Environment
- Carbon Black Cloud Windows Sensor: 3.8.x and Higher
- Microsoft Windows: All supported versions
Symptoms
- Getting an increasing amount of alerts similar to:
The application excel.exe has impersonated a non-system user.
- Reason code for alert: "T_IMPERSONATE_USER"
Cause
- These alerts are mainly due to the TTP associated with these actions
- TTPs: impersonate_user, code_drop, mitre_t1134_access_token_manip
- The alerts are generated when the user that is associated with an application or process changes during the course of execution to something other than NT AUTHORITY\SYSTEM, the system tracks the username of system/root to another user
Resolution
- Avoid these results with running the application with the System/Root user (NT AUTHORITY\SYSTEM).
- If these are believed to be false positives in the environment, they could be dismissed using the following method here.
Related Content