ATT&CK® Detecting Access Token Manipulation

A New Advanced Offering

This course takes the lessons and tactics taught in the MAD20™ ATT&CK Threat Hunting Course and applies them to detecting T1134.001: Token Impersonation and Theft. Students will walk through the steps of the TTP Threat Hunting Methodology and apply them to detection engineering for this specific technique. They will learn what access tokens are, how they can be manipulated through token impersonation and theft, and how to turn that research into emulated behaviors. By emulating and testing the procedures identified through research, students will be able to analyze and identify low-variance behaviors, then build and implement analytics for them in their own analytic environment.

Target Audience

This course is meant for cybersecurity practitioners who are responsible for detecting and investigating malicious cyber activity.

Course Prerequisites

  • MAD20™ ATT&CK Fundamentals Training
  • MAD20™ Threat Hunting Training
  • Knowledge of the Windows Sysinternals Suite (Procmon, Sysmon, WinDbg, Windows Events)
  • Proficiency in system log configuration
  • Proficiency in an analytic platform

Course Goals

  • Be able to take the data sources and implementation methods found in the research stage and build tests that exercise the Token Impersonation and Theft behavior
  • Understand what access tokens are, how they are used in a Windows system, and how they can be manipulated for token impersonation and theft
  • Apply the lessons learned in the MAD Threat Hunting Course, including research, development of testing, and analytics implementation, to detection engineering for T1134.001: Token Impersonation and Theft
  • Implement analytics based on the low-variance behavior identified during testing
  • Be able to take the research and results from this course and apply them to the learner’s own analytic platform and organizational needs
  • Use the Windows Sysinternals Suite to detect and analyze the results of Token Impersonation and Theft testing