T1134.002: Create Process with Token

Adversaries may create a new process with an existing token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as CreateProcessWithTokenW and runas.

Creating processes with a token not associated with the current user may require the credentials of the target user, specific privileges to impersonate that user, or access to the token to be used. For example, the token could be duplicated via Token Impersonation/Theft or created via Make and Impersonate Token before being used to create a process.

While this technique is distinct from Token Impersonation/Theft, the techniques can be used in conjunction where a token is duplicated and then used to create a new process.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

mitre_attck_privilege_escalation: PT-CR-592: RunAs_Subrule_Login: A user is authenticated as another user
mitre_attck_privilege_escalation: PT-CR-468: RunAs_Context_Menu_Subrule_Execute: A process was started using the "Run as different user" context menu in Windows OS
mitre_attck_privilege_escalation: PT-CR-853: RoguePotato_PrivEsc: Privileges are escalated using the RoguePotato technique
mitre_attck_privilege_escalation: PT-CR-462: RunAs_Context_Menu: A user started a process as another user
mitre_attck_privilege_escalation: PT-CR-846: JuicyPotato_PrivEsc: Privilege escalation to the SYSTEM user using the JuicyPotato or JuicyPotatoNG technique. Once SYSTEM, the attacker can extract from the compromised node the credentials of local users and services, and in some cases of other users who have logged on to this node, and use them to move laterally (Lateral Movement) to other infrastructure nodes
mitre_attck_privilege_escalation: PT-CR-464: RunAs_System_Or_External_Tools: A user started a process as another user, or with credentials used only for outgoing network connections (runas /netonly)
mitre_attck_cred_access: PT-CR-2496: LetMeowIn_LSASS_Dump: Possible use of the LetMeowIn utility to dump lsass.exe memory in order to extract passwords or NTLM hashes. The utility creates a copy of lsass.exe by duplicating its handle
mitre_attck_cred_access: PT-CR-2494: Subrule_LetMeowIn_LSASS_Dump: Access to an lsass.exe copy created by duplicating an existing lsass.exe handle. This may indicate an attempt to dump the memory of the copy to a separate file

Detection

ID: DS0009
Data source and component: Process: OS API Execution
Description:

Token manipulation performed through API calls can be detected only through careful analysis of user activity, examination of running processes, and correlation with other endpoint and network behavior; the Windows Security event log does not record API calls, so this telemetry normally comes from an EDR sensor. Analysts can also monitor for use of Windows APIs such as CreateProcessWithTokenW and correlate that activity with other suspicious behavior to reduce false positives caused by normal, benign use by users and administrators.

ID: DS0017
Data source and component: Command: Command Execution
Description:

Monitor executed commands and arguments to detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command or similar artifacts. Detailed command-line logging is not enabled by default in Windows: process creation auditing (Security event 4688) must be turned on through the advanced audit policy, and the command line is only recorded when "Include command line in process creation events" (Computer Configuration > Administrative Templates > System > Audit Process Creation) is also enabled. Explicit-credential logons such as those produced by runas additionally appear as Security event 4648 when logon auditing is enabled.
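The following PowerShell hunt is an added example, not code from the original page or from MaxPatrol SIEM. It reads the local Security log for the two host artifacts discussed above: 4688 process-creation events where the new process is runas.exe, a child of runas.exe, or runs under a different account than its creator, and 4648 explicit-credential logons where the subject and target accounts differ. It assumes process-creation auditing with command-line inclusion and logon auditing are enabled, that it is run from an elevated shell (reading the Security log requires it), and that the 24-hour look-back is just a default; the 4648 filter drops machine accounts (names ending in "$") as an assumption about what is noise in a typical environment, and does not assume any particular process name for the runas-generated 4648.

```powershell
# Added example (not from the original page or from MaxPatrol SIEM): hunt the local Security log
# for runas-style process creation. Assumes Audit Process Creation (4688) with command-line
# inclusion and Audit Logon (4648) are enabled, and that the shell is elevated.

function ConvertTo-EventDataMap {
    # Flatten the <EventData><Data Name="..."> elements of an event record into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $map = @{}
    foreach ($d in $xml.Event.EventData.Data) { $map[$d.Name] = $d.'#text' }
    return $map
}

function Find-RunAsActivity {
    param([int]$Hours = 24)   # look-back window; 24 h is an arbitrary default (assumption)
    $since = (Get-Date).AddHours(-$Hours)

    # 4688 (process creation): flag runas.exe itself, its children, and any process whose
    # "Target Subject" (the account the new process runs as, populated on Windows 10 /
    # Server 2016 and later, '-' when it equals the creator) differs from the creating account.
    $procs = @(Get-WinEvent -FilterHashtable @{LogName = 'Security'; Id = 4688; StartTime = $since} -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertTo-EventDataMap $_
            $viaRunas   = ($d.NewProcessName -like '*\runas.exe') -or ($d.ParentProcessName -like '*\runas.exe')
            $userSwitch = $d.TargetUserName -and ($d.TargetUserName -ne '-') -and ($d.TargetUserName -ne $d.SubjectUserName)
            if ($viaRunas -or $userSwitch) {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    EventId     = 4688
                    Creator     = '{0}\{1}' -f $d.SubjectDomainName, $d.SubjectUserName
                    RunsAs      = '{0}\{1}' -f $d.TargetDomainName, $d.TargetUserName
                    Process     = $d.NewProcessName
                    Parent      = $d.ParentProcessName
                    CommandLine = $d.CommandLine   # empty unless command-line inclusion is enabled
                }
            }
        })

    # 4648 (logon with explicit credentials): runas /user:... raises one on the source host.
    # Machine accounts (name ending in '$') and Subject == Target are dropped to cut noise;
    # scheduled tasks and services using stored credentials will still appear and need triage.
    $logons = @(Get-WinEvent -FilterHashtable @{LogName = 'Security'; Id = 4648; StartTime = $since} -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertTo-EventDataMap $_
            if (($d.SubjectUserName -notlike '*$') -and ($d.SubjectUserName -ne $d.TargetUserName)) {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    EventId     = 4648
                    Creator     = '{0}\{1}' -f $d.SubjectDomainName, $d.SubjectUserName
                    RunsAs      = '{0}\{1}' -f $d.TargetDomainName, $d.TargetUserName
                    Process     = $d.ProcessName
                    Parent      = $null
                    CommandLine = $null
                }
            }
        })

    $procs + $logons | Sort-Object Time
}

Find-RunAsActivity -Hours 24 | Format-Table -AutoSize
```

Pair the two streams by time and account when triaging: a 4648 from an interactive user followed within seconds by a 4688 whose Target Subject is the same account is the signature of runas or the "Run as different user" menu, whereas 4648 events whose subject is a service account with no matching 4688 are usually scheduled tasks or service logons.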

Mitigation

ID: M1026
Name: Privileged Account Management
Description:

Limit permissions so that users and user groups cannot create tokens. This right (SeCreateTokenPrivilege) should be assigned to the local system account only. GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create a token object. Also restrict who can assign a process-level token (SeAssignPrimaryTokenPrivilege) to the Local Service and Network Service accounts through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Replace a process level token. Note that these two rights govern token creation and CreateProcessAsUser; CreateProcessWithTokenW instead requires SeImpersonatePrivilege, which administrators and service accounts hold by default, and the RoguePotato and JuicyPotato techniques covered by the rules above abuse that privilege from service contexts, so the two rights above do not close that path on their own.

Administrators should log in as a standard user but run their tools with administrator privileges using the built-in access token manipulation command runas. runas prompts for the target account's password each time; avoid its /savecred switch, which stores the credential in Credential Manager and lets anyone who gains the standard-user session reuse it.
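The following PowerShell audit is an added example, not code from the original page, for checking the two user rights named above and the SeImpersonatePrivilege caveat on a host. It exports the local security policy with secedit (which needs an elevated shell) and compares the holders of SeCreateTokenPrivilege and SeAssignPrimaryTokenPrivilege against the page's guidance; the allowed-holder lists (SYSTEM only, and LOCAL SERVICE plus NETWORK SERVICE, written as the well-known SIDs S-1-5-18, S-1-5-19 and S-1-5-20) and the temporary file name are assumptions of this example.

```powershell
# Added example (not from the original page): audit "Create a token object" and
# "Replace a process level token" holders, and report whether the current token carries
# SeImpersonatePrivilege. Run elevated; secedit /export requires administrator rights.

function Get-PrivilegeRightsFromInf {
    # secedit writes an INF whose [Privilege Rights] section contains lines such as
    #   SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
    # Holders are *-prefixed SIDs or account names; a missing line means nobody holds the right.
    param([string[]]$InfLines)
    $rights = @{}
    foreach ($line in $InfLines) {
        if ($line -match '^\s*(Se\w+Privilege)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
    }
    return $rights
}

function Test-TokenRights {
    $inf = Join-Path $env:TEMP 'user-rights-export.inf'   # temporary file name is an assumption
    secedit /export /cfg $inf /quiet | Out-Null
    $rights = Get-PrivilegeRightsFromInf (Get-Content -Path $inf)
    Remove-Item -Path $inf -ErrorAction SilentlyContinue

    # Allowed holders per the page's guidance (assumed here as well-known SIDs).
    $allowed = @{
        SeCreateTokenPrivilege        = @('*S-1-5-18')                # Create a token object: SYSTEM only
        SeAssignPrimaryTokenPrivilege = @('*S-1-5-19', '*S-1-5-20')   # Replace a process level token: LOCAL/NETWORK SERVICE
    }
    foreach ($priv in $allowed.Keys) {
        $holders    = if ($rights.ContainsKey($priv)) { $rights[$priv] } else { @() }
        $unexpected = @($holders | Where-Object { $allowed[$priv] -notcontains $_ })
        [pscustomobject]@{
            Privilege  = $priv
            Holders    = ($holders -join ',')
            Unexpected = ($unexpected -join ',')
            Compliant  = ($unexpected.Count -eq 0)
        }
    }
}

function Test-ImpersonatePrivilege {
    # CreateProcessWithTokenW (and the Potato family) need SeImpersonatePrivilege on the calling
    # token; whoami /priv lists the current token's privileges whether enabled or disabled.
    [bool]((whoami /priv) -match 'SeImpersonatePrivilege')
}

Test-TokenRights | Format-Table -AutoSize
"Current token holds SeImpersonatePrivilege: $(Test-ImpersonatePrivilege)"
```

Run it under the accounts that actually execute services and scheduled tasks, not only as a domain administrator: a Compliant result for the two rights says nothing about the Potato path if the service account still holds SeImpersonatePrivilege, and that is the case the second function is there to surface.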

ID: M1018
Name: User Account Management
Description:

An adversary must already have administrator level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require.