
Access Token Manipulation Detection: Behavioral Analytics


Overview

Access tokens are used in Windows for security purposes. Every process in Windows is started by some user, and the system knows the rights and privileges that user holds. The system uses access tokens to determine the owner of each running process and the privileges it has.

These access tokens can be easily manipulated for the purpose of privilege escalation. The intent of access token manipulation is to grant a malicious process the same permissions as a legitimate user and to make it appear to be a process started by that user. This is very dangerous for a system if the malicious process obtains higher privileges: the manipulated access token increases the capabilities of the malicious process and makes it difficult for any user to detect it. Access token manipulation is listed in the MITRE ATT&CK matrix under Privilege Escalation, and the matrix also suggests several detection techniques. This article explains one of them, Behavioral Analytics.

Introduction

Behavioural Analytics is one of the detection techniques for access token manipulation. It means examining the behaviour of the system: deploying tools that detect unusual system or user behaviour. Many processes and activities run on a Windows system, and they need to be analysed properly. Various instruments are available that provide detailed information about the running processes and user activity. These tools can be implemented so that they learn the normal and expected behaviour of the system and alert the user when abnormal or unexpected activity occurs. This can be done either by running the tools on the target system itself or by shipping data to a centralised analysis and alerting system.

The following figures show the use of access tokens. Figure 1 shows the lower user privileges. When a user runs an application, it starts with the lowest possible privileges, and an access token is assigned to the user for running that application. In Figure 1 I opened the command prompt with normal user privileges.

Figure 1: Lower privileges

Figure 2 shows the higher user privileges. In Figure 2 I opened the command prompt with administrator rights. A new access token is assigned to the administrator, and more access rights are given to the user.

Figure 2: Higher privileges

The Behavioural Analytics technique gives us the opportunity to detect the adversary by identifying and alerting on anomalous behaviour. Access token manipulation involves the adversary's use of various Windows functions, so monitoring these functions helps the defender detect this attack vector. Adversaries can leverage access tokens through three methods. The actions that should be monitored to detect the attack are:

• LogonUser (API call): This function is used by the system to create a logon session for a user who enters a username and password. An adversary who knows a username and password can use the LogonUser function to create a session for themselves.
• DuplicateTokenEx (API call): An adversary can use DuplicateTokenEx to create a new token by duplicating an existing token. The new token can then be used with ImpersonateLoggedOnUser to allow the calling thread to impersonate a logged-on user's security context, or with SetThreadToken to assign the impersonated token to a thread.
• ImpersonateLoggedOnUser (API call): This function allows the calling thread to impersonate a logged-on user's security context.
• runas (command-line instruction): The runas command runs a program, such as the command prompt, under another account, for example one with extremely limited privileges (lowuser). The command does not require elevated privileges, and any account can use it if it knows the target account's password, so commands launched through runas should be monitored.

Syntax:

 runas [{/profile | /noprofile}] [/env] [{/netonly | /savecred}] [/smartcard] [/showtrustlevels] [/trustlevel <level>] /user:<UserAccountName> "<program>"

The API calls and the command discussed above are used by Windows itself to perform legitimate actions, but an adversary can use the same functions for their own purposes.
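The following is an added example, not code from the original article, showing how the four actions listed above can be checked against a behavioural baseline. The event records are constructed for this example and use a hypothetical schema ({"host", "user", "process", "parent", "api", "cmdline"}); in practice the "api" field would come from an API-monitoring sensor such as an EDR or ETW provider, and "cmdline" from process-creation logging. The baseline of legitimate callers is likewise an assumption learned from a clean observation window, not a recommended allowlist.

```python
"""Flag token-related API calls from processes outside the baseline, and any
use of runas. Added example; event schema and baseline are assumptions."""

# The Windows functions the article says to monitor.
MONITORED_APIS = {"LogonUser", "DuplicateTokenEx", "ImpersonateLoggedOnUser"}

# Processes known to call each API legitimately on this host (assumed baseline,
# learned from a clean observation window; contents are illustrative only).
BASELINE_CALLERS = {
    "LogonUser": {"lsass.exe", "winlogon.exe", "svchost.exe"},
    "DuplicateTokenEx": {"services.exe", "svchost.exe"},
    "ImpersonateLoggedOnUser": {"svchost.exe", "spoolsv.exe"},
}


def is_runas(cmdline):
    """True if the command line invokes runas, with or without a path or .exe."""
    tokens = cmdline.strip().split()
    if not tokens:
        return False
    image = tokens[0].strip('"').rsplit("\\", 1)[-1].lower()
    return image in ("runas", "runas.exe")


def analyze(events):
    """Return one alert string per event that deviates from the baseline."""
    alerts = []
    for e in events:
        api = e.get("api")
        proc = (e.get("process") or "").lower()
        # A monitored API called by a process that never called it in the baseline.
        if api in MONITORED_APIS and proc not in BASELINE_CALLERS[api]:
            alerts.append(
                f"{e['host']}: {proc} run by {e['user']} called {api} (not in baseline)"
            )
        # Any runas invocation is recorded for review, as the article recommends.
        if is_runas(e.get("cmdline") or ""):
            alerts.append(
                f"{e['host']}: runas launched by {e['user']} from "
                f"{e.get('parent', '?')}: {e['cmdline']}"
            )
    return alerts


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "SYSTEM", "process": "svchost.exe",
     "parent": "services.exe", "api": "DuplicateTokenEx", "cmdline": ""},
    {"host": "WS01", "user": "alice", "process": "updater.exe",
     "parent": "explorer.exe", "api": "ImpersonateLoggedOnUser", "cmdline": ""},
    {"host": "WS01", "user": "alice", "process": "runas.exe", "parent": "cmd.exe",
     "api": None, "cmdline": 'C:\\Windows\\System32\\runas.exe /user:WS01\\admin "cmd.exe"'},
    {"host": "WS02", "user": "SYSTEM", "process": "lsass.exe",
     "parent": "wininit.exe", "api": "LogonUser", "cmdline": ""},
    {"host": "WS02", "user": "bob", "process": "svc_tool.exe",
     "parent": "cmd.exe", "api": "LogonUser", "cmdline": ""},
]

if __name__ == "__main__":
    for line in analyze(SAMPLE_EVENTS):
        print(line)
```

Running the block against the constructed events produces three alerts: updater.exe impersonating a logged-on user, the runas invocation, and svc_tool.exe calling LogonUser. The baseline is the behavioural part: the same API from lsass.exe or svchost.exe is silent, so the alert volume depends on how well the observation window represents normal activity.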

Use Cases
There are various use cases of Behavioural Analytics through which a defender can detect anomalous system behaviour and prevent the system from being attacked. These use cases are listed in the MITRE framework, and each use case is given a unique ID for identification.


Use Case (DUC0129): Every process in the system uses some resources for its execution. Tools can be installed on the system to look for anomalies in system resource consumption; a defender can detect suspicious activity if system resources are used at odd times or at odd levels. Microsoft provides the Sysinternals suite for Windows, which can be used to analyse the running processes, monitor the resources they use, and much more. The following screenshot shows the interface of the Process Explorer tool from the Sysinternals suite, which is very useful for exploring each process currently running.

Use Case (DUC0130): A defender can look for anomalies in the state of system services, detect potentially malicious activity, and triage the system to re-enable services that have been stopped.
Use Case (DUC0131): In this use case the Behavioural Analytics technique is used by the defender to detect abnormal behaviour of the XSL process.
Use Case (DUC0136): Users interact with various other systems in their daily routine, such as virtual machines, external storage devices and domain information. A defender can use behavioural analytics to analyse the behaviour of such systems.
Use Case (DUC0149): A defender can implement behavioural analytics that detects common access token manipulation techniques and allows or denies these actions.
Use Case (DUC0166): A process needs various modules loaded for its execution, files and folders carry read/write permissions, and the system connects to the network. A defender should monitor such client applications for anomalous behaviour.
Use Case (DUC0168): A defender can monitor user interactions with images and containers to identify ones that are added or altered anomalously.
Use Case (DUC0212): An adversary can attack a system by making a connection to it. A defender can detect the use of non-standard protocols; by implementing behavioural analytics, the defender should be able to detect a rise in protocol traffic to a system or set of systems and identify malicious communications.
Use Case (DUC0213): A defender can detect the use of external web services as a communication relay. By implementing behavioural analytics on which domains a system communicates with, how frequently, and at what times, a defender can potentially identify malicious traffic.
Use Case (DUC0217): A defender can implement behavioural analytics that indicate a system executing commands in non-standard ways, which could indicate malicious activity.
Use Case (DUC0218): A defender can implement behavioural analytics that indicate activity on or against a domain controller. Activity that is out of sync with scheduled domain tasks, or that results in an uptick in traffic with a particular system on the network, could indicate malicious activity.
Use Case (DUC0220): A defender can look for known files in non-standard locations, or for files that create anomalous processes or connections.
Use Case (DUC0221): A defender can look for anomalies in how commands are executed on a system. This can expose potentially malicious activity.
Use Case (DUC0237): A defender can detect adversaries leveraging unused cloud regions. By implementing behavioural analytics for cloud hosts that interact with the network from regions that are not normal, one can detect potentially malicious activity.
Use Case (DUC0239): Defenders can detect adversaries attempting to exfiltrate data to a cloud account, by detecting a system connecting to cloud providers it does not normally connect to, using an account it does not normally use, or at a time when it normally does not do so.
Use Case (DUC0240): Defenders can detect adversaries attempting to open a port by analysing incoming network connections. By looking for anomalies in what network traffic comes in, as well as patterns that might indicate intentional sequences, one can potentially identify malicious traffic. One can also look for anomalies such as services suddenly listening on ports that were not used before.
Use Case (DUC0241): Defenders can look for anomalies in where an account is authenticating from and what it is authenticating to, in order to detect potentially malicious intent. Authentication grants rights to a process for performing some task.
Use Case (DUC0243): A defender can look for anomalies in accounts being active with other services or systems during hours when they are normally not active. This can indicate malicious activity.
Use Case (DUC0244): Defenders can detect adversaries attempting to exfiltrate data over web services by implementing behavioural analytics. This can detect a system connecting to web services it does not normally connect to, or at a time when it normally does not do so.
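Several of the use cases above (odd times in DUC0129 and DUC0243, and where an account authenticates from in DUC0241) reduce to the same mechanism: build a per-account profile from past activity and score new events against it. The following is an added example of that mechanism, not code from the original article or from MITRE. The logon events are constructed for this example and use a hypothetical schema (account, host, ISO-8601 timestamp); a real deployment would read session or logon events from the system or a central log store.

```python
"""Per-account baseline of active hours and hosts, with scoring of new events.
Added example; the event schema and the sample data are constructed."""
from collections import defaultdict
from datetime import datetime


def build_profile(history):
    """Learn, per account, an hour-of-day histogram and the set of hosts used."""
    profile = defaultdict(lambda: {"hours": [0] * 24, "hosts": set()})
    for account, host, ts in history:
        hour = datetime.fromisoformat(ts).hour
        profile[account]["hours"][hour] += 1
        profile[account]["hosts"].add(host)
    return profile


def hour_seen(hours, hour):
    """Treat an hour as normal if it or a neighbouring hour has activity, so a
    10:55 logon in the history does not make an 11:05 logon look anomalous."""
    return sum(hours[(hour + d) % 24] for d in (-1, 0, 1)) > 0


def score_event(profile, event):
    """Return the reasons an event is anomalous (an empty list means normal)."""
    account, host, ts = event
    entry = profile.get(account)
    if entry is None:
        return ["new-account"]          # never seen in the baseline window
    reasons = []
    if host not in entry["hosts"]:
        reasons.append("new-host")      # account authenticating somewhere new
    if not hour_seen(entry["hours"], datetime.fromisoformat(ts).hour):
        reasons.append("off-hours")     # active at a time it normally is not
    return reasons


def detect(history, new_events):
    """Build the baseline from history and return (event, reasons) for anomalies."""
    profile = build_profile(history)
    alerts = []
    for ev in new_events:
        reasons = score_event(profile, ev)
        if reasons:
            alerts.append((ev, reasons))
    return alerts


# Constructed baseline window (not real logs).
HISTORY = [
    ("alice", "WS01", "2024-03-04T09:02:00"),
    ("alice", "WS01", "2024-03-04T10:35:00"),
    ("alice", "WS01", "2024-03-04T14:10:00"),
    ("alice", "WS01", "2024-03-05T09:15:00"),
    ("alice", "WS01", "2024-03-05T17:40:00"),
    ("bob", "WS02", "2024-03-04T08:05:00"),
    ("bob", "WS02", "2024-03-05T12:20:00"),
]

# Constructed events to score against the baseline.
NEW_EVENTS = [
    ("alice", "WS01", "2024-03-06T11:05:00"),   # normal: next to a seen hour
    ("alice", "WS01", "2024-03-06T03:15:00"),   # off-hours
    ("alice", "WS02", "2024-03-06T09:30:00"),   # new host for this account
    ("carol", "WS01", "2024-03-06T10:00:00"),   # account absent from baseline
    ("bob", "WS02", "2024-03-06T12:50:00"),     # normal
]

if __name__ == "__main__":
    for event, reasons in detect(HISTORY, NEW_EVENTS):
        print(event, reasons)
```

The neighbouring-hour tolerance in hour_seen is the kind of smoothing a short baseline window needs; without it, a two-day history flags almost everything. In production the profile would be rebuilt on a rolling window so that legitimate changes in a user's routine age into the baseline.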

Procedures
DPR0013: Living Off The Land Binaries (LOLBins) are one of the most creative and insidious malware threats today. Attackers use LOLBins to evade detection by misusing legitimate system binaries and processes for malicious purposes. The defender should use behavioural analytics to detect LOLBins being used to download and execute a file, since malicious files are downloaded onto the system to carry out suspicious activity.
DPR0014: Software development tools are used by developers to define, design, test and implement a software application, and only developers should need them on a system. The defender can therefore use behavioural analytics to identify a system that is running development tools but is not used by someone who does development.
DPR0015: Many processes execute on the system, and one process may launch another to complete its work. Different permissions are assigned to these processes for different users of the system, and an attacker can escalate privileges and execute malicious processes. The defender must use behavioural analytics to identify abnormal system processes being used to launch a different process.
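DPR0015 is most directly expressed as a baseline of parent/child process pairs: launches whose pair was never (or rarely) seen in a clean window are flagged. The following is an added example, not code from the original article or from MITRE. The process-creation records are constructed for this example and use a hypothetical schema (host, user, parent_image, child_image); the real source would be process-creation auditing on the host.

```python
"""Parent/child process baseline for detecting abnormal process launches.
Added example; record schema and sample data are constructed."""
from collections import Counter


def image_name(path):
    """Reduce an image path to its lowercase file name so that
    'C:\\Windows\\System32\\cmd.exe' and 'cmd.exe' count as the same image."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def build_baseline(records):
    """Count how often each (parent, child) pair occurred in the clean window."""
    return Counter((image_name(p), image_name(c)) for _host, _user, p, c in records)


def rare_launches(baseline, records, min_count=2):
    """Flag records whose parent/child pair was seen fewer than min_count times.
    min_count > 1 guards against a single odd launch in the baseline window
    silencing the pair forever."""
    alerts = []
    for host, user, parent, child in records:
        pair = (image_name(parent), image_name(child))
        seen = baseline.get(pair, 0)
        if seen < min_count:
            alerts.append({"host": host, "user": user,
                           "parent": pair[0], "child": pair[1], "seen": seen})
    return alerts


# Constructed baseline window: (host, user, parent_image, child_image).
BASELINE_RECORDS = (
    [("WS01", "alice", "explorer.exe", "cmd.exe")] * 3
    + [("WS01", "SYSTEM", "services.exe", "svchost.exe")] * 5
    + [("WS01", "alice", "explorer.exe", "winword.exe")] * 2
    + [("WS01", "alice", "winword.exe", "splwow64.exe")]
)

# Constructed new records to evaluate.
NEW_RECORDS = [
    ("WS01", "alice", "C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\cmd.exe"),  # seen 3x
    ("WS01", "SYSTEM", "services.exe", "svchost.exe"),                                # seen 5x
    ("WS01", "alice", "winword.exe", "cmd.exe"),                                      # never seen
    ("WS01", "SYSTEM", "spoolsv.exe", "powershell.exe"),                              # never seen
    ("WS01", "alice", "winword.exe", "splwow64.exe"),                                 # seen once
]

if __name__ == "__main__":
    baseline = build_baseline(BASELINE_RECORDS)
    for alert in rare_launches(baseline, NEW_RECORDS):
        print(alert)
```

Normalising on the image file name keeps a full path and a bare name from being counted as different pairs; a stricter deployment would also compare the signed publisher or hash so that a renamed binary in a different directory does not inherit the baseline of the legitimate one.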

Conclusion

Access tokens are used by Windows for security purposes, but they can be easily manipulated by an adversary to perform malicious activity on the system using certain Windows commands or API calls. Such an attack can be very dangerous for an organisation of any size as well as for an individual, so detecting this type of attack vector is very important. Behavioural Analytics is a useful and easy-to-implement method for detecting and preventing such attacks.

References

Active Defense Techniques: Behavioral Analytics (DTE0007)
