Create Process with Token - T1134.002
(ATT&CK® Technique)
Definition
Adversaries may create a new process with an existing token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as CreateProcessWithTokenW and runas.
D3FEND Inferred Relationships
Offensive technique and the artifacts it touches:
Create Process with Token (T1134.002) --copies--> Access Token
Create Process with Token (T1134.002) --may-modify--> Event Log

Defensive techniques related through the Access Token artifact:
Decoy User Credential --spoofs--> Access Token; may-deceive Create Process with Token
Credential Compromise Scope Analysis --analyzes--> Access Token; may-detect Create Process with Token
Credential Revocation --deletes--> Access Token; may-evict Create Process with Token
Reissue Credential --restores--> Access Token; may-restore Create Process with Token
Credential Rotation --regenerates--> Access Token; may-harden Create Process with Token
Authentication Cache Invalidation --deletes--> Access Token; may-evict Create Process with Token
Token Binding --strengthens--> Access Token; may-harden Create Process with Token
Multi-factor Authentication --uses--> Access Token; may-harden Create Process with Token
Token-based Authentication --uses--> Access Token; may-harden Create Process with Token
Credential Transmission Scoping --isolates--> Access Token; may-isolate Create Process with Token
Credential Hardening --hardens--> Access Token; may-harden Create Process with Token