T1134.002 Create Process with Token Mappings

Adversaries may create a new process with a duplicated token to escalate privileges and bypass access controls. An adversary can duplicate a desired access token with <code>DuplicateToken(Ex)</code> and use it with <code>CreateProcessWithTokenW</code> to create a new process running under the security context of the impersonated user. This is useful for creating a new process under the security context of a different user.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-2 Account Management Protects T1134.002 Create Process with Token
AC-3 Access Enforcement Protects T1134.002 Create Process with Token
AC-5 Separation of Duties Protects T1134.002 Create Process with Token
AC-6 Least Privilege Protects T1134.002 Create Process with Token
CM-5 Access Restrictions for Change Protects T1134.002 Create Process with Token
CM-6 Configuration Settings Protects T1134.002 Create Process with Token
IA-2 Identification and Authentication (organizational Users) Protects T1134.002 Create Process with Token
azure_sentinel Azure Sentinel technique_scores T1134.002 Create Process with Token