T1134.002 Create Process with Token Mappings

Adversaries may create a new process with an existing token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as <code>CreateProcessWithTokenW</code> and <code>runas</code>.(Citation: Microsoft RunAs)

Creating processes with a token not associated with the current user may require the credentials of the target user, specific privileges to impersonate that user, or access to the token to be used. For example, the token could be duplicated via Token Impersonation/Theft or created via Make and Impersonate Token before being used to create a process.

While this technique is distinct from Token Impersonation/Theft, the techniques can be used in conjunction where a token is duplicated and then used to create a new process.


Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| intel-tdt | Intel Threat Detection Technology | CrowdStrike AMS | T1134.002 | Create Process with Token | |
Comments
Intel Threat Detection Technology (TDT), combined with CrowdStrike Falcon Accelerated Memory Scanning (CAMS), enhances cybersecurity defenses by enabling faster, real-time detection of "Create Process with Token" exploits. This integrated solution strengthens CrowdStrike Falcon, improving its ability to detect and mitigate cyber threats earlier in the kill chain, all while minimizing system performance impact.

"Create Process with Token" exploits involve adversaries using the Windows API to create a process under the security context of another user, often leveraging stolen credentials or escalated privileges to execute malicious code. Intel TDT plays a crucial role in identifying these threats by providing real-time telemetry on program execution, memory access, and control flow, enabling rapid detection of abnormal behaviors that could indicate misuse of the "Create Process" API for unauthorized actions.

Additionally, CAMS offloads the memory scanning workload from the CPU to the Intel Integrated GPU, allowing for faster, more efficient detection of malicious activity without degrading system performance. CAMS helps identify suspicious behaviors, such as the creation of unauthorized processes or attempts to misuse the "Create Process" function to bypass security controls and execute malicious code.
References