policies

- Implementation: Configure account lockout thresholds (e.g., lock accounts after five failed login attempts). Set lockout durations to a minimum of 15 minutes. - Use Case: Mitigates automated attack techniques that rely on repeated login attempts.

Multi-Factor Authentication (MFA) for High-Risk Accounts

- Implementation: Require MFA for all administrative accounts and high-risk users. Use MFA mechanisms like hardware tokens, authenticator apps, or biometrics. - Use Case: Prevents unauthorized access, even if credentials are stolen.

Restricting Interactive Logins

- Implementation: Restrict interactive logins for privileged accounts to specific secure systems or management consoles. Use group policies to enforce logon restrictions. - Use Case: Protects sensitive accounts from misuse or exploitation.

*Tools for Implementation*

Built-in Tools:

- Microsoft Active Directory (AD): Centralized account management and RBAC enforcement. - Group Policy Object (GPO): Enforce password policies, logon restrictions, and account lockout policies.

Identity and Access Management (IAM) Tools:

- Okta: Centralized user provisioning, MFA, and SSO integration. - Microsoft Azure Active Directory: Provides advanced account lifecycle management, role-based access, and conditional access policies.

Privileged Account Management (PAM): - CyberArk, BeyondTrust, Thycotic: Manage and monitor privileged account usage, enforce session recording, and JIT access.

Mitigation Enterprise

M1026: Privileged Account Management

Privileged Account Management focuses on implementing policies, controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root, or administrative accounts). This includes restricting access, limiting the scope of permissions, monitoring privileged account usage, and ensuring accountability through logging and auditing.This mitigation can be implemented through the following measures:

Account Permissions and Roles:

- Implement RBAC and least privilege principles to allocate permissions securely. - Use tools like Active Directory Group Policies to enforce access restrictions.

Credential Security:

- Deploy password vaulting tools like CyberArk, HashiCorp Vault, or KeePass for secure storage and rotation of credentials. - Enforce password policies for complexity, uniqueness, and expiration using tools like Microsoft Group Policy Objects (GPO).

Multi-Factor Authentication (MFA):

- Enforce MFA for all privileged accounts using Duo Security, Okta, or Microsoft Azure AD MFA.

Privileged Access Management (PAM):

- Use PAM solutions like CyberArk, BeyondTrust, or Thycotic to manage, monitor, and audit privileged access.

Auditing and Monitoring:

- Integrate activity monitoring into your SIEM (e.g., Splunk or QRadar) to detect and alert on anomalous privileged account usage.

Just-In-Time Access:

- Deploy JIT solutions like Azure Privileged Identity Management (PIM) or configure ephemeral roles in AWS and GCP to grant time-limited elevated permissions.

*Tools for Implementation*

Privileged Access Management (PAM):

- CyberArk, BeyondTrust, Thycotic, HashiCorp Vault.

Credential Management:

- Microsoft LAPS (Local Admin Password Solution), Password Safe, HashiCorp Vault, KeePass.

Multi-Factor Authentication:

- Duo Security, Okta, Microsoft Azure MFA, Google Authenticator.

Linux Privilege Management:

- sudo configuration, SELinux, AppArmor.

Just-In-Time Access:

- Azure Privileged Identity Management (PIM), AWS IAM Roles with session constraints, GCP Identity-Aware Proxy.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
3.0
Created
Modified
Raw hash
83a295d2f847ebb8...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 3.0 Current bundle 83a295d2f847…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    Pentestlab Token Manipulation

    netbiosX. (2017, April 3). Token Manipulation. Retrieved April 21, 2017.

    Open source URL
  2. [2]
    mitre-attack T1134
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use