
Access Token Manipulation: Token Impersonation/Theft

Adversaries may duplicate then impersonate another user's existing token to escalate privileges and bypass access controls. For example, an adversary can duplicate an existing token using `DuplicateToken` or `DuplicateTokenEx`.(Citation: DuplicateToken function) The token can then be used with `ImpersonateLoggedOnUser` to allow the calling thread to impersonate a logged on user's security context, or with `SetThreadToken` to assign the impersonated token to a thread. An adversary may perform Token Impersonation/Theft when they have a specific, existing process they want to assign the duplicated token to. For example, this may be useful for when the target user has a non-network logon session on the system. When an adversary would instead use a duplicated token to create a new process rather than attaching to an existing process, they can additionally Create Process with Token using `CreateProcessWithTokenW` or `CreateProcessAsUserW`. Token Impersonation/Theft is also distinct from Make and Impersonate Token in that it refers to duplicating an existing token, rather than creating a new one.

ID: T1134.001
Sub-technique of: T1134
Tactic(s): Defense Evasion, Privilege Escalation
Platforms: Windows
Data sources: Command: Command Execution, Process: OS API Execution
Version: 1.2
Created: 18 Feb 2020
Last modified: 10 Jan 2024

Procedure Examples

Name / Description
FinFisher

FinFisher uses token manipulation with NtFilterToken as part of UAC bypass.(Citation: FinFisher Citation)(Citation: Microsoft FinFisher March 2018)

Emotet

Emotet has the ability to duplicate the user’s token.(Citation: Binary Defense Emotes Wi-Fi Spreader) For example, Emotet may use a variant of Google’s ProtoBuf to send messages that specify how code will be executed.(Citation: emotet_hc3_nov2023)

Stuxnet

Stuxnet attempts to impersonate an anonymous token to enumerate bindings in the service control manager.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)

HomeLand Justice

During HomeLand Justice, threat actors used custom tooling to acquire tokens using `ImpersonateLoggedOnUser/SetThreadToken`.(Citation: Microsoft Albanian Government Attacks September 2022)

Cobalt Strike

Cobalt Strike can steal access tokens from existing processes.(Citation: cobaltstrike manual)(Citation: Cobalt Strike Manual 4.3 November 2020)

Tarrask

Tarrask leverages token theft to obtain `lsass.exe` security permissions.(Citation: Tarrask scheduled task)

SILENTTRINITY

SILENTTRINITY can find a process owned by a specific user and impersonate the associated token.(Citation: GitHub SILENTTRINITY Modules July 2019)

BitPaymer

BitPaymer can use the tokens of users to create processes on infected systems.(Citation: Crowdstrike Indrik November 2018)

Shamoon

Shamoon can impersonate tokens using LogonUser, ImpersonateLoggedOnUser, and ImpersonateNamedPipeClient.(Citation: McAfee Shamoon December 2018)

Okrum

Okrum can impersonate a logged-on user's security context using a call to the ImpersonateLoggedOnUser API.(Citation: ESET Okrum July 2019)

Aria-body

Aria-body has the ability to duplicate a token from ntprint.exe.(Citation: CheckPoint Naikon May 2020)

APT28

APT28 has used CVE-2015-1701 to access the SYSTEM token and copy it into the current process as part of privilege escalation.(Citation: FireEye Op RussianDoll)

REvil

REvil can obtain the token from the user that launched the explorer.exe process to avoid affecting the desktop of the SYSTEM user.(Citation: McAfee Sodinokibi October 2019)

Pupy

Pupy can obtain a list of SIDs and provide the option for selecting process tokens to impersonate.(Citation: GitHub Pupy)

BADHATCH

BADHATCH can impersonate a `lsass.exe` or `vmtoolsd.exe` token.(Citation: BitDefender BADHATCH Mar 2021)

Siloscape

Siloscape impersonates the main thread of CExecSvc.exe by calling NtImpersonateThread.(Citation: Unit 42 Siloscape Jun 2021)

FIN8

FIN8 has used a malicious framework designed to impersonate the lsass.exe/vmtoolsd.exe token.(Citation: Bitdefender FIN8 July 2021)(Citation: Symantec FIN8 Jul 2023)

Mitigations

Mitigation / Description
User Account Management

Manage the creation, modification, use, and permissions associated with user accounts.

Privileged Account Management

Manage the creation, modification, use, and permissions associated with privileged accounts, including SYSTEM and root.

Detection

If an adversary is using a standard command-line shell, analysts can detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command. Detailed command-line logging is not enabled by default in Windows.(Citation: Microsoft Command-line Logging) Analysts can also monitor for use of Windows APIs such as DuplicateToken(Ex), ImpersonateLoggedOnUser, and SetThreadToken, and correlate that activity with other suspicious behavior to reduce false positives caused by normal, benign use by users and administrators.
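The detection guidance above can be turned into a simple correlation rule: a token duplication call (DuplicateToken/DuplicateTokenEx) followed shortly by a call that applies the token (ImpersonateLoggedOnUser, SetThreadToken, CreateProcessWithTokenW, CreateProcessAsUserW) in the same process, plus a command-line check for runas. This is an added example, not part of the ATT&CK page or any vendor product; the telemetry record layout, the sample records and the benign-process allowlist are constructed assumptions for illustration.

```python
"""Detection sketch for T1134.001: correlate token-duplication API calls with
a follow-up impersonation call in the same process, plus runas command-line
auditing. Added example; the log format and allowlist are assumptions."""
import re

# Constructed telemetry records (layout is an assumption, not a product schema):
# (timestamp in seconds, pid, image path, record kind, API name or command line)
SAMPLE_LOG = [
    (100, 4012, "C:\\Users\\alice\\tool.exe", "api", "OpenProcessToken"),
    (101, 4012, "C:\\Users\\alice\\tool.exe", "api", "DuplicateTokenEx"),
    (102, 4012, "C:\\Users\\alice\\tool.exe", "api", "ImpersonateLoggedOnUser"),
    (103, 812, "C:\\Windows\\System32\\services.exe", "api", "DuplicateTokenEx"),
    (104, 812, "C:\\Windows\\System32\\services.exe", "api", "SetThreadToken"),
    (105, 5120, "C:\\Windows\\System32\\cmd.exe", "cmdline",
     "runas /user:CORP\\admin cmd.exe"),
    (106, 6001, "C:\\Users\\alice\\other.exe", "api", "DuplicateTokenEx"),
    (400, 6001, "C:\\Users\\alice\\other.exe", "api", "SetThreadToken"),  # too late
]

DUP_APIS = {"DuplicateToken", "DuplicateTokenEx"}
USE_APIS = {"ImpersonateLoggedOnUser", "SetThreadToken",
            "CreateProcessWithTokenW", "CreateProcessAsUserW"}
# Assumed tuning: system processes that legitimately duplicate and assign tokens.
BENIGN_IMAGES = {"c:\\windows\\system32\\services.exe"}
# Matches runas / runas.exe as a whole token in a command line.
RUNAS_RE = re.compile(r"(^|[\\\s])runas(\.exe)?(\s|$)", re.IGNORECASE)


def detect(records, window=60):
    """Return alerts as (pid, image, reason) tuples, oldest first."""
    alerts = []
    last_dup = {}  # pid -> timestamp of the most recent token duplication
    for ts, pid, image, kind, detail in sorted(records):
        if kind == "cmdline" and RUNAS_RE.search(detail):
            alerts.append((pid, image, "runas on command line"))
        elif kind == "api":
            if detail in DUP_APIS:
                last_dup[pid] = ts
            elif detail in USE_APIS and pid in last_dup:
                # Only alert when the token is applied soon after duplication
                # and the process is not a known-benign token manager.
                if ts - last_dup[pid] <= window and image.lower() not in BENIGN_IMAGES:
                    alerts.append((pid, image,
                                   f"{detail} within {window}s of token duplication"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Running it on the sample records flags only tool.exe (duplication followed by impersonation) and the runas command line; services.exe is allowlisted and other.exe falls outside the correlation window.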

References

  1. Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
  2. Microsoft. (2021, October 12). DuplicateToken function (securitybaseapi.h). Retrieved January 8, 2024.
  3. Mathers, B. (2017, March 7). Command line process auditing. Retrieved April 21, 2017.
  4. FinFisher. (n.d.). Retrieved September 12, 2024.
  5. Allievi, A., Flori, E. (2018, March 01). FinFisher exposed: A researcher's tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018.
  6. Office of Information Security, Health Sector Cybersecurity Coordination Center. (2023, November 16). Emotet Malware: The Enduring and Persistent Threat to the Health Sector. Retrieved June 19, 2024.
  7. Binary Defense. (n.d.). Emotet Evolves With new Wi-Fi Spreader. Retrieved September 8, 2023.
  8. Falliere, N., O Murchu, L., Chien, E. (2011, February). W32.Stuxnet Dossier (Version 1.4). Retrieved September 22, 2017.
  9. MSTIC. (2022, September 8). Microsoft investigates Iranian attacks against the Albanian government. Retrieved August 6, 2024.
  10. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
  11. Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
  12. Microsoft Threat Intelligence Team & Detection and Response Team. (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion. Retrieved June 1, 2022.
  13. Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.
  14. Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021.
  15. Mundo, A., Roccia, T., Saavedra-Morales, J., Beek, C. (2018, December 14). Shamoon Returns to Wipe Systems in Middle East, Europe. Retrieved May 29, 2020.
  16. Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.
  17. CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020.
  18. FireEye Labs. (2015, April 18). Operation RussianDoll: Adobe & Windows Zero-Day Exploits Likely Leveraged by Russia’s APT28 in Highly-Targeted Attack. Retrieved April 24, 2017.
  19. McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us. Retrieved August 4, 2020.
  20. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  21. Microsoft TechNet. (n.d.). Runas. Retrieved April 21, 2017.
  22. Brower, N., Lich, B. (2017, April 19). Replace a process level token. Retrieved December 19, 2017.
  23. Brower, N., Lich, B. (2017, April 19). Create a token object. Retrieved December 19, 2017.
  24. Vrabie, V., et al. (2021, March 10). FIN8 Returns with Improved BADHATCH Toolkit. Retrieved September 8, 2021.
  25. Prizmant, D. (2021, June 7). Siloscape: First Known Malware Targeting Windows Containers to Compromise Cloud Environments. Retrieved June 9, 2021.
  26. Symantec Threat Hunter Team. (2023, July 18). FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware. Retrieved August 9, 2023.
  27. Martin Zugec. (2021, July 27). Deep Dive Into a FIN8 Attack - A Forensic Investigation. Retrieved September 1, 2021.
