Detecting Token Impersonation – Security Spotlight

The “Security Spotlight” blog series provides insight into emerging cyberthreats and shares tips for how you can leverage LogRhythm’s security tools, services, and out-of-the-box content to defend against attacks.

In this Security Spotlight, we’ll be talking about a common method attackers use to escalate to SYSTEM-level privileges and how to identify it (MITRE ATT&CK® Technique T1134.001).

What Is Token Impersonation?

Token Impersonation refers to impersonating a legitimate user’s access token to enable privilege escalation, mitigate access controls, and, in certain instances, evade privilege user monitoring. Typically, an access token contains the login session’s security credentials, as well as information describing the user’s identity, groups, and other permissions.

Attackers may resort to token impersonation when they have a specific existing process to which they intend to assign the duplicated token. For example, when the token being impersonated belongs to a user with advanced privileges, it could grant the attacker access to data and applications that would otherwise be secure.

Why You Need to Monitor for Token Impersonation

Mitigating token impersonation calls for organizations to adopt best practices regarding privileged accounts and user management. It is also possible to remove users’ and user groups’ ability to generate tokens by restricting permissions, effectively thwarting potential token impersonation attempts.

However, this method’s inherent challenge is educating and moving towards the principle of least privilege throughout all areas of enterprise IT. Regrettably, such limitations are sometimes seen as hindering business effectiveness, and thus, they are frequently circumvented in favor of enhancing business efficiency.

A recent example of this tactic is found in the SparrowDoor analysis conducted by the NCSC in February 2022. In this case, the malware uses the token associated with the explorer.exe process to impersonate the logged-on user before any C2 connection is established. This is believed to ensure that when the SparrowDoor malware attempts to communicate with a remote peer, it does so without a high-privilege account, allowing it to effectively hide from privileged account monitoring.

How Can LogRhythm Help You?

One test the Analytic Co-Pilot team carried out during threat emulation emphasized using a PowerShell script alongside Empire’s GetSystem module to escalate privileges. The script creates a named pipe and launches a service to write to it. Upon the service’s connection with the named pipe, the script impersonates its security context.

To detect this method of token impersonation, an AI Engine rule was devised. This rule relies on three connected log-observed rule blocks that trigger in sequence. When triggered, they indicate that the attacker has escalated privileges to SYSTEM level, which is of major concern to any mature security organization.

For more information on how to enable these rules within your LogRhythm deployment, check out our community page to read more, download, and then import the rule into your platform.

For other Security Spotlight episodes, you can access the full playlist here.