Monitor for unusual use of DuplicateTokenEx or SetThreadToken API calls, particularly by unauthorized executables.
A token contains crucial security data that token.exe tools interact with: the Security Identifier of the user, and Group SIDs (group memberships).
Are you looking at a specific open-source (e.g., from a GitHub repo)?