Access Token Manipulation: Make and Impersonate Token
Adversaries may make and impersonate tokens to escalate privileges and bypass access controls. If an adversary has a username and password but the user is not logged onto the system, the adversary can create a logon session for that user using the LogonUser function. The function returns a copy of the new session's access token, and the adversary can then use SetThreadToken to assign the token to a thread.
Procedure Examples

Name | Description
---|---
Cobalt Strike | Cobalt Strike can make tokens from known credentials.(Citation: cobaltstrike manual)
Mitigations

Mitigation | Description
---|---
Privileged Account Management | Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.
User Account Management | Manage the creation, modification, use, and permissions associated to user accounts.
Detection

If an adversary is using a standard command-line shell, analysts can detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command. Detailed command-line logging is not enabled by default in Windows.(Citation: Microsoft Command-line Logging)

If an adversary is using a payload that calls the Windows token APIs directly, analysts can detect token manipulation only through careful analysis of user network activity, examination of running processes, and correlation with other endpoint and network behavior.

Analysts can also monitor for use of Windows APIs such as LogonUser and SetThreadToken and correlate that activity with other suspicious behavior, which reduces the false positives caused by normal, benign use of these APIs by users and administrators.
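The following Python script is an added example, not part of the ATT&CK page or any of the cited sources. It applies the two detection approaches above to constructed sample telemetry: command-line auditing that flags runas invocations, and per-process correlation of LogonUser and SetThreadToken API calls so that the pair the technique relies on scores higher than a lone LogonUser call, which is the page's suggested way of cutting false positives from benign use. The record layout (`kind`, `pid`, `image`, `command_line`, `api`), the existence of an API-call telemetry feed from an endpoint sensor, and every sample record are assumptions made for the example.

```python
"""Detect make-and-impersonate-token activity over constructed sample telemetry."""
import re
from collections import defaultdict

# Constructed sample events (assumed schema, not real Windows event records).
# "process" records mimic process-creation audit data that carries the command line;
# "api" records stand in for API-call telemetry from an endpoint sensor.
SAMPLE_EVENTS = [
    {"kind": "process", "pid": 4100, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c runas /user:CORP\svc_backup notepad.exe"},
    {"kind": "process", "pid": 4120, "image": r"C:\Windows\System32\runas.exe",
     "command_line": r"runas /user:CORP\svc_backup notepad.exe"},
    {"kind": "api", "pid": 5200, "image": r"C:\Users\alice\Downloads\update.exe",
     "api": "LogonUserW"},
    {"kind": "api", "pid": 5200, "image": r"C:\Users\alice\Downloads\update.exe",
     "api": "SetThreadToken"},
    {"kind": "api", "pid": 612, "image": r"C:\Program Files\Contoso\svc.exe",
     "api": "LogonUserW"},
    {"kind": "process", "pid": 7000, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c dir C:\runas_reports"},
]

# "runas" or "runas.exe" as a whole token: preceded by start, whitespace, quote or
# a path separator, and followed by whitespace, quote or end of line. This avoids
# matching substrings such as the folder name "runas_reports".
RUNAS_RE = re.compile(r'(?i)(?:^|[\s"\\])runas(?:\.exe)?(?:\s|"|$)')
RUNAS_USER_RE = re.compile(r'(?i)/user:("[^"]+"|\S+)')

# The two APIs named in the technique description.
TOKEN_APIS = {"LogonUser", "SetThreadToken"}


def normalize_api(name):
    """Fold ANSI/Unicode variants (LogonUserA, LogonUserW) onto the base name."""
    if name.endswith(("A", "W")) and name[:-1] in TOKEN_APIS:
        return name[:-1]
    return name


def scan_events(events):
    """Return a list of findings; each has pid, rule, severity and detail."""
    findings = []
    apis_by_pid = defaultdict(set)
    image_by_pid = {}

    for ev in events:
        image_by_pid.setdefault(ev["pid"], ev["image"])
        if ev["kind"] == "process":
            cmd = ev["command_line"]
            if RUNAS_RE.search(cmd):
                user = RUNAS_USER_RE.search(cmd)
                findings.append({
                    "pid": ev["pid"], "rule": "runas_command_line", "severity": "medium",
                    "detail": "runas invoked for user "
                              + (user.group(1) if user else "<unknown>"),
                })
        elif ev["kind"] == "api":
            api = normalize_api(ev["api"])
            if api in TOKEN_APIS:
                apis_by_pid[ev["pid"]].add(api)

    # Correlate per process: LogonUser followed by SetThreadToken is the sequence the
    # technique uses; a single LogonUser call is common in benign software, so it is
    # reported at low severity for correlation with other evidence rather than alerting.
    for pid, apis in apis_by_pid.items():
        if apis == TOKEN_APIS:
            findings.append({
                "pid": pid, "rule": "token_api_sequence", "severity": "high",
                "detail": f"{image_by_pid[pid]} called LogonUser and SetThreadToken",
            })
        else:
            findings.append({
                "pid": pid, "rule": "token_api_single", "severity": "low",
                "detail": f"{image_by_pid[pid]} called {', '.join(sorted(apis))} only",
            })
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"[{f['severity']:6}] pid={f['pid']:<5} {f['rule']}: {f['detail']}")
```

On the sample data the script reports the two runas invocations, a high-severity finding for PID 5200 (both APIs called from one process) and a low-severity one for PID 612 (LogonUser alone), and nothing for the `dir C:\runas_reports` command. The command-line rule only works where the process-creation audit includes the command line (in Windows, the "Include command line in process creation events" policy populating event 4688), which, as the page notes, is off by default.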
References
- Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
- Mathers, B. (2017, March 7). Command line process auditing. Retrieved April 21, 2017.
- Microsoft TechNet. (n.d.). Runas. Retrieved April 21, 2017.
- Brower, N., Lich, B. (2017, April 19). Replace a process level token. Retrieved December 19, 2017.
- Brower, N., Lich, B. (2017, April 19). Create a token object. Retrieved December 19, 2017.