T1134.002 Create Process with Token

Adversaries may create a new process with an existing token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as <code>CreateProcessWithTokenW</code> and <code>runas</code>.(Citation: Microsoft RunAs)

Creating processes with a token not associated with the current user may require the credentials of the target user, specific privileges to impersonate that user, or access to the token to be used. For example, the token could be duplicated via Token Impersonation/Theft or created via Make and Impersonate Token before being used to create a process.

While this technique is distinct from Token Impersonation/Theft, the techniques can be used in conjunction where a token is duplicated and then used to create a new process.

View in MITRE ATT&CK®

CRI Profile Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
PR.IR-01.06 Production environment segregation Mitigates T1134.002 Create Process with Token
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
References
    PR.AA-05.02 Privileged system access Mitigates T1134.002 Create Process with Token
    Comments
    This diagnostic statement protects against Create Process with Token through the use of privileged account management and the use of multi-factor authentication.
    References
      DE.CM-06.02 Third-party access monitoring Mitigates T1134.002 Create Process with Token
      Comments
      This diagnostic statement protects against Create Process with Token through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
      References
        PR.AA-05.01 Access privilege limitation Mitigates T1134.002 Create Process with Token
        Comments
        This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. An adversary must already have high-level, admin or root level access on a local system to make full use of these ATT&CK techniques. Restrict users and accounts to the least privileges they require can help mitigate these techniques.
        References
          PR.AA-01.02 Physical and logical access Mitigates T1134.002 Create Process with Token
          Comments
          This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
          References
            PR.AA-01.01 Identity and credential management Mitigates T1134.002 Create Process with Token
            Comments
            This diagnostic statement protects against Create Process with Token through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
            References

              NIST 800-53 Mappings

              Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
              CM-06 Configuration Settings mitigates T1134.002 Create Process with Token
              CM-05 Access Restrictions for Change mitigates T1134.002 Create Process with Token
              IA-02 Identification and Authentication (Organizational Users) mitigates T1134.002 Create Process with Token
              AC-02 Account Management mitigates T1134.002 Create Process with Token
              AC-03 Access Enforcement mitigates T1134.002 Create Process with Token
              AC-05 Separation of Duties mitigates T1134.002 Create Process with Token
              AC-06 Least Privilege mitigates T1134.002 Create Process with Token