Detect Access Token Manipulation (Token Impersonation/Theft)
marvel90120 opened this issue
```yaml
title: Detect Access Token Manipulation Token Impersonation and Theft
submission_date: 2022/04/28
information_domain: Analytic
platforms:
  - Windows
subtypes:
  - Access token
analytic_types:
  - TTP
contributors:
  - Michaela Adams mvadams@mitre.org
id: CAR-2022-04-001
description: This analytic detects the use of Access Token Manipulation, specifically token impersonation and theft. This analytic detects the use of DuplicateToken(Ex) and ImpersonateLoggedOnUser with the LOGON32_LOGON_NEW_CREDENTIALS flag to prevent adversaries and tools from impersonating tokens.
coverage:
  - technique: T1134
    tactics:
      - TA0005
      - TA0004
    subtechniques:
      - T1134.001
    coverage: Moderate
implementations:
  - name: Splunk Search - Access Token Manipulation Token Impersonation/Theft through Windows API call
    description: This analytic detects the use of Access Token Manipulation with the LOGON32_LOGON_NEW_CREDENTIALS flag to prevent adversaries and tools from impersonating users.
    code: |-
      sourcetype=WinEventLog EventCode=4624 Impersonation_Level=Impersonation Authentication_Package=Negotiate Logon_Type=9 Logon_Process=Advapi Elevated_Token=No
    data_model: Windows Event Log
    type: Splunk
```
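The Splunk search in the submission is a conjunction of six field matches on Windows Security event 4624. The following Python is an added example, not part of the CAR submission and not CAR project code: it applies the same six-field match to constructed 4624 records so the analytic logic can be exercised offline and its exclusions (other logon types, elevated tokens, other logon processes) checked. It assumes events are dicts keyed by the Splunk field names the search uses; Splunk compares field values case-insensitively and as strings, so the matcher normalises both sides the same way. The sample records are constructed, not taken from a real host.

```python
"""Offline re-implementation of the CAR-2022-04-001 Splunk search.

Added example (not the CAR project's code). Assumes each event is a dict
keyed by the Splunk field names used in the search. All sample records
below are constructed.
"""

from typing import Iterable

# Logon type 9 corresponds to LOGON32_LOGON_NEW_CREDENTIALS.
LOGON_TYPE_NEW_CREDENTIALS = 9

# One entry per clause of the Splunk search on the page.
MATCH_CRITERIA = {
    "EventCode": 4624,
    "Impersonation_Level": "Impersonation",
    "Authentication_Package": "Negotiate",
    "Logon_Type": LOGON_TYPE_NEW_CREDENTIALS,
    "Logon_Process": "Advapi",
    "Elevated_Token": "No",
}


def _norm(value) -> str:
    """Compare the way a Splunk field=value clause does: as case-folded text."""
    return str(value).strip().casefold()


def matches_token_impersonation(event: dict) -> bool:
    """True when every clause of the search matches this event.

    A missing field is a non-match, mirroring Splunk, where a field=value
    clause only matches events that carry that field.
    """
    return all(
        field in event and _norm(event[field]) == _norm(expected)
        for field, expected in MATCH_CRITERIA.items()
    )


def find_token_impersonation(events: Iterable[dict]) -> list[dict]:
    """Return the subset of events the analytic would surface."""
    return [e for e in events if matches_token_impersonation(e)]


# Constructed sample records (assumed field names; values are illustrative).
SAMPLE_EVENTS = [
    {   # Matches every clause: new-credentials logon via Advapi, non-elevated.
        "RecordNumber": 1001, "EventCode": "4624", "Logon_Type": "9",
        "Impersonation_Level": "Impersonation", "Authentication_Package": "Negotiate",
        "Logon_Process": "Advapi", "Elevated_Token": "No", "Account_Name": "alice",
    },
    {   # Interactive logon (type 2): excluded by Logon_Type=9.
        "RecordNumber": 1002, "EventCode": "4624", "Logon_Type": "2",
        "Impersonation_Level": "Impersonation", "Authentication_Package": "Negotiate",
        "Logon_Process": "User32", "Elevated_Token": "No", "Account_Name": "bob",
    },
    {   # Type 9 but with an elevated token: excluded by Elevated_Token=No.
        "RecordNumber": 1003, "EventCode": "4624", "Logon_Type": "9",
        "Impersonation_Level": "Impersonation", "Authentication_Package": "Negotiate",
        "Logon_Process": "Advapi", "Elevated_Token": "Yes", "Account_Name": "carol",
    },
    {   # Type 9 through a different logon process: excluded by Logon_Process=Advapi.
        "RecordNumber": 1004, "EventCode": "4624", "Logon_Type": "9",
        "Impersonation_Level": "Impersonation", "Authentication_Package": "Negotiate",
        "Logon_Process": "seclogo", "Elevated_Token": "No", "Account_Name": "dave",
    },
    {   # Different event: a logoff (4634) carrying no impersonation fields.
        "RecordNumber": 1005, "EventCode": "4634", "Logon_Type": "9",
        "Account_Name": "alice",
    },
]


if __name__ == "__main__":
    for hit in find_token_impersonation(SAMPLE_EVENTS):
        print(f"record {hit['RecordNumber']}: account={hit['Account_Name']} "
              f"logon_type={hit['Logon_Type']} process={hit['Logon_Process']}")
```

Each exclusion in the sample set corresponds to one clause of the search, which makes the example useful for tuning: dropping a clause from `MATCH_CRITERIA` immediately shows which constructed record starts to match, and the same exercise against real 4624 data shows how much benign volume that clause was removing.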