« Potential Port Monitor or Print Processor Registration Abuse Suspicious Print Spooler Point and Print DLL »
Elastic Docs Elastic Security Solution [8.16] Downloadable rule update v8.3.3

PowerShell Script with Token Impersonation Capabilities

edit

PowerShell Script with Token Impersonation Capabilities

edit

Detects scripts that contain PowerShell functions, structures, or Windows API functions related to token impersonation/theft. Attackers may duplicate then impersonate another user’s token to escalate privileges and bypass access controls.

Rule type: query

Rule indices:

  • winlogbeat-*
  • logs-windows.*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Privilege Escalation
  • PowerShell

Version: 3

Rule authors:

  • Elastic

Rule license: Elastic License v2

Investigation guide

edit











Rule query
edit








event.category:process and
  powershell.file.script_block_text:(
    "Invoke-TokenManipulation" or
    "ImpersonateNamedPipeClient" or
    "NtImpersonateThread" or
    (
      "STARTUPINFOEX" and
      "UpdateProcThreadAttribute"
    ) or
    (
      "AdjustTokenPrivileges" and
      "SeDebugPrivilege"
    ) or
    (
      ("DuplicateToken" or
      "DuplicateTokenEx") and
      ("SetThreadToken" or
      "ImpersonateLoggedOnUser" or
      "CreateProcessWithTokenW" or
      "CreatePRocessAsUserW" or
      "CreateProcessAsUserA")
    )
  ) and not user.id : "S-1-5-18"




Framework: MITRE ATT&CKTM
















« Potential Port Monitor or Print Processor Registration Abuse


Suspicious Print Spooler Point and Print DLL »