Techniques
Sample rules
Potential Access Token Abuse
- source: sigma
- techniques:
  - t1134
  - t1134.001
Description
Detects potential token impersonation and theft, for example when "DuplicateToken(Ex)" and "ImpersonateLoggedOnUser" are used together with the "LOGON32_LOGON_NEW_CREDENTIALS" flag.
Detection logic
  selection:
    AuthenticationPackageName: Negotiate
    EventID: 4624
    ImpersonationLevel: '%%1833'
    LogonProcessName: Advapi
    LogonType: 9
  condition: selection
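The following is an added example, not code from the Sigma project or from the rule above: it evaluates the rule's selection over a handful of constructed Windows Security event records (not captured telemetry) to show which 4624 events the condition accepts and which it rejects. It assumes the events have already been parsed into flat dictionaries keyed by the 4624 field names, and it follows Sigma's default of case-insensitive string comparison so that a forwarded event with `ADVAPI` or `negotiate` still matches.

```python
"""Evaluate the 'Potential Access Token Abuse' selection over sample events.

Added example (not the Sigma project's code). The event records below are
constructed samples, not real logs.
"""

# The selection copied from the rule's detection logic; 'condition: selection'
# means every field must match (logical AND).
SELECTION = {
    "EventID": 4624,
    "LogonType": 9,                    # NewCredentials logon
    "LogonProcessName": "Advapi",
    "AuthenticationPackageName": "Negotiate",
    "ImpersonationLevel": "%%1833",    # shown by Event Viewer as "Impersonation"
}


def _field_matches(expected, actual) -> bool:
    """Compare one field the way Sigma does by default.

    Strings compare case-insensitively, integers numerically, and an event that
    lacks the field can never satisfy the selection.
    """
    if actual is None:
        return False
    if isinstance(expected, int):
        try:
            return int(actual) == expected
        except (TypeError, ValueError):
            return False
    return str(actual).lower() == str(expected).lower()


def matches(event: dict) -> bool:
    """True when the event satisfies every field of SELECTION."""
    return all(_field_matches(v, event.get(k)) for k, v in SELECTION.items())


def find_matches(events) -> list:
    """Return the indices of the events the rule would alert on."""
    return [i for i, e in enumerate(events) if matches(e)]


# Constructed sample events (assumed already parsed from EVTX/XML into dicts).
SAMPLE_EVENTS = [
    # 0: NewCredentials logon through Advapi with Negotiate: the rule fires.
    {"EventID": 4624, "LogonType": 9, "LogonProcessName": "Advapi",
     "AuthenticationPackageName": "Negotiate", "ImpersonationLevel": "%%1833",
     "SubjectUserName": "jdoe", "ProcessName": r"C:\Windows\System32\svchost.exe"},
    # 1: ordinary interactive logon (LogonType 2): no match.
    {"EventID": 4624, "LogonType": 2, "LogonProcessName": "User32",
     "AuthenticationPackageName": "Negotiate", "ImpersonationLevel": "%%1833"},
    # 2: LogonType 9 but authenticated with Kerberos, not Negotiate: no match.
    {"EventID": 4624, "LogonType": 9, "LogonProcessName": "Advapi",
     "AuthenticationPackageName": "Kerberos", "ImpersonationLevel": "%%1833"},
    # 3: same as 0 but with string-typed numbers and different casing,
    #    as a forwarding pipeline may emit them: still a match.
    {"EventID": "4624", "LogonType": "9", "LogonProcessName": "ADVAPI",
     "AuthenticationPackageName": "negotiate", "ImpersonationLevel": "%%1833"},
    # 4: a logoff (4634) carrying otherwise identical fields: wrong EventID.
    {"EventID": 4634, "LogonType": 9, "LogonProcessName": "Advapi",
     "AuthenticationPackageName": "Negotiate", "ImpersonationLevel": "%%1833"},
    # 5: ImpersonationLevel missing entirely: no match.
    {"EventID": 4624, "LogonType": 9, "LogonProcessName": "Advapi",
     "AuthenticationPackageName": "Negotiate"},
]


if __name__ == "__main__":
    for i in find_matches(SAMPLE_EVENTS):
        e = SAMPLE_EVENTS[i]
        print(f"event {i}: Potential Access Token Abuse "
              f"(LogonType {e['LogonType']} via {e['LogonProcessName']})")
```

Events 0 and 3 are the only hits. Because LogonType 9 logons through Advapi also occur in legitimate administration, the matches are triage candidates to be correlated with the subject account and `ProcessName` rather than confirmed abuse.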