Threat actors may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
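Because prevention is limited, the two effects described above (a process that appears to be the child of a different process, or that belongs to someone other than the user who started it) are usually looked for in process-creation telemetry. The following is an added example, not part of the original page: the record fields, the allowlist and the sample events are assumptions constructed for illustration and need to be mapped to whatever your logging source actually provides.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcStart:
    """One process-creation record (hypothetical field names)."""
    pid: int
    image: str
    token_user: str    # account in the new process's token
    creator_pid: int   # process that actually issued the create call
    creator_user: str  # account the creating process was running as
    parent_pid: int    # parent that the new process reports

# Assumed allowlist of creators that legitimately start processes as other
# accounts. Matching on image name alone is weak; pin path or signer in practice.
EXPECTED_BROKERS = {"services.exe", "svchost.exe", "winlogon.exe"}

def review(events):
    """Return (pid, reason) findings for process starts worth triaging."""
    image_by_pid = {e.pid: e.image for e in events}
    findings = []
    for e in events:
        creator_image = image_by_pid.get(e.creator_pid, "unknown").lower()
        # Process appears to be the child of a process that did not create it.
        if e.parent_pid != e.creator_pid:
            findings.append((e.pid, "reported parent differs from creator"))
        # Process runs under an account other than the one that started it.
        if (e.token_user.lower() != e.creator_user.lower()
                and creator_image not in EXPECTED_BROKERS):
            findings.append((e.pid, "token user differs from creator user"))
    return findings

SYSTEM = "NT AUTHORITY\\SYSTEM"
ALICE = "CORP\\alice"  # constructed account name
SAMPLE = [  # constructed events, not real telemetry
    ProcStart(500, "services.exe", SYSTEM, 4, SYSTEM, 4),
    ProcStart(900, "svchost.exe", "NT AUTHORITY\\LOCAL SERVICE", 500, SYSTEM, 500),
    ProcStart(3100, "explorer.exe", ALICE, 700, ALICE, 700),
    ProcStart(4200, "powershell.exe", ALICE, 3100, ALICE, 3100),
    ProcStart(4300, "cmd.exe", SYSTEM, 4200, ALICE, 4200),   # context change
    ProcStart(4400, "notepad.exe", ALICE, 4200, ALICE, 500), # parent mismatch
]

if __name__ == "__main__":
    for pid, reason in review(SAMPLE):
        print(pid, reason)
```

Both checks produce leads for triage rather than verdicts, since service managers and logon components legitimately start processes under other accounts.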