
Detect Access Token Manipulation (Token Impersonation/Theft)

Open marvel90120 opened this issue 2 years ago • 0 comments

```yaml
---
title: Detect Access Token Manipulation Token Impersonation and Theft
submission_date: 2022/04/28
information_domain: Analytic
platforms:
  - Windows
subtypes:
  - Access token
analytic_types:
  - TTP
contributors:
  - Michaela Adams [email protected]
id: CAR-2022-04-001
description: |-
  This analytic detects the use of Access Token Manipulation, specifically
  token impersonation and theft. This analytic detects the use of
  DuplicateToken(Ex) and ImpersonateLoggedOnUser with the
  LOGON32_LOGON_NEW_CREDENTIALS flag to prevent adversaries and tools from
  impersonating tokens.
coverage:
  - technique: T1134
    tactics:
      - TA0005
      - TA0004
    subtechniques:
      - T1134.001
    coverage: Moderate
implementations:
  - name: Splunk Search - Access Token Manipulation Token Impersonation/Theft through Windows API call
    description: |-
      This analytic detects the use of Access Token Manipulation with the
      LOGON32_LOGON_NEW_CREDENTIALS flag to prevent adversaries and tools from
      impersonating users.
    code: |-
      sourcetype=WinEventLog EventCode=4624 Impersonation_Level=Impersonation Authentication_Package=Negotiate Logon_Type=9 Logon_Process=Advapi Elevated_Token=No
    data_model: Windows Event Log
    type: Splunk
```

marvel90120 (Apr 28 '22 15:04)
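The Splunk search in the submission is a conjunction of field values on event 4624: Logon Type 9 (NewCredentials) is the logon class that `LOGON32_LOGON_NEW_CREDENTIALS` produces, `Logon_Process=Advapi` ties it to a call through the Win32 logon/impersonation APIs rather than an interactive logon, and `Elevated_Token=No` filters out the high-integrity variants. The Python below is an added example, not part of the issue or of the CAR repository: it reimplements that predicate over constructed, flattened `key=value` event lines of the kind the `WinEventLog` sourcetype extracts, so the matching logic can be checked offline. The sample events, account names and process paths are made up; the field names and values in `TOKEN_IMPERSONATION_SIGNATURE` are the ones from the analytic above.

```python
import re
from typing import Dict, Iterable, List

# Field values the analytic's Splunk search keys on (copied from the
# submission). The sourcetype filter is implied by the input we feed in.
TOKEN_IMPERSONATION_SIGNATURE: Dict[str, str] = {
    "EventCode": "4624",
    "Impersonation_Level": "Impersonation",
    "Authentication_Package": "Negotiate",
    "Logon_Type": "9",            # NewCredentials: LOGON32_LOGON_NEW_CREDENTIALS
    "Logon_Process": "Advapi",    # logon requested through the Win32 API
    "Elevated_Token": "No",
}

# key=value pairs; a value may be double-quoted so that it can contain spaces.
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one flattened key=value Windows event line into a dict.

    Surrounding double quotes on a value are stripped; the last occurrence
    of a repeated key wins, which mirrors a naive field extraction.
    """
    fields: Dict[str, str] = {}
    for key, raw in _KV_RE.findall(line):
        fields[key] = raw.strip('"')
    return fields


def is_token_impersonation(event: Dict[str, str]) -> bool:
    """True when every field in the analytic's signature matches exactly."""
    return all(event.get(key) == value
               for key, value in TOKEN_IMPERSONATION_SIGNATURE.items())


def find_hits(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return the parsed events that satisfy the analytic."""
    return [ev for ev in map(parse_event, lines) if is_token_impersonation(ev)]


# Constructed sample events (not real telemetry). Field names follow the
# Splunk WinEventLog extraction the analytic relies on.
SAMPLE_EVENTS = [
    # Interactive console logon (Logon_Type 2): must not fire.
    'EventCode=4624 Logon_Type=2 Logon_Process=User32 Authentication_Package=Negotiate '
    'Impersonation_Level=Impersonation Elevated_Token=No Account_Name=alice '
    'Process_Name="C:\\Windows\\System32\\svchost.exe"',
    # NewCredentials logon through Advapi with a non-elevated token: matches.
    'EventCode=4624 Logon_Type=9 Logon_Process=Advapi Authentication_Package=Negotiate '
    'Impersonation_Level=Impersonation Elevated_Token=No Account_Name=bob '
    'Process_Name="C:\\Users\\bob\\tool.exe"',
    # Same logon type but an elevated token: excluded by Elevated_Token=No.
    'EventCode=4624 Logon_Type=9 Logon_Process=Advapi Authentication_Package=Negotiate '
    'Impersonation_Level=Impersonation Elevated_Token=Yes Account_Name=carol '
    'Process_Name="C:\\Windows\\System32\\runas.exe"',
    # Logoff event: wrong EventCode.
    'EventCode=4634 Logon_Type=9 Account_Name=bob',
]


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print(f"ALERT account={hit.get('Account_Name')} "
              f"process={hit.get('Process_Name')}")
```

Running the module prints one alert, for the `bob` event. When tuning this in a real environment, note that `runas /netonly` and similar administrative tooling also produce Logon Type 9 events through Advapi, so the `Process_Name` and `Account_Name` fields carried by the hit are the natural keys for an allowlist rather than loosening the signature itself.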