← Back to Explore
sigmamediumHunting
HackTool - Impersonate Execution
Detects execution of the Impersonate tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively
Detection Query
selection_commandline_exe:
CommandLine|contains: impersonate.exe
selection_commandline_opt:
CommandLine|contains:
- " list "
- " exec "
- " adduser "
selection_hash:
Hashes|contains:
- MD5=9520714AB576B0ED01D1513691377D01
- SHA256=E81CC96E2118DC4FBFE5BAD1604E0AC7681960143E2101E1A024D52264BB0A8A
- IMPHASH=0A358FFC1697B7A07D0E817AC740DF62
condition: all of selection_commandline_* or selection_hash
Author
Sai Prashanth Pulisetti @pulisettis
Created
2022-12-21
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.privilege-escalationattack.defense-evasionattack.t1134.001attack.t1134.003
Raw Content
title: HackTool - Impersonate Execution
id: cf0c254b-22f1-4b2b-8221-e137b3c0af94
status: test
description: Detects execution of the Impersonate tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively
references:
- https://sensepost.com/blog/2022/abusing-windows-tokens-to-compromise-active-directory-without-touching-lsass/
- https://github.com/sensepost/impersonate
author: Sai Prashanth Pulisetti @pulisettis
date: 2022-12-21
modified: 2024-11-23
tags:
- attack.privilege-escalation
- attack.defense-evasion
- attack.t1134.001
- attack.t1134.003
logsource:
product: windows
category: process_creation
detection:
selection_commandline_exe:
CommandLine|contains: 'impersonate.exe'
selection_commandline_opt:
CommandLine|contains:
- ' list '
- ' exec '
- ' adduser '
selection_hash:
Hashes|contains:
- 'MD5=9520714AB576B0ED01D1513691377D01'
- 'SHA256=E81CC96E2118DC4FBFE5BAD1604E0AC7681960143E2101E1A024D52264BB0A8A'
- 'IMPHASH=0A358FFC1697B7A07D0E817AC740DF62'
condition: all of selection_commandline_* or selection_hash
falsepositives:
- Unknown
level: medium