HackTool - Impersonate Execution

    Date: 11/26/2024

    Severity: Medium

    Summary

    "HackTool - Impersonate Execution" flags the execution of Impersonate, a tool for manipulating security tokens on Windows hosts. It lets an operator impersonate other users, either interactively or remotely through mechanisms such as PsExec or WmiExec. Attackers commonly use it to gain unauthorized access to systems and to escalate privileges, so detecting its execution is important for spotting a breach early and limiting further exploitation.

    Indicators of Compromise (IOC) List

    CommandLine

    impersonate.exe

    list

    exec

    adduser

    Hash

    9520714AB576B0ED01D1513691377D01
    
    0A358FFC1697B7A07D0E817AC740DF62
    
    E81CC96E2118DC4FBFE5BAD1604E0AC7681960143E2101E1A024D52264BB0A8A

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    resourcename in ("Windows Security") AND eventtype = "4688" AND commandline like "impersonate.exe" AND (commandline like "list" OR commandline like "exec" OR commandline like "adduser") 

    Detection Query 2

    technologygroup = "EDR" AND commandline like "impersonate.exe" AND (commandline like "list" OR commandline like "exec" OR commandline like "adduser") 

    Detection Query 3

    md5hash IN ("9520714AB576B0ED01D1513691377D01","0A358FFC1697B7A07D0E817AC740DF62")
    
    sha256hash IN ("E81CC96E2118DC4FBFE5BAD1604E0AC7681960143E2101E1A024D52264BB0A8A")
    
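    The three queries above, expressed as a small offline detector that can be run over sample process-creation records. This is an added example written for this page, not Gurucul's or SigmaHQ's code; the record field names and the sample events are assumptions. It mirrors the queries' substring test for the tool name, but requires the verb (list, exec, adduser) to be a whole argument, which is stricter than `commandline like "exec"` and avoids firing on unrelated names that merely contain "exec".

```python
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Indicators copied from the advisory above; hashes are compared case-insensitively.
IMPERSONATE_MD5 = {"9520714ab576b0ed01d1513691377d01", "0a358ffc1697b7a07d0e817ac740df62"}
IMPERSONATE_SHA256 = {"e81cc96e2118dc4fbfe5bad1604e0ac7681960143e2101e1a024d52264bb0a8a"}
IMPERSONATE_VERBS = {"list", "exec", "adduser"}

@dataclass
class ProcessEvent:
    """Minimal process-creation record; field names are assumptions, not the TDIR schema."""
    event_id: int        # 4688 for Windows Security; 0 here for EDR-only telemetry
    command_line: str
    md5: str = ""
    sha256: str = ""

def _tokens(command_line: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping backslashes and dropping quotes."""
    try:
        raw = shlex.split(command_line, posix=False)
    except ValueError:   # unbalanced quote: fall back to a plain whitespace split
        raw = command_line.split()
    return [t.strip('"').lower() for t in raw]

def classify(event: ProcessEvent) -> Optional[str]:
    """Return "hash" (Query 3), "commandline" (Query 1/2) or None for a non-match."""
    if event.md5.lower() in IMPERSONATE_MD5 or event.sha256.lower() in IMPERSONATE_SHA256:
        return "hash"
    if event.event_id != 4688:
        return None
    toks = _tokens(event.command_line)
    # The tool name may appear anywhere (e.g. after "cmd /c"), like the query's substring test,
    # but a verb must be a whole argument so "msiexec" or "executor" cannot satisfy "exec".
    names_tool = any(t.rsplit("\\", 1)[-1] == "impersonate.exe" for t in toks)
    return "commandline" if names_tool and IMPERSONATE_VERBS & set(toks) else None

def scan(events: List[ProcessEvent]) -> List[Tuple[int, str]]:
    """Return (index, rule) for every event that satisfies one of the queries."""
    return [(i, rule) for i, ev in enumerate(events) if (rule := classify(ev))]

# Constructed sample telemetry for the demonstration, not real logs.
SAMPLE_EVENTS = [
    ProcessEvent(4688, r'C:\Tools\impersonate.exe list'),
    ProcessEvent(4688, r'"C:\Program Files\impersonate.exe" exec 1234 cmd.exe'),
    ProcessEvent(4688, r'msiexec.exe /i C:\Temp\setup.msi /quiet'),    # "exec" substring only
    ProcessEvent(4688, r'C:\Windows\System32\whoami.exe /all'),
    ProcessEvent(0, r'C:\Temp\svc.exe adduser', md5="9520714AB576B0ED01D1513691377D01"),
]
```

    The last sample shows why Query 3 matters: a renamed copy of the binary never matches the command-line rules but is still caught by its hash.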

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_impersonate.yml


    Tags

    Malware, Sigma
