Potential Access Token Abuse

Detects potential token impersonation and theft, for example when "DuplicateToken(Ex)" and "ImpersonateLoggedOnUser" are used with the "LOGON32_LOGON_NEW_CREDENTIALS" flag.

Sigma rule

title: Potential Access Token Abuse
id: 02f7c9c1-1ae8-4c6a-8add-04693807f92f
status: experimental
description: Detects potential token impersonation and theft. Example, when using "DuplicateToken(Ex)" and "ImpersonateLoggedOnUser" with the "LOGON32_LOGON_NEW_CREDENTIALS flag".
references:
    - https://www.elastic.co/fr/blog/how-attackers-abuse-access-token-manipulation
    - https://www.manageengine.com/log-management/cyber-security/access-token-manipulation.html
author: Michaela Adams, Zach Mathis
date: 2022/11/06
modified: 2023/04/26
tags:
    - attack.defense_evasion
    - attack.privilege_escalation
    - attack.t1134.001
    - stp.4u
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4624
        LogonType: 9
        LogonProcessName: 'Advapi'
        AuthenticationPackageName: 'Negotiate'
        ImpersonationLevel: '%%1833' # Impersonation
    condition: selection
falsepositives:
    - Anti-Virus
level: medium
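The following is an added example, not part of the Sigma rule or the SigmaHQ project: it evaluates the rule's selection (EventID 4624, LogonType 9, LogonProcessName Advapi, AuthenticationPackageName Negotiate, ImpersonationLevel %%1833) against constructed Security event records and reports which ones would alert. The sample events, the dict-per-event layout and the acceptance of the rendered text "Impersonation" as an alias for the raw "%%1833" value are assumptions made for the example.

```python
# Added example: applies the Sigma selection above to constructed Windows
# Security 4624 records. Each record is a dict of EventData fields, which is
# an assumption about how the log was parsed; the events below are not real.
from typing import Dict, List

# The rule's selection: one EventData field per key, with the accepted values.
SELECTION = {
    "EventID": {4624},
    "LogonType": {9},                       # NewCredentials, i.e. LOGON32_LOGON_NEW_CREDENTIALS
    "LogonProcessName": {"advapi"},         # logon requested through the Advapi logon process
    "AuthenticationPackageName": {"negotiate"},
    "ImpersonationLevel": {"%%1833", "impersonation"},  # raw token or its rendered text (assumed alias)
}

def _norm(value: object) -> object:
    """Sigma string matching on Windows logs is case-insensitive; ints are left as-is."""
    return value.strip().lower() if isinstance(value, str) else value

def matches_rule(event: Dict[str, object]) -> bool:
    """True only when every selection field is present and holds an accepted value."""
    for field, accepted in SELECTION.items():
        if field not in event:
            return False
        if _norm(event[field]) not in {_norm(a) for a in accepted}:
            return False
    return True

def find_token_abuse(events: List[Dict[str, object]]) -> List[str]:
    """Return the RecordNumber of every event the rule would alert on."""
    return [str(e.get("RecordNumber")) for e in events if matches_rule(e)]

# Constructed sample events (not real telemetry); only the first one should match.
SAMPLE_EVENTS = [
    {"RecordNumber": 1001, "EventID": 4624, "LogonType": 9, "LogonProcessName": "Advapi",
     "AuthenticationPackageName": "Negotiate", "ImpersonationLevel": "%%1833",
     "SubjectUserName": "alice", "TargetUserName": "alice"},
    # Interactive logon (LogonType 2, User32): same event ID, but not what the rule targets.
    {"RecordNumber": 1002, "EventID": 4624, "LogonType": 2, "LogonProcessName": "User32",
     "AuthenticationPackageName": "Negotiate", "ImpersonationLevel": "%%1833"},
    # NewCredentials logon, but authenticated through Kerberos rather than Negotiate.
    {"RecordNumber": 1003, "EventID": 4624, "LogonType": 9, "LogonProcessName": "Advapi",
     "AuthenticationPackageName": "Kerberos", "ImpersonationLevel": "%%1833"},
    # All other fields match, but a different (constructed) impersonation level.
    {"RecordNumber": 1004, "EventID": 4624, "LogonType": 9, "LogonProcessName": "Advapi",
     "AuthenticationPackageName": "Negotiate", "ImpersonationLevel": "%%1832"},
]

if __name__ == "__main__":
    print(find_token_abuse(SAMPLE_EVENTS))  # ['1001']
```

A hit on this selection is only a candidate; the rule's own false-positive note (anti-virus products) means the SubjectUserName, TargetUserName and the process behind the logon should be reviewed before treating it as token theft.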
