Hunting for Privilege Escalation Done with Invoke-TokenManipulation
In this post I tried to hunt for invoke-tokenmanipulation (Powersploit module) privilege escalation Sysmon and enhanced Powershell logging artifcats.
We can see the tokens which are available
I want to escalate my privilege from local Administrator to Domain Administrator (qureshi/Administrator). We can see a primary token attached to process id 4996 below, which we will use to impersonate a newly created process.
The script iterates through all the running processes to enumerate the tokens attached to each process. This can be seen by the following EventIDs 10 “Process Accessed”, where source image is powershell.exe, target images are the currently running processes, Granted access is 0x1400 and CallTrace contains “kernelbase.dll+14497”.
I also observed the following PS logs EventIDs 4103 (CommandInvocation), where we can hunt for keywords like "hToken" AND "LogonType" AND "IsElevated" and where hostapplication field contains "powershell.exe".
I also observed in the EventID 4103 keywords like "Get-Process" and FilterScript values containing regex used in the script like "^csrss$" and "^system$" etc
Some other EventIDs 4103 shows the usage of "System.Reflection.AssemblyName" to reflectly inject the commands in powershell processes's memory:
Hunting for: "Invoke-TokenManipulation -CreateProcess "cmd.exe" -Username <domain\user>" artifacts
Ok now I will look for artifacts in Sysmon and PS Logging, when I steal a token from the following process and use it to start another process with domain administrator privileges:
Again monitoring for Sysmon artifacts we can see the same iteration whereby multiple EventIDs 10 "Process Accessed" is seen whereby sourceimage contains "powershell.exe", grantedaccess is 0x1400 and calltrace contains "kernelbase.dll+14497", which is because enumeration is going on in the background.
We can see similar set of keywords in the PS logs for this scenario as well: