Suspicious token impersonation event found

I ran a search for "Malware Detection / Processes whose names are confusingly similar to those of critical systems processes are likely to be malicious (process.path:svchost.exe~1)" and got the following message, which is concerning to say the least. When I run a virus scan this doesn't show up. What should I make of this?

General

  • mitre_tactics: N/A
  • mitre_techniques: N/A

Details

  • process_integrity_level: system
  • parent_process_integrity_level: system
  • process_access_privileges: elevated
  • parent_process_access_privileges: elevated
  • command_line: C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s wlidsvc
  • process_path: c:\windows\system32\svchost.exe
  • pid: 16824
  • user: NT AUTHORITY\SYSTEM
  • parent_process_pid: 996
  • parent_process_path: c:\windows\system32\services.exe
  • parent_process_user: NT AUTHORITY\SYSTEM
  • file_md5: f586835082f632dc8d9404d83bc16316
  • file_sha256: 643ec58e82e0272c97c2a59f6020970d881af19c0ad5029db9c958c13b6558c7
  • hostname: computername.domain.local
  • event_name: suspicioustokenimpersonation
  • other.os: windows
  • other.user: NT AUTHORITY\SYSTEM
  • other.event_type: alert
  • other.detection_class: edr_detection
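A first-pass triage of the fields in the alert above, added here as an example and not part of the original thread or of Bitdefender's tooling: the record is constructed from the posted fields, and the checks encode the standard shape of a hosted Windows service (svchost.exe launched from System32 by services.exe with a `-k` service group), which is not something the thread itself states.

```python
"""Triage heuristics for an EDR alert on an svchost.exe process (added example)."""
import ntpath

# Constructed from the fields posted in the question; field names match the alert.
ALERT = {
    "process_path": r"c:\windows\system32\svchost.exe",
    "command_line": r"C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s wlidsvc",
    "user": r"NT AUTHORITY\SYSTEM",
    "parent_process_path": r"c:\windows\system32\services.exe",
    "parent_process_user": r"NT AUTHORITY\SYSTEM",
}

SYSTEM32 = r"c:\windows\system32"


def parse_svchost_cmdline(cmdline):
    """Split 'svchost.exe -k <group> -p -s <service>' into (group, service, flags)."""
    tokens = cmdline.split()  # paths here contain no spaces, so whitespace split is enough
    group = service = None
    flags = set()
    i = 1  # tokens[0] is the executable path
    while i < len(tokens):
        tok = tokens[i].lower()
        if tok == "-k" and i + 1 < len(tokens):
            group, i = tokens[i + 1], i + 2
        elif tok == "-s" and i + 1 < len(tokens):
            service, i = tokens[i + 1], i + 2
        else:
            flags.add(tok)
            i += 1
    return group, service, flags


def triage_svchost_alert(alert):
    """Return launch-shape anomalies; an empty list means the launch looks like a normally hosted service."""
    anomalies = []
    path = alert["process_path"].lower()
    parent = alert["parent_process_path"].lower()
    if ntpath.basename(path) != "svchost.exe":
        anomalies.append("process name is not exactly svchost.exe (possible lookalike)")
    if ntpath.dirname(path) != SYSTEM32:
        anomalies.append("svchost.exe is not running from System32")
    if parent != ntpath.join(SYSTEM32, "services.exe"):
        anomalies.append("parent is not services.exe")
    if alert["parent_process_user"].upper() != r"NT AUTHORITY\SYSTEM":
        anomalies.append("parent service control manager is not running as SYSTEM")
    group, _service, _flags = parse_svchost_cmdline(alert["command_line"])
    if group is None:
        anomalies.append("no -k service group on the command line")
    return anomalies
```

An empty anomaly list only says the launch matches how a real service host is started; it does not prove the binary is unmodified, which is why the vendor still needs the logs to confirm what triggered the token-impersonation detection.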


Answers

  • Hello @works2020

    Based on your description of the situation encountered, I would recommend contacting the Technical Support Teams, as more information might be required to troubleshoot this. The engineers will request a bdsys log from you for further investigation.

    You can get in touch with our engineers by choosing one of the contact methods available here:

    https://www.bitdefender.com/consumer/support/

    Stay safe.

    Premium Security & Bitdefender Endpoint Security Tools user

  • Thanks for the info, I have a case opened.

    What are your thoughts on this article, https://www.socinvestigation.com/account-manipulation-and-access-token-theft-attacks/

    I'm seeing this error pop up on other clients and I don't have any reason to believe they're under attack. Not confident it's not a false positive either.

  • I got in touch with support and they asked me to send logs from their BDSYS application. After doing so, I haven't heard back from anyone. Wait times on the phone are well over an hour. Any ideas?

  • Hello,

    The engineers will get back to you once the analysis is complete. The usual response timeframe varies depending on the incoming rate, but usually it does not exceed 24 hours. During peak intervals, delays may occur.

    Best regards.

    Premium Security & Bitdefender Endpoint Security Tools user