T1134: Access Token Manipulation

Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new toke...

Platform: Windows
28 Detections · 4 Sources · 3 Threat Actors

BY SOURCE

elastic: 20 · kql: 3 · splunk_escu: 3 · sigma: 2

PROCEDURES (24)

General Monitoring: 2 detections (auto-extracted)
Credential: 2 detections (auto-extracted)
Impersonat: 2 detections (auto-extracted)
Service: 2 detections (auto-extracted)
Api: 1 detection (auto-extracted)
Named Pipe: 1 detection (auto-extracted)
Named Pipe: 1 detection (auto-extracted)
Parent Process: 1 detection (auto-extracted)
Suspicious: 1 detection (auto-extracted)
Credential: 1 detection (auto-extracted)
Service: 1 detection (auto-extracted)
Process Creation Monitoring: 1 detection (auto-extracted)
Unusual: 1 detection (auto-extracted)
Script Execution Monitoring: 1 detection (auto-extracted)
Network Connection Monitoring: 1 detection (auto-extracted)
Unusual: 1 detection (auto-extracted)
Privilege: 1 detection (auto-extracted)
Unusual: 1 detection (auto-extracted)
Lateral: 1 detection (auto-extracted)
Parent Process: 1 detection (auto-extracted)
Lateral: 1 detection (auto-extracted)
Bypass: 1 detection (auto-extracted)
Masquerad: 1 detection (auto-extracted)
Inject: 1 detection (auto-extracted)

DETECTIONS (28)

| Detection Title | Source | Severity |
|---|---|---|
| (title not extracted) | kql | |
| All BlackCat/ALPHV Ransomware IOCs with one KQL query | kql | |
| Credential Manipulation - Detected - Elastic Endgame | elastic | high |
| Credential Manipulation - Prevented - Elastic Endgame | elastic | medium |
| First Time Seen NewCredentials Logon Process | elastic | medium |
| HackTool - NoFilter Execution | sigma | high |
| Interactive Logon by an Unusual Process | elastic | high |
| Kubernetes API Request Impersonating Privileged Identity | elastic | high |
| Parent Process PID Spoofing | elastic | high |
| Permission Theft - Detected - Elastic Endgame | elastic | high |
| Permission Theft - Prevented - Elastic Endgame | elastic | medium |
| Potential PowerShell HackTool Script by Function Names | elastic | medium |
| PowerShell Script with Token Impersonation Capabilities | elastic | medium |
| Privilege Escalation via Named Pipe Impersonation | elastic | high |
| Privilege Escalation via Rogue Named Pipe Impersonation | elastic | high |
| Privileges Elevation via Parent Process PID Spoofing | elastic | high |
| Process Created with a Duplicated Token | elastic | medium |
| Process Created with an Elevated Token | elastic | high |
| Process Creation via Secondary Logon | elastic | medium |
| Process Primary Token Elevated to SeDebugPrivilege | kql | |
| SeDebugPrivilege Enabled by a Suspicious Process | elastic | medium |
| Spike in Special Privilege Use Events | elastic | low |
| Suspicious SeIncreaseBasePriorityPrivilege Use | elastic | high |
| Suspicious SYSTEM User Process Creation | sigma | high |
| Unusual Parent-Child Relationship | elastic | medium |
| Windows Privilege Escalation Suspicious Process Elevation | splunk_escu | |
| Windows Privilege Escalation System Process Without System Parent | splunk_escu | |
| Windows Privilege Escalation User Process Spawn System Process | splunk_escu | |