Access Token Manipulation: Token Impersonation/Theft
Adversaries may duplicate then impersonate another user's token to escalate privileges and bypass access controls. An adversary can create a new access token that duplicates an existing token using DuplicateToken(Ex). The token can then be used with ImpersonateLoggedOnUser to allow the calling thread to impersonate a logged on user's security context, or with SetThreadToken to assign the impersonated token to a thread.
An adversary may do this when they have a specific, existing process they want to assign the new token to. For example, this may be useful when the target user has a non-network logon session on the system.
Procedure Examples

Name | Description
---|---
FinFisher | FinFisher uses token manipulation with NtFilterToken as part of UAC bypass.(Citation: FinFisher Citation)(Citation: Microsoft FinFisher March 2018)
Stuxnet | Stuxnet attempts to impersonate an anonymous token to enumerate bindings in the service control manager.(Citation: Symantec W.32 Stuxnet Dossier)
Cobalt Strike | Cobalt Strike can steal access tokens from existing processes.(Citation: cobaltstrike manual)(Citation: Cobalt Strike Manual 4.3 November 2020)
Tarrask | Tarrask leverages token theft to obtain `lsass.exe` security permissions.(Citation: Tarrask scheduled task)
Cobalt Strike | Cobalt Strike can steal access tokens from existing processes.(Citation: cobaltstrike manual)
SILENTTRINITY | SILENTTRINITY can find a process owned by a specific user and impersonate the associated token.(Citation: GitHub SILENTTRINITY Modules July 2019)
BitPaymer | BitPaymer can use the tokens of users to create processes on infected systems.(Citation: Crowdstrike Indrik November 2018)
Shamoon | Shamoon can impersonate tokens using
Okrum | Okrum can impersonate a logged-on user's security context using a call to the ImpersonateLoggedOnUser API.(Citation: ESET Okrum July 2019)
Aria-body | Aria-body has the ability to duplicate a token from ntprint.exe.(Citation: CheckPoint Naikon May 2020)
APT28 | APT28 has used CVE-2015-1701 to access the SYSTEM token and copy it into the current process as part of privilege escalation.(Citation: FireEye Op RussianDoll)
REvil | REvil can obtain the token from the user that launched the explorer.exe process to avoid affecting the desktop of the SYSTEM user.(Citation: McAfee Sodinokibi October 2019)
Pupy | Pupy can obtain a list of SIDs and provide the option for selecting process tokens to impersonate.(Citation: GitHub Pupy)
Siloscape | Siloscape impersonates the main thread of
FIN8 | FIN8 has used a malicious framework designed to impersonate the lsass.exe/vmtoolsd.exe token.(Citation: Bitdefender FIN8 July 2021)
Mitigations

Mitigation | Description
---|---
User Account Management | Manage the creation, modification, use, and permissions associated with user accounts.
Privileged Account Management | Manage the creation, modification, use, and permissions associated with privileged accounts, including SYSTEM and root.
Detection
If an adversary is using a standard command-line shell, analysts can detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command. Detailed command-line logging is not enabled by default in Windows.(Citation: Microsoft Command-line Logging)
Analysts can also monitor for use of Windows APIs such as DuplicateToken(Ex), ImpersonateLoggedOnUser, and SetThreadToken and correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators.
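As an added example (not part of the ATT&CK entry or any vendor product) of the correlation the detection guidance above describes, the following Python script scans constructed process-creation and API-call telemetry for `runas` usage and for processes that chain several of the named token APIs, and reports images under the Windows directory at low severity so that routine service impersonation does not land in the high-severity bucket. The event format, its field names, the sample lines and the Windows-directory baseline are all assumptions made for the demo.

```python
"""Flag telemetry consistent with Windows access-token impersonation.

Added example for this page; it is not part of the ATT&CK entry or any
product. The telemetry format (one event per line, " | "-separated
key=value fields) and every sample line are constructed for the demo.
"""
import re
from collections import defaultdict

# APIs the Detection section names; several of them in one process is the
# pattern worth correlating (duplicate -> impersonate / assign to thread).
TOKEN_APIS = {"DuplicateToken", "DuplicateTokenEx",
              "ImpersonateLoggedOnUser", "SetThreadToken"}

# Crude benign baseline (assumption for the demo): services under the Windows
# directory impersonate callers routinely, so they are reported at low severity.
TRUSTED_IMAGE_PREFIX = "c:\\windows\\"

# Matches "runas" as a whole word anywhere in a command line.
RUNAS_RE = re.compile(r"\brunas\b", re.IGNORECASE)

# Constructed sample events: a harmless command, a runas invocation, a binary in
# a temp folder walking the full token-API sequence, and a normal service call.
SAMPLE_EVENTS = [
    "ts=2024-01-01T10:00:00Z | type=process_create | host=ws01 | pid=1200 | "
    "image=C:\\Windows\\System32\\cmd.exe | cmdline=cmd.exe /c whoami",
    "ts=2024-01-01T10:00:05Z | type=process_create | host=ws01 | pid=1310 | "
    "image=C:\\Windows\\System32\\runas.exe | cmdline=runas /user:CORP\\svc-backup cmd.exe",
    "ts=2024-01-01T10:01:00Z | type=api_call | host=ws01 | pid=1404 | "
    "image=C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe | api=DuplicateTokenEx",
    "ts=2024-01-01T10:01:01Z | type=api_call | host=ws01 | pid=1404 | "
    "image=C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe | api=ImpersonateLoggedOnUser",
    "ts=2024-01-01T10:01:02Z | type=api_call | host=ws01 | pid=1404 | "
    "image=C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe | api=SetThreadToken",
    "ts=2024-01-01T10:02:00Z | type=api_call | host=ws01 | pid=700 | "
    "image=C:\\Windows\\System32\\svchost.exe | api=ImpersonateLoggedOnUser",
]


def parse_event(line):
    """Split 'k=v | k=v' into a dict; only the first '=' separates key and value."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def analyze(lines):
    """Return findings: runas hits in log order, then one summary per process
    that called any of the token APIs, ranked by the baseline and API count."""
    findings = []
    token_api_use = defaultdict(set)  # (host, pid, image) -> APIs observed

    for line in lines:
        ev = parse_event(line)
        kind = ev.get("type")
        if kind == "process_create":
            cmdline = ev.get("cmdline", "")
            image = ev.get("image", "").lower()
            if image.endswith("\\runas.exe") or RUNAS_RE.search(cmdline):
                findings.append({
                    "severity": "medium",
                    "host": ev.get("host"), "pid": ev.get("pid"),
                    "reason": "runas invoked: " + cmdline,
                })
        elif kind == "api_call" and ev.get("api") in TOKEN_APIS:
            key = (ev.get("host"), ev.get("pid"), ev.get("image", ""))
            token_api_use[key].add(ev["api"])

    for (host, pid, image), apis in token_api_use.items():
        if image.lower().startswith(TRUSTED_IMAGE_PREFIX):
            severity = "low"      # expected behaviour, kept for baselining
        elif len(apis) >= 2:
            severity = "high"     # duplicate + impersonate/assign chain
        else:
            severity = "medium"
        findings.append({
            "severity": severity, "host": host, "pid": pid, "image": image,
            "apis": sorted(apis),
            "reason": f"{len(apis)} token API(s) called by {image}",
        })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["host"], f["pid"], f["reason"])
```

Running the script prints three findings: the runas invocation at medium, the temp-folder binary at high because it called all three token APIs, and svchost.exe at low. In a real deployment the baseline would be a signed-image or known-service allow list rather than a path prefix, and the API-call source would be an EDR or ETW provider.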
References
- Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
- Mathers, B. (2017, March 7). Command line process auditing. Retrieved April 21, 2017.
- Mundo, A., Roccia, T., Saavedra-Morales, J., Beek, C. (2018, December 14). Shamoon Returns to Wipe Systems in Middle East, Europe. Retrieved May 29, 2020.
- Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021.
- Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
- Nicolas Falliere, Liam O. Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier. Retrieved December 7, 2020.
- Microsoft Threat Intelligence Team & Detection and Response Team. (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion. Retrieved June 1, 2022.
- Microsoft TechNet. (n.d.). Runas. Retrieved April 21, 2017.
- Brower, N., Lich, B. (2017, April 19). Replace a process level token. Retrieved December 19, 2017.
- Brower, N., Lich, B. (2017, April 19). Create a token object. Retrieved December 19, 2017.
- McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us. Retrieved August 4, 2020.
- CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020.
- Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.
- FireEye Labs. (2015, April 18). Operation RussianDoll: Adobe & Windows Zero-Day Exploits Likely Leveraged by Russia’s APT28 in Highly-Targeted Attack. Retrieved April 24, 2017.
- Prizmant, D. (2021, June 7). Siloscape: First Known Malware Targeting Windows Containers to Compromise Cloud Environments. Retrieved June 9, 2021.
- Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018.
- FinFisher. (n.d.). Retrieved December 20, 2017.
- Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
- Martin Zugec. (2021, July 27). Deep Dive Into a FIN8 Attack - A Forensic Investigation. Retrieved September 1, 2021.
- Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.