Detectionmediumtest
Potential Access Token Abuse
Detects potential token impersonation and theft. Example, when using "DuplicateToken(Ex)" and "ImpersonateLoggedOnUser" with the "LOGON32_LOGON_NEW_CREDENTIALS flag".
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Michaela Adams, Zach MathisCreated Sun Nov 06Updated Wed Apr 2602f7c9c1-1ae8-4c6a-8add-04693807f92fwindows
Log Source
Windowssecurity
ProductWindows← raw: windows
Servicesecurity← raw: security
Detection Logic
Detection Logic1 selector
detection:
selection:
EventID: 4624
LogonType: 9
LogonProcessName: 'Advapi'
AuthenticationPackageName: 'Negotiate'
ImpersonationLevel: '%%1833' # Impersonation
condition: selectionFalse Positives
Anti-Virus
MITRE ATT&CK
Sub-techniques
Other
stp.4u
Rule Metadata
Rule ID
02f7c9c1-1ae8-4c6a-8add-04693807f92f
Status
test
Level
medium
Type
Detection
Created
Sun Nov 06
Modified
Wed Apr 26
Author
Path
rules/windows/builtin/security/account_management/win_security_access_token_abuse.yml
Raw Tags
attack.defense-evasionattack.privilege-escalationattack.t1134.001stp.4u