Detect token duplication and impersonation by correlating a suspicious command-line execution (e.g., runas) or an in-memory API invocation with calls to DuplicateToken, DuplicateTokenEx, ImpersonateLoggedOnUser, or SetThreadToken from the same source process. The chain is: initial command execution or in-memory API invocation → duplication of a token handle or assignment of a token to a thread → a new or existing process running in the impersonated user's security context. The strongest signal is the last step: a child process whose account differs from that of its creator, appearing shortly after the token API call.
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |
| Process Access (DC0035) | WinEventLog:Sysmon | EventCode=10 |
| OS API Execution (DC0021) | ETW:Token | api_call: DuplicateToken, DuplicateTokenEx, ImpersonateLoggedOnUser, SetThreadToken |

| Field | Description |
|---|---|
| AllowedSystemProcesses | Allowlist of process images that legitimately duplicate tokens or impersonate (e.g., services.exe, the Service Control Manager); token API calls from these images are excluded from the chain. |
| TimeWindow | Maximum interval between the token API call (or handle duplication) and the subsequent creation of a process in the impersonated context (e.g., 5m); events further apart are not joined into one chain. |
| UserContextFilter | Service accounts or known administrative accounts whose impersonation is expected (e.g., SYSTEM or NETWORK SERVICE for service-hosted code); chains starting in these contexts are suppressed or down-weighted. |
| ParentProcessAnomalyThreshold | Score threshold for parent-child lineage anomalies that indicate token theft, such as a child whose 4688 Target Subject differs from its Creator Subject, or a parent image in a user-writable location spawning a system-account child. |