rule:
meta:
name: impersonate user
namespace: host-interaction/user
authors:
- michael.hunhoff@mandiant.com
scopes:
static: function
dynamic: thread
att&ck:
- Privilege Escalation::Access Token Manipulation::Token Impersonation/Theft [T1134.001]
features:
- or:
- api: advapi32.LogonUser
- and:
- api: userenv.LoadUserProfile
- optional:
- api: advapi32.GetUserName
- api: advapi32.GetUserNameEx
last edited: 2023-11-24 10:34:28