Adversaries may create a new process with a duplicated token to escalate privileges and bypass access controls. An adversary can duplicate a desired access token with <code>DuplicateToken(Ex)</code> and use it with <code>CreateProcessWithTokenW</code> to create a new process running under the security context of the impersonated user. This is useful for creating a new process under the security context of a different user.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| AC-2 | Account Management | Protects | T1134.002 | Create Process with Token | |
| AC-3 | Access Enforcement | Protects | T1134.002 | Create Process with Token | |
| AC-5 | Separation of Duties | Protects | T1134.002 | Create Process with Token | |
| AC-6 | Least Privilege | Protects | T1134.002 | Create Process with Token | |
| CM-5 | Access Restrictions for Change | Protects | T1134.002 | Create Process with Token | |
| CM-6 | Configuration Settings | Protects | T1134.002 | Create Process with Token | |
| IA-2 | Identification and Authentication (organizational Users) | Protects | T1134.002 | Create Process with Token |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| azure_sentinel | Azure Sentinel | technique_scores | T1134.002 | Create Process with Token |
Comments
The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can be used to make tokens via Invoke-RunAs and add a SID-History to a user if on a domain controller, but does not address other procedures.
References
|