This note documents detection patterns for access token abuse (token theft, impersonation and duplication) in Windows environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4672 | Special privileges assigned to new logon | Critical | Logged at logon time when the session's token carries sensitive privileges (SeDebug, SeImpersonate, SeAssignPrimaryToken and others). Fires for every admin and service logon, so filter on account, host and PrivilegeList. |
| Security | 4688 | Process creation | Critical | Detects token abuse tooling and spawned elevated processes; enable command-line logging, and use Token Elevation Type and Mandatory Label to see what token the child received. |
| Sysmon | 1 | Process creation | Critical | Best lineage source for token manipulation chains (ParentImage, User, IntegrityLevel). |
| Security | 4648 | Logon using explicit credentials | High | Often adjacent to token abuse workflows (runas-style launches with alternate credentials). |
| Sysmon | 10 | Process access | High | Handle opened on lsass, winlogon or services with query or duplicate rights before the token is stolen. |
| Security | 4624 | Successful logon | High | Logon Type and Logon ID tie the 4672 and the child processes to one session. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Non-admin spawns admin process | Child integrity level higher than the parent's without a UAC consent or a service start to explain it | Critical | Strong token abuse clue. |
| SeImpersonate present before escalation | 4672 with SeImpersonatePrivilege for a service or application account (IIS, SQL) that then spawns unusual children | Critical | Potato-style precondition; very common privesc chain. |
| Sensitive process accessed | Sysmon 10 against lsass, winlogon or services from a source image that is not a known security or system component | Critical | Token theft from a SYSTEM process; high-value indicator. |
| Duplicate elevated shells | cmd / powershell running as SYSTEM with a non-service parent | Critical | Common outcome. |
| Short-lived elevated process | Elevated process that exits within seconds after spawning a child | High | Fast abuse then cleanup; operator behavior. |
| Service token followed by shell | Shell whose token was inherited from a service process (SYSTEM) | High | Common pattern. |
Common Tools
| Tool | Usage |
|---|---|
| mimikatz | Token impersonation (token::elevate) |
| incognito | Token listing and stealing (list_tokens, impersonate_token) |
| PowerShell | Token duplication helpers (Invoke-TokenManipulation) |
| potato family | SeImpersonate exploitation via forced SYSTEM authentication to an attacker-controlled named pipe |
Relevant Artifacts
- Security Event IDs 4672, 4688, 4648, 4624
- Sysmon Event IDs 1, 10
- Process integrity levels (Sysmon 1 IntegrityLevel, 4688 Mandatory Label)
- Token privilege fields (4672 PrivilegeList, 4688 Token Elevation Type)
- EDR token lineage
- Prefetch for abuse tooling
MITRE ATT&CK References
- T1134 Access Token Manipulation
- T1134.001 Token Impersonation/Theft
- T1134.002 Create Process with Token
- T1134.003 Make and Impersonate Token
Decision Tree
- Which account/session?
  - User
  - Service
  - SYSTEM source
- Which privilege present?
  - SeImpersonate
  - SeAssignPrimaryToken
  - SeDebug
- Elevated child appears?
  - cmd
  - powershell
  - service action
- Sensitive process touched?
  - lsass
  - winlogon
  - services
- Expand:
  - Adjacent privesc
  - Named pipes
  - Service abuse
- Scope:
  - Single escalation
  - Repeated abuse
  - Toolkit chain
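The indirect indicators and the decision tree above, run as one pass over sample events. This is an added example, not code from the original note: the events are constructed dicts whose field names mirror the real event fields (4672 PrivilegeList, Sysmon 1 IntegrityLevel and ParentProcessId, Sysmon 10 SourceImage, TargetImage and GrantedAccess), but the dict layout, the host and user names, the tool paths and the allow-list of processes expected to open lsass are assumptions made for the demo.

```python
"""Token-abuse triage over Windows Security and Sysmon events.

Added example for this note, not code from the original page. It runs the
indirect indicators and the decision tree over a list of events. Events are
constructed dicts; field names mirror the real event fields, but the dict
layout, hosts, users and tool paths are assumptions made for the demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Decision tree, "Which privilege present?": privileges that enable token manipulation.
TOKEN_PRIVS = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege", "SeDebugPrivilege"}
# Decision tree, "Sensitive process touched?": the usual token-theft targets.
SENSITIVE = {"lsass.exe", "winlogon.exe", "services.exe"}
# Source images expected to open those targets (assumed tuning list, adjust per estate).
ALLOWED_ACCESSORS = {"msmpeng.exe", "csrss.exe", "wmiprvse.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
INTEGRITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "System": 3}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_system(user):
    return user.upper() in ("SYSTEM", "NT AUTHORITY\\SYSTEM")


def collect_hits(host_events):
    """Turn one host's time-ordered events into (time, indicator, detail) hits."""
    integrity = {}  # pid -> IntegrityLevel seen at process start (Sysmon 1)
    hits = []
    for e in host_events:
        key = (e["source"], e["event_id"])
        if key == ("Security", 4672):
            privs = set(e["privilege_list"]) & TOKEN_PRIVS
            if privs and not is_system(e["user"]):
                hits.append((e["time"], "priv_present", f"{e['user']}: {','.join(sorted(privs))}"))
        elif key == ("Sysmon", 1):
            integrity[e["pid"]] = e["integrity"]
            parent = integrity.get(e["ppid"])
            # "Non-admin spawns admin process": child integrity above the parent's.
            if parent and INTEGRITY_RANK[e["integrity"]] > INTEGRITY_RANK[parent]:
                hits.append((e["time"], "privilege_jump",
                             f"{basename(e['parent_image'])}({parent}) -> {basename(e['image'])}({e['integrity']})"))
            # "Duplicate elevated shells": cmd/powershell running as SYSTEM.
            if basename(e["image"]) in SHELLS and is_system(e["user"]):
                hits.append((e["time"], "elevated_shell", f"{basename(e['image'])} as {e['user']}"))
        elif key == ("Sysmon", 10):
            src, tgt = basename(e["source_image"]), basename(e["target_image"])
            if tgt in SENSITIVE and src not in ALLOWED_ACCESSORS:
                hits.append((e["time"], "sensitive_access", f"{src} -> {tgt} 0x{e['granted_access']:X}"))
    return hits


def classify(hits, maxspan):
    """Decision tree "Scope": how much of the chain appears inside one maxspan window."""
    best = max((len({k for t, k, _ in hits if t0 <= t <= t0 + maxspan}) for t0, _, _ in hits), default=0)
    escalations = {t for t, k, _ in hits if k in ("privilege_jump", "elevated_shell")}
    if best >= 3:
        return "toolkit chain"
    if len(escalations) > 1:
        return "repeated abuse"
    if escalations:
        return "single escalation"
    return "precondition only" if hits else "none"


def triage(events, maxspan=timedelta(minutes=5)):
    """Return {host: {"hits": [...], "scope": ...}} for every host in the input."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_host[e["host"]].append(e)
    result = {}
    for host, evs in by_host.items():
        hits = collect_hits(evs)
        result[host] = {"hits": hits, "scope": classify(hits, maxspan)}
    return result


def ev(host, source, event_id, hhmmss, **fields):
    """Build one constructed event record for the demo."""
    fields.update(host=host, source=source, event_id=event_id,
                  time=datetime.fromisoformat("2026-03-07T" + hhmmss))
    return fields


SAMPLE_EVENTS = [  # constructed sample data, not real telemetry
    # WS01: Potato-style chain. A service account holding SeImpersonate runs a tool
    # (assumed path) that ends in cmd.exe as SYSTEM under a High-integrity parent.
    ev("WS01", "Security", 4672, "10:00:00", user="CORP\\svc_web",
       privilege_list=["SeImpersonatePrivilege", "SeChangeNotifyPrivilege"]),
    ev("WS01", "Sysmon", 1, "10:00:05", pid=4000, ppid=900, user="CORP\\svc_web", integrity="High",
       image="C:\\Windows\\System32\\inetsrv\\w3wp.exe", parent_image="C:\\Windows\\System32\\svchost.exe"),
    ev("WS01", "Sysmon", 1, "10:01:10", pid=5100, ppid=4000, user="CORP\\svc_web", integrity="High",
       image="C:\\inetpub\\temp\\potato.exe", parent_image="C:\\Windows\\System32\\inetsrv\\w3wp.exe"),
    ev("WS01", "Sysmon", 1, "10:01:12", pid=5120, ppid=5100, user="NT AUTHORITY\\SYSTEM", integrity="System",
       image="C:\\Windows\\System32\\cmd.exe", parent_image="C:\\inetpub\\temp\\potato.exe"),
    # SRV02: a SeDebug holder opens lsass, then a SYSTEM shell appears (token theft).
    ev("SRV02", "Security", 4672, "11:30:00", user="CORP\\jdoe", privilege_list=["SeDebugPrivilege"]),
    ev("SRV02", "Sysmon", 1, "11:30:20", pid=6000, ppid=3000, user="CORP\\jdoe", integrity="High",
       image="C:\\Users\\jdoe\\Desktop\\m.exe", parent_image="C:\\Windows\\explorer.exe"),
    ev("SRV02", "Sysmon", 10, "11:30:21", source_image="C:\\Users\\jdoe\\Desktop\\m.exe",
       target_image="C:\\Windows\\System32\\lsass.exe", granted_access=0x1400),
    ev("SRV02", "Sysmon", 1, "11:30:25", pid=6010, ppid=6000, user="NT AUTHORITY\\SYSTEM", integrity="System",
       image="C:\\Windows\\System32\\cmd.exe", parent_image="C:\\Users\\jdoe\\Desktop\\m.exe"),
    # WS03: admin logon (4672 with SeDebug) then a UAC-elevated cmd.exe: one integrity
    # jump and no SYSTEM shell, so it is reported as a single escalation to verify.
    ev("WS03", "Security", 4672, "09:00:00", user="CORP\\admin1", privilege_list=["SeDebugPrivilege"]),
    ev("WS03", "Sysmon", 1, "09:00:02", pid=2000, ppid=700, user="CORP\\admin1", integrity="Medium",
       image="C:\\Windows\\explorer.exe", parent_image="C:\\Windows\\System32\\userinit.exe"),
    ev("WS03", "Sysmon", 1, "09:04:00", pid=2100, ppid=2000, user="CORP\\admin1", integrity="High",
       image="C:\\Windows\\System32\\cmd.exe", parent_image="C:\\Windows\\explorer.exe"),
]

if __name__ == "__main__":
    for host, finding in triage(SAMPLE_EVENTS).items():
        print(host, finding["scope"], [f"{k}: {d}" for _, k, d in finding["hits"]])
```

WS01 and SRV02 come out as "toolkit chain" because three or more distinct indicators land inside one five-minute window; WS03 stays at "single escalation" because a UAC consent elevation is also an integrity jump, which is why the 4688 Token Elevation Type or the UAC consent events should be checked before calling it abuse. The privilege-jump check only fires when the parent's start event was seen, so feed the script a window that begins before the suspect session, not just the minutes around the alert.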
Example Detection Templates
KQL

```kql
// 4672 for interactive/service users only; computer accounts and SYSTEM logons are constant noise
SecurityEvent
| where EventID == 4672
| where AccountType == "User"
| where Account !endswith "$"
| where PrivilegeList has_any ("SeDebugPrivilege", "SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege")
| project TimeGenerated, Computer, Account, SubjectLogonId, PrivilegeList
```

```kql
// Sysmon 10: handles opened on the usual token-theft targets (table name as used in this note's environment)
Sysmon
| where EventID == 10
| where TargetImage endswith "\\lsass.exe" or TargetImage endswith "\\winlogon.exe" or TargetImage endswith "\\services.exe"
| project TimeGenerated, Computer, SourceImage, TargetImage, GrantedAccess
```
EQL

```eql
any where event.code == "4672" and not user.name : "*$"
```

```eql
sequence by host.name with maxspan=5m
  [ any where event.code == "4672" and not user.name : "*$" ]
  [ process where event.type == "start" and process.name in ("cmd.exe", "powershell.exe") ]
```
Sigma

```yaml
title: Token Abuse Detection
id: 1c5e7a20-token-abuse
status: experimental
description: Detects logons that receive token-manipulation privileges (SeDebug, SeImpersonate, SeAssignPrimaryToken) for accounts other than SYSTEM and computer accounts
references:
  - https://attack.mitre.org/techniques/T1134/
author: Vergil
date: 2026-03-07
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4672
    PrivilegeList|contains:
      - SeDebugPrivilege
      - SeImpersonatePrivilege
      - SeAssignPrimaryTokenPrivilege
  filter_system:
    SubjectUserSid: 'S-1-5-18'
  filter_machine:
    SubjectUserName|endswith: '$'
  condition: selection and not 1 of filter_*
fields:
  - SubjectUserName
  - SubjectLogonId
  - PrivilegeList
falsepositives:
  - Legitimate admin sessions
level: high
tags:
  - attack.privilege_escalation
  - attack.t1134
```
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Alert on unexpected 4672 | Baseline which accounts receive SeDebug/SeImpersonate on each host class; alert on new holders and on workstations where no admin or service logon is expected | Critical | Strong signal once SYSTEM and computer-account logons are filtered out |
| Restrict SeImpersonate | Do not grant SeImpersonate or SeAssignPrimaryToken beyond the Windows defaults; where a service genuinely needs it, isolate that service and treat code execution there as SYSTEM-equivalent | Critical | Key hardening; removes the Potato precondition |
| Process access monitoring | Sysmon 10 on lsass, winlogon and services with an allow-list of expected source images | High | Strong precursor to token theft |
| Integrity tracking | Compare parent and child integrity levels (Sysmon 1 IntegrityLevel) to spot Medium or High to System jumps | High | Valuable enrichment |
| EDR lineage | Track which process's token a child inherited, not only which process spawned it | Critical | Best operational visibility |
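The "Restrict SeImpersonate" control needs an inventory of who holds the three token privileges on each host. The following is an added example, not code from this note: it parses the `[Privilege Rights]` section that `secedit /export /cfg <file> /areas USER_RIGHTS` writes and reports holders beyond the documented Windows defaults. The INF text embedded below is constructed (the `S-1-5-21-1111-2222-3333-1105` SID and `CORP\helpdesk` are placeholders); the default-holder SIDs are the out-of-box assignments, and the baseline is a dict you adjust per role (IIS, for example, adds IIS_IUSRS, `S-1-5-32-568`, to SeImpersonatePrivilege).

```python
"""Audit which principals hold the token-abuse privileges on a host.

Added example, not part of the original note. Parses the [Privilege Rights]
section of a `secedit /export` INF and flags holders beyond the documented
Windows defaults. SAMPLE_INF is constructed; the placeholder domain SID and
CORP\\helpdesk are not real principals.
"""

# Out-of-box holders: Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE.
DEFAULT_HOLDERS = {
    "SeImpersonatePrivilege": {"S-1-5-32-544", "S-1-5-19", "S-1-5-20", "S-1-5-6"},
    "SeAssignPrimaryTokenPrivilege": {"S-1-5-19", "S-1-5-20"},
    "SeDebugPrivilege": {"S-1-5-32-544"},
}


def parse_privilege_rights(inf_text):
    """Return {privilege: set(holders)} from the [Privilege Rights] section.

    secedit writes SIDs with a leading '*' and may write resolved account
    names without one; both forms are normalised to the bare string."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {h.strip().lstrip("*") for h in value.split(",") if h.strip()}
    return rights


def audit(inf_text, baseline=DEFAULT_HOLDERS):
    """Return {privilege: sorted holders outside the baseline} for the privileges in baseline.

    secedit omits privileges nobody holds, so a missing key means no holders."""
    rights = parse_privilege_rights(inf_text)
    findings = {}
    for priv, allowed in baseline.items():
        extra = rights.get(priv, set()) - allowed
        if extra:
            findings[priv] = sorted(extra)
    return findings


def load_export(path):
    """Read a real export; secedit writes the INF as UTF-16."""
    with open(path, encoding="utf-16") as fh:
        return fh.read()


# Constructed sample export: a domain account (placeholder SID) was granted both
# Potato prerequisites and a helpdesk group was handed SeDebug.
SAMPLE_INF = """[Unicode]
Unicode=yes
[Privilege Rights]
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-21-1111-2222-3333-1105
SeDebugPrivilege = *S-1-5-32-544,CORP\\helpdesk
SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-19,*S-1-5-20,*S-1-5-6,*S-1-5-21-1111-2222-3333-1105
SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545
[Version]
signature="$CHICAGO$"
Revision=1
"""

if __name__ == "__main__":
    for priv, holders in audit(SAMPLE_INF).items():
        print(f"{priv}: unexpected holders {holders}")
```

Run it against `load_export(r"C:\Temp\ur.inf")` after `secedit /export /cfg C:\Temp\ur.inf /areas USER_RIGHTS` on the host. An extra holder of SeImpersonatePrivilege that also runs attacker-reachable code (a web application pool, a database service) is exactly the precondition flagged in the indirect indicators, and the remediation is a User Rights Assignment change through GPO rather than a detection rule.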