Attack: Access Token Manipulation: Token Impersonation/Theft
Adversaries may duplicate then impersonate another user’s existing token to escalate privileges and bypass access controls. For example, an adversary can duplicate an existing token using DuplicateToken or DuplicateTokenEx.(Citation: DuplicateToken function) The token can then be used with ImpersonateLoggedOnUser to allow the calling thread to impersonate a logged on user’s security context, or with SetThreadToken to assign the impersonated token to a thread.
An adversary may perform Token Impersonation/Theft when they have a specific, existing process they want to assign the duplicated token to. For example, this may be useful when the target user has a non-network logon session on the system.
When an adversary would instead use a duplicated token to create a new process rather than attaching to an existing process, they can additionally Create Process with Token using CreateProcessWithTokenW or CreateProcessAsUserW. Token Impersonation/Theft is also distinct from Make and Impersonate Token in that it refers to duplicating an existing token, rather than creating a new one.
MITRE
Tactic
- defense-evasion
- privilege-escalation
Technique
- T1134.001
Test: Launch NSudo Executable
OS
- windows
Description:
Launches the NSudo executable for a short period of time and then exits. NSudo downloads have been observed after maldoc execution. NSudo is a system management tool for advanced users to launch programs with full privileges.
Executor
powershell
Sigma Rule
- proc_creation_win_powershell_non_interactive_execution.yml (id: f4bbd493-b796-416e-bbf2-121235348529)
- proc_creation_win_pua_nsudo.yml (id: 771d1eb5-9587-4568-95fb-9ec44153a012)
- proc_access_win_lsass_susp_source_process.yml (id: fa34b441-961a-42fa-a100-ecc28c886725)