Token-Impersonation — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/token-impersonation/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 03 Jan 2024 12:00:00 +0000Process Created with a Duplicated Tokenhttps://feed.craftedsignal.io/briefs/2024-01-process-created-with-duplicated-token/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-process-created-with-duplicated-token/This rule identifies the creation of a process impersonating the token of another user logon session on Windows, potentially indicating privilege escalation.This detection rule identifies the creation of a process impersonating the token of another user logon session on Windows. Adversaries may duplicate tokens to create processes with elevated privileges, bypassing security controls. This technique is used for privilege escalation. The rule flags suspicious process creation by examining token usage patterns, process origins, and recent file modifications, while excluding known legitimate behaviors, to flag potential privilege escalation attempts. The rule is designed for data generated by Elastic Endpoint 8.4+.

Attack Chain

  1. An attacker gains initial access to a Windows system through various means, such as exploiting a vulnerability or using compromised credentials.
  2. The attacker identifies a user logon session with higher privileges than their current session.
  3. The attacker duplicates the token of the identified user logon session using API calls like DuplicateTokenEx.
  4. The attacker uses the duplicated token to create a new process using CreateProcessWithTokenW.
  5. The new process inherits the privileges of the duplicated token.
  6. The attacker executes malicious commands or tools within the context of the newly created process.
  7. The attacker gains elevated privileges on the system, allowing them to perform actions they were previously unauthorized to do.

Impact

Successful exploitation allows an attacker to escalate privileges on the compromised system, potentially gaining administrative or system-level access. This can lead to unauthorized access to sensitive data, installation of malware, lateral movement to other systems on the network, and ultimately, complete control over the affected environment.

Recommendation

  • Enable Elastic Defend to collect the necessary process creation and event data to activate this rule.
  • Deploy the Sigma rule Detect Process Created with a Duplicated Token to your SIEM and tune for your environment.
  • Investigate any alerts generated by the rule, focusing on processes with unusual parent-child relationships or unsigned code.
]]>mediumadvisoryprivilege-escalationtoken-impersonationwindows