mandiant / capa-rules

Standard collection of rules for capa: the tool for enumerating the capabilities of programs
https://github.com/mandiant/capa/
Apache License 2.0

rule idea: adjust process token privilege #910

Closed P4nD3m1CB0Y0xD closed 1 month ago

P4nD3m1CB0Y0xD commented 1 month ago

Prerequisites

Summary

This rule detects the capabilities for manipulating access tokens from the current process.

Examples

The sample that I used was: Practical Malware Analysis Lab01-04.exe:0x4010FC

Features

We can identify the capability by the sequence of API calls.

Additional context

Rule details

```yaml
rule:
  meta:
    name: adjust process token privilege
    namespace: privilege-escalation/token/
    authors:
      - P4nd3m1cb0y
    scopes:
      static: function
      # an `and` of four distinct api features can never be satisfied by a single
      # call, so the dynamic scope has to pool a thread's calls: `thread` (was `call`)
      dynamic: thread
    att&ck:
      - Privilege Escalation::Access Token Manipulation [T1134]
    examples:
      - Practical Malware Analysis Lab01-04.exe:0x4010FC
  features:
    # the call sequence used to enable a privilege on the current process token
    - and:
      - api: kernel32.GetCurrentProcess
      - api: advapi32.OpenProcessToken
      - api: advapi32.LookupPrivilegeValue
      - api: advapi32.AdjustTokenPrivileges
```

Namespace

privilege-escalation/token/

References

https://medium.com/@s12deff/process-token-manipulation-8983e92a824

Other rule meta information

Privilege Escalation::Access Token Manipulation [T1134]
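To see why the rule's scope choice matters, here is a small matcher that evaluates the proposed feature block the way capa combines `api` features per scope. It is an added example, not capa's own matcher: it assumes a simplified model in which the static `function` scope pools every API the function references, the dynamic `call` scope sees one call at a time, the dynamic `thread` scope pools a thread's calls, and ANSI/Unicode suffixes (`A`/`W`) are stripped before comparison; the call sequence is constructed to mirror the four APIs the rule lists.

```python
# Simplified emulation of capa's `and`/`or`/`api` evaluation for the proposed rule.
# Added example; not code from capa or capa-rules.
RULE = {  # feature block transcribed from the rule above
    "and": [
        {"api": "kernel32.GetCurrentProcess"},
        {"api": "advapi32.OpenProcessToken"},
        {"api": "advapi32.LookupPrivilegeValue"},
        {"api": "advapi32.AdjustTokenPrivileges"},
    ]
}

def normalize_api(name):
    """Drop a trailing A/W variant suffix so LookupPrivilegeValueA matches LookupPrivilegeValue."""
    module, _, func = name.rpartition(".")
    if len(func) > 1 and func[-1] in "AW" and func[-2].islower():
        func = func[:-1]
    return f"{module}.{func}" if module else func

def evaluate(node, features):
    """Evaluate a capa-style boolean tree against a set of normalized feature strings."""
    if "and" in node:
        return all(evaluate(child, features) for child in node["and"])
    if "or" in node:
        return any(evaluate(child, features) for child in node["or"])
    if "api" in node:
        return normalize_api(node["api"]) in features
    raise ValueError(f"unsupported node: {node}")

def static_match(function_apis):
    """Static `function` scope: every API referenced by the function is pooled (assumption)."""
    return evaluate(RULE, {normalize_api(a) for a in function_apis})

def dynamic_match(calls, scope):
    """Dynamic scope: `call` evaluates each call alone, `thread` pools a thread's calls (assumption)."""
    if scope == "call":
        groups = [[c] for c in calls]
    elif scope == "thread":
        by_tid = {}
        for c in calls:
            by_tid.setdefault(c["tid"], []).append(c)
        groups = list(by_tid.values())
    else:
        raise ValueError(f"unsupported scope: {scope}")
    return any(evaluate(RULE, {normalize_api(c["api"]) for c in g}) for g in groups)

# Constructed call sequence mirroring the APIs in the rule (not extracted from the sample).
FUNC_APIS = ["kernel32.GetCurrentProcess", "advapi32.OpenProcessToken",
             "advapi32.LookupPrivilegeValueA", "advapi32.AdjustTokenPrivileges"]
TRACE = [{"tid": 1, "api": a} for a in FUNC_APIS]  # one thread, four calls
```

Under this model the block matches at static `function` scope and dynamic `thread` scope, but never at dynamic `call` scope, which is why a multi-API sequence rule should not declare `dynamic: call`.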