CrowdStrike Alert Details
Alert ID: CS-TOKEN-MANIP-1134-7842
Alert Time: 2024-02-17 09:30:22 EST
Severity: CRITICAL (92/100)
Source: CrowdStrike Falcon EDR
Rule: “Access Token Manipulation – Privilege Escalation”
MITRE ATT&CK: T1134.001 – Access Token Manipulation: Token Impersonation/Theft
Alert Details:
Detection: Process attempted to duplicate token of SYSTEM process for privilege escalation
Host: IT-WS-078 (IT Department)
User: bjones (Brian Jones – Standard User)
Time: 09:25 EST
Process Tree:
– explorer.exe (PID: 3421 – user context)
  – powershell.exe (PID: 4789 – user context)
    – whoami.exe (PID: 4792 – checking current user)
    – token_dup.exe (PID: 4795 – custom tool)
      – Attempted OpenProcess on winlogon.exe (PID: 568 – SYSTEM)
      – Attempted DuplicateTokenEx (successful)
      – Created new process with SYSTEM token: cmd.exe (PID: 4823)
Token Manipulation Details:
– Target Process: winlogon.exe (running as SYSTEM)
– API Calls:
  – OpenProcess (PROCESS_QUERY_INFORMATION) – Success
  – OpenProcessToken – Success
  – DuplicateTokenEx – Success (created impersonation token)
  – CreateProcessWithTokenW – Success (launched cmd.exe as SYSTEM)
Resulting Process:
– Process: cmd.exe (PID: 4823)
– Token User: NT AUTHORITY\SYSTEM
– Command: whoami (confirmed SYSTEM)
– Network: No immediate connections
Detection Logic:
– Standard user (bjones) should not be able to impersonate SYSTEM
– Token duplication from winlogon.exe is highly anomalous
– Custom tool token_dup.exe not seen in environment before
– Pattern matches known privilege escalation techniques (Potato family)
Additional Context:
– User bjones is IT helpdesk (standard user, not admin)
– No approved privilege escalation tools
– Tool downloaded from suspicious URL earlier
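The detection logic listed above, implemented here as an added example over constructed API-call telemetry (this is not Falcon's query language or data schema, and the field names, point weights and sample events are assumptions): a non-SYSTEM caller that opens or duplicates the token of a sensitive SYSTEM process and then spawns a child carrying a SYSTEM token is flagged, with extra weight when the calling binary has not been seen before.

```python
from dataclasses import dataclass
SYSTEM_USER = "NT AUTHORITY\\SYSTEM"
SENSITIVE_TARGETS = {"winlogon.exe", "lsass.exe", "services.exe"}   # SYSTEM token sources
TOKEN_ACCESS_APIS = {"OpenProcess", "OpenProcessToken", "DuplicateTokenEx"}
TOKEN_SPAWN_APIS = {"CreateProcessWithTokenW", "CreateProcessAsUserW"}

@dataclass
class ApiEvent:           # one API-call telemetry record (constructed schema, not Falcon's own)
    user: str             # account owning the calling process
    process: str          # image name of the caller
    pid: int
    api: str
    target: str = ""      # target image for token-access calls
    token_user: str = ""  # token user of the spawned child for spawn calls
    success: bool = True

def detect_token_theft(events, known_binaries):
    """One finding per calling PID that matches the alert's criteria: a non-SYSTEM caller
    touching a sensitive SYSTEM process token and/or spawning a SYSTEM-token child."""
    by_pid = {}
    for e in events:
        if e.success and e.user != SYSTEM_USER:  # SYSTEM handling its own tokens is normal
            by_pid.setdefault(e.pid, []).append(e)
    findings = []
    for pid, evs in by_pid.items():
        caller, reasons = evs[0], []   # reasons are (points, text) pairs
        touched = sorted({e.target.lower() for e in evs
                          if e.api in TOKEN_ACCESS_APIS and e.target.lower() in SENSITIVE_TARGETS})
        if touched:
            reasons.append((50, f"{caller.user} opened/duplicated token of {', '.join(touched)}"))
        if any(e.api in TOKEN_SPAWN_APIS and e.token_user == SYSTEM_USER for e in evs):
            reasons.append((40, "child launched with SYSTEM token from user context"))
        if reasons and caller.process.lower() not in known_binaries:  # unseen binary adds weight
            reasons.append((10, f"{caller.process} not previously seen in environment"))
        if reasons:
            findings.append({"pid": pid, "process": caller.process, "user": caller.user,
                             "score": sum(p for p, _ in reasons),
                             "reasons": [text for _, text in reasons]})
    return sorted(findings, key=lambda f: -f["score"])

# Constructed sample telemetry mirroring the alert's process tree, plus benign noise.
SAMPLE_EVENTS = [
    ApiEvent("bjones", "token_dup.exe", 4795, "OpenProcess", target="winlogon.exe"),
    ApiEvent("bjones", "token_dup.exe", 4795, "OpenProcessToken", target="winlogon.exe"),
    ApiEvent("bjones", "token_dup.exe", 4795, "DuplicateTokenEx", target="winlogon.exe"),
    ApiEvent("bjones", "token_dup.exe", 4795, "CreateProcessWithTokenW", token_user=SYSTEM_USER),
    ApiEvent(SYSTEM_USER, "svchost.exe", 912, "DuplicateTokenEx", target="winlogon.exe"),
    ApiEvent("bjones", "explorer.exe", 3421, "OpenProcess", target="notepad.exe"),
]
KNOWN_BINARIES = {"explorer.exe", "powershell.exe", "svchost.exe", "whoami.exe"}
```

On the sample, only the token_dup.exe chain produces a finding; the SYSTEM-owned svchost.exe call and explorer.exe opening a user process are filtered out as expected noise.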
SOC Investigation Process
Step                | Action                    | Tools Used                  | Findings
--------------------|---------------------------|-----------------------------|----------------------------------------------------
1. Alert Validation | Verify CrowdStrike alert  | CrowdStrike Falcon Console  | Confirmed token duplication from winlogon.exe
2. Process Analysis | Analyze token_dup.exe     | CrowdStrike Sandbox         | Tool is “JuicyPotatoNG” – privilege escalation exploit
3. Immediate Action | Terminate SYSTEM cmd.exe  | CrowdStrike                 | SYSTEM shell terminated
4. Tool Removal     | Delete token_dup.exe      | CrowdStrike Live Response   | Malicious tool deleted
5. User Interview   | Contact user              | Teams, Phone                | User downloaded “helpdesk tool” from forum
6. Host Remediation | Full scan and hardening   | CrowdStrike, Nessus         | No other malware; applied additional patches
Jira Incident Report
Ticket: SOC-2024-086
Summary: T1134 – Token Manipulation Privilege Escalation via JuicyPotato
Status: RESOLVED
Resolution: MALICIOUS – Privilege Escalation Attempt Blocked
Priority: P1 – CRITICAL
Labels: T1134, token-manipulation, privilege-escalation, juicy-potato, crowdstrike
Components: Endpoint-Security, Privilege-Escalation
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: CrowdStrike Falcon EDR.
Alert: “Access Token Manipulation – Privilege Escalation”.
Host: IT-WS-078 (IT Department, user bjones).
Time: 2024-02-17 09:30 EST.
Technique: MITRE ATT&CK T1134.001 – Access Token Manipulation: Token Impersonation/Theft.
2. Technical Analysis:
Attack Chain:
09:15 – User downloads “Helpdesk Tool Suite” from forum
09:16 – Extracts token_dup.exe and runs it
09:18 – Tool checks current user (whoami – standard user)
09:20 – Tool enumerates processes, finds winlogon.exe (SYSTEM)
09:22 – Opens winlogon.exe with PROCESS_QUERY_INFORMATION
09:23 – Duplicates token successfully
09:24 – Launches cmd.exe with duplicated SYSTEM token
09:25 – CrowdStrike detects token manipulation
Token Manipulation Technique:
Tool: JuicyPotatoNG (modified version)
Target: winlogon.exe (SYSTEM process)
Method: SeImpersonatePrivilege abuse (user had this privilege)
Result: SYSTEM shell achieved
SYSTEM Shell Activity:
cmd.exe running as SYSTEM (PID: 4823)
User ran: whoami (confirmed SYSTEM)
No additional commands before termination
No network connections from SYSTEM shell
User Activity:
User is helpdesk employee, needed admin access for work
Downloaded tool to “make my job easier”
Unaware of security implications
3. Investigation Findings:
Timeline:
09:15 – Tool downloaded
09:24 – SYSTEM shell created
09:25 – Alert triggers
09:26 – SOC investigates
09:27 – SYSTEM shell terminated
09:28 – Tool deleted
Indicators of Compromise (IoCs):
Files:
– token_dup.exe (JuicyPotatoNG) – SHA256: a1b2c3d4…
– Helpdesk Tool Suite.zip – SHA256: b2c3d4e5…
Processes:
– token_dup.exe
– cmd.exe (SYSTEM context)
Network:
– Download from forum (URL blocked)
4. Containment Actions:
Immediate Actions:
Terminated SYSTEM shell (cmd.exe).
Deleted token_dup.exe.
Deleted downloaded archive.
Isolated host temporarily.
Host Remediation:
Full scan (no other malware).
Verified SeImpersonatePrivilege was legitimate (helpdesk role).
No reimage needed.
User Remediation:
User counseled on security policy.
Escalated to manager for disciplinary review.
Required to complete security training.
5. Root Cause Analysis:
Primary Cause: User downloaded and ran unauthorized privilege escalation tool.
Contributing Factors:
User had SeImpersonatePrivilege (needed for helpdesk role).
No application control blocking unauthorized tools.
User attempted to bypass least privilege for convenience.
6. Business Impact:
Operational Impact: IT workstation offline for 2 hours.
Security Impact: SYSTEM access achieved for 1 minute.
Data Exposure: None.
7. Remediation & Prevention:
Completed Actions:
Malicious tool removed.
SYSTEM shell terminated.
User disciplined.
Technical Controls Enhanced:
Implemented application control (CrowdStrike Falcon Prevent).
Created alert for token duplication attempts.
Reviewed helpdesk privileges (minimal necessary).
8. Conclusion:
A helpdesk user downloaded a privilege escalation tool and successfully gained SYSTEM access via token manipulation. CrowdStrike detected the anomalous token duplication within seconds, enabling rapid termination of the SYSTEM shell. No further compromise occurred.
Closure Rationale: Tool removed; user disciplined; controls enhanced.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-17 10:30 EST