EXPLORE
Sign In
← Back to Explore
sigmamediumHunting

Potential Access Token Abuse

Detects potential token impersonation and theft. Example, when using "DuplicateToken(Ex)" and "ImpersonateLoggedOnUser" with the "LOGON32_LOGON_NEW_CREDENTIALS flag".

MITRE ATT&CK

T1134.001
defense-evasionprivilege-escalation

Detection Query

selection:
  EventID: 4624
  LogonType: 9
  LogonProcessName: Advapi
  AuthenticationPackageName: Negotiate
  ImpersonationLevel: "%%1833"
condition: selection

Author

Michaela Adams, Zach Mathis

Created

2022-11-06

Data Sources

windowssecurity

Platforms

windows

References

Tags

attack.defense-evasionattack.privilege-escalationattack.t1134.001stp.4u
Raw Content
title: Potential Access Token Abuse
id: 02f7c9c1-1ae8-4c6a-8add-04693807f92f
status: test
description: Detects potential token impersonation and theft. Example, when using "DuplicateToken(Ex)" and "ImpersonateLoggedOnUser" with the "LOGON32_LOGON_NEW_CREDENTIALS flag".
references:
    - https://www.elastic.co/fr/blog/how-attackers-abuse-access-token-manipulation
    - https://www.manageengine.com/log-management/cyber-security/access-token-manipulation.html
author: Michaela Adams, Zach Mathis
date: 2022-11-06
modified: 2023-04-26
tags:
    - attack.defense-evasion
    - attack.privilege-escalation
    - attack.t1134.001
    - stp.4u
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4624
        LogonType: 9
        LogonProcessName: 'Advapi'
        AuthenticationPackageName: 'Negotiate'
        ImpersonationLevel: '%%1833' # Impersonation
    condition: selection
falsepositives:
    - Anti-Virus
level: medium