Potential Access Token Abuse
Detects potential token impersonation and theft, for example when "DuplicateToken(Ex)" and "ImpersonateLoggedOnUser" are used with the LOGON32_LOGON_NEW_CREDENTIALS flag.
Sigma rule

```yaml
title: Potential Access Token Abuse
id: 02f7c9c1-1ae8-4c6a-8add-04693807f92f
status: test
description: Detects potential token impersonation and theft. Example, when using "DuplicateToken(Ex)" and "ImpersonateLoggedOnUser" with the "LOGON32_LOGON_NEW_CREDENTIALS flag".
references:
  - https://www.elastic.co/fr/blog/how-attackers-abuse-access-token-manipulation
  - https://www.manageengine.com/log-management/cyber-security/access-token-manipulation.html
author: Michaela Adams, Zach Mathis
date: 2022-11-06
modified: 2023-04-26
tags:
  - attack.defense-evasion
  - attack.privilege-escalation
  - attack.t1134.001
  - stp.4u
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4624
    LogonType: 9
    LogonProcessName: 'Advapi'
    AuthenticationPackageName: 'Negotiate'
    ImpersonationLevel: '%%1833' # Impersonation
  condition: selection
falsepositives:
  - Anti-Virus
level: medium
```
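The following is an added example, not part of the Sigma rule or the Sigma project: it applies the rule's `selection` block (AND of all fields) to a few constructed Security 4624 records and filters out the "Anti-Virus" false positive using a hypothetical allow-listed process path (a placeholder, not a real product path).

```python
# Added example: evaluate the Sigma selection above against 4624 records.
# Sigma selection fields from the rule; all must match (AND semantics).
SELECTION = {
    "EventID": 4624,
    "LogonType": 9,                  # NewCredentials (LOGON32_LOGON_NEW_CREDENTIALS)
    "LogonProcessName": "Advapi",
    "AuthenticationPackageName": "Negotiate",
    "ImpersonationLevel": "%%1833",  # rendered as "Impersonation" in Event Viewer
}

# Hypothetical allow-list for the rule's "Anti-Virus" false positive (placeholder path).
KNOWN_BENIGN_PROCESSES = {r"C:\Program Files\ExampleAV\avscanner.exe"}


def matches_selection(event: dict) -> bool:
    """True when every selection field is present and equal.
    Strings compare case-insensitively, as Sigma backends usually do."""
    for field, wanted in SELECTION.items():
        got = event.get(field)
        if isinstance(wanted, str):
            if not isinstance(got, str) or got.lower() != wanted.lower():
                return False
        elif got != wanted:
            return False
    return True


def triage(events: list) -> list:
    """Return rule hits whose source process is not on the benign allow-list."""
    return [ev for ev in events
            if matches_selection(ev)
            and ev.get("ProcessName") not in KNOWN_BENIGN_PROCESSES]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 9, "LogonProcessName": "Advapi",
     "AuthenticationPackageName": "Negotiate", "ImpersonationLevel": "%%1833",
     "ProcessName": r"C:\Users\alice\Downloads\tool.exe", "TargetUserName": "alice"},
    {"EventID": 4624, "LogonType": 9, "LogonProcessName": "advapi",   # case differs
     "AuthenticationPackageName": "Negotiate", "ImpersonationLevel": "%%1833",
     "ProcessName": r"C:\Program Files\ExampleAV\avscanner.exe", "TargetUserName": "SYSTEM"},
    {"EventID": 4624, "LogonType": 2, "LogonProcessName": "User32",   # interactive logon
     "AuthenticationPackageName": "Negotiate", "ImpersonationLevel": "%%1833",
     "ProcessName": r"C:\Windows\System32\svchost.exe", "TargetUserName": "alice"},
    {"EventID": 4624, "LogonType": 9, "LogonProcessName": "Advapi",   # lower impersonation level
     "AuthenticationPackageName": "Negotiate", "ImpersonationLevel": "%%1832",
     "ProcessName": r"C:\Windows\System32\cmd.exe", "TargetUserName": "alice"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("ALERT", hit["ProcessName"], hit["TargetUserName"])
```

Only the first record survives triage: the second matches the rule but is on the allow-list, the third is a type 2 logon, and the fourth carries a different impersonation level.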
Related rules
- HackTool - Impersonate Execution
- HackTool - SharpDPAPI Execution
- HackTool - SharpImpersonation Execution
- APT PRIVATELOG Image Load Pattern
- Abuse of Service Permissions to Hide Services Via Set-Service