Local Account TokenFilter Policy Modification for Defense Evasion
Modification of the LocalAccountTokenFilterPolicy registry key to enable high-integrity tokens for local administrator accounts is detected, potentially allowing attackers to bypass User Account Control (UAC) and facilitate lateral movement.
The LocalAccountTokenFilterPolicy is a Windows registry setting that, when configured, permits remote connections from local administrators to utilize full high-integrity tokens. This behavior deviates from the default Windows security model and can be abused by attackers to bypass User Account Control (UAC) and elevate privileges remotely. The modification of this setting is often employed as a defense evasion and lateral movement technique. This rule detects changes to the LocalAccountTokenFilterPolicy registry value, specifically when it is set to 1, which enables the aforementioned behavior. Monitoring for this modification helps defenders identify potential attempts to weaken system security and facilitate unauthorized access. This activity is associated with threat actors attempting to use pass-the-hash techniques.
Attack Chain
- Initial Access: The attacker gains initial access to a system, potentially through compromised credentials or exploitation of a vulnerability.
- Privilege Escalation: The attacker escalates privileges on the local system using exploits or misconfigurations.
- Registry Modification: The attacker modifies the
LocalAccountTokenFilterPolicyregistry value to1, enabling high-integrity tokens for local administrators. This is achieved by writing toHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy. - Credential Access: The attacker leverages tools like Mimikatz to extract credentials from the system's memory.
- Pass the Hash: With the
LocalAccountTokenFilterPolicyenabled, the attacker uses "pass-the-hash" techniques to authenticate to other systems on the network using the stolen credentials. - Lateral Movement: The attacker moves laterally to other systems on the network, gaining access to sensitive data and resources.
- Defense Evasion: By using legitimate administrator accounts with high-integrity tokens, the attacker bypasses security controls and avoids detection.
Impact
Successful modification of the LocalAccountTokenFilterPolicy can lead to widespread compromise of systems within a network. Attackers can move laterally with elevated privileges, gaining access to sensitive data, installing malware, or disrupting business operations. The number of affected systems depends on the scope of the attacker's lateral movement capabilities. Sectors heavily reliant on Windows-based networks are particularly vulnerable.
Recommendation
- Deploy the Sigma rules provided in this brief to your SIEM to detect unauthorized modifications to the
LocalAccountTokenFilterPolicyregistry key. - Enable Sysmon process creation logging to improve visibility into the processes modifying the registry, allowing for better attribution and context (reference: Sigma rule
Local Account TokenFilter Policy Modification). - Review and whitelist legitimate uses of tools that may modify the
LocalAccountTokenFilterPolicyto reduce false positives, referencing the existing exclusions in the provided EQL query. - Implement strict password policies and multi-factor authentication to mitigate the risk of credential theft and "pass-the-hash" attacks (reference: MITRE ATT&CK T1550.002).
- Monitor for remote connections initiated by local administrator accounts, which may indicate exploitation of the
LocalAccountTokenFilterPolicyvulnerability.
Detection coverage 2
Local Account TokenFilter Policy Modification
mediumDetects modification of the LocalAccountTokenFilterPolicy registry value.
Local Account TokenFilter Policy Modification via PowerShell
highDetects modification of the LocalAccountTokenFilterPolicy registry value via PowerShell.
Detection queries are available on the platform. Get full rules →