
Rule Contribution: Detect Access Token Manipulation Token Impersonation and Theft

Open marvel90120 opened this issue 3 years ago • 1 comments

```yaml
title: Detect Access Token Manipulation Token Impersonation and Theft
status: experimental
description: |
    This analytic detects the use of Access Token Manipulation, specifically token impersonation and theft.
    This analytic detects the use of DuplicateToken(Ex) and ImpersonateLoggedOnUser with the
    LOGON32_LOGON_NEW_CREDENTIALS flag to prevent adversaries and tools from impersonating tokens.
author: Michaela Adams
references:
    - https://attack.mitre.org/techniques/T1134/001/
date: 2022/04/28
logsource:
    product: windows
    category: logon_event
detection:
    selection:
        # One map: all fields must match (AND). As first written, each field was a
        # separate list item, which Sigma evaluates as OR, so any 4624 event with
        # e.g. AuthenticationPackage 'Negotiate' would have fired the rule.
        EventCode: 4624
        ImpersonationLevel: 'Impersonation'
        AuthenticationPackage: 'Negotiate'
        LogonType: '9'
        LogonProcess: 'Advapi'
        ElevatedToken: 'No'
    condition: selection
falsepositives:
    - Antivirus
level: medium
```

marvel90120 avatar Apr 28 '22 16:04 marvel90120
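As an added illustration (not part of the issue or of the Sigma project), the following minimal matcher evaluates the rule's field set against constructed 4624/4625 events in both layouts, a list of single-field maps (Sigma OR semantics) and one map (AND), to show why the layout decides whether an ordinary interactive logon matches. It assumes plain equality matching only; Sigma modifiers, wildcards and the real backend conversion are out of scope.

```python
# Added example: simplified Sigma selection semantics over constructed events.
# Event field names follow the issue's rule; values are made up for illustration.

def match_map(fields, event):
    """A map of field: value matches only if every field matches (AND)."""
    return all(str(event.get(k)) == str(v) for k, v in fields.items())

def match_selection(selection, event):
    """Sigma semantics: a list under a selection is OR of its items, a map is AND."""
    if isinstance(selection, list):
        return any(match_map(item, event) for item in selection)
    return match_map(selection, event)

# Field set from the rule, expressed in both layouts.
FIELDS = {
    "EventCode": 4624,
    "ImpersonationLevel": "Impersonation",
    "AuthenticationPackage": "Negotiate",
    "LogonType": "9",
    "LogonProcess": "Advapi",
    "ElevatedToken": "No",
}
AS_LIST = [{k: v} for k, v in FIELDS.items()]   # layout in the issue (OR)
AS_MAP = FIELDS                                  # corrected layout (AND)

# Constructed sample events (not real log data).
EVENTS = {
    "interactive_console_logon": {          # benign user logon at the console
        "EventCode": 4624, "ImpersonationLevel": "Impersonation",
        "AuthenticationPackage": "Negotiate", "LogonType": "2",
        "LogonProcess": "User32", "ElevatedToken": "Yes",
    },
    "new_credentials_logon": {              # the pattern the rule is after
        "EventCode": 4624, "ImpersonationLevel": "Impersonation",
        "AuthenticationPackage": "Negotiate", "LogonType": "9",
        "LogonProcess": "Advapi", "ElevatedToken": "No",
    },
    "failed_network_logon": {               # 4625, should never match
        "EventCode": 4625, "AuthenticationPackage": "NTLM",
        "LogonType": "3", "LogonProcess": "NtLmSsp",
    },
}

def evaluate(selection):
    """Names of the constructed events that the given selection matches, sorted."""
    return sorted(n for n, ev in EVENTS.items() if match_selection(selection, ev))

if __name__ == "__main__":
    print("list layout (OR):", evaluate(AS_LIST))
    print("map layout (AND):", evaluate(AS_MAP))
```

The list layout also flags the ordinary console logon because its EventCode alone satisfies one OR branch; the map layout flags only the logon-type-9 event.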

Please provide this as pull request.

thomaspatzke avatar May 25 '22 10:05 thomaspatzke