T1134: Access Token Manipulation

Windows uses access tokens to determine the ownership and privileges of running processes. When a user logs in, the system creates an access token containing the user's security identifier (SID), group memberships, and assigned privileges. Every process started by that user inherits a copy of this token. T1134 covers any technique that modifies, steals, creates, or manipulates these tokens to operate under a different security context — enabling privilege escalation, lateral movement, and evasion of security controls that rely on process identity.

Sub-Techniques

T1134.001: Token Impersonation/Theft

The adversary uses Windows API functions (DuplicateTokenEx, ImpersonateLoggedOnUser, SetThreadToken) to copy an access token from an existing process and apply it to their own process or thread. This requires SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege — privileges commonly held by service accounts (IIS, SQL Server, MSSQL), local administrators, and accounts running as NETWORK SERVICE or LOCAL SERVICE. The Potato exploit family is the industrialized form of this sub-technique: JuicyPotato (Windows < 1809), PrintSpoofer (abuses the Print Spooler service), RoguePotato (OXID resolver redirection), GodPotato (RPC dispatch table hooking, works across Windows 8 through 11 and Server 2012–2022), and SigmaPotato (2024–2025 fork with .NET reflection and extended OS support) all exploit DCOM or RPC mechanisms to coerce a SYSTEM-level process into authenticating to an attacker-controlled named pipe, then steal the resulting SYSTEM token. Cobalt Strike's steal_token command, Metasploit's incognito module, and Sliver's token manipulation capabilities all implement T1134.001.

T1134.002: Create Process with Token

Instead of impersonating a token within an existing process, the adversary creates a new process that runs under a stolen or crafted token using CreateProcessWithTokenW or CreateProcessAsUserA. The runas command with the /netonly flag creates a process with alternate credentials for network authentication. This is the standard method used by Potato exploits to spawn a SYSTEM shell: after obtaining a SYSTEM token through impersonation, the exploit calls CreateProcessWithTokenW to launch cmd.exe or a reverse shell under the SYSTEM identity. Qilin ransomware specifically uses this approach — bypassing standard user access controls by launching encryption processes at an elevated security context using stolen tokens.

T1134.003: Make and Impersonate Token

The adversary uses LogonUser or DuplicateTokenEx to create a new token based on stolen credentials (username/password or hash) and then impersonates it. This creates a new logon session (Logon Type 9 / NewCredentials) that appears in Windows Security logs as Event ID 4624. The runas /netonly command is a legitimate tool that performs this same operation. Adversaries use this sub-technique when they have obtained credentials but need to create a security context for those credentials without triggering an interactive logon on the target system. Cobalt Strike's make_token and PowerShell Empire's Invoke-TokenManipulation are common implementations.

T1134.004: Parent PID Spoofing

The adversary creates a new process with a spoofed parent process ID, making the child process appear to have been spawned by a different (legitimate) parent. This is accomplished using CreateProcess with the PROC_THREAD_ATTRIBUTE_PARENT_PROCESS attribute set to the handle of a target parent process. The result is that security tools relying on parent-child process relationship analysis attribute the malicious process to a trusted parent (e.g., making a PowerShell process appear to be a child of svchost.exe or explorer.exe). This directly undermines detection rules based on suspicious parent-child chains. The child process also inherits the security token of the spoofed parent, providing an additional privilege escalation vector. Adversaries commonly target high-privilege parent processes to gain elevated access while simultaneously evading behavioral detection.

T1134.005: SID-History Injection

When Active Directory accounts are migrated between domains, Windows preserves the old SID in the SIDHistory attribute so that the migrated account retains access to resources in the source domain. Adversaries abuse this by injecting arbitrary SIDs into the SIDHistory of a compromised account — for example, injecting the SID of the Domain Admins group. Because Windows access checks evaluate SIDHistory alongside primary group memberships, the compromised account gains all permissions associated with the injected SID. Tools like Mimikatz (sid::patch + sid::add) and Empire implement this technique. SID-History injection is particularly dangerous because it does not modify visible group memberships — the compromised account does not appear as a member of Domain Admins in standard directory queries, making the escalation difficult to detect through normal auditing.

How Token Manipulation Works

The Potato Exploit Family

The Potato exploits represent the dominant real-world implementation of T1134.001 and T1134.002 in 2024–2025. All Potato exploits share the same core mechanism: they coerce a SYSTEM-level Windows service into authenticating to an attacker-controlled endpoint (named pipe, DCOM, or RPC), capture the resulting SYSTEM token, and use it to spawn a new process. The evolution of the family tracks Microsoft's mitigation efforts. JuicyPotato (2018) abused DCOM CLSID activation and worked up to Windows 10 1803 / Server 2016. PrintSpoofer (2020) abused the Print Spooler service for Windows 10 1809+ / Server 2019, using a named pipe impersonation technique. RoguePotato (2020) redirected OXID resolution to a remote server for environments where JuicyPotato was patched. GodPotato (2023) hooks the RPC dispatch table in combase.dll to redirect DCOM activator traffic to an attacker-controlled pipe, working across Windows 8–11 and Server 2012–2022. SigmaPotato (2024–2025), a GodPotato fork, adds in-memory .NET reflection execution and extended OS support. CoercedPotato (2023) enhances PrintSpoofer with new RPC call exploits. The common prerequisite is SeImpersonatePrivilege, which is present on IIS application pool accounts, SQL Server service accounts, and any context running as NETWORK SERVICE or LOCAL SERVICE.

Token Theft via C2 Frameworks

C2 frameworks provide operator-friendly token manipulation commands. In Cobalt Strike, steal_token [PID] duplicates the token from a target process and applies it to the current beacon session. rev2self reverts to the original token. make_token [DOMAIN\user] [password] creates a new Logon Type 9 session with provided credentials. In Metasploit, the incognito module lists available tokens on the system and allows the operator to impersonate any of them. In Sliver, similar token manipulation capabilities are built into the implant. These commands abstract the underlying Windows API calls (OpenProcessToken, DuplicateTokenEx, ImpersonateLoggedOnUser) into single-step operations that any ransomware affiliate can execute.

AdjustTokenPrivileges for Destructive Operations

Beyond identity impersonation, adversaries use AdjustTokenPrivileges to enable specific privileges on their current token. SUNSPOT, the implant used in the SolarWinds build compromise, modified its security token to grant itself SeDebugPrivilege — the privilege required to access the memory of other processes, which it used to monitor the MsBuild.exe process for SolarWinds Orion compilation. HermeticWiper, the destructive malware deployed against Ukrainian targets in February 2022, used AdjustTokenPrivileges to enable SeBackupPrivilege and SeLoadDriverPrivilege — the privileges needed to access raw disk volumes and load the driver used to corrupt the filesystem. AppleSeed, the backdoor used by the Kimsuky group, passes itself SeDebugPrivilege to gain system-level access.

Why Access Token Manipulation Matters

Service-Account-to-SYSTEM Escalation

Web shells on IIS servers, SQL injection on database servers, and compromised application services all typically provide execution as a service account with SeImpersonatePrivilege. The Potato exploit family converts this service-account access into SYSTEM access in a single command. This is the privilege escalation path that connects initial web application compromise to full system control, and it applies to the majority of Windows server workloads that run services under service accounts.

Evasion of Process Monitoring

Parent PID spoofing directly undermines one of the most effective EDR detection strategies: parent-child process relationship analysis. Detection rules that alert on "PowerShell spawned by Word" or "cmd.exe spawned by wmiprvse.exe" become unreliable when the adversary can make any process appear to be the child of any other process. Similarly, token theft allows an adversary to operate under the identity of a legitimate user or service, making their activity indistinguishable from normal operations in process logs.

Persistence Without Credential Knowledge

Token manipulation enables adversaries to operate as other users without knowing their passwords. By stealing a token from a running process, the adversary inherits that user's permissions for as long as the stolen token remains valid. SID-History injection provides persistent elevated access that survives password changes — because the injected SID is an attribute of the account object, not a function of the current authentication session.

Real-World Case Studies

Case 1: Qilin Ransomware — Token-Based Privilege Escalation (2024–2025)

Qilin, which became one of the dominant ransomware groups by mid-2025 after absorbing displaced LockBit and RansomHub affiliates, uses stolen access tokens to bypass standard user access controls and launch processes at elevated security contexts. MITRE ATT&CK specifically documents Qilin using T1134 — the ransomware steals tokens from high-privilege processes to execute its encryption payload with SYSTEM permissions, ensuring it can access and encrypt files across all user profiles and system directories. In the July 2024 attack documented by Sophos, Qilin affiliates compromised a VPN portal without MFA, waited 18 days, then deployed a GPO-based attack that harvested Chrome credentials and deployed the ransomware — with token manipulation enabling the privilege elevation needed for domain-wide GPO deployment.

Case 2: SUNSPOT — Token Privilege Escalation in the SolarWinds Build Process (2020–2021)

SUNSPOT, the implant that the SolarWinds attackers (APT29/Cozy Bear) planted in the Orion build environment, used AdjustTokenPrivileges to grant itself SeDebugPrivilege. This privilege was essential: SUNSPOT needed to monitor the MsBuild.exe process to detect when the Orion software was being compiled, then inject the SUNBURST backdoor into the build output. Without debugging privileges, SUNSPOT could not access the memory of other processes to detect the compilation event. The token manipulation was a quiet, surgical operation — no new accounts were created, no services were installed, and the privilege adjustment left minimal forensic artifacts in standard logs.

Case 3: HermeticWiper — Token Privileges for Destructive Operations (2022)

HermeticWiper, deployed against Ukrainian organizations on February 23, 2022 (one day before the Russian invasion), used AdjustTokenPrivileges to enable SeBackupPrivilege (for raw disk access) and SeLoadDriverPrivilege (for loading the EaseUS Partition Master driver used to corrupt disk structures). These privilege adjustments were essential for the wiper's destructive functionality — without them, the malware could not bypass filesystem access controls to directly manipulate disk sectors. The token manipulation sequence was one of the first operations the wiper performed after execution.

Case 4: Blue Mockingbird — JuicyPotato for Cryptomining (2020–2024)

Blue Mockingbird, a threat group focused on cryptocurrency mining, used JuicyPotato to escalate from IIS application pool service accounts to SYSTEM on compromised web servers. After exploiting a deserialization vulnerability in Telerik UI for ASP.NET to gain initial code execution as the IIS worker process, Blue Mockingbird deployed JuicyPotato to obtain a SYSTEM token, then used that elevated access to install the XMRIG cryptominer as a persistent Windows service. This attack chain — web vulnerability to service account to JuicyPotato to SYSTEM to persistent cryptominer — demonstrates the Potato family's role as the bridge between web application compromise and full system control.

Case 5: BlackCat/ALPHV — Token Manipulation Across the Kill Chain (2022–2024)

BlackCat (ALPHV) ransomware, written in Rust, incorporated access token manipulation as a standard part of its execution flow. Microsoft Defender Threat Intelligence and Sophos documented the ransomware modifying tokens to operate under elevated security contexts during encryption. BlackCat's Rust codebase directly called Windows API functions for token manipulation, including OpenProcessToken, DuplicateTokenEx, and CreateProcessWithTokenW, to elevate its encryption process to SYSTEM before beginning file encryption. The ransomware's modular architecture allowed affiliates to configure which privilege escalation techniques to use based on the target environment.

Detection Strategies

Data Source	Detection Focus	Key Indicators
Process Creation (Sysmon EID 1)	Potato exploit execution	JuicyPotato.exe, PrintSpoofer.exe, GodPotato*.exe, RoguePotato.exe, SweetPotato.exe, SigmaPotato.exe execution; processes spawned by unusual parent processes (PPID spoofing)
Windows Security (EID 4624)	Token-based logon events	Logon Type 9 (NewCredentials) from unexpected processes; runas /netonly execution; logon events without corresponding interactive sessions
Windows Security (EID 4672)	Special privilege assignment	SeDebugPrivilege, SeImpersonatePrivilege, SeAssignPrimaryTokenPrivilege, SeBackupPrivilege, SeLoadDriverPrivilege assigned to unexpected processes or users
Process Access (Sysmon EID 10)	Token theft from processes	Processes accessing other processes with TOKEN_DUPLICATE, TOKEN_IMPERSONATE, or TOKEN_QUERY access rights; access to lsass.exe, winlogon.exe, or services.exe tokens
Active Directory (EID 4765, 4766)	SID-History modification	SID-History added to or failed to add to an account; unexpected SIDs in SIDHistory attribute; Domain Admin SIDs in non-admin accounts
Command Execution	C2 token commands	Cobalt Strike steal_token/make_token, Mimikatz token::elevate/sid::add, Metasploit incognito load/impersonate_token, runas /netonly patterns
Named Pipe Creation (Sysmon EID 17/18)	Potato exploit pipes	Named pipes created by non-standard processes, especially pipes matching Potato exploit patterns; pipe connections from SYSTEM-level services to non-standard endpoints

Splunk / SIEM Detection Queries

Detect Potato exploit tool execution:

index=sysmon EventCode=1
(OriginalFileName IN ("JuicyPotato*", "PrintSpoofer*", "GodPotato*",
    "RoguePotato*", "SweetPotato*", "SigmaPotato*", "EfsPotato*",
    "CoercedPotato*", "DCOMPotato*", "DeadPotato*")
 OR Image IN ("*JuicyPotato*", "*PrintSpoofer*", "*GodPotato*",
    "*RoguePotato*", "*SweetPotato*", "*SigmaPotato*")
 OR CommandLine IN ("*JuicyPotato*", "*PrintSpoofer*", "*GodPotato*",
    "*-cmd*whoami*", "*-l*1337*-p*cmd.exe*"))
| stats count by Computer, User, Image, CommandLine, ParentImage
| sort -count

Detect NewCredentials logon (Logon Type 9) from unexpected sources:

index=wineventlog EventCode=4624 Logon_Type=9
| eval suspicious=if(match(Process_Name, "(?i)(powershell|cmd|rundll32|mshta|wscript|cscript)"), "YES", "NO")
| where suspicious="YES"
| stats count values(Process_Name) as processes values(Account_Name) as accounts
  by Computer, Source_Network_Address
| sort -count

Detect SeDebugPrivilege assignment to unexpected processes:

index=wineventlog EventCode=4672
Privileges IN ("*SeDebugPrivilege*", "*SeImpersonatePrivilege*",
    "*SeAssignPrimaryTokenPrivilege*", "*SeLoadDriverPrivilege*")
| search NOT Account_Name IN ("SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE")
| search NOT Process_Name IN ("*\\lsass.exe", "*\\services.exe",
    "*\\svchost.exe", "*\\csrss.exe", "*\\MsMpEng.exe")
| stats count values(Privileges) as privs by Computer, Account_Name, Process_Name
| sort -count

Detect parent PID spoofing via unusual parent-child relationships:

index=sysmon EventCode=1
(ParentImage="*\\svchost.exe" AND Image IN ("*\\powershell.exe", "*\\cmd.exe")
    AND ParentCommandLine!="*-k*")
OR (ParentImage="*\\services.exe" AND Image NOT IN ("*\\svchost.exe",
    "*\\msiexec.exe", "*\\MsMpEng.exe", "*\\spoolsv.exe"))
OR (ParentImage="*\\explorer.exe" AND IntegrityLevel="System")
OR (ParentImage="*\\winlogon.exe" AND Image NOT IN ("*\\userinit.exe",
    "*\\dwm.exe", "*\\LogonUI.exe", "*\\fontdrvhost.exe"))
| stats count by Computer, ParentImage, Image, CommandLine, User, IntegrityLevel
| sort -count

Threat Actors and Tools

State-Sponsored Groups

Actor	Token Manipulation Methods	Notable Context
APT29 / Cozy Bear (Russia)	SUNSPOT: AdjustTokenPrivileges for SeDebugPrivilege	SolarWinds supply chain attack; build process monitoring
APT41 (PRC)	Token theft, process token manipulation	Targeting U.S. state governments (Mandiant, March 2022)
Naikon / Lotus Blossom (PRC)	Process token retrieval and adjustment	Southeast Asian government targeting
Billbug / Lotus Panda (PRC)	Token manipulation for persistence	Cert authority and government targeting (Symantec, Nov 2022)
Kimsuky (DPRK)	AppleSeed: SeDebugPrivilege via token adjustment	South Korean government and research targeting
Sandworm (Russia/GRU)	HermeticWiper: SeBackupPrivilege, SeLoadDriverPrivilege	Destructive operations against Ukraine (Feb 2022)

Ransomware and Cybercrime

Group / Malware	Token Methods	Notable Context
Qilin	Stolen tokens for elevated process creation	Top 2025 ransomware; absorbed LockBit/RansomHub affiliates
BlackCat / ALPHV	OpenProcessToken, DuplicateTokenEx, CreateProcessWithTokenW	Rust-based; $22M Change Healthcare payment
Cuba	Token manipulation for privilege escalation	Critical infrastructure targeting
Ryuk	Token impersonation for SYSTEM access	Pioneered "big game hunting" ransomware model
Blue Mockingbird	JuicyPotato from IIS service accounts	Cryptomining; web vuln to SYSTEM via Potato
FIN6	Metasploit named-pipe impersonation	POS and payment card data targeting

Potato Exploit Family

Tool	Year	Mechanism	OS Coverage
JuicyPotato	2018	DCOM CLSID activation + OXID resolver	Windows ≤ 10 1803 / Server 2016
PrintSpoofer	2020	Print Spooler named pipe impersonation	Windows 10 1809+ / Server 2019+
RoguePotato	2020	Remote OXID resolver redirection	Windows 10 1809+ / Server 2019+
GodPotato	2023	RPC dispatch table hooking in combase.dll	Windows 8–11 / Server 2012–2022
SigmaPotato	2024	GodPotato fork with .NET reflection	Extended OS support; in-memory execution
CoercedPotato	2023	Enhanced PrintSpoofer with new RPC calls	Current Windows versions including Server 2022
EfsPotato / SharpEfsPotato	2021	MS-EFSR pipe abuse for token theft	Multiple Windows versions
DeadPotato	2024	GodPotato rework + built-in post-exploitation	Bundled Mimikatz, SharpHound, Defender disable

Defensive Recommendations

• Restrict SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege. These privileges are the prerequisite for all Potato exploits and token impersonation attacks. Review which accounts hold these privileges (check with whoami /priv or Group Policy). Remove SeImpersonatePrivilege from IIS application pool accounts where possible. Configure the "Impersonate a client after authentication" and "Replace a process level token" GPO settings to restrict these privileges to only essential service accounts.
• Monitor Event ID 4672 for unexpected privilege assignments. Event ID 4672 (Special privileges assigned to new logon) logs every time a user logs on with sensitive privileges including SeDebugPrivilege, SeImpersonatePrivilege, and SeBackupPrivilege. Create detection rules that alert on these privilege assignments for non-standard accounts or processes. SYSTEM, LOCAL SERVICE, and NETWORK SERVICE legitimately receive these privileges; other accounts receiving them warrant investigation.
• Detect Logon Type 9 (NewCredentials) from non-interactive processes. Logon Type 9 is generated when runas /netonly or LogonUser with LOGON32_LOGON_NEW_CREDENTIALS is used — the core API for T1134.003 (Make and Impersonate Token). While legitimate for administrative use, Logon Type 9 events from PowerShell, cmd.exe, rundll32.exe, or unknown processes are strong indicators of token manipulation.
• Monitor for parent PID spoofing indicators. Sysmon Event ID 1 records both the reported parent PID and the actual creating process. Compare the ParentProcessId field with the actual process lineage. Alert on processes where the parent image is a high-privilege system process (svchost.exe, services.exe, winlogon.exe) but the child process is an interactive tool (PowerShell, cmd.exe) that would not normally be spawned by that parent, especially when the integrity level is unexpectedly elevated.
• Audit SID-History modifications in Active Directory. Monitor Event IDs 4765 (SID-History added) and 4766 (SID-History add attempt failed). Enable SID Filtering on trust relationships to strip SID-History from authentication tokens crossing domain boundaries. Regularly audit Active Directory accounts for unexpected entries in the SIDHistory attribute, especially SIDs corresponding to privileged groups (Domain Admins, Enterprise Admins).
• Deploy process access monitoring for token theft detection. Use Sysmon Event ID 10 (ProcessAccess) to detect processes accessing other processes with token-related access rights (TOKEN_DUPLICATE: 0x0002, TOKEN_IMPERSONATE: 0x0004). Alert specifically on non-system processes accessing tokens of lsass.exe, winlogon.exe, services.exe, or other SYSTEM-level processes.
• Block known Potato exploit binaries. Use application control policies (WDAC, AppLocker) to block execution of known Potato exploit binaries by their OriginalFileName metadata. Track the LOLDrivers and LOLBAS projects for new Potato variants. Note that attackers rename binaries, so detection based solely on filename is insufficient — use OriginalFileName from the PE header (Sysmon EID 1) for more reliable detection.
• Disable unnecessary services that enable token coercion. The Print Spooler service (targeted by PrintSpoofer) should be disabled on systems that do not require printing, especially domain controllers and servers. Review and restrict DCOM activation permissions. Disable the MS-EFSR service where not needed. Each disabled coercion target eliminates a Potato exploit variant.

MITRE ATT&CK Mapping

Field	Value
Technique ID	T1134
Technique Name	Access Token Manipulation
Tactics	Defense Evasion (TA0005), Privilege Escalation (TA0004)
Sub-techniques	T1134.001 (Token Impersonation/Theft), T1134.002 (Create Process with Token), T1134.003 (Make and Impersonate Token), T1134.004 (Parent PID Spoofing), T1134.005 (SID-History Injection)
Platforms	Windows
Data Sources	Process: Process Creation, Process: Process Access, Process: Process Metadata, Command: Command Execution, User Account: User Account Modification, Active Directory: Active Directory Object Modification
Mitigations	M1018 (User Account Management), M1026 (Privileged Account Management)
Related Techniques	T1078 (Valid Accounts), T1055 (Process Injection), T1068 (Exploitation for Privilege Escalation), T1550 (Use Alternate Authentication Material)
MITRE ATT&CK Reference	attack.mitre.org/techniques/T1134

Sources and References

• MITRE ATT&CK — T1134 Access Token Manipulation: attack.mitre.org
• MITRE ATT&CK — Qilin Ransomware (S1242): attack.mitre.org
• Elastic Blog — How Attackers Abuse Access Token Manipulation (March 2025): elastic.co
• CrowdStrike — SUNSPOT: An Implant in the Build Process (January 2021): crowdstrike.com
• itm4n — PrintSpoofer: Abusing Impersonation Privileges on Windows 10 and Server 2019 (2020): itm4n.github.io
• Jorge Lajara — Potatoes: Windows Privilege Escalation (comprehensive Potato family reference): jlajara.gitlab.io
• HackTricks — RoguePotato, PrintSpoofer, SharpEfsPotato, GodPotato: book.hacktricks.xyz
• Picus Security — Qilin Ransomware: Exposing the TTPs Behind One of the Most Active Campaigns of 2024 (March 2025): picussecurity.com
• Halcyon — Qilin Threat Group Profile (2025): halcyon.ai
• CISA — T1134 Access Token Manipulation (Eviction Strategies): cisa.gov