Adversaries may create a new process with a different token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as <code>CreateProcessWithTokenW</code> and <code>runas</code>. (Citation: Microsoft RunAs)
Creating processes with a different token may require the credentials of the target user, specific privileges to impersonate that user, or access to the token to be used (e.g., gathered via other means such as Token Impersonation/Theft or Make and Impersonate Token).

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
AC-2 | Account Management | Protects | T1134.002 | Create Process with Token | |
AC-3 | Access Enforcement | Protects | T1134.002 | Create Process with Token | |
AC-5 | Separation of Duties | Protects | T1134.002 | Create Process with Token | |
AC-6 | Least Privilege | Protects | T1134.002 | Create Process with Token | |
CM-5 | Access Restrictions for Change | Protects | T1134.002 | Create Process with Token | |
CM-6 | Configuration Settings | Protects | T1134.002 | Create Process with Token | |
IA-2 | Identification and Authentication (Organizational Users) | Protects | T1134.002 | Create Process with Token | |