Potential Access Token Abuse

Detects potential token impersonation and theft, for example when "DuplicateToken(Ex)" and "ImpersonateLoggedOnUser" are used with the "LOGON32_LOGON_NEW_CREDENTIALS" flag. Such activity surfaces in the Security log as event 4624 with logon type 9 (NewCredentials) and an Impersonation-level token.

Sigma rule (View on GitHub)

title: Potential Access Token Abuse
id: 02f7c9c1-1ae8-4c6a-8add-04693807f92f
status: experimental
description: Detects potential token impersonation and theft, for example when "DuplicateToken(Ex)" and "ImpersonateLoggedOnUser" are used with the "LOGON32_LOGON_NEW_CREDENTIALS" flag.
references:
    - https://www.elastic.co/fr/blog/how-attackers-abuse-access-token-manipulation
    - https://www.manageengine.com/log-management/cyber-security/access-token-manipulation.html
author: Michaela Adams, Zach Mathis
date: 2022/11/06
modified: 2023/04/26
tags:
    - attack.defense_evasion
    - attack.privilege_escalation
    - attack.t1134.001
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4624
        LogonType: 9 # NewCredentials (LogonUser with LOGON32_LOGON_NEW_CREDENTIALS)
        LogonProcessName: 'Advapi'
        AuthenticationPackageName: 'Negotiate'
        ImpersonationLevel: '%%1833' # Impersonation
    condition: selection
falsepositives:
    - Anti-Virus
level: medium
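To see what the selection block above actually matches, here is the rule's logic applied in Python to a handful of constructed 4624 records. This is an added example, not code from the rule authors or the Sigma project: the event XML, user names and process paths are invented for illustration, and the parser only extracts the fields the rule inspects. Two practical details are built in: Sigma string matching is case-insensitive, and the raw LogonProcessName field is commonly padded with trailing spaces ("Advapi  "), so values are stripped before comparison.

```python
"""Evaluate the 'Potential Access Token Abuse' Sigma selection over Security 4624 events."""
import xml.etree.ElementTree as ET

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# The rule's selection block, field -> expected value. Sigma string matching is
# case-insensitive, so the comparison below casefolds both sides.
SELECTION = {
    "EventID": "4624",
    "LogonType": "9",                # NewCredentials (LogonUser + LOGON32_LOGON_NEW_CREDENTIALS)
    "LogonProcessName": "Advapi",
    "AuthenticationPackageName": "Negotiate",
    "ImpersonationLevel": "%%1833",  # Impersonation; %%1832 = Identification, %%1840 = Delegation
}


def parse_event(xml_text: str) -> dict:
    """Flatten a Windows event (EVTX XML rendering) into a {field: value} dict.

    Values are stripped because LogonProcessName is commonly padded with trailing
    spaces in the raw event ("Advapi  "), which would defeat an exact comparison.
    """
    root = ET.fromstring(xml_text)
    fields = {"EventID": root.findtext("e:System/e:EventID", default="", namespaces=EVT_NS).strip()}
    for data in root.findall("e:EventData/e:Data", EVT_NS):
        fields[data.get("Name")] = (data.text or "").strip()
    return fields


def matches_selection(fields: dict) -> bool:
    """True when every selection field equals the expected value (case-insensitive)."""
    return all(fields.get(name, "").casefold() == value.casefold() for name, value in SELECTION.items())


def run_rule(events) -> list:
    """Return (TargetUserName, ProcessName) for every event that satisfies the rule."""
    return [(f["TargetUserName"], f["ProcessName"])
            for f in map(parse_event, events) if matches_selection(f)]


def make_4624(target, logon_type, logon_process, auth_package, impersonation, process) -> str:
    """Build a constructed (not captured) 4624 event carrying the fields the rule inspects."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID><Channel>Security</Channel></System>
  <EventData>
    <Data Name="TargetUserName">{target}</Data>
    <Data Name="LogonType">{logon_type}</Data>
    <Data Name="LogonProcessName">{logon_process}</Data>
    <Data Name="AuthenticationPackageName">{auth_package}</Data>
    <Data Name="ImpersonationLevel">{impersonation}</Data>
    <Data Name="ProcessName">{process}</Data>
  </EventData>
</Event>"""


# Constructed sample events; names and paths are hypothetical.
SAMPLE_EVENTS = [
    # NewCredentials logon with an Impersonation-level token from an odd location: matched.
    make_4624("jdoe", "9", "Advapi  ", "Negotiate", "%%1833", r"C:\Users\jdoe\AppData\Local\Temp\tool.exe"),
    # Ordinary interactive console logon (type 2 via User32): not matched.
    make_4624("jdoe", "2", "User32  ", "Negotiate", "%%1833", r"C:\Windows\System32\winlogon.exe"),
    # NewCredentials logon whose token is only Identification-level: not matched.
    make_4624("svc-backup", "9", "Advapi  ", "Negotiate", "%%1832", r"C:\Program Files\Backup\agent.exe"),
    # Same pattern from a system process: also matched, so triage by ProcessName and user.
    make_4624("admin", "9", "Advapi  ", "Negotiate", "%%1833", r"C:\Windows\System32\svchost.exe"),
]

if __name__ == "__main__":
    for target, process in run_rule(SAMPLE_EVENTS):
        print(f"ALERT Potential Access Token Abuse: target={target} process={process}")
```

The last two sample events illustrate why the rule is rated medium: the event alone cannot distinguish stolen-token use from a legitimate NewCredentials logon, so ProcessName and TargetUserName from the same 4624 record are the first triage pivots.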
