Detect Access Token Manipulation (Token Impersonation/Theft) #153

@marvel90120

Description

title: Detect Access Token Manipulation Token Impersonation and Theft
submission_date: 2022/04/28
information_domain: Analytic
platforms:
  - Windows
subtypes:
  - Access token
analytic_types:
  - TTP
contributors:
  - Michaela Adams mvadams@mitre.org
id: CAR-2022-04-001
description: This analytic detects the use of Access Token Manipulation, specifically token impersonation and theft. This analytic detects the use of DuplicateToken(Ex) and ImpersonateLoggedOnUser with the LOGON32_LOGON_NEW_CREDENTIALS flag to prevent adversaries and tools from impersonating tokens.
coverage:
  - technique: T1134
    tactics:
      - TA0005
      - TA0004
    subtechniques:
      - T1134.001
    coverage: Moderate
implementations:
  - name: Splunk Search - Access Token Manipulation Token Impersonation/Theft through Windows API call
    description: This analytic detects the use of Access Token Manipulation with the LOGON32_LOGON_NEW_CREDENTIALS flag to prevent adversaries and tools from impersonating users.
    code: |-
      sourcetype=WinEventLog EventCode=4624 Impersonation_Level=Impersonation Authentication_Package=Negotiate Logon_Type=9 Logon_Process=Advapi Elevated_Token=No
    data_model: Windows Event Log
    type: Splunk
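The following is an added example, not part of the CAR submission above and not CAR's own code. It reproduces the Splunk search's field-by-field conditions in Python and runs them over a handful of constructed Security 4624 records (the sample lines and the single-line `Field=Value` format are assumptions made here so the logic runs without Splunk; the field names mirror the Splunk WinEventLog extraction the search relies on). Two caveats a practitioner would keep in mind when tuning it: Logon Type 9 (NewCredentials) is exactly what a legitimate `runas /netonly` produces, so matches need baselining against known administrator activity, and the `Elevated_Token=No` clause means a caller that already holds an elevated token is filtered out by design.

```python
"""Apply the CAR-2022-04-001 field match to Windows Security 4624 records.

Added example (not CAR's own code). The conditions below are the ones the
analytic's Splunk search expresses:

  sourcetype=WinEventLog EventCode=4624 Impersonation_Level=Impersonation
  Authentication_Package=Negotiate Logon_Type=9 Logon_Process=Advapi
  Elevated_Token=No
"""

ANALYTIC_MATCH = {
    "EventCode": "4624",
    "Impersonation_Level": "Impersonation",
    "Authentication_Package": "Negotiate",
    "Logon_Type": "9",          # NewCredentials: LOGON32_LOGON_NEW_CREDENTIALS
    "Logon_Process": "Advapi",  # LogonUser() called through advapi32
    "Elevated_Token": "No",
}

# Constructed sample events (assumption: one event per line, comma-separated
# Field=Value pairs standing in for Splunk's WinEventLog field extraction).
SAMPLE_EVENTS = [
    # 1. NewCredentials logon via advapi from an unelevated process: matches.
    r"EventCode=4624, Logon_Type=9, Logon_Process=Advapi, Authentication_Package=Negotiate, "
    r"Impersonation_Level=Impersonation, Elevated_Token=No, Subject_User_Name=jdoe, "
    r"Target_User_Name=jdoe, Process_Name=C:\Users\jdoe\Desktop\tool.exe",
    # 2. Ordinary interactive console logon: wrong logon type and logon process.
    r"EventCode=4624, Logon_Type=2, Logon_Process=User32, Authentication_Package=Negotiate, "
    r"Impersonation_Level=Impersonation, Elevated_Token=No, Subject_User_Name=-, "
    r"Target_User_Name=jdoe, Process_Name=C:\Windows\System32\winlogon.exe",
    # 3. Same NewCredentials pattern but from an already-elevated caller:
    #    excluded by the search's Elevated_Token=No clause.
    r"EventCode=4624, Logon_Type=9, Logon_Process=Advapi, Authentication_Package=Negotiate, "
    r"Impersonation_Level=Impersonation, Elevated_Token=Yes, Subject_User_Name=admin, "
    r"Target_User_Name=admin, Process_Name=C:\Windows\System32\cmd.exe",
    # 4. Network logon (SMB share access): wrong logon type, not a 4624/9 event.
    r"EventCode=4624, Logon_Type=3, Logon_Process=NtLmSsp, Authentication_Package=NTLM, "
    r"Impersonation_Level=Impersonation, Elevated_Token=No, Subject_User_Name=-, "
    r"Target_User_Name=svc_backup, Process_Name=-",
]


def parse_event(raw: str) -> dict:
    """Turn one constructed 'Field=Value, Field=Value' line into a dict."""
    event = {}
    for pair in raw.split(","):
        key, _, value = pair.strip().partition("=")
        if key:
            event[key.strip()] = value.strip()
    return event


def matches_analytic(event: dict) -> bool:
    """True when every field in ANALYTIC_MATCH is present with the required value."""
    return all(event.get(field) == value for field, value in ANALYTIC_MATCH.items())


def run_analytic(raw_events):
    """Return (Subject_User_Name, Target_User_Name, Process_Name) for each matching event."""
    hits = []
    for raw in raw_events:
        event = parse_event(raw)
        if matches_analytic(event):
            hits.append((
                event.get("Subject_User_Name"),
                event.get("Target_User_Name"),
                event.get("Process_Name"),
            ))
    return hits


if __name__ == "__main__":
    for subject, target, process in run_analytic(SAMPLE_EVENTS):
        print(f"token impersonation candidate: subject={subject} target={target} process={process}")
```

Only the first constructed record survives the filter; the third shows that the analytic as written deliberately ignores NewCredentials logons requested from an elevated token, which is worth knowing before relying on it alone for T1134.001 coverage.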