Detect Access Token Manipulation (Token Impersonation/Theft)
title: Detect Access Token Manipulation Token Impersonation and Theft
submission_date: 2022/04/28
information_domain: Analytic
platforms:
  - Windows
subtypes:
  - Access token
analytic_types:
  - TTP
contributors:
  - Michaela Adams
id: CAR-2022-04-001
description: |-
  This analytic detects the use of Access Token Manipulation, specifically token
  impersonation and theft. It detects the use of DuplicateToken(Ex) and
  ImpersonateLoggedOnUser with the LOGON32_LOGON_NEW_CREDENTIALS flag, which
  adversaries and tools use to impersonate tokens.
coverage:
  - technique: T1134
    tactics:
      - TA0005
      - TA0004
    subtechniques:
      - T1134.001
    coverage: Moderate
implementations:
  - name: Splunk Search - Access Token Manipulation Token Impersonation/Theft through Windows API call
    description: |-
      This analytic detects the use of Access Token Manipulation with the
      LOGON32_LOGON_NEW_CREDENTIALS flag, which adversaries and tools use to
      impersonate users.
    code: |-
      sourcetype=WinEventLog EventCode=4624 Impersonation_Level=Impersonation Authentication_Package=Negotiate Logon_Type=9 Logon_Process=Advapi Elevated_Token=No
    data_model: Windows Event Log
    type: Splunk
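The Splunk search is a conjunction of six 4624 fields. The following is an added example, not part of the CAR entry, that applies the same conjunction in Python to constructed Security-log events, with a small parser mapping the raw "Key: value" message lines to the Splunk field names; the account and process names are constructed.

```python
"""Added example, not part of the CAR entry: apply the CAR-2022-04-001 Splunk
filter to constructed Security-log 4624 events to see which logons it flags."""
import re

# The Splunk search requires all of these field/value pairs. A type 9
# (NewCredentials) logon through Advapi is what LogonUser with
# LOGON32_LOGON_NEW_CREDENTIALS followed by ImpersonateLoggedOnUser produces.
REQUIRED_FIELDS = {
    "EventCode": "4624", "Impersonation_Level": "Impersonation",
    "Authentication_Package": "Negotiate", "Logon_Type": "9",
    "Logon_Process": "Advapi", "Elevated_Token": "No",
}
_KV = re.compile(r"^\s*([A-Za-z ]+?):\s*(\S.*)$")

def parse_event(raw: str) -> dict[str, str]:
    """Turn 'Key: value' lines into Splunk-style fields (Logon Type -> Logon_Type)."""
    fields: dict[str, str] = {}
    for line in raw.splitlines():
        m = _KV.match(line)
        if m:
            fields[m.group(1).strip().replace(" ", "_")] = m.group(2).strip()
    return fields

def matches_analytic(event: dict[str, str]) -> bool:
    """True when every required field is present and equal (the search's AND)."""
    return all(event.get(k) == v for k, v in REQUIRED_FIELDS.items())

def run_analytic(raw_events: list[str]) -> list[dict[str, str]]:
    """Return the parsed events the CAR-2022-04-001 search would surface."""
    return [e for e in map(parse_event, raw_events) if matches_analytic(e)]

# Constructed sample events (not real logs; EventCode folded in as a line). Only
# the first matches: the second is an interactive (type 2) logon and the third
# is a type 9 logon whose token is elevated, which Elevated_Token=No excludes.
SAMPLE_EVENTS = [
    "EventCode: 4624\nAccount Name: jdoe\nLogon Type: 9\nLogon Process: Advapi\n"
    "Authentication Package: Negotiate\nImpersonation Level: Impersonation\n"
    "Elevated Token: No\nProcess Name: C:\\Users\\jdoe\\tool.exe",
    "EventCode: 4624\nAccount Name: jdoe\nLogon Type: 2\nLogon Process: User32\n"
    "Authentication Package: Negotiate\nImpersonation Level: Impersonation\n"
    "Elevated Token: No\nProcess Name: C:\\Windows\\System32\\winlogon.exe",
    "EventCode: 4624\nAccount Name: admin\nLogon Type: 9\nLogon Process: Advapi\n"
    "Authentication Package: Negotiate\nImpersonation Level: Impersonation\n"
    "Elevated Token: Yes\nProcess Name: C:\\Windows\\System32\\runas.exe",
]

if __name__ == "__main__":
    for hit in run_analytic(SAMPLE_EVENTS):
        print(f"ALERT type-9 impersonation logon: {hit['Account_Name']} via {hit['Process_Name']}")
```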