Detect Access Token Manipulation (Token Impersonation/Theft) #153
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
and others
{{ message }}
and others
title: Detect Access Token Manipulation Token Impersonation and Theft
submission_date: 2022/04/28
information_domain: Analytic
platforms:
subtypes:
analytic_types:
contributors:
id: CAR-2022-04-001
description: This analytic detects the use of Access Token Manipulation, specifically token impersonation and theft. This analytic detects the use of DuplicateToken(Ex) and ImpersonateLoggedOnUser with the LOGON32_LOGON_NEW_CREDENTIALS flag to prevent adversaries and tools from impersonating tokens.
coverage:
tactics:
subtecniques:
coverage: Moderate
implementations:
description: This analytic detects the use of Access Token Manipulation with the LOGON32_LOGON_NEW_CREDENTIALS flag to prevent adversaries and tools from impersonating users.
code: |-
sourcetype=WinEventLog EventCode=4624 Impersonation_Level=Impersonation Authentication_Package=Negotiate Logon_Type=9 Logon_Process=Advapi Elevated_Token=No
data_model: Windows Event Log
type: Splunk
The text was updated successfully, but these errors were encountered: