Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
HackTool - Koh Default Named Pipe
Detects creation of default named pipes used by the Koh tool
level: critical | status: test | author: Nasreddine Bencherchali (Nextron Systems) | id: 0adc67e0-a68f-4ffd-9c43-28905aad5d6a
title: HackTool - Koh Default Named Pipe
id: 0adc67e0-a68f-4ffd-9c43-28905aad5d6a
status: test
description: Detects creation of default named pipes used by the Koh tool
references:
    - https://github.com/GhostPack/Koh/blob/0283d9f3f91cf74732ad377821986cfcb088e20a/Clients/BOF/KohClient.c#L12
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-08
modified: 2023-08-07
tags:
    - attack.privilege-escalation
    - attack.credential-access
    - attack.stealth
    - attack.t1528
    - attack.t1134.001
logsource:
    product: windows
    category: pipe_created
    definition: 'Note that you have to configure logging for Named Pipe Events in your Sysmon config (Event ID 17 and Event ID 18). The basic configuration is included in the popular Sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repos, e.g. https://github.com/Neo23x0/sysmon-config or https://github.com/olafhartong/sysmon-modular. To test the detection, see the PowerShell script at https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
    selection:
        PipeName|contains:
            - '\imposecost'
            - '\imposingcost'
    condition: selection
falsepositives:
    - Unlikely
level: critical
HackTool - NoFilter Execution
Detects execution of NoFilter, a tool for abusing the Windows Filtering Platform for privilege escalation via hardcoded policy name indicators
level: high | status: test | author: Stamatis Chatzimangou (st0pp3r) | id: 7b14c76a-c602-4ae6-9717-eff868153fc0
title: HackTool - NoFilter Execution
id: 7b14c76a-c602-4ae6-9717-eff868153fc0
status: test
description: |
    Detects execution of NoFilter, a tool for abusing the Windows Filtering Platform for privilege escalation via hardcoded policy name indicators
references:
    - https://github.com/deepinstinct/NoFilter/blob/121d215ab130c5e8e3ad45a7e7fcd56f4de97b4d/NoFilter/Consts.cpp
    - https://github.com/deepinstinct/NoFilter
    - https://www.deepinstinct.com/blog/nofilter-abusing-windows-filtering-platform-for-privilege-escalation
    - https://x.com/_st0pp3r_/status/1742203752361128162?s=20
author: Stamatis Chatzimangou (st0pp3r)
date: 2024-01-05
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1134
    - attack.t1134.001
logsource:
    product: windows
    service: security
    definition: 'Requirements: Audit Filtering Platform Policy Change needs to be enabled'
detection:
    selection_5447:
        EventID: 5447
        FilterName|contains: 'RonPolicy'
    selection_5449:
        EventID: 5449
        ProviderContextName|contains: 'RonPolicy'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high
HackTool - SharpDPAPI Execution
Detects the execution of the SharpDPAPI tool based on CommandLine flags and PE metadata.
SharpDPAPI is a C# port of some DPAPI functionality from the Mimikatz project.
level: high | status: test | author: Nasreddine Bencherchali (Nextron Systems) | id: c7d33b50-f690-4b51-8cfb-0fb912a31e57
title: HackTool - SharpDPAPI Execution
id: c7d33b50-f690-4b51-8cfb-0fb912a31e57
status: test
description: |
    Detects the execution of the SharpDPAPI tool based on CommandLine flags and PE metadata.
    SharpDPAPI is a C# port of some DPAPI functionality from the Mimikatz project.
references:
    - https://github.com/GhostPack/SharpDPAPI
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-06-26
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1134.001
    - attack.t1134.003
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\SharpDPAPI.exe'
        - OriginalFileName: 'SharpDPAPI.exe'
    selection_other_cli:
        CommandLine|contains:
            - ' backupkey '
            - ' blob '
            - ' certificates '
            - ' credentials '
            - ' keepass '
            - ' masterkeys '
            - ' rdg '
            - ' vaults '
    selection_other_options_guid:
        CommandLine|contains|all:
            - ' {'
            - '}:'
    selection_other_options_flags:
        CommandLine|contains:
            - ' /file:'
            - ' /machine'
            - ' /mkfile:'
            - ' /password:'
            - ' /pvk:'
            - ' /server:'
            - ' /target:'
            - ' /unprotect'
    condition: selection_img or (selection_other_cli and 1 of selection_other_options_*)
falsepositives:
    - Unknown
level: high
HackTool - SharpImpersonation Execution
Detects execution of the SharpImpersonation tool, which can be used to manipulate tokens on Windows computers remotely (PsExec/WmiExec) or interactively
level: high | status: test | author: Sai Prashanth Pulisetti @pulisettis, Nasreddine Bencherchali (Nextron Systems) | id: f89b08d0-77ad-4728-817b-9b16c5a69c7a
title: HackTool - SharpImpersonation Execution
id: f89b08d0-77ad-4728-817b-9b16c5a69c7a
related:
    - id: cf0c254b-22f1-4b2b-8221-e137b3c0af94
      type: similar
status: test
description: Detects execution of the SharpImpersonation tool, which can be used to manipulate tokens on Windows computers remotely (PsExec/WmiExec) or interactively
references:
    - https://s3cur3th1ssh1t.github.io/SharpImpersonation-Introduction/
    - https://github.com/S3cur3Th1sSh1t/SharpImpersonation
author: Sai Prashanth Pulisetti @pulisettis, Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-27
modified: 2023-02-13
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1134.001
    - attack.t1134.003
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\SharpImpersonation.exe'
        - OriginalFileName: 'SharpImpersonation.exe'
    selection_cli:
        - CommandLine|contains|all:
              - ' user:'
              - ' binary:'
        - CommandLine|contains|all:
              - ' user:'
              - ' shellcode:'
        - CommandLine|contains:
              - ' technique:CreateProcessAsUserW'
              - ' technique:ImpersonateLoggedOnuser'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high
Meterpreter or Cobalt Strike Getsystem Service Installation - Security
Detects the use of the getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
level: high | status: test | author: Teymur Kheirkhabarov, Ecco, Florian Roth (Nextron Systems) | id: ecbc5e16-58e0-4521-9c60-eb9a7ea4ad34
title: Meterpreter or Cobalt Strike Getsystem Service Installation - Security
id: ecbc5e16-58e0-4521-9c60-eb9a7ea4ad34
related:
    - id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6
      type: derived
status: test
description: Detects the use of the getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
    - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
author: Teymur Kheirkhabarov, Ecco, Florian Roth (Nextron Systems)
date: 2019-10-26
modified: 2023-11-15
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1134.001
    - attack.t1134.002
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory needs to be enabled to log EID 4697
detection:
    selection_eid:
        EventID: 4697
    selection_cli_cmd:
        # meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a
        # cobaltstrike getsystem technique 1: %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
        # cobaltstrike getsystem technique 1b (expanded %COMSPEC%): %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
        ServiceFileName|contains|all:
            - '/c'
            - 'echo'
            - '\pipe\'
        ServiceFileName|contains:
            - 'cmd'
            - '%COMSPEC%'
    selection_cli_rundll:
        # meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn
        ServiceFileName|contains|all:
            - 'rundll32'
            - '.dll,a'
            - '/p:'
    selection_cli_share:
        ServiceFileName|startswith: '\\\\127.0.0.1\\ADMIN$\' # https://twitter.com/svch0st/status/1413688851877416960?lang=en
    condition: selection_eid and 1 of selection_cli_*
falsepositives:
    - Unlikely
level: high
Meterpreter or Cobalt Strike Getsystem Service Installation - System
Detects the use of the getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
level: high | status: test | author: Teymur Kheirkhabarov, Ecco, Florian Roth (Nextron Systems) | id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6
title: Meterpreter or Cobalt Strike Getsystem Service Installation - System
id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6
status: test
description: Detects the use of the getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
    - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
author: Teymur Kheirkhabarov, Ecco, Florian Roth (Nextron Systems)
date: 2019-10-26
modified: 2023-11-15
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1134.001
    - attack.t1134.002
logsource:
    product: windows
    service: system
detection:
    selection_id:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
    selection_cli_cmd:
        # meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a
        # cobaltstrike getsystem technique 1: %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
        # cobaltstrike getsystem technique 1b (expanded %COMSPEC%): %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
        ImagePath|contains|all:
            - '/c'
            - 'echo'
            - '\pipe\'
        ImagePath|contains:
            - 'cmd'
            - '%COMSPEC%'
    selection_cli_rundll:
        # meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn
        ImagePath|contains|all:
            - 'rundll32'
            - '.dll,a'
            - '/p:'
    selection_cli_share:
        ImagePath|startswith: '\\\\127.0.0.1\\ADMIN$\' # https://twitter.com/svch0st/status/1413688851877416960?lang=en
    condition: selection_id and 1 of selection_cli_*
falsepositives:
    - Unlikely
level: high
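The two getsystem service-installation rules above (Security, EID 4697 / ServiceFileName, and System, EID 7045 / ImagePath) share one detection shape: an event-id selection ANDed with any one of three service-binary selections. The following is an added example, not code from the Sigma project or the rule authors, that evaluates the System variant's detection block against constructed 7045 events. It assumes the Sigma string semantics as I read the spec (`*` and `?` are wildcards, `\\` is a literal backslash, a backslash before any other character is literal, and matching is case-insensitive), which is what turns the YAML value `'\\\\127.0.0.1\\ADMIN$\'` into the prefix `\\127.0.0.1\ADMIN$\`. The sample events are constructed, modelled on the service-binary examples in the rule's own comments.

```python
import re

# Constructed transcription of the rule's detection block into Python dicts;
# keys keep Sigma's "Field|modifier" form.
GETSYSTEM_SYSTEM_RULE = {
    "selection_id": {"Provider_Name": "Service Control Manager", "EventID": 7045},
    "selection_cli_cmd": {
        "ImagePath|contains|all": ["/c", "echo", "\\pipe\\"],
        "ImagePath|contains": ["cmd", "%COMSPEC%"],
    },
    "selection_cli_rundll": {
        "ImagePath|contains|all": ["rundll32", ".dll,a", "/p:"],
    },
    # YAML single-quoted value '\\\\127.0.0.1\\ADMIN$\' written as a Python literal
    "selection_cli_share": {"ImagePath|startswith": "\\\\\\\\127.0.0.1\\\\ADMIN$\\"},
}


def sigma_value_to_regex(value: str, modifier: str) -> re.Pattern:
    """Translate one Sigma string value into a compiled regex.

    Assumed escaping rules: '*' and '?' are wildcards, a backslash escapes a
    following backslash or wildcard, and a backslash before any other
    character (or at the end of the value) is a literal backslash.
    """
    parts = []
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value) and value[i + 1] in "\\*?":
            parts.append(re.escape(value[i + 1]))
            i += 2
        elif ch == "*":
            parts.append(".*")
            i += 1
        elif ch == "?":
            parts.append(".")
            i += 1
        else:
            parts.append(re.escape(ch))
            i += 1
    body = "".join(parts)
    if modifier == "startswith":
        body = "^" + body
    elif modifier == "endswith":
        body = body + "$"
    return re.compile(body, re.IGNORECASE | re.DOTALL)


def field_matches(event: dict, key: str, expected) -> bool:
    """Evaluate one 'Field|modifier...' entry of a selection against an event."""
    field, *modifiers = key.split("|")
    actual = event.get(field)
    if actual is None:
        return False
    values = expected if isinstance(expected, list) else [expected]
    if not modifiers:  # plain value: exact, case-insensitive comparison
        return any(str(actual).lower() == str(v).lower() for v in values)
    op = modifiers[0]
    hits = [bool(sigma_value_to_regex(str(v), op).search(str(actual))) for v in values]
    return all(hits) if "all" in modifiers else any(hits)


def selection_matches(event: dict, selection: dict) -> bool:
    # Every field entry inside one selection map must match (logical AND).
    return all(field_matches(event, key, val) for key, val in selection.items())


def getsystem_service_install(event: dict) -> bool:
    """condition: selection_id and 1 of selection_cli_*"""
    if not selection_matches(event, GETSYSTEM_SYSTEM_RULE["selection_id"]):
        return False
    return any(
        selection_matches(event, sel)
        for name, sel in GETSYSTEM_SYSTEM_RULE.items()
        if name.startswith("selection_cli_")
    )


# Constructed sample 7045 events: three modelled on the rule's comments, one
# benign service install, and one with the wrong event id.
SAMPLE_EVENTS = [
    {"Provider_Name": "Service Control Manager", "EventID": 7045,
     "ImagePath": "cmd.exe /c echo 559891bb017 > \\\\.\\pipe\\5e120a"},
    {"Provider_Name": "Service Control Manager", "EventID": 7045,
     "ImagePath": "rundll32.exe C:\\Users\\test\\AppData\\Local\\Temp\\tmexsn.dll,a /p:tmexsn"},
    {"Provider_Name": "Service Control Manager", "EventID": 7045,
     "ImagePath": "\\\\127.0.0.1\\ADMIN$\\a1b2c3.exe"},
    {"Provider_Name": "Service Control Manager", "EventID": 7045,
     "ImagePath": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},
    {"Provider_Name": "Service Control Manager", "EventID": 7036,
     "ImagePath": "cmd.exe /c echo x > \\\\.\\pipe\\y"},
]


def flagged_image_paths(events=SAMPLE_EVENTS) -> list:
    """Return the ImagePath of every event the rule would alert on."""
    return [e["ImagePath"] for e in events if getsystem_service_install(e)]


if __name__ == "__main__":
    for path in flagged_image_paths():
        print("ALERT:", path)
```

Porting the Security variant only requires swapping `selection_id` for `{"EventID": 4697}` and renaming `ImagePath` to `ServiceFileName`; the value-matching logic is unchanged. The share-path case is the one that trips hand-written conversions most often, because the four leading backslashes in the YAML collapse to the two that a UNC path actually starts with.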
PUA - AdvancedRun Suspicious Execution
Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts
level: high | status: test | author: Florian Roth (Nextron Systems) | id: fa00b701-44c6-4679-994d-5a18afa8a707
title: PUA - AdvancedRun Suspicious Execution
id: fa00b701-44c6-4679-994d-5a18afa8a707
related:
    - id: d2b749ee-4225-417e-b20e-a8d2193cbb84
      type: similar
status: test
description: Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts
references:
    - https://twitter.com/splinter_code/status/1483815103279603714
    - https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3
    - https://www.elastic.co/security-labs/operation-bleeding-bear
    - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
author: Florian Roth (Nextron Systems)
date: 2022-01-20
modified: 2023-02-21
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1134.002
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains:
            - '/EXEFilename'
            - '/CommandLine'
    selection_runas:
        - CommandLine|contains:
              - ' /RunAs 8 '
              - ' /RunAs 4 '
              - ' /RunAs 10 '
              - ' /RunAs 11 '
        - CommandLine|endswith:
              - '/RunAs 8'
              - '/RunAs 4'
              - '/RunAs 10'
              - '/RunAs 11'
    condition: all of selection*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user/info.yml
Potential Meterpreter/CobaltStrike Activity
Detects the use of the getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting
level: high | status: test | author: Teymur Kheirkhabarov, Ecco, Florian Roth | id: 15619216-e993-4721-b590-4c520615a67d
title: Potential Meterpreter/CobaltStrike Activity
id: 15619216-e993-4721-b590-4c520615a67d
status: test
description: Detects the use of the getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
    - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
author: Teymur Kheirkhabarov, Ecco, Florian Roth
date: 2019-10-26
modified: 2023-02-05
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1134.001
    - attack.t1134.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        ParentImage|endswith: '\services.exe'
    selection_technique_1:
        # Examples:
        # Meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a
        # CobaltStrike getsystem technique 1b (expanded env var): %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
        # CobaltStrike getsystem technique 1: %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
        CommandLine|contains|all:
            - '/c'
            - 'echo'
            - '\pipe\'
        CommandLine|contains:
            - 'cmd'
            - '%COMSPEC%'
    selection_technique_2:
        # meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn
        CommandLine|contains|all:
            - 'rundll32'
            - '.dll,a'
            - '/p:'
    filter_defender:
        CommandLine|contains: 'MpCmdRun'
    condition: selection_img and 1 of selection_technique_* and not 1 of filter_*
falsepositives:
    - Command lines that happen to contain components such as cmd
    - Jobs and services started with cmd
level: high
Suspicious Child Process Created as System
Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE accounts
level: high | status: test | author: Teymur Kheirkhabarov, Roberto Rodriguez (@Cyb3rWard0g), Open Threat Research (OTR) | id: 590a5f4c-6c8c-4f10-8307-89afe9453a9d
title: Suspicious Child Process Created as System
id: 590a5f4c-6c8c-4f10-8307-89afe9453a9d
status: test
description: Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE accounts
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
    - https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/
    - https://github.com/antonioCoco/RogueWinRM
    - https://twitter.com/Cyb3rWard0g/status/1453123054243024897
author: Teymur Kheirkhabarov, Roberto Rodriguez (@Cyb3rWard0g), Open Threat Research (OTR)
date: 2019-10-26
modified: 2024-12-01
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1134.002
logsource:
    category: process_creation
    product: windows
    definition: 'Requirements: ParentUser field needs sysmon >= 13.30'
detection:
    selection:
        ParentUser|contains:
            - 'AUTHORI'
            - 'AUTORI'
        ParentUser|endswith:
            - '\NETWORK SERVICE'
            - '\LOCAL SERVICE'
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
        User|endswith: # System
            - '\SYSTEM'
            - '\Système'
            - '\СИСТЕМА'
        IntegrityLevel:
            - 'System'
            - 'S-1-16-16384'
    filter_rundll32:
        Image|endswith: '\rundll32.exe'
        CommandLine|contains: 'DavSetCookie'
    condition: selection and not 1 of filter_*
falsepositives:
    - Unknown
level: high
Suspicious SYSTEM User Process Creation
Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)
level: high | status: test | author: Florian Roth (Nextron Systems), David ANDRE (additional keywords) | id: 2617e7ed-adb7-40ba-b0f3-8f9945fe6c09
title: Suspicious SYSTEM User Process Creation
id: 2617e7ed-adb7-40ba-b0f3-8f9945fe6c09
status: test
description: Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)
references:
    - Internal Research
    - https://tools.thehacker.recipes/mimikatz/modules
author: Florian Roth (Nextron Systems), David ANDRE (additional keywords)
date: 2021-12-20
modified: 2025-10-19
tags:
    - attack.credential-access
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1134
    - attack.t1003
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        IntegrityLevel:
            - 'System'
            - 'S-1-16-16384'
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
    selection_special:
        - Image|endswith:
              - '\calc.exe'
              - '\cscript.exe'
              - '\forfiles.exe'
              - '\hh.exe'
              - '\mshta.exe'
              - '\ping.exe'
              - '\wscript.exe'
        - CommandLine|re: 'net\s+user\s+'
        - CommandLine|contains:
              # - 'sc stop ' # stops a system service # causes FPs
              - ' -NoP ' # Often used in malicious PowerShell commands
              - ' -W Hidden ' # Often used in malicious PowerShell commands
              - ' -decode ' # Used with certutil
              - ' /decode ' # Used with certutil
              - ' /urlcache ' # Used with certutil
              - ' -urlcache ' # Used with certutil
              - ' -e* JAB' # PowerShell encoded commands
              - ' -e* SUVYI' # PowerShell encoded commands
              - ' -e* SQBFAFgA' # PowerShell encoded commands
              - ' -e* aWV4I' # PowerShell encoded commands
              - ' -e* IAB' # PowerShell encoded commands
              - ' -e* PAA' # PowerShell encoded commands
              - ' -e* aQBlAHgA' # PowerShell encoded commands
              - 'vssadmin delete shadows' # Ransomware
              - 'reg SAVE HKLM' # save registry SAM - syskey extraction
              - ' -ma ' # ProcDump
              - 'Microsoft\Windows\CurrentVersion\Run' # Run key in command line - often in combination with REG ADD
              - '.downloadstring(' # PowerShell download command
              - '.downloadfile(' # PowerShell download command
              - ' /ticket:' # Rubeus
              - 'dpapi::' # Mimikatz
              - 'event::clear' # Mimikatz
              - 'event::drop' # Mimikatz
              - 'id::modify' # Mimikatz
              - 'kerberos::' # Mimikatz
              - 'lsadump::' # Mimikatz
              - 'misc::' # Mimikatz
              - 'privilege::' # Mimikatz
              - 'rpc::' # Mimikatz
              - 'sekurlsa::' # Mimikatz
              - 'sid::' # Mimikatz
              - 'token::' # Mimikatz
              - 'vault::cred' # Mimikatz
              - 'vault::list' # Mimikatz
              - ' p::d ' # Mimikatz
              - ';iex(' # PowerShell IEX
              - 'MiniDump' # Process dumping method apart from procdump
    filter_main_ping:
        CommandLine|contains|all:
            - 'ping'
            - '127.0.0.1'
            - ' -n '
    filter_vs:
        Image|endswith: '\PING.EXE'
        ParentCommandLine|contains: '\DismFoDInstall.cmd'
    filter_config_mgr:
        ParentImage|contains: ':\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'
    filter_java:
        ParentImage|contains:
            - ':\Program Files (x86)\Java\'
            - ':\Program Files\Java\'
        ParentImage|endswith: '\bin\javaws.exe'
        Image|contains:
            - ':\Program Files (x86)\Java\'
            - ':\Program Files\Java\'
        Image|endswith: '\bin\jp2launcher.exe'
        CommandLine|contains: ' -ma '
    condition: all of selection* and not 1 of filter_*
falsepositives:
    - Administrative activity
    - Scripts and administrative tools used in the monitored environment
    - Monitoring activity
level: high
Addition of SID History to Active Directory Object
An attacker can use the SID history attribute to gain additional privileges.
level: medium | status: stable | author: Thomas Patzke, @atc_project (improvements) | id: 2632954e-db1c-49cb-9936-67d1ef1d17d2
title: Addition of SID History to Active Directory Object
id: 2632954e-db1c-49cb-9936-67d1ef1d17d2
status: stable
description: An attacker can use the SID history attribute to gain additional privileges.
references:
    - https://adsecurity.org/?p=1772
author: Thomas Patzke, @atc_project (improvements)
date: 2017-02-19
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1134.005
logsource:
    product: windows
    service: security
detection:
    selection1:
        EventID:
            - 4765
            - 4766
    selection2:
        EventID: 4738
    selection3:
        SidHistory:
            - '-'
            - '%%1793'
    filter_null:
        SidHistory: null
    condition: selection1 or (selection2 and not selection3 and not filter_null)
falsepositives:
    - Migration of an account into a new domain
level: medium
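The condition of the SID History rule above combines three different ways of saying "the SidHistory field carries nothing": a null filter (field absent), two placeholder strings ('-' and '%%1793'), and the two event ids (4765/4766) that fire on their own regardless of field content. The following is an added example, not code from the Sigma project or the rule author, that ports the condition to Python and runs it over constructed 4738/4765/4766 events. It assumes Sigma's null-value selector matches when the field is missing or null, and the sample events and account names are constructed.

```python
# Placeholder values the rule's selection3 lists for "no SID history present".
SIDHISTORY_PLACEHOLDERS = {"-", "%%1793"}


def sid_history_added(event: dict) -> bool:
    """Port of the rule's condition:
    selection1 or (selection2 and not selection3 and not filter_null)
    """
    event_id = event.get("EventID")
    if event_id in (4765, 4766):                     # selection1: SID History add attempted
        return True
    if event_id != 4738:                             # selection2: user account changed
        return False
    sid_history = event.get("SidHistory")
    if sid_history is None:                          # filter_null: field absent or null
        return False
    if str(sid_history) in SIDHISTORY_PLACEHOLDERS:  # selection3: unchanged placeholder
        return False
    return True                                      # 4738 with a real SidHistory value


# Constructed sample events (not real log data). The last entry uses a
# different event id with a SidHistory value to show the rule's scope.
SAMPLE_4738_EVENTS = [
    {"EventID": 4738, "TargetUserName": "jdoe",
     "SidHistory": "S-1-5-21-1111111111-2222222222-3333333333-512"},
    {"EventID": 4738, "TargetUserName": "asmith", "SidHistory": "-"},
    {"EventID": 4738, "TargetUserName": "bwong", "SidHistory": "%%1793"},
    {"EventID": 4738, "TargetUserName": "clee"},
    {"EventID": 4765, "TargetUserName": "svc-migrate"},
    {"EventID": 4766, "TargetUserName": "svc-migrate"},
    {"EventID": 4742, "TargetUserName": "WS01$",
     "SidHistory": "S-1-5-21-1111111111-2222222222-3333333333-1104"},
]


def flagged_accounts(events=SAMPLE_4738_EVENTS) -> list:
    """Return the TargetUserName of every event the rule would alert on."""
    return [e["TargetUserName"] for e in events if sid_history_added(e)]


if __name__ == "__main__":
    for name in flagged_accounts():
        print("ALERT: SID history change for", name)
```

The null filter matters in practice: a SIEM that drops empty fields during parsing would otherwise see a 4738 with no SidHistory key, fail the placeholder comparison in selection3, and raise a false alert on every routine account change.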
HackTool - Impersonate Execution
Detects execution of the Impersonate tool, which can be used to manipulate tokens on Windows computers remotely (PsExec/WmiExec) or interactively
level: medium | status: test | author: Sai Prashanth Pulisetti @pulisettis | id: cf0c254b-22f1-4b2b-8221-e137b3c0af94
title: HackTool - Impersonate Execution
id: cf0c254b-22f1-4b2b-8221-e137b3c0af94
status: test
description: Detects execution of the Impersonate tool, which can be used to manipulate tokens on Windows computers remotely (PsExec/WmiExec) or interactively
references:
    - https://sensepost.com/blog/2022/abusing-windows-tokens-to-compromise-active-directory-without-touching-lsass/
    - https://github.com/sensepost/impersonate
author: Sai Prashanth Pulisetti @pulisettis
date: 2022-12-21
modified: 2024-11-23
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1134.001
    - attack.t1134.003
logsource:
    product: windows
    category: process_creation
detection:
    selection_commandline_exe:
        CommandLine|contains: 'impersonate.exe'
    selection_commandline_opt:
        CommandLine|contains:
            - ' list '
            - ' exec '
            - ' adduser '
    selection_hash:
        Hashes|contains:
            - 'MD5=9520714AB576B0ED01D1513691377D01'
            - 'SHA256=E81CC96E2118DC4FBFE5BAD1604E0AC7681960143E2101E1A024D52264BB0A8A'
            - 'IMPHASH=0A358FFC1697B7A07D0E817AC740DF62'
    condition: all of selection_commandline_* or selection_hash
falsepositives:
    - Unknown
level: medium
PUA - AdvancedRun Execution
Detects the execution of AdvancedRun utility
level: medium | status: test | author: Florian Roth (Nextron Systems) | id: d2b749ee-4225-417e-b20e-a8d2193cbb84
Potential Access Token Abuse
Detects potential token impersonation and theft, for example when "DuplicateToken(Ex)" and "ImpersonateLoggedOnUser" are used with the "LOGON32_LOGON_NEW_CREDENTIALS" flag.
level: medium | status: test | author: Michaela Adams, Zach Mathis | id: 02f7c9c1-1ae8-4c6a-8add-04693807f92f
title: Potential Access Token Abuse
id: 02f7c9c1-1ae8-4c6a-8add-04693807f92f
status: test
description: Detects potential token impersonation and theft, for example when "DuplicateToken(Ex)" and "ImpersonateLoggedOnUser" are used with the "LOGON32_LOGON_NEW_CREDENTIALS" flag.
references:
    - https://www.elastic.co/fr/blog/how-attackers-abuse-access-token-manipulation
    - https://www.manageengine.com/log-management/cyber-security/access-token-manipulation.html
author: Michaela Adams, Zach Mathis
date: 2022-11-06
modified: 2023-04-26
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1134.001
    - stp.4u
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4624
        LogonType: 9
        LogonProcessName: 'Advapi'
        AuthenticationPackageName: 'Negotiate'
        ImpersonationLevel: '%%1833' # Impersonation
    condition: selection
falsepositives:
    - Anti-Virus
level: medium