Find sigma rule 
Attack: Access Token Manipulation: Token Impersonation/Theft
Adversaries may duplicate then impersonate another user’s existing token to escalate privileges and bypass access controls. For example, an adversary can duplicate an existing token using DuplicateToken or DuplicateTokenEx.(Citation: DuplicateToken function) The token can then be used with ImpersonateLoggedOnUser to allow the calling thread to impersonate a logged on user’s security context, or with SetThreadToken to assign the impersonated token to a thread.
An adversary may perform Token Impersonation/Theft when they have a specific, existing process they want to assign the duplicated token to. For example, this may be useful for when the target user has a non-network logon session on the system.
When an adversary would instead use a duplicated token to create a new process rather than attaching to an existing process, they can additionally Create Process with Token using CreateProcessWithTokenW or CreateProcessAsUserW. Token Impersonation/Theft is also distinct from Make and Impersonate Token in that it refers to duplicating an existing token, rather than creating a new one.
MITRE
Tactic
- defense-evasion
- privilege-escalation
technique
- T1134.001
Test : Juicy Potato
OS
- windows
Description:
This Atomic utilizes Juicy Potato to obtain privilege escalation. Upon successful execution of this test, a vulnerable CLSID will be used to execute a process with system permissions. This tactic has been previously observed in SnapMC Ransomware, amongst numerous other campaigns. Reference
Executor
powershell