{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/token-manipulation/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["privilege-escalation","token-manipulation","windows"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA NewCredentials logon (Windows Security event 4624 with logon type 9) is recorded when a caller clones its current access token and supplies alternate credentials, typically by calling LogonUser with the LOGON32_LOGON_NEW_CREDENTIALS logon type, which is also what \u003ccode\u003erunas /netonly\u003c/code\u003e does. The process keeps its local identity, but the supplied credentials are used for outbound network authentication. Administrators use this legitimately; adversaries who hold valid credentials abuse the same mechanism to make and impersonate tokens (MITRE ATT\u0026CK T1134, Access Token Manipulation), gaining the privileges of another account on remote systems while local security controls still see the original interactive user. This detection identifies uncommon processes that perform NewCredentials logons, excluding common system paths and machine accounts, so that token manipulation hidden among routine authentications stands out. The rule looks for Windows authentication events where the logon type is NewCredentials and the LogonProcessName is Advapi, excluding events where the SubjectUserName ends with \u0026lsquo;$\u0026rsquo; (machine accounts, not service accounts) and events whose process executable resides within the Program Files or Program Files (x86) directories.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker deploys or utilizes a tool capable of access token manipulation and obtains the plaintext credentials of a target account, which a NewCredentials logon requires.\u003c/li\u003e\n\u003cli\u003eThe tool generates a NewCredentials logon event (4624, logon type 9) with a LogonProcessName of \u003ccode\u003eAdvapi*\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe tool impersonates the resulting token, targeting a privileged user account.\u003c/li\u003e\n\u003cli\u003eThe compromised process assumes the identity of the targeted user for its outbound network connections.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the elevated privileges to access sensitive resources or perform unauthorized actions.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally to other systems within the network, authenticating with the stolen credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful abuse can lead to complete system compromise, data breaches, and lateral movement within the network. The rule carries a risk score of 47, which corresponds to medium severity. The number of victims and targeted sectors is not specified, but because a NewCredentials logon only succeeds with valid credentials for the target account, an alert also implies that those credentials are already in the attacker's hands: treat the account as compromised, check where else it has authenticated, and investigate and remediate promptly.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;First Time Seen NewCredentials Logon Process\u0026rdquo; rule to your SIEM and tune it for your environment; expect benign hits from administrators using \u003ccode\u003erunas /netonly\u003c/code\u003e and from management agents installed outside Program Files, and baseline those before alerting.\u003c/li\u003e\n\u003cli\u003eEnable Audit Logon so that the 4624 events the rule depends on are generated, as described in the setup instructions [https://ela.st/audit-logon].\u003c/li\u003e\n\u003cli\u003eReview and update access control policies and token management practices to mitigate the risk of access token manipulation.\u003c/li\u003e\n\u003cli\u003eConsult threat intelligence sources to determine whether the identified process or behavior is associated with known malicious activity or threat actors, as documented in the reference [https://www.elastic.co/pt/blog/how-attackers-abuse-access-token-manipulation].\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T12:00:00Z","date_published":"2024-01-24T12:00:00Z","id":"/briefs/2024-01-newcreds-logon-process/","summary":"Anomalous 
NewCredentials logon events triggered by uncommon processes may indicate access token manipulation for privilege escalation.","title":"Unusual Process Performing NewCredentials Logon","url":"https://feed.craftedsignal.io/briefs/2024-01-newcreds-logon-process/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["privilege-escalation","token-manipulation","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection rule identifies processes running under non-SYSTEM accounts that enable SeDebugPrivilege. The privilege allows a process to open any other process with full access regardless of that process's security descriptor, including processes running as SYSTEM such as lsass.exe (Protected Process Light still applies), and is granted by default only to members of the local Administrators group. It is held disabled in the token until the process calls AdjustTokenPrivileges to enable it, and a token can only enable a privilege it already holds; the audit trail records that enabling step, and that is what this rule keys on. Adversaries enable SeDebugPrivilege to read credentials from process memory, inject into or duplicate the tokens of SYSTEM processes, and bypass access controls, potentially gaining unauthorized access to sensitive data or system resources. The rule flags processes that enable this privilege, excluding known legitimate processes, to surface potential privilege escalation attempts. 
This rule was last updated on 2026-05-04.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through various means (e.g., phishing, exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker executes a malicious process on the compromised system, in a context that already holds SeDebugPrivilege (by default, a member of local Administrators).\u003c/li\u003e\n\u003cli\u003eThe malicious process calls AdjustTokenPrivileges to enable SeDebugPrivilege.\u003c/li\u003e\n\u003cli\u003eWindows Security Auditing logs event 4703 (\u0026ldquo;A user right was adjusted\u0026rdquo;) under the Audit Token Right Adjusted Events subcategory, with SeDebugPrivilege in the EnabledPrivilegeList field.\u003c/li\u003e\n\u003cli\u003eThe detection rule identifies the event, filtering out known legitimate processes that routinely enable this privilege (e.g., msiexec.exe, taskhostw.exe).\u003c/li\u003e\n\u003cli\u003eThe rule triggers an alert, indicating a potential privilege escalation attempt.\u003c/li\u003e\n\u003cli\u003eSecurity analysts investigate the alert to determine the legitimacy of the process enabling SeDebugPrivilege and the context of its execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eWith SeDebugPrivilege enabled, an attacker can open and modify other processes, dump credentials from lsass.exe memory, and duplicate a SYSTEM process's token to escalate to SYSTEM, bypassing security controls along the way. This can lead to a complete compromise of the affected system and lateral movement to other systems on the network. Because the privilege must already be held before it can be enabled, an alert for a non-administrative account points to a misassigned user right or a prior elevation that deserves its own investigation. 
The impact is high, especially in environments where sensitive data is processed or stored.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Audit Token Right Adjusted Events to ensure proper logging of SeDebugPrivilege usage as per the \u003ca href=\"https://ela.st/audit-token-right-adjusted-events\"\u003esetup instructions\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the \u0026ldquo;SeDebugPrivilege Enabled by a Suspicious Process\u0026rdquo; Sigma rule to your SIEM to detect potential privilege escalation attempts.\u003c/li\u003e\n\u003cli\u003eReview and tune the exclusion list in the Sigma rule to minimize false positives, considering legitimate processes in your environment, as described in the \u003ca href=\"#false-positive-analysis\"\u003eFalse positive analysis\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine the legitimacy of the process enabling SeDebugPrivilege.\u003c/li\u003e\n\u003cli\u003eMonitor systems for unauthorized access or lateral movement following the detection of SeDebugPrivilege enabling.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-sedebugpriv-enabled/","summary":"The rule identifies a process running with a non-SYSTEM account that enables the SeDebugPrivilege privilege, which can be used by adversaries to debug and modify other processes to escalate privileges and bypass access controls.","title":"SeDebugPrivilege Enabled by a Suspicious Process","url":"https://feed.craftedsignal.io/briefs/2024-01-sedebugpriv-enabled/"}],"language":"en","title":"CraftedSignal Threat Feed — Token-Manipulation","version":"https://jsonfeed.org/version/1.1"}