Detect Access Token Manipulation (Token Impersonation/Theft) #153

@marvel90120

Description

    title: Detect Access Token Manipulation Token Impersonation and Theft
    submission_date: 2022/04/28
    information_domain: Analytic
    platforms:
      - Windows
    subtypes:
      - Access token
    analytic_types:
      - TTP
    contributors:
      - Michaela Adams mvadams@mitre.org
    id: CAR-2022-04-001
    description: This analytic detects the use of Access Token Manipulation, specifically token impersonation and theft. This analytic detects the use of DuplicateToken(Ex) and ImpersonateLoggedOnUser with the LOGON32_LOGON_NEW_CREDENTIALS flag to prevent adversaries and tools from impersonating tokens.
    coverage:
      - technique: T1134
        tactics:
          - TA0005
          - TA0004
        subtechniques:
          - T1134.001
        coverage: Moderate
    implementations:
      - name: Splunk Search - Access Token Manipulation Token Impersonation/Theft through Windows API call
        description: This analytic detects the use of Access Token Manipulation with the LOGON32_LOGON_NEW_CREDENTIALS flag to prevent adversaries and tools from impersonating users.
        code: |-
          sourcetype=WinEventLog EventCode=4624 Impersonation_Level=Impersonation Authentication_Package=Negotiate Logon_Type=9 Logon_Process=Advapi Elevated_Token=No
        data_model: Windows Event Log
        type: Splunk
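The Splunk search above, re-implemented as a plain Python filter so it can be checked offline against constructed sample 4624 events. This is an added example, not part of the issue or the CAR repository; the event lines, record numbers and account names are made up.

```python
import shlex

# Field/value pairs the analytic's Splunk search requires on a single 4624 event.
# Logon_Type 9 is "NewCredentials", the logon type that LOGON32_LOGON_NEW_CREDENTIALS
# (the flag the analytic calls out) produces.
REQUIRED = {
    "EventCode": "4624",
    "Impersonation_Level": "Impersonation",
    "Authentication_Package": "Negotiate",
    "Logon_Type": "9",
    "Logon_Process": "Advapi",
    "Elevated_Token": "No",
}

def parse_event(line: str) -> dict:
    """Parse one Splunk-style key=value event line (quoted values allowed) into a dict."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:  # ignore bare words that carry no field
            fields[key] = value
    return fields

def matches_analytic(event: dict) -> bool:
    """True when every field the search names is present with the expected value."""
    return all(event.get(key) == value for key, value in REQUIRED.items())

def find_hits(lines) -> list:
    """Return the RecordNumber of every event line that satisfies the analytic."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if matches_analytic(event):
            hits.append(event.get("RecordNumber", "?"))
    return hits

# Constructed sample events (not real telemetry). Only record 1003 should fire:
# 1001 is an interactive logon, 1002 carries an elevated token, 1004 used Kerberos.
SAMPLE_EVENTS = [
    'RecordNumber=1001 EventCode=4624 Logon_Type=2 Impersonation_Level=Impersonation '
    'Authentication_Package=Negotiate Logon_Process=User32 Elevated_Token=Yes Account_Name=alice',
    'RecordNumber=1002 EventCode=4624 Logon_Type=9 Impersonation_Level=Impersonation '
    'Authentication_Package=Negotiate Logon_Process=Advapi Elevated_Token=Yes Account_Name=admin',
    'RecordNumber=1003 EventCode=4624 Logon_Type=9 Impersonation_Level=Impersonation '
    'Authentication_Package=Negotiate Logon_Process=Advapi Elevated_Token=No Account_Name=bob',
    'RecordNumber=1004 EventCode=4624 Logon_Type=9 Impersonation_Level=Impersonation '
    'Authentication_Package=Kerberos Logon_Process=Advapi Elevated_Token=No Account_Name=bob',
]

if __name__ == "__main__":
    # A legitimate "runas /netonly" produces the same field values, so hits still
    # need triage against the parent process and account context.
    print(find_hits(SAMPLE_EVENTS))  # → ['1003']
```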
