host-interaction/user

impersonate user

rule:
  meta:
    name: impersonate user
    namespace: host-interaction/user
    authors:
      - michael.hunhoff@mandiant.com
      - 99.elad.levi@gmail.com
    scopes:
      static: function
      dynamic: span of calls
    att&ck:
      - Privilege Escalation::Access Token Manipulation::Token Impersonation/Theft [T1134.001]
  features:
    - or:
      - api: advapi32.LogonUser
      - and:
        - api: userenv.LoadUserProfile
        - optional:
          - api: advapi32.GetUserName
          - api: advapi32.GetUserNameEx
      - and:
        - api: advapi32.OpenProcessToken
        - or:
          - api: advapi32.DuplicateToken
          - api: advapi32.DuplicateTokenEx
        - api: advapi32.CreateProcessWithToken
        - optional:
          - match: acquire debug privileges
          - match: enumerate processes

last edited: 2025-03-10 20:19:23