frack113
40 lines
1.5 KiB
YAML
40 lines
1.5 KiB
YAML
title: Impersonate Execution
|
|
id: cf0c254b-22f1-4b2b-8221-e137b3c0af94
|
|
status: experimental
|
|
description: Detects execution of the Impersonate tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively
|
|
references:
|
|
- https://sensepost.com/blog/2022/abusing-windows-tokens-to-compromise-active-directory-without-touching-lsass/
|
|
- https://github.com/sensepost/impersonate
|
|
author: Sai Prashanth Pulisetti @pulisettis
|
|
date: 2022/12/21
|
|
modified: 2022/12/30
|
|
tags:
|
|
- attack.privilege_escalation
|
|
- attack.defense_evasion
|
|
- attack.t1134.001
|
|
- attack.t1134.003
|
|
logsource:
|
|
product: windows
|
|
category: process_creation
|
|
detection:
|
|
selection_commandline_exe:
|
|
CommandLine|contains: 'impersonate.exe'
|
|
selection_commandline_opt:
|
|
CommandLine|contains:
|
|
- ' list '
|
|
- ' exec '
|
|
- ' adduser '
|
|
selection_hash_plain:
|
|
Hashes|contains:
|
|
- 'MD5=9520714AB576B0ED01D1513691377D01'
|
|
- 'SHA256=E81CC96E2118DC4FBFE5BAD1604E0AC7681960143E2101E1A024D52264BB0A8A'
|
|
- 'IMPHASH=0A358FFC1697B7A07D0E817AC740DF62'
|
|
selection_hash_ext:
|
|
- md5: '9520714AB576B0ED01D1513691377D01'
|
|
- sha256: 'E81CC96E2118DC4FBFE5BAD1604E0AC7681960143E2101E1A024D52264BB0A8A'
|
|
- Imphash: '0A358FFC1697B7A07D0E817AC740DF62'
|
|
condition: all of selection_commandline_* or 1 of selection_hash_*
|
|
falsepositives:
|
|
- Unknown
|
|
level: medium
|