EXPLORE
Sign In
← Back to Explore
T1134.002

Create Process with Token

Adversaries may create a new process with an existing token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as <code>CreateProcessWithTokenW</code> and <code>runas</code>.(Citation: Microsoft RunAs) Creating processes with a token not associated with the current user may require the credentials of the target user, specific privileges to impersonate that user, or access to the token to b...

Windows
13
Detections
3
Sources
2
Threat Actors

BY SOURCE

6elastic6sigma1splunk_escu

PROCEDURES (7)

Impersonat3 detections

Auto-extracted: 3 detections for impersonat

Service2 detections

Auto-extracted: 2 detections for service

Credential2 detections

Auto-extracted: 2 detections for credential

Service2 detections

Auto-extracted: 2 detections for service

Child Process2 detections

Auto-extracted: 2 detections for child process

Credential1 detections

Auto-extracted: 1 detections for credential

Process Creation Monitoring1 detections

Auto-extracted: 1 detections for process creation monitoring

THREAT ACTORS (2)

Lazarus GroupTurla

DETECTIONS (13)

Interactive Logon by an Unusual Process
elastichigh
Meterpreter or Cobalt Strike Getsystem Service Installation - Security
sigmahigh
Meterpreter or Cobalt Strike Getsystem Service Installation - System
sigmahigh
Potential Meterpreter/CobaltStrike Activity
sigmahigh
PowerShell Script with Token Impersonation Capabilities
elasticmedium
Privileges Elevation via Parent Process PID Spoofing
elastichigh
Process Created with a Duplicated Token
elasticmedium
Process Created with an Elevated Token
elastichigh
Process Creation via Secondary Logon
elasticmedium
PUA - AdvancedRun Execution
sigmamedium
PUA - AdvancedRun Suspicious Execution
sigmahigh
Suspicious Child Process Created as System
sigmahigh
Windows Access Token Manipulation SeDebugPrivilege
splunk_escu