Detection of suspicious token manipulation chains: use of token-related APIs (e.g., LogonUser, DuplicateTokenEx) or commands (runas) → spawning of a new process under a different security context (e.g., SYSTEM) → mismatched parent-child process lineage or anomalies in Event Tracing for Windows (ETW) token/PPID data → abnormal lateral or privilege escalation activity.

| Data Component | Name | Channel |
|---|---|---|
| Logon Session Metadata (DC0088) | WinEventLog:Security | EventCode=4624, 4672 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Process Access (DC0035) | WinEventLog:Sysmon | EventCode=10 |
| OS API Execution (DC0021) | ETW:Token | token_analysis: API calls such as DuplicateTokenEx or ImpersonateLoggedOnUser |
| Active Directory Object Modification (DC0066) | WinEventLog:DirectoryService | EventCode=5136 |

| Field | Description |
|---|---|
| TimeWindow | Correlation time between suspicious API usage, runas, and process creation (e.g., 5–10m). |
| AllowedServiceAccounts | Whitelist of service accounts permitted to spawn SYSTEM-level processes. |
| KnownAdminTools | Legitimate administrative utilities that trigger token changes. |
| ParentProcessAnomalyThreshold | Deviation threshold for PPID mismatches detected via ETW. |
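The chain above (token API or runas → child spawned as SYSTEM from a non-SYSTEM parent → lineage anomaly), worked through as correlation logic over constructed telemetry. This is an added example, not code from the analytic or from any product; the event dictionaries are hand-built stand-ins for ETW token events and Sysmon EventCode=1 records, the tunable values (TimeWindow, AllowedServiceAccounts, KnownAdminTools) are placeholders, and the `creator_pid` field is an assumed ETW-derived value for the PID that issued the process-create call, compared against Sysmon's ParentProcessId to stand in for the PPID-mismatch check (ParentProcessAnomalyThreshold is reduced here to a plain mismatch flag).

```python
from datetime import datetime, timedelta

# Tunable fields from the analytic; concrete values are constructed for this example.
TIME_WINDOW = timedelta(minutes=10)
ALLOWED_SERVICE_ACCOUNTS = {"CORP\\svc-backup"}
KNOWN_ADMIN_TOOLS = {"psexec.exe", "services.exe", "msiexec.exe"}
TOKEN_APIS = {"LogonUser", "DuplicateTokenEx", "ImpersonateLoggedOnUser",
              "CreateProcessWithTokenW", "CreateProcessAsUserW"}
SYSTEM_SID = "S-1-5-18"  # NT AUTHORITY\SYSTEM

# Constructed, flattened telemetry. "source" stands in for the Name/Channel columns.
# "creator_pid" is an assumed ETW-derived field (not a real Sysmon field) giving the
# PID that actually issued the process-create call.
EVENTS = [
    {"source": "ETW:Token", "ts": "2024-05-01T09:00:05", "host": "WS01", "pid": 4120,
     "user": "CORP\\jdoe", "api": "DuplicateTokenEx"},
    # Child lands as SYSTEM, parent ran as a normal user, 35s after the token API call.
    {"source": "Sysmon", "event_id": 1, "ts": "2024-05-01T09:00:40", "host": "WS01",
     "pid": 5200, "image": "C:\\Windows\\System32\\cmd.exe", "user": "NT AUTHORITY\\SYSTEM",
     "user_sid": SYSTEM_SID, "parent_pid": 4120, "creator_pid": 4120,
     "parent_image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\updater.exe",
     "parent_user": "CORP\\jdoe"},
    # Normal service host creation: same context on both sides, no alert.
    {"source": "Sysmon", "event_id": 1, "ts": "2024-05-01T09:01:00", "host": "WS01",
     "pid": 5300, "image": "C:\\Windows\\System32\\svchost.exe", "user": "NT AUTHORITY\\SYSTEM",
     "user_sid": SYSTEM_SID, "parent_pid": 700, "creator_pid": 700,
     "parent_image": "C:\\Windows\\System32\\services.exe", "parent_user": "NT AUTHORITY\\SYSTEM"},
    # Admin using a known tool: token API seen, but the parent is in KnownAdminTools.
    {"source": "ETW:Token", "ts": "2024-05-01T09:02:00", "host": "WS02", "pid": 7000,
     "user": "CORP\\admin", "api": "LogonUser"},
    {"source": "Sysmon", "event_id": 1, "ts": "2024-05-01T09:02:10", "host": "WS02",
     "pid": 7100, "image": "C:\\Windows\\System32\\cmd.exe", "user": "NT AUTHORITY\\SYSTEM",
     "user_sid": SYSTEM_SID, "parent_pid": 7000, "creator_pid": 7000,
     "parent_image": "C:\\Tools\\PsExec.exe", "parent_user": "CORP\\admin"},
    # No token API in the window, but Sysmon's parent disagrees with the ETW creator PID.
    {"source": "Sysmon", "event_id": 1, "ts": "2024-05-01T09:30:00", "host": "WS01",
     "pid": 6200, "image": "C:\\Windows\\System32\\cmd.exe", "user": "NT AUTHORITY\\SYSTEM",
     "user_sid": SYSTEM_SID, "parent_pid": 900, "creator_pid": 6100,
     "parent_image": "C:\\Windows\\System32\\lsass.exe", "parent_user": "NT AUTHORITY\\SYSTEM"},
]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def token_activity(events):
    """Stage 1: token API calls from ETW, or a runas.exe launch from Sysmon EventCode=1."""
    hits = []
    for e in events:
        if e["source"] == "ETW:Token" and e.get("api") in TOKEN_APIS:
            hits.append(e)
        elif (e["source"] == "Sysmon" and e["event_id"] == 1
              and _basename(e["image"]) == "runas.exe"):
            hits.append(e)
    return hits


def _preceded_by_token_activity(spawn, stage1):
    """True if the spawning process showed token activity on the same host within TimeWindow."""
    t = datetime.fromisoformat(spawn["ts"])
    for prior in stage1:
        if prior["host"] != spawn["host"] or prior["pid"] != spawn["parent_pid"]:
            continue
        dt = t - datetime.fromisoformat(prior["ts"])
        if timedelta(0) <= dt <= TIME_WINDOW:
            return True
    return False


def detect(events):
    """Stages 2-3: SYSTEM children whose lineage is anomalous or follows token activity."""
    stage1 = token_activity(events)
    alerts = []
    for e in events:
        if e["source"] != "Sysmon" or e["event_id"] != 1 or e.get("user_sid") != SYSTEM_SID:
            continue  # only children that end up as SYSTEM matter for this analytic
        reasons = []
        context_switch = e["parent_user"] != e["user"]
        parent_whitelisted = (_basename(e["parent_image"]) in KNOWN_ADMIN_TOOLS
                              or e["parent_user"] in ALLOWED_SERVICE_ACCOUNTS)
        if context_switch and not parent_whitelisted and _preceded_by_token_activity(e, stage1):
            reasons.append("token_api_then_context_switch")
        if e.get("creator_pid") is not None and e["creator_pid"] != e["parent_pid"]:
            reasons.append("ppid_mismatch")
        if reasons:
            alerts.append({"host": e["host"], "pid": e["pid"], "image": e["image"],
                           "parent_image": e["parent_image"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Against the constructed events, `detect` returns two alerts: the cmd.exe (PID 5200) that followed DuplicateTokenEx from an unprivileged parent, and the cmd.exe (PID 6200) whose Sysmon parent does not match the ETW creator. The svchost.exe spawn and the PsExec-driven shell are suppressed by the same-context check and the KnownAdminTools whitelist respectively, which is where the two tunable lists earn their keep in a real deployment.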