HackTool - Impersonate Execution

Severity: medium
Author: Sai Prashanth Pulisetti @pulisettis
Source: upstream

Detects execution of the Impersonate tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively

MITRE ATT&CK coverage

Tactic	Techniques
Privilege Escalation	`T1134.001` Access Token Manipulation: Token Impersonation/Theft, `T1134.003` Access Token Manipulation: Make and Impersonate Token
Defense Evasion	`T1134.001` Access Token Manipulation: Token Impersonation/Theft, `T1134.003` Access Token Manipulation: Make and Impersonate Token

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation

Stages and Predicates

Stage 1: `all of selection_commandline_exe`

CommandLine|contains: impersonate.exe

Stage 2: `all of selection_commandline_opt`

or:
CommandLine|contains: ' adduser '
CommandLine|contains: ' exec '
CommandLine|contains: ' list '

Stage 3: `selection_hash`

or:
Hashes|contains: 'IMPHASH=0A358FFC1697B7A07D0E817AC740DF62'
Hashes|contains: 'MD5=9520714AB576B0ED01D1513691377D01'
Hashes|contains: 'SHA256=E81CC96E2118DC4FBFE5BAD1604E0AC7681960143E2101E1A024D52264BB0A8A'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`CommandLine`	match	`adduser` `exec` corpus 2 (sigma 2) `list` corpus 2 (sigma 2) `impersonate.exe`
`Hashes`	match	`IMPHASH=0A358FFC1697B7A07D0E817AC740DF62` `MD5=9520714AB576B0ED01D1513691377D01` `SHA256=E81CC96E2118DC4FBFE5BAD1604E0AC7681960143E2101E1A024D52264BB0A8A`