Michaela Adams mvadams@mitre.org
id: CAR-2022-04-001
description: This analytic detects Access Token Manipulation, specifically token impersonation and theft. It looks for Windows logon events (4624) with Logon Type 9 (NewCredentials), which is recorded when a caller obtains a token using the LOGON32_LOGON_NEW_CREDENTIALS flag; token impersonation and theft tooling commonly pairs such a logon with DuplicateToken(Ex) and ImpersonateLoggedOnUser. The analytic detects this behavior; it does not prevent it. Note that legitimate use of runas /netonly also produces a Logon Type 9 event, so hits should be tuned by account and calling process.
coverage:
  - technique: T1134
    tactics:
      - TA0005
      - TA0004
    subtechniques:
      - T1134.001
    coverage: Moderate
implementations:
  - name: Splunk Search - Access Token Manipulation Token Impersonation/Theft through Windows API call
    description: This analytic detects Access Token Manipulation by searching Windows Security event 4624 for NewCredentials logons (Logon Type 9, produced by the LOGON32_LOGON_NEW_CREDENTIALS flag) that were created through Advapi with a non-elevated token, the pattern adversaries and tools leave when impersonating users. It detects, rather than prevents, the impersonation.
    code: |-
      sourcetype=WinEventLog EventCode=4624 Impersonation_Level=Impersonation Authentication_Package=Negotiate Logon_Type=9 Logon_Process=Advapi Elevated_Token=No
    data_model: Windows Event Log
    type: Splunk
title: Detect Access Token Manipulation Token Impersonation and Theft
submission_date: 2022/04/28
information_domain: Analytic
platforms:
  - Windows
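The Splunk search above expressed as plain Python and run over constructed 4624 records, as an added example that is not part of the CAR analytic or its Splunk implementation. Field names mirror the Splunk search; the sample events, and the account and process names in them, are made up so the filter can be exercised offline, including the cases it is meant to exclude (elevated token, non-9 logon type, non-Negotiate package, wrong event code).

```python
"""Re-implementation of the CAR-2022-04-001 Splunk filter as a Python function,
run over constructed Windows 4624 records (not real telemetry). Each record
uses the same field names as the Splunk search so the logic maps one-to-one."""

# Every field/value pair the Splunk search requires, as equality checks.
REQUIRED = {
    "EventCode": "4624",
    "Impersonation_Level": "Impersonation",
    "Authentication_Package": "Negotiate",
    "Logon_Type": "9",          # NewCredentials: LogonUser with LOGON32_LOGON_NEW_CREDENTIALS
    "Logon_Process": "Advapi",
    "Elevated_Token": "No",
}


def parse_kv(line):
    """Parse a one-line 'key=value key=value' record into a dict.
    Values in these constructed samples are unquoted and contain no spaces."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def matches(record):
    """True when every field the analytic filters on carries the expected value."""
    return all(record.get(key) == value for key, value in REQUIRED.items())


def detect(lines):
    """Return the parsed records that the analytic would surface as hits."""
    return [record for record in map(parse_kv, lines) if matches(record)]


# Constructed sample events (hypothetical hosts, accounts and processes).
SAMPLE_EVENTS = [
    # 1: NewCredentials logon through Advapi with a non-elevated token -> hit
    "sourcetype=WinEventLog EventCode=4624 Account_Name=jdoe "
    "Impersonation_Level=Impersonation Authentication_Package=Negotiate "
    "Logon_Type=9 Logon_Process=Advapi Elevated_Token=No "
    "Process_Name=C:\\Users\\jdoe\\AppData\\Local\\Temp\\tool.exe",
    # 2: same shape but Elevated_Token=Yes -> excluded by the search
    "sourcetype=WinEventLog EventCode=4624 Account_Name=admin "
    "Impersonation_Level=Impersonation Authentication_Package=Negotiate "
    "Logon_Type=9 Logon_Process=Advapi Elevated_Token=Yes",
    # 3: ordinary network logon (type 3) -> excluded by Logon_Type=9
    "sourcetype=WinEventLog EventCode=4624 Account_Name=jdoe "
    "Impersonation_Level=Impersonation Authentication_Package=NTLM "
    "Logon_Type=3 Logon_Process=NtLmSsp Elevated_Token=No",
    # 4: type 9 logon but Kerberos package -> excluded by Authentication_Package
    "sourcetype=WinEventLog EventCode=4624 Account_Name=svc_backup "
    "Impersonation_Level=Impersonation Authentication_Package=Kerberos "
    "Logon_Type=9 Logon_Process=Advapi Elevated_Token=No",
    # 5: logoff event with otherwise matching fields -> excluded by EventCode
    "sourcetype=WinEventLog EventCode=4634 Account_Name=jdoe Logon_Type=9",
]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("ALERT", hit["Account_Name"], hit.get("Process_Name", "<no process>"))
```

Only the first sample survives the filter; the others fall out on exactly one field each, which is a useful way to see what the Splunk search's six equality terms contribute. In production the hit list still needs tuning, because an administrator running runas /netonly generates the same Logon Type 9 event through Advapi.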