Query Details

Device Process Modified Primary Token

Query

//Find when a process modifies the primary access token and parse the relevant details such as any privilege attached to the token, whether it is system level and the token integrity level

//Data connector required for this query - M365 Defender - Device* tables

//Microsoft Sentinel query
DeviceEvents
| where TimeGenerated > ago(30m)
| project
    DeviceName,
    ActionType,
    AdditionalFields,
    TimeGenerated,
    InitiatingProcessParentFileName,
    InitiatingProcessCommandLine
| where ActionType == "ProcessPrimaryTokenModified"
| extend TokenModificationProperties = AdditionalFields.TokenModificationProperties
| where isnotempty(TokenModificationProperties)
| parse TokenModificationProperties with * 'tokenChangeDescription":"' ['Token Change Description'] '","privilegesFlags":' ['Token Privileges'] ',"isChangedToSystemToken":' ['is Changed to System Token'] ',"originalTokenIntegrityLevelName":"' ['Original Token Level'] '","currentTokenIntegrityLevelName":"' ['Current Token Level'] '"' *
| project
    TimeGenerated,
    DeviceName,
    InitiatingProcessParentFileName,
    InitiatingProcessCommandLine,
    ['Original Token Level'],
    ['Current Token Level'],
    ['Token Privileges'],
    ['is Changed to System Token'],
    ['Token Change Description']

//Advanced Hunting query

//Data connector required for this query - Advanced Hunting license

DeviceEvents
| where Timestamp > ago(30m)
| project
    DeviceName,
    ActionType,
    AdditionalFields,
    Timestamp,
    InitiatingProcessParentFileName,
    InitiatingProcessCommandLine
| where ActionType == "ProcessPrimaryTokenModified"
| extend AF = parse_json(AdditionalFields)
| extend OriginalTokenLevel = AF.OriginalTokenIntegrityLevel
| extend OriginalTokenPriv = AF.OriginalTokenPrivEnabled
| extend CurrentTokenLevel = AF.CurrentTokenIntegrityLevel
| extend CurrentTokenPriv = AF.CurrentTokenPrivEnabled
| extend TokenModification = AF.TokenModificationProperties

Explanation

This query finds instances where a process modifies its primary access token and extracts the relevant details: the privileges attached to the token, whether it was changed to a system-level token, and the original and current token integrity levels. It can be run in Microsoft Sentinel or in Advanced Hunting, depending on the data connector in use. Both versions read the DeviceEvents table and filter for events whose ActionType is "ProcessPrimaryTokenModified". The Sentinel version then applies a positional parse pattern to AdditionalFields.TokenModificationProperties to pull out the token change description, token privileges, system token status, original token integrity level, and current token integrity level, while the Advanced Hunting version uses parse_json on AdditionalFields and reads the token level, enabled-privilege and modification fields directly. The results are projected into a fixed set of columns for analysis.
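As an added example (not part of the original query or its author's work), the Sentinel variant rewritten against the parsed JSON rather than a positional string pattern, so it does not silently return empty columns if the key order inside TokenModificationProperties changes, and narrowed to the events most worth triaging: a token changed to SYSTEM or whose integrity level rose. Field names are those used in the queries above; the integrity level names (Low, Medium, High, System) are an assumption.

```kql
// Added example: JSON-based variant of the Sentinel query above.
// parse_json() is used instead of a positional parse pattern, then
// only escalations (to SYSTEM or to a higher integrity level) are kept.
DeviceEvents
| where TimeGenerated > ago(1d)
| where ActionType == "ProcessPrimaryTokenModified"
| extend AF = parse_json(AdditionalFields)
// TokenModificationProperties may arrive as a nested object or as a JSON
// string; tostring()+parse_json() normalises both cases.
| extend TMP = parse_json(tostring(AF.TokenModificationProperties))
| extend
    TokenChangeDescription = tostring(TMP.tokenChangeDescription),
    TokenPrivileges        = tolong(TMP.privilegesFlags),
    ChangedToSystemToken   = tobool(TMP.isChangedToSystemToken),
    OriginalTokenLevel     = tostring(TMP.originalTokenIntegrityLevelName),
    CurrentTokenLevel      = tostring(TMP.currentTokenIntegrityLevelName)
// Rank integrity levels so a rise can be compared numerically.
// Level names are assumed to follow Windows naming; unknown names rank 0.
| extend OriginalRank = case(OriginalTokenLevel == "System", 4,
                             OriginalTokenLevel == "High",   3,
                             OriginalTokenLevel == "Medium", 2,
                             OriginalTokenLevel == "Low",    1, 0),
         CurrentRank  = case(CurrentTokenLevel == "System", 4,
                             CurrentTokenLevel == "High",   3,
                             CurrentTokenLevel == "Medium", 2,
                             CurrentTokenLevel == "Low",    1, 0)
| where ChangedToSystemToken == true or CurrentRank > OriginalRank
| summarize
    Events       = count(),
    FirstSeen    = min(TimeGenerated),
    LastSeen     = max(TimeGenerated),
    Descriptions = make_set(TokenChangeDescription, 10)
  by DeviceName, InitiatingProcessParentFileName, InitiatingProcessCommandLine,
     OriginalTokenLevel, CurrentTokenLevel, ChangedToSystemToken
| order by Events desc
```

Replace TimeGenerated with Timestamp to run the same logic in Advanced Hunting.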

Details


Matt Zorich

Released: June 17, 2022

Tables

DeviceEvents

Keywords

DeviceEvents,TimeGenerated,DeviceName,ActionType,AdditionalFields,InitiatingProcessParentFileName,InitiatingProcessCommandLine,TokenModificationProperties,TokenChangeDescription,TokenPrivileges,isChangedtoSystemToken,OriginalTokenLevel,CurrentTokenLevel

Operators

where, project, isnotempty, parse, extend, with, project, Timestamp, parse_json, extend
