<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Token-Manipulation — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/token-manipulation/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 24 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/token-manipulation/feed.xml" rel="self" type="application/rss+xml"/><item><title>Unusual Process Performing NewCredentials Logon</title><link>https://feed.craftedsignal.io/briefs/2024-01-newcreds-logon-process/</link><pubDate>Wed, 24 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-newcreds-logon-process/</guid><description>Anomalous NewCredentials logon events triggered by uncommon processes may indicate access token manipulation for privilege escalation.</description><content:encoded><![CDATA[<p>The NewCredentials logon type in Windows allows a process to impersonate a user without initiating a new logon session. While legitimate uses exist, adversaries can abuse this mechanism to forge access tokens, enabling privilege escalation and bypassing security controls. This detection focuses on identifying unusual processes that perform NewCredentials logons, excluding common system paths and service accounts. This approach aims to highlight potential access token manipulation attacks that might otherwise go unnoticed. 
The rule specifically looks for authentication events on Windows systems where the logon type is NewCredentials and the LogonProcessName is Advapi, excluding events where the SubjectUserName ends with &lsquo;$&rsquo; (service accounts) and events where the process executable resides within the Program Files or Program Files (x86) directories.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to a system (e.g., through phishing or exploiting a vulnerability).</li>
<li>The attacker deploys or utilizes a tool capable of access token manipulation.</li>
<li>The malicious tool generates a NewCredentials logon event using <code>Advapi*</code>.</li>
<li>The tool attempts to impersonate a privileged user account.</li>
<li>The compromised process assumes the identity of the targeted user.</li>
<li>The attacker uses the elevated privileges to access sensitive resources or perform unauthorized actions.</li>
<li>The attacker attempts to move laterally to other systems within the network, leveraging the stolen credentials.</li>
<li>The attacker achieves their final objective, such as data exfiltration or system compromise.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to complete system compromise, data breaches, and lateral movement within the network. The risk score associated with this behavior is 47, indicating a notable level of concern. While the number of victims and the targeted sectors are not specified, the potential impact of privilege escalation warrants immediate investigation and remediation.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the &ldquo;First Time Seen NewCredentials Logon Process&rdquo; rule to your SIEM and tune for your environment to detect unusual processes performing NewCredentials logons.</li>
<li>Enable Audit Logon to generate the necessary events for the detection rule to function as described in the setup instructions [https://ela.st/audit-logon].</li>
<li>Review and update access control policies and token management practices to mitigate the risk of access token manipulation.</li>
<li>Consult threat intelligence sources to determine if the identified process or behavior is associated with known malicious activity or threat actors as documented in the reference [https://www.elastic.co/pt/blog/how-attackers-abuse-access-token-manipulation].</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>privilege-escalation</category><category>token-manipulation</category><category>windows</category></item><item><title>SeDebugPrivilege Enabled by a Suspicious Process</title><link>https://feed.craftedsignal.io/briefs/2024-01-sedebugpriv-enabled/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-sedebugpriv-enabled/</guid><description>The rule identifies a process running with a non-SYSTEM account that enables the SeDebugPrivilege privilege, which can be used by adversaries to debug and modify other processes to escalate privileges and bypass access controls.</description><content:encoded><![CDATA[<p>This detection rule identifies processes running under non-SYSTEM accounts that enable the SeDebugPrivilege. This privilege, typically reserved for system-level tasks, allows a process to debug and modify other processes. Adversaries may enable SeDebugPrivilege to escalate their privileges and bypass access controls, potentially gaining unauthorized access to sensitive data or system resources. The rule aims to detect suspicious processes enabling this privilege, excluding known legitimate processes, to flag potential privilege escalation attempts. This rule was last updated on 2026-05-04.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to a Windows system through various means (e.g., phishing, exploiting a vulnerability).</li>
<li>The attacker executes a malicious process on the compromised system.</li>
<li>The malicious process attempts to enable the SeDebugPrivilege.</li>
<li>Windows Security Auditing logs a &ldquo;Token Right Adjusted Events&rdquo; event, indicating that a process has enabled SeDebugPrivilege.</li>
<li>The detection rule identifies the event, filtering out known processes that legitimately enable this privilege (e.g., msiexec.exe, taskhostw.exe).</li>
<li>The rule triggers an alert, indicating a potential privilege escalation attempt.</li>
<li>Security analysts investigate the alert to determine the legitimacy of the process enabling SeDebugPrivilege and the context of its execution.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation and enabling of SeDebugPrivilege can allow an attacker to debug and modify other processes, potentially gaining access to sensitive information, escalating privileges to SYSTEM level, and bypassing security controls. This can lead to a complete compromise of the affected system and potentially lateral movement to other systems on the network. The impact is high, especially in environments where sensitive data is processed or stored.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable Audit Token Right Adjusted Events to ensure proper logging of SeDebugPrivilege usage as per the <a href="https://ela.st/audit-token-right-adjusted-events">setup instructions</a>.</li>
<li>Deploy the &ldquo;SeDebugPrivilege Enabled by a Suspicious Process&rdquo; Sigma rule to your SIEM to detect potential privilege escalation attempts.</li>
<li>Review and tune the exclusion list in the Sigma rule to minimize false positives, considering legitimate processes in your environment, as described in the <a href="#false-positive-analysis">False positive analysis</a>.</li>
<li>Investigate any alerts generated by the Sigma rule to determine the legitimacy of the process enabling SeDebugPrivilege.</li>
<li>Monitor systems for unauthorized access or lateral movement following the detection of SeDebugPrivilege enabling.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>privilege-escalation</category><category>token-manipulation</category><category>windows</category></item></channel></rss>