Where am I?
SECURITM is an SGRC system that automates the processes of information security teams. SECURITM helps build and manage personal data information systems (ИСПДн), critical information infrastructure (КИИ), state information systems (ГИС), ISMS (СМИБ/СУИБ), and banking security systems.
SECURITM is also a place where security teams exchange experience and practical results.

Access Token Manipulation: Create Process with Token

Adversaries may create a new process with a different token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as CreateProcessWithTokenW and runas.(Citation: Microsoft RunAs) Creating processes with a different token may require the credentials of the target user, specific privileges to impersonate that user, or access to the token to be used (ex: gathered via other means such as Token Impersonation/Theft or Make and Impersonate Token).

ID: T1134.002
Sub-technique of: T1134
Tactic(s): Defense Evasion, Privilege Escalation
Platforms: Windows
Data sources: Command: Command Execution, Process: OS API Execution
Version: 1.1
Created: 18 Feb 2020
Last modified: 17 Oct 2021

Procedure examples

Name / Description
Azorult

Azorult can call WTSQueryUserToken and CreateProcessAsUser to start a new process with local system privileges.(Citation: Unit42 Azorult Nov 2018)

Turla

Turla RPC backdoors can impersonate or steal process tokens before executing commands.(Citation: ESET Turla PowerShell May 2019)

PipeMon

PipeMon can attempt to gain administrative privileges using token impersonation.(Citation: ESET PipeMon May 2020)

Lazarus Group

Lazarus Group keylogger KiloAlfa obtains user tokens from interactive sessions to execute itself with API call CreateProcessAsUserA under that user's context.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Tools)

PoshC2

PoshC2 can use Invoke-RunAs to make tokens.(Citation: GitHub PoshC2)

Aria-body

Aria-body has the ability to execute a process using runas.(Citation: CheckPoint Naikon May 2020)

REvil

REvil can launch an instance of itself with administrative rights using runas.(Citation: Secureworks REvil September 2019)

ZxShell

ZxShell has a command called RunAs, which creates a new process as another user or process context.(Citation: Talos ZxShell Oct 2014)

WhisperGate

The WhisperGate third stage can use the AdvancedRun.exe tool to execute commands in the context of the Windows TrustedInstaller group via `%TEMP%\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run`.(Citation: Cisco Ukraine Wipers January 2022)

KONNI

KONNI has duplicated the token of a high integrity process to spawn an instance of cmd.exe under an impersonated user.(Citation: Medium KONNI Jan 2020)(Citation: Malwarebytes Konni Aug 2021)

Bankshot

Bankshot grabs a user token using WTSQueryUserToken and then creates a process by impersonating a logged-on user.(Citation: McAfee Bankshot)

Empire

Empire can use Invoke-RunAs to make tokens.(Citation: Github PowerShell Empire)

Mitigations

Mitigation / Description
Privileged Account Management

Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.

User Account Management

Manage the creation, modification, use, and permissions associated to user accounts.

Detection

If an adversary is using a standard command-line shell (i.e. Windows Command Shell), analysts may detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command or similar artifacts. Detailed command-line logging is not enabled by default in Windows.(Citation: Microsoft Command-line Logging) If an adversary is using a payload that calls the Windows token APIs directly, analysts may detect token manipulation only through careful analysis of user activity, examination of running processes, and correlation with other endpoint and network behavior. Analysts can also monitor for use of Windows APIs such as CreateProcessWithTokenW and correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators.
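The two detection angles above (command-line artifacts such as runas, and process creation under a token that differs from the creator's) can both be checked against Windows Security event 4688, which carries a Creator Subject and a Target Subject and, once command-line auditing is enabled, the full command line. The example below is added here and is not part of the original page or of ATT&CK; the event dicts are constructed samples, and the regex patterns are this example's assumptions, not an official signature.

```python
import re
from typing import Dict, List

# Command-line artifacts named on this page: the built-in runas utility and the
# Invoke-RunAs helper used by PoshC2/Empire. Patterns are an assumption of this example.
CMDLINE_PATTERNS = [
    re.compile(r"\brunas(\.exe)?\b.*?/user:", re.I),
    re.compile(r"\binvoke-runas\b", re.I),
]

def analyze_4688(ev: Dict[str, str]) -> List[str]:
    """Return the reasons a Security 4688 event looks like process creation
    under a foreign token. An empty list means nothing was flagged."""
    reasons = []
    cmd = ev.get("CommandLine", "")
    for pat in CMDLINE_PATTERNS:
        if pat.search(cmd):
            reasons.append(f"command line matches {pat.pattern!r}")
            break
    # In 4688 the Target Subject fields are "-"/0x0 for ordinary process creation;
    # they are filled in when the new process runs under another account's token.
    target = ev.get("TargetUserName", "-")
    if target not in ("", "-") and ev.get("TargetLogonId") != ev.get("SubjectLogonId"):
        reasons.append(
            f"creator {ev.get('SubjectUserName')} (logon {ev.get('SubjectLogonId')}) "
            f"spawned {ev.get('NewProcessName')} as {target} (logon {ev.get('TargetLogonId')})"
        )
    return reasons

def scan(events: List[Dict[str, str]]):
    """Run analyze_4688 over a batch and return (process, reason) pairs."""
    return [(ev["NewProcessName"], r) for ev in events for r in analyze_4688(ev)]

# Constructed sample events (not real telemetry). The third one mirrors the
# WTSQueryUserToken + CreateProcessAsUser pattern: a SYSTEM creator, a user target.
# Legitimate services do this too, so correlate before alerting, as the text says.
SAMPLE_EVENTS = [
    {"SubjectUserName": "alice", "SubjectLogonId": "0x3e7a1", "TargetUserName": "-", "TargetLogonId": "0x0",
     "NewProcessName": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
    {"SubjectUserName": "alice", "SubjectLogonId": "0x3e7a1", "TargetUserName": "-", "TargetLogonId": "0x0",
     "NewProcessName": r"C:\Windows\System32\runas.exe",
     "CommandLine": 'runas /user:CORP\\admin "cmd.exe /c whoami"'},
    {"SubjectUserName": "SYSTEM", "SubjectLogonId": "0x3e7", "TargetUserName": "bob", "TargetLogonId": "0x5c2f0",
     "NewProcessName": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
]

if __name__ == "__main__":
    for proc, reason in scan(SAMPLE_EVENTS):
        print(f"{proc}: {reason}")
```

The Target Subject check only works where process auditing is on, and the command-line check additionally needs the "Include command line in process creation events" policy that the cited Microsoft article describes.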

References

  1. Mathers, B. (2017, March 7). Command line process auditing. Retrieved April 21, 2017.
  2. Microsoft. (2016, August 31). Runas. Retrieved October 1, 2021.
  3. Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018.
  4. Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.
  5. Biasini, N., et al. (2022, January 21). Ukraine Campaign Delivers Defacement and Wipers, in Continued Escalation. Retrieved March 14, 2022.
  6. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  7. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  8. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Tools Report. Retrieved March 10, 2016.
  9. CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020.
  10. Microsoft TechNet. (n.d.). Runas. Retrieved April 21, 2017.
  11. Brower, N., Lich, B. (2017, April 19). Replace a process level token. Retrieved December 19, 2017.
  12. Brower, N., Lich, B. (2017, April 19). Create a token object. Retrieved December 19, 2017.
  13. Faou, M. and Dumont, R. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.
  14. Yan, T., et al. (2018, November 21). New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit. Retrieved November 29, 2018.
  15. Threat Intelligence Team. (2021, August 23). New variant of Konni malware used in campaign targetting Russia. Retrieved January 5, 2022.
  16. Karmi, D. (2020, January 4). A Look Into Konni 2019 Campaign. Retrieved April 28, 2020.
  17. Tartare, M., et al. (2020, May 21). No “Game over” for the Winnti Group. Retrieved August 24, 2020.
  18. Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.
  19. Nettitude. (2018, July 23). Python Server for PoshC2. Retrieved April 23, 2019.

Related risks

Nothing found
