Windows Access Token Manipulation Winlogon Duplicate Token Handle

Author: Teoderick Contreras, Splunk
Source: upstream

The following analytic detects a process attempting to access winlogon.exe to duplicate its handle. This is identified using Sysmon EventCode 10, focusing on processes targeting winlogon.exe with specific access rights. This activity is significant because it is a common technique used by adversaries to escalate privileges by leveraging the high privileges and security tokens associated with winlogon.exe. If confirmed malicious, this could allow an attacker to gain elevated privileges, potentially leading to full system compromise and unauthorized access to sensitive information.

MITRE ATT&CK coverage

Tactic	Techniques
Privilege Escalation	`T1134.001` Access Token Manipulation: Token Impersonation/Theft
Defense Evasion	`T1134.001` Access Token Manipulation: Token Impersonation/Theft

Event coverage

Provider	Event ID	Title
Sysmon	10	ProcessAccess

Stages and Predicates

Stage 1: `search`

search EventCode=10 GrantedAccess=0x1040 TargetImage IN ("*\\SysWOW64\\winlogon.exe*", "*\\system32\\winlogon.exe*")

Stage 2: `stats`

stats BY CallTrace, EventID, GrantedAccess, Guid, Opcode, ProcessID, SecurityID, SourceImage, SourceProcessGUID, SourceProcessId, TargetImage, TargetProcessGUID, TargetProcessId, UserID, dest, granted_access, parent_process_exec, parent_process_guid, parent_process_id, parent_process_name, parent_process_path, process_exec, process_guid, process_id, process_name, process_path, signature, signature_id, user_id, vendor_product

Stage 3: `search`

search

Stage 4: `search`

search

Stage 5: `search`

search `macro`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`EventCode`	eq	`10` corpus 14 (splunk 14)
`GrantedAccess`	eq	`0x1040` corpus 2 (splunk 2)
`TargetImage`	in	`"\\SysWOW64\\winlogon.exe"` corpus 2 (splunk 2) `"\\system32\\winlogon.exe"` corpus 2 (splunk 2)

Neighbors

Stricter alternatives (narrower than this rule)

The rules below may be useful if you find the current rule is too noisy / lacks specificity.

Windows Access Token Winlogon Duplicate Handle In Uncommon Path [splunk] (adds 1 filter) (first-stage match only; downstream stages may differ)