{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/token-impersonation/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["privilege-escalation","token-impersonation","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection rule identifies the creation of a process impersonating the token of another user logon session on Windows. Adversaries may duplicate tokens to create processes with elevated privileges, bypassing security controls. This technique is used for privilege escalation. The rule flags suspicious process creation by examining token usage patterns, process origins, and recent file modifications, while excluding known legitimate behaviors, so that potential privilege escalation attempts surface as alerts. The rule is designed for data generated by Elastic Endpoint 8.4+.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through various means, such as exploiting a vulnerability or using compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a user logon session with higher privileges than their current session.\u003c/li\u003e\n\u003cli\u003eThe attacker duplicates the token of the identified user logon session using API calls like \u003ccode\u003eDuplicateTokenEx\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the duplicated token to create a new process using \u003ccode\u003eCreateProcessWithTokenW\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe new process inherits the privileges of the duplicated token.\u003c/li\u003e\n\u003cli\u003eThe attacker executes malicious commands or tools within the context of the newly created process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains elevated privileges on the system, allowing them to perform actions they were previously unauthorized to do.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an attacker to escalate privileges on the compromised system, potentially gaining administrative or system-level access. This can lead to unauthorized access to sensitive data, installation of malware, lateral movement to other systems on the network, and ultimately, complete control over the affected environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Elastic Defend to collect the necessary process creation and event data to activate this rule.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Process Created with a Duplicated Token\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the rule, focusing on processes with unusual parent-child relationships or unsigned code.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-process-created-with-duplicated-token/","summary":"This rule identifies the creation of a process impersonating the token of another user logon session on Windows, potentially indicating privilege escalation.","title":"Process Created with a Duplicated Token","url":"https://feed.craftedsignal.io/briefs/2024-01-process-created-with-duplicated-token/"}],"language":"en","title":"CraftedSignal Threat Feed — Token-Impersonation","version":"https://jsonfeed.org/version/1.1"}