Closed P4nD3m1CB0Y0xD closed 1 month ago
This rule detects the capabilities for manipulating access tokens from the current process.
The sample that I used was: Practical Malware Analysis Lab 01-04.exe_:0x4010FC
We can identify the capability by the sequence of API calls.
```yaml
rule:
  meta:
    name: adjust process token privilege
    namespace: privilege-escalation/token/
    authors:
      - P4nd3m1cb0y
    scopes:
      static: function
      dynamic: call
    att&ck:
      - Privilege Escalation::Access Token Manipulation [T1134]
    examples:
      - Practical Malware Analysis Lab01-04.exe:0x4010FC
  features:
    - and:
      - api: kernel32.GetCurrentProcess
      - api: advapi32.OpenProcessToken
      - api: advapi32.LookupPrivilegeValue
      - api: advapi32.AdjustTokenPrivileges
```
privilege-escalation/token/
https://medium.com/@s12deff/process-token-manipulation-8983e92a824
Privilege Escalation::Access Token Manipulation [T1134]
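As an added illustration (not code from the issue or from capa itself), the following shows how the rule's four `api` features combine under an unordered `and`, and how a stricter in-order check over a dynamic call trace differs. The A/W suffix normalization and the two sample traces are constructed for this example.

```python
import re
from typing import Iterable

# Features copied from the proposed capa rule's "and" block above.
TOKEN_PRIV_FEATURES = (
    "kernel32.GetCurrentProcess",
    "advapi32.OpenProcessToken",
    "advapi32.LookupPrivilegeValue",
    "advapi32.AdjustTokenPrivileges",
)
_AW_SUFFIX = re.compile(r"[AW]$")

def normalize_api(name: str) -> str:
    """Lower-case the module and drop a trailing A/W (ANSI/Unicode) marker so
    LookupPrivilegeValueA/W match the rule's LookupPrivilegeValue (my assumption)."""
    module, sep, func = name.rpartition(".")
    func = _AW_SUFFIX.sub("", func)
    return f"{module.lower()}.{func}" if sep else func

def match_adjust_token_privilege(calls: Iterable[str]) -> dict:
    """The rule's unordered 'and': every feature must appear somewhere."""
    observed = {normalize_api(c) for c in calls}
    missing = [f for f in TOKEN_PRIV_FEATURES
               if normalize_api(f) not in observed]
    return {"matched": not missing, "missing": missing}

def in_rule_order(calls: Iterable[str]) -> bool:
    """Stricter check for a dynamic trace: the four APIs occur in the
    sequence the issue describes (get process, open token, look up the
    privilege, adjust).  The capa rule itself is order-insensitive."""
    wanted = [normalize_api(f) for f in TOKEN_PRIV_FEATURES]
    idx = 0
    for c in calls:
        if idx < len(wanted) and normalize_api(c) == wanted[idx]:
            idx += 1
    return idx == len(wanted)

# Constructed call traces (not taken from the Lab 01-04 sample).
TRACE_ADJUST = [
    "kernel32.GetCurrentProcess",
    "advapi32.OpenProcessToken",
    "advapi32.LookupPrivilegeValueA",  # ANSI variant, still matches
    "advapi32.AdjustTokenPrivileges",
]
TRACE_QUERY_ONLY = [
    "kernel32.GetCurrentProcess",
    "advapi32.OpenProcessToken",
    "advapi32.GetTokenInformation",  # reads the token but never adjusts it
]
```

A trace that only queries the token reports the two missing features, which is the quickest way to see why OpenProcessToken alone is not enough for this rule to fire.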