Suspicious token impersonation event found

works2020
works2020
edited February 2022 in Protection - Malware/ Firmware/etc.

I ran a search for "Malware Detection / Processes whose names are confusingly similar to those of critical systems processes are likley to be malicious (process.path:svchost.exe~1)" and get the following message, which is concerning to say the least. When I run a virus scan this doesn't show up. What should I make of this?

General

  • mitre_tactics: N/A
  • mitre_techniques: N/A

Details

  • process_integrity_level:
  • system
  • parent_process_integrity_level:
  • system
  • process_access_privileges:
  • elevated
  • parent_process_access_privileges:
  • elevated
  • command_line:
  • C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s wlidsvc
  • process_path:
  • c:\windows\system32\svchost.exe
  • pid:
  • 16824
  • user:
  • NT AUTHORITY\SYSTEM
  • parent_process_pid:
  • 996
  • parent_process_path:
  • c:\windows\system32\services.exe
  • parent_process_user:
  • NT AUTHORITY\SYSTEM
  • file_md5:
  • f586835082f632dc8d9404d83bc16316
  • file_sha256:
  • 643ec58e82e0272c97c2a59f6020970d881af19c0ad5029db9c958c13b6558c7
  • hostname:
  • computername.domain.local
  • event_name:
  • suspicioustokenimpersonation
  • other.os:
  • windows
  • other.user:
  • NT AUTHORITY\SYSTEM
  • other.event_type:
  • alert
  • other.detection_class:
  • edr_detection


Tagged:

Answers

  • Alexandru_BD
    Alexandru_BD admin

    Hello @works2020

    Based on your description of the situation encountered, I would recommend contacting the Technical Support Teams, as more information might be required to troubleshoot this. The engineers will request a bdsys log from you for further investigation.

    You can get in touch with our engineers by choosing one of the contact methods available here:

    https://www.bitdefender.com/consumer/support/

    Stay safe.

  • works2020
    works2020

    Thanks for the info, I have a case opened.

    What are your thoughts on this article, https://www.socinvestigation.com/account-manipulation-and-access-token-theft-attacks/

    I'm seeing this error pop up on other clients and I don't have any reason to believe they're under attack. Not confident it's not a false positive either.

  • works2020
    works2020

    I got in touch with support and they asked me to send logs from their BDSYS application. After doing so haven't heard back from anyone. Wait times on the phone are well over an hour. Any ideas?

  • Alexandru_BD
    Alexandru_BD admin

    Hello,

    The engineers will get back to you once the analysis is complete. The usual response timeframe varies depending on the incoming rate, but usually it does not exceed 24 hours. During peak intervals, delays may occur.

    Best regards.

All Time Leaders

Categories

Defenders of the month