IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
Elastic Docs Elastic Security Solution [8.5] Detections and alerts Prebuilt rule reference
« PowerShell Script Block Logging Disabled PowerShell Share Enumeration Script »

PowerShell Script with Token Impersonation Capabilitiesedit

Detects scripts that contain PowerShell functions, structures, or Windows API functions related to token impersonation/theft. Attackers may duplicate then impersonate another user’s token to escalate privileges and bypass access controls.

Rule type: query

Rule indices:

  • winlogbeat-*
  • logs-windows.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Privilege Escalation

Version: 1

Added (Elastic Stack release): 8.5.0

Rule authors: Elastic

Rule license: Elastic License v2

Investigation guideedit












Rule queryedit








event.category:process and powershell.file.script_block_text:(
"Invoke-TokenManipulation" or "ImpersonateNamedPipeClient" or
"NtImpersonateThread" or ( "STARTUPINFOEX" and
"UpdateProcThreadAttribute" ) or (
"AdjustTokenPrivileges" and "SeDebugPrivilege" ) or (
("DuplicateToken" or "DuplicateTokenEx") and
("SetThreadToken" or "ImpersonateLoggedOnUser" or
"CreateProcessWithTokenW" or "CreatePRocessAsUserW" or
"CreateProcessAsUserA") ) )











Threat mappingedit




Framework: MITRE ATT&CKTM














« PowerShell Script Block Logging Disabled


PowerShell Share Enumeration Script »