The hypothesis is that an adversary may be attempting to manipulate system tokens to escalate privileges or maintain persistence within the environment. A SOC team should proactively hunt for this behavior in Azure Sentinel to identify potential privilege escalation or persistence mechanisms that could lead to more severe compromises.
YARA Rule
rule win_token {
    meta:
        author = "x0r"
        description = "Affect system token"
        version = "0.1"
    strings:
        $f1 = "advapi32.dll" nocase
        $c1 = "DuplicateTokenEx"
        $c2 = "AdjustTokenPrivileges"
        $c3 = "OpenProcessToken"
        $c4 = "LookupPrivilegeValueA"
    condition:
        $f1 and 1 of ($c*)
}
This YARA rule can be deployed in the following contexts:
This rule contains five string patterns in its detection logic: the module name $f1 (matched case-insensitively) and the four API names $c1 through $c4, of which at least one must be present alongside $f1.
Scenario: A system token is used during a legitimate system update via Windows Update
Filter/Exclusion: Check for process name wuauclt.exe, or svchost.exe running in the Windows Update service context

Scenario: Token manipulation occurs during Microsoft Intune enrollment or device management tasks
Filter/Exclusion: Filter by process MicrosoftIntuneManagementExtension.exe or intunewsm.exe

Scenario: The token is accessed during a scheduled backup job using Veeam Backup & Replication
Filter/Exclusion: Exclude process veeambackup.exe, or match against the backup job names registered in the Task Scheduler

Scenario: The token is used during Active Directory domain join or Group Policy processing
Filter/Exclusion: Filter by process dsmig.exe, gupdate32.exe, or lsass.exe in a domain join context

Scenario: The token is accessed during a Windows Defender Antivirus scan or Microsoft Defender ATP operations
Filter/Exclusion: Exclude process MsMpEng.exe, or check for the Windows Defender service context
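The following Python is an added example, not code from the page or from the rule's author. It reproduces the win_token condition ($f1 case-insensitive, at least one case-sensitive $c* string) over raw bytes and then applies the scenario exclusions listed above to each hit, so an analyst can see which matches become hunt leads and which are suppressed. The Hit record, the context labels ("windows update", "domain join") and the sample buffers are constructed for illustration; they are not Windows service names or real files. A hit on svchost.exe or lsass.exe is only suppressed when the context the page requires is present, since those processes host many unrelated workloads.

```python
"""Added example: evaluate the win_token rule logic and triage hits against the
page's scenario exclusions. Constructed inputs; not the page's own tooling."""
import re
from dataclasses import dataclass

# Strings from the rule. $f1 is `nocase`; the $c* strings are case-sensitive.
F1 = re.compile(re.escape(b"advapi32.dll"), re.IGNORECASE)
C_STRINGS = (
    b"DuplicateTokenEx",
    b"AdjustTokenPrivileges",
    b"OpenProcessToken",
    b"LookupPrivilegeValueA",
)


def matched_calls(data: bytes) -> list:
    """Return the $c* strings present in the buffer, in rule order."""
    return [c.decode() for c in C_STRINGS if c in data]


def win_token_matches(data: bytes) -> bool:
    """The rule's condition: $f1 and 1 of ($c*)."""
    return F1.search(data) is not None and len(matched_calls(data)) >= 1


# Scenario exclusions from the page. Where the page says "with ... context",
# the hit's context field must also contain the label; None means the process
# name alone suffices. Labels are illustrative (assumption), not service names.
ALLOWLIST = (
    ("wuauclt.exe", None),                             # Windows Update client
    ("svchost.exe", "windows update"),                 # Windows Update service host
    ("MicrosoftIntuneManagementExtension.exe", None),  # Intune
    ("intunewsm.exe", None),                           # Intune
    ("veeambackup.exe", None),                         # Veeam scheduled backup
    ("dsmig.exe", "domain join"),                      # domain join
    ("gupdate32.exe", "domain join"),                  # Group Policy processing
    ("lsass.exe", "domain join"),                      # only in domain join context
    ("MsMpEng.exe", None),                             # Defender engine
)


@dataclass
class Hit:
    process: str   # image name of the process the scanned file belongs to
    context: str   # free-text context from the hunt query (service, job name)
    data: bytes    # bytes that were scanned


def triage(hit: Hit) -> str:
    """'no-match' if the rule would not fire, 'suppressed:<process>' if a
    page exclusion applies, otherwise 'hunt' (escalate to the analyst queue)."""
    if not win_token_matches(hit.data):
        return "no-match"
    for proc, ctx in ALLOWLIST:
        if hit.process.lower() != proc.lower():
            continue
        if ctx is None or ctx in hit.context.lower():
            return f"suppressed:{proc}"
    return "hunt"


# Constructed buffers standing in for scanned files. Import tables commonly
# carry the module name in upper case, which is why $f1 is `nocase`.
SAMPLE_UPPERCASE_IMPORT = b"\x00ADVAPI32.dll\x00OpenProcessToken\x00AdjustTokenPrivileges\x00"
SAMPLE_NO_DLL = b"\x00kernel32.dll\x00DuplicateTokenEx\x00"          # $c1 without $f1
SAMPLE_LOWERCASE_CALL = b"\x00advapi32.dll\x00openprocesstoken\x00"  # wrong case for $c3


def demo() -> dict:
    """Triage a constructed batch of hits and return name -> verdict."""
    hits = {
        "unknown_tool": Hit("updater.exe", "", SAMPLE_UPPERCASE_IMPORT),
        "svchost_update": Hit("svchost.exe", "Windows Update service", SAMPLE_UPPERCASE_IMPORT),
        "svchost_other": Hit("svchost.exe", "Print Spooler", SAMPLE_UPPERCASE_IMPORT),
        "lsass_no_ctx": Hit("lsass.exe", "", SAMPLE_UPPERCASE_IMPORT),
        "defender": Hit("MsMpEng.exe", "", SAMPLE_UPPERCASE_IMPORT),
        "no_dll": Hit("foo.exe", "", SAMPLE_NO_DLL),
        "wrong_case": Hit("foo.exe", "", SAMPLE_LOWERCASE_CALL),
    }
    return {name: triage(h) for name, h in hits.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16} {verdict}")
```

The split between "no-match" and "hunt" matters when tuning: the lowercase `openprocesstoken` buffer shows that only $f1 is case-insensitive, so a packer or string-mangling loader that lowercases import names slips past the $c* patterns, while the svchost.exe rows show why a process-name exclusion without its required context would suppress far more than the Windows Update scenario the page describes.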