New

The executive guide to generative AI

Read more

PowerShell Script with Token Impersonation Capabilities

edit

PowerShell Script with Token Impersonation Capabilities

edit

Detects scripts that contain PowerShell functions, structures, or Windows API functions related to token impersonation/theft. Attackers may duplicate then impersonate another user’s token to escalate privileges and bypass access controls.

Rule type: query

Rule indices:

  • winlogbeat-*
  • logs-windows.*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Endpoint
  • OS: Windows
  • Use Case: Threat Detection
  • Tactic: Privilege Escalation
  • Data Source: PowerShell Logs

Version: 7

Rule authors:

  • Elastic

Rule license: Elastic License v2

Investigation guide

edit

Rule query

edit
event.category:process and host.os.type:windows and
  powershell.file.script_block_text:(
    "Invoke-TokenManipulation" or
    "ImpersonateNamedPipeClient" or
    "NtImpersonateThread" or
    (
      "STARTUPINFOEX" and
      "UpdateProcThreadAttribute"
    ) or
    (
      "AdjustTokenPrivileges" and
      "SeDebugPrivilege"
    ) or
    (
      ("DuplicateToken" or
      "DuplicateTokenEx") and
      ("SetThreadToken" or
      "ImpersonateLoggedOnUser" or
      "CreateProcessWithTokenW" or
      "CreatePRocessAsUserW" or
      "CreateProcessAsUserA")
    )
  ) and not
  (user.id:("S-1-5-18" or "S-1-5-19") and
   file.directory: "C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads")
  and not powershell.file.script_block_text : (
    "sentinelbreakpoints" and "Set-PSBreakpoint" and "PowerSploitIndicators"
  )

Framework: MITRE ATT&CKTM

Was this helpful?
Feedback