T1134.002

Create Process with Token

Adversaries may create a new process with an existing token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as CreateProcessWithTokenW, CreateProcessAsUser, and runas. Creating processes with a token not associated with the current user may require the credentials of the target user, specific privileges to impersonate that user, or access to the token to be used. The token could be duplicated via Token Impersonation/Theft (T1134.001) or created via Make and Impersonate Token (T1134.003) before being used to create a new process. This technique has been observed in campaigns by Turla, Lazarus Group, KONNI, Azorult, Bankshot, REvil, WhisperGate, and Empire post-exploitation frameworks.

Microsoft Sentinel / Defender

kusto

let SuspiciousScriptParents = dynamic(["cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "msiexec.exe", "wmic.exe"]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where (
    // Branch 1: Integrity level escalation — child runs High/System but parent is Medium/Low
    // and that parent is a scripting engine with no legitimate elevation path
    (ProcessIntegrityLevel in ("High", "System")
     and InitiatingProcessIntegrityLevel in ("Medium", "Low")
     and InitiatingProcessFileName in~ (SuspiciousScriptParents)
     and FileName !in~ ("consent.exe", "werfault.exe", "dllhost.exe"))
    or
    // Branch 2: Account context switch — process runs as a different named user than its parent
    // Excludes well-known service accounts which legitimately change user context
    (AccountName != InitiatingProcessAccountName
     and not (AccountName has_any ("SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE", ""))
     and not (InitiatingProcessAccountName has_any ("SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE", ""))
     and InitiatingProcessFileName in~ (SuspiciousScriptParents))
    or
    // Branch 3: runas.exe acting as parent — explicit token-based process creation
    // Excludes expected child processes of a normal runas UAC flow
    (InitiatingProcessFileName =~ "runas.exe"
     and FileName !in~ ("consent.exe", "werfault.exe"))
    or
    // Branch 4: AdvancedRun.exe — NirSoft utility weaponized by WhisperGate for TrustedInstaller-level execution
    (FileName =~ "AdvancedRun.exe"
     or InitiatingProcessFileName =~ "AdvancedRun.exe")
)
| extend
    IntegrityEscalation = (ProcessIntegrityLevel in ("High", "System")
        and InitiatingProcessIntegrityLevel in ("Medium", "Low")
        and InitiatingProcessFileName in~ (SuspiciousScriptParents)
        and FileName !in~ ("consent.exe", "werfault.exe", "dllhost.exe")),
    AccountContextSwitch = (AccountName != InitiatingProcessAccountName
        and not (AccountName has_any ("SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE", ""))
        and not (InitiatingProcessAccountName has_any ("SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE", ""))
        and InitiatingProcessFileName in~ (SuspiciousScriptParents)),
    RunasParent = (InitiatingProcessFileName =~ "runas.exe"
        and FileName !in~ ("consent.exe", "werfault.exe")),
    AdvancedRunTool = (FileName =~ "AdvancedRun.exe" or InitiatingProcessFileName =~ "AdvancedRun.exe")
| project Timestamp, DeviceName, AccountName, InitiatingProcessAccountName,
         FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         ProcessIntegrityLevel, InitiatingProcessIntegrityLevel,
         IntegrityEscalation, AccountContextSwitch, RunasParent, AdvancedRunTool
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Process: OS API Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Software installation tools and MSI packages that legitimately spawn elevated child processes via runas.exe or UAC prompts during setup routines
System administration scripts that use runas to execute maintenance tasks under alternate credentials as part of a least-privilege administrative workflow
IT automation platforms (SCCM, Ansible WinRM, PDQ Deploy) that execute tasks as a service account distinct from the initiating agent process, producing account context switches
Security products and EDR agents that intentionally spawn sub-processes under SYSTEM context for real-time monitoring or remediation, creating integrity level differences
Developer workstations where engineers routinely use runas or IDE-triggered elevation to test code requiring elevated privilege in a controlled environment

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval ImageLower=lower(Image)
| eval ParentImageLower=lower(ParentImage)
| eval IntegrityLevelLower=lower(IntegrityLevel)
| eval CommandLineLower=lower(CommandLine)
| eval ParentCommandLineLower=lower(ParentCommandLine)
| eval IntegrityEscalation=if(
    (IntegrityLevelLower="high" OR IntegrityLevelLower="system") AND
    match(ParentImageLower, "(\\\\cmd\\.exe|\\\\powershell\\.exe|\\\\pwsh\\.exe|\\\\wscript\\.exe|\\\\cscript\\.exe|\\\\mshta\\.exe|\\\\rundll32\\.exe|\\\\regsvr32\\.exe|\\\\wmic\\.exe)") AND
    NOT match(ImageLower, "(\\\\consent\\.exe|\\\\werfault\\.exe|\\\\dllhost\\.exe)"), 1, 0)
| eval RunasParent=if(
    match(ParentImageLower, "\\\\runas\\.exe") AND
    NOT match(ImageLower, "(\\\\consent\\.exe|\\\\werfault\\.exe)"), 1, 0)
| eval AdvancedRunTool=if(
    match(ImageLower, "\\\\advancedrun\\.exe") OR
    match(ParentImageLower, "\\\\advancedrun\\.exe"), 1, 0)
| eval TrustedInstallerAbuse=if(
    match(CommandLineLower, "trustedinstaller") OR
    match(ParentCommandLineLower, "trustedinstaller"), 1, 0)
| eval SuspicionScore=IntegrityEscalation + RunasParent + AdvancedRunTool + TrustedInstallerAbuse
| where SuspicionScore > 0
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
        IntegrityLevel, IntegrityEscalation, RunasParent, AdvancedRunTool, TrustedInstallerAbuse, SuspicionScore
| sort - _time

high severity medium confidence

Data Sources

Process: Process Creation Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Software installation tools and MSI packages that legitimately spawn elevated child processes via runas.exe or UAC prompts during setup routines
System administration scripts that use runas to execute maintenance tasks under alternate credentials as part of a least-privilege administrative workflow
IT automation platforms (SCCM, Ansible WinRM, PDQ Deploy) that execute tasks as a service account distinct from the initiating agent process
Security products and EDR agents that intentionally spawn sub-processes under SYSTEM context for real-time monitoring or remediation
Developer workstations where engineers routinely use runas or IDE-triggered elevation to test code requiring elevated privilege

Elastic Security (EQL)

eql

sequence by host.id with maxspan=5s
  [process where event.type == "start" and
   (
     /* Branch 1: Integrity level escalation from scripting engine parent */
     (
       process.token.integrity_level_name in ("high", "system") and
       process.parent.token.integrity_level_name in ("medium", "low") and
       process.parent.name in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "msiexec.exe", "wmic.exe") and
       process.name not in~ ("consent.exe", "werfault.exe", "dllhost.exe")
     ) or
     /* Branch 2: Account context switch from scripting engine */
     (
       process.user.name != process.parent.user.name and
       process.user.name not in~ ("system", "local service", "network service") and
       process.parent.user.name not in~ ("system", "local service", "network service") and
       process.parent.name in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "msiexec.exe", "wmic.exe")
     ) or
     /* Branch 3: runas.exe as parent */
     (
       process.parent.name =~ "runas.exe" and
       process.name not in~ ("consent.exe", "werfault.exe")
     ) or
     /* Branch 4: AdvancedRun.exe - NirSoft tool abused for TrustedInstaller execution */
     (
       process.name =~ "AdvancedRun.exe" or
       process.parent.name =~ "AdvancedRun.exe"
     )
   )
  ]

high severity high confidence

Data Sources

Elastic Endpoint Windows Security Events Sysmon via Filebeat

Required Tables

logs-endpoint.events.process-* winlogbeat-*

False Positives

Legitimate administrative tools like SysInternals PsExec or similar elevation utilities used by IT staff can trigger integrity escalation branches when admins deliberately run processes under elevated contexts.
Software deployment tools (SCCM, Ansible, Chef) may legitimately spawn processes as different users from scripting engine parents during patch cycles or provisioning workflows.
Developer workstations running build pipelines or test harnesses that use runas.exe or token duplication internally to test multi-user scenarios or privilege-separated services.

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  "username",
  "domain",
  QIDNAME(qid) AS event_name,
  "Process Name",
  "Command",
  "Parent Process Name",
  "Parent Command",
  CASE
    WHEN LOWER("Process Name") LIKE '%advancedrun.exe%' OR LOWER("Parent Process Name") LIKE '%advancedrun.exe%'
      THEN 'AdvancedRunTool'
    WHEN LOWER("Parent Process Name") LIKE '%runas.exe%'
      AND LOWER("Process Name") NOT LIKE '%consent.exe%'
      AND LOWER("Process Name") NOT LIKE '%werfault.exe%'
      THEN 'RunasParent'
    WHEN (
      LOWER("Parent Process Name") LIKE '%cmd.exe%' OR
      LOWER("Parent Process Name") LIKE '%powershell.exe%' OR
      LOWER("Parent Process Name") LIKE '%pwsh.exe%' OR
      LOWER("Parent Process Name") LIKE '%wscript.exe%' OR
      LOWER("Parent Process Name") LIKE '%cscript.exe%' OR
      LOWER("Parent Process Name") LIKE '%mshta.exe%' OR
      LOWER("Parent Process Name") LIKE '%rundll32.exe%' OR
      LOWER("Parent Process Name") LIKE '%regsvr32.exe%' OR
      LOWER("Parent Process Name") LIKE '%wmic.exe%'
    ) AND (
      LOWER("Command") LIKE '%trustedinstaller%' OR
      LOWER("Parent Command") LIKE '%trustedinstaller%'
    ) THEN 'TrustedInstallerAbuse'
    ELSE 'IntegrityEscalation'
  END AS detection_branch,
  sourceip
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (
    SELECT id FROM LOGSOURCETYPE WHERE name LIKE '%Windows%' OR name LIKE '%Sysmon%'
  )
  AND qid IN (
    SELECT id FROM QID WHERE name LIKE '%Process Create%' OR name LIKE '%4688%' OR name LIKE 'Sysmon%1%'
  )
  AND (
    LOWER("Process Name") LIKE '%advancedrun.exe%'
    OR LOWER("Parent Process Name") LIKE '%advancedrun.exe%'
    OR (
      LOWER("Parent Process Name") LIKE '%runas.exe%'
      AND LOWER("Process Name") NOT LIKE '%consent.exe%'
      AND LOWER("Process Name") NOT LIKE '%werfault.exe%'
    )
    OR (
      (
        LOWER("Parent Process Name") LIKE '%cmd.exe%' OR
        LOWER("Parent Process Name") LIKE '%powershell.exe%' OR
        LOWER("Parent Process Name") LIKE '%pwsh.exe%' OR
        LOWER("Parent Process Name") LIKE '%wscript.exe%' OR
        LOWER("Parent Process Name") LIKE '%cscript.exe%' OR
        LOWER("Parent Process Name") LIKE '%mshta.exe%' OR
        LOWER("Parent Process Name") LIKE '%rundll32.exe%' OR
        LOWER("Parent Process Name") LIKE '%regsvr32.exe%'
      )
      AND (
        LOWER("Command") LIKE '%trustedinstaller%' OR
        LOWER("Parent Command") LIKE '%trustedinstaller%'
      )
    )
  )
  AND LOGSOURCETIME BETWEEN NOW() - 86400000 AND NOW()
ORDER BY starttime DESC
LIMIT 500

high severity medium confidence

Data Sources

Windows Security Event Log (WinCollect) Sysmon via WinCollect Microsoft Windows DSM

Required Tables

events

False Positives

IT administrators using runas.exe for legitimate privilege escalation during maintenance tasks or software installation on endpoints.
Automated deployment or configuration management systems that legitimately invoke elevated processes through scripting engines during software provisioning.
Security tools such as vulnerability scanners or EDR agents that may spawn child processes with elevated integrity levels as part of their normal operation.

Sumo Logic CSE

sql

_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*endpoint*
| where (%"EventID" = "1" OR %"event_id" = "1" OR %"EventCode" = "1" OR %"EventID" = "4688" OR %"event_id" = "4688")
| parse field=%"Image" "*\\*" as image_path, image_name nodrop
| parse field=%"ParentImage" "*\\*" as parent_path, parent_name nodrop
| parse field=%"NewProcessName" "*\\*" as new_proc_path, new_proc_name nodrop
| parse field=%"ParentProcessName" "*\\*" as parent_proc_path, parent_proc_name nodrop
| if (!isEmpty(image_name), image_name, new_proc_name) as process_name
| if (!isEmpty(parent_name), parent_name, parent_proc_name) as parent_process_name
| toLowerCase(process_name) as process_name_lower
| toLowerCase(parent_process_name) as parent_name_lower
| toLowerCase(%"CommandLine") as cmdline_lower
| toLowerCase(%"ParentCommandLine") as parent_cmdline_lower
| toLowerCase(%"IntegrityLevel") as integrity_lower
| eval integrity_escalation = if(
    (integrity_lower = "high" or integrity_lower = "system") and
    (
      parent_name_lower matches "*cmd.exe" or
      parent_name_lower matches "*powershell.exe" or
      parent_name_lower matches "*pwsh.exe" or
      parent_name_lower matches "*wscript.exe" or
      parent_name_lower matches "*cscript.exe" or
      parent_name_lower matches "*mshta.exe" or
      parent_name_lower matches "*rundll32.exe" or
      parent_name_lower matches "*regsvr32.exe" or
      parent_name_lower matches "*wmic.exe"
    ) and
    !(process_name_lower matches "*consent.exe" or process_name_lower matches "*werfault.exe" or process_name_lower matches "*dllhost.exe")
  , 1, 0)
| eval runas_parent = if(
    parent_name_lower matches "*runas.exe" and
    !(process_name_lower matches "*consent.exe" or process_name_lower matches "*werfault.exe")
  , 1, 0)
| eval advancedrun_tool = if(
    process_name_lower matches "*advancedrun.exe" or
    parent_name_lower matches "*advancedrun.exe"
  , 1, 0)
| eval trustedinstaller_abuse = if(
    (cmdline_lower matches "*trustedinstaller*" or parent_cmdline_lower matches "*trustedinstaller*")
  , 1, 0)
| eval suspicion_score = integrity_escalation + runas_parent + advancedrun_tool + trustedinstaller_abuse
| where suspicion_score > 0
| fields _messageTime, _sourceHost, %"User", process_name, %"CommandLine", parent_process_name, %"ParentCommandLine", integrity_lower, integrity_escalation, runas_parent, advancedrun_tool, trustedinstaller_abuse, suspicion_score
| sort by _messageTime desc

high severity high confidence

Data Sources

Sysmon (Event ID 1) Windows Security Events (Event ID 4688) Windows endpoint log collectors

Required Tables

Sumo Logic Continuous Intelligence (search index)

False Positives

Enterprise software such as PDQ Deploy, Chocolatey, or similar tools that use elevated scripting wrappers to manage installations may trigger integrity escalation detections during scheduled maintenance windows.
Security operations teams performing authorized red team exercises or penetration tests using runas.exe or Empire/Metasploit token impersonation modules.
Third-party IT management platforms (Kaseya, ConnectWise) that spawn elevated helper processes from scripting engine parents as part of remote management workflows.

Google Chronicle / SecOps

yaral

rule t1134_002_create_process_with_token {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1134.002 Create Process with Token via integrity escalation, account context switching, runas parent, or AdvancedRun.exe abuse"
    mitre_attack_technique = "T1134.002"
    mitre_attack_tactic = "Privilege Escalation"
    severity = "HIGH"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1134/002/"
    created = "2025-01-01"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname

    (
      // Branch 1: AdvancedRun.exe - NirSoft tool abused for TrustedInstaller-level execution
      re.regex($e.target.process.file.full_path, `(?i)advancedrun\.exe$`) or
      re.regex($e.principal.process.file.full_path, `(?i)advancedrun\.exe$`)
    ) or
    (
      // Branch 2: runas.exe as parent spawning unexpected children
      re.regex($e.principal.process.file.full_path, `(?i)runas\.exe$`) and
      not re.regex($e.target.process.file.full_path, `(?i)(consent|werfault)\.exe$`)
    ) or
    (
      // Branch 3: Integrity escalation from scripting engine parent
      $e.target.process.integrity_level_rid in [12288, 16384] and  // High=0x3000, System=0x4000
      $e.principal.process.integrity_level_rid in [4096, 8192] and // Medium=0x2000, Low=0x1000
      re.regex($e.principal.process.file.full_path, `(?i)(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|msiexec|wmic)\.exe$`) and
      not re.regex($e.target.process.file.full_path, `(?i)(consent|werfault|dllhost)\.exe$`)
    ) or
    (
      // Branch 4: Account context switch from scripting engine (different user from parent)
      $e.target.process.access_token.user.userid != $e.principal.process.access_token.user.userid and
      not re.regex($e.target.process.access_token.user.userid, `(?i)(SYSTEM|LOCAL SERVICE|NETWORK SERVICE)`) and
      not re.regex($e.principal.process.access_token.user.userid, `(?i)(SYSTEM|LOCAL SERVICE|NETWORK SERVICE)`) and
      re.regex($e.principal.process.file.full_path, `(?i)(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|msiexec|wmic)\.exe$`)
    ) or
    (
      // Branch 5: TrustedInstaller abuse in command line
      re.regex($e.target.process.command_line, `(?i)trustedinstaller`) and
      re.regex($e.principal.process.file.full_path, `(?i)(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|msiexec|wmic)\.exe$`)
    )

  condition:
    $e
}

high severity medium confidence

Data Sources

Windows Endpoint telemetry via Chronicle forwarder Google Chronicle UDM ingestion Sysmon logs via Chronicle

Required Tables

UDM Events (process launch type)

False Positives

Legitimate use of Windows runas.exe by helpdesk technicians performing administrative tasks on endpoints using domain admin credentials during change windows.
Software update mechanisms for enterprise applications that require elevation through scripting engine wrappers may produce integrity escalation signals on managed endpoints.
AdvancedRun.exe used legitimately by IT teams as a diagnostic tool to run processes with specific integrity levels or as a different user for troubleshooting permission issues.

CrowdStrike LogScale (CQL)

cql

// T1134.002 - Create Process with Token Detection
// Matches: integrity escalation, runas parent, AdvancedRun.exe, TrustedInstaller abuse, account context switching

#event_simpleName=ProcessRollup2
| eval process_name_lower = lower(FileName)
| eval parent_name_lower = lower(ParentBaseFileName)
| eval cmdline_lower = lower(CommandLine)
| eval parent_cmdline_lower = lower(ParentCommandLine)

// Score each detection branch
| eval integrity_escalation = if(
    (IntegrityLevel in ["High", "System"]) AND
    (parent_name_lower in ["cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "msiexec.exe", "wmic.exe"]) AND
    NOT (process_name_lower in ["consent.exe", "werfault.exe", "dllhost.exe"]),
    1, 0)

| eval runas_parent = if(
    parent_name_lower = "runas.exe" AND
    NOT (process_name_lower in ["consent.exe", "werfault.exe"]),
    1, 0)

| eval advancedrun_tool = if(
    process_name_lower = "advancedrun.exe" OR
    parent_name_lower = "advancedrun.exe",
    1, 0)

| eval trustedinstaller_abuse = if(
    match(cmdline_lower, "trustedinstaller") OR
    match(parent_cmdline_lower, "trustedinstaller"),
    1, 0)

| eval account_context_switch = if(
    UserName != ParentUserName AND
    NOT (UserName in ["SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE", ""]) AND
    NOT (ParentUserName in ["SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE", ""]) AND
    (parent_name_lower in ["cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "wmic.exe"]),
    1, 0)

| eval suspicion_score = integrity_escalation + runas_parent + advancedrun_tool + trustedinstaller_abuse + account_context_switch
| where suspicion_score > 0

| eval detection_branches = array(
    if(integrity_escalation=1, "IntegrityEscalation", null()),
    if(runas_parent=1, "RunasParent", null()),
    if(advancedrun_tool=1, "AdvancedRunTool", null()),
    if(trustedinstaller_abuse=1, "TrustedInstallerAbuse", null()),
    if(account_context_switch=1, "AccountContextSwitch", null())
  )

| table
    timestamp,
    ComputerName,
    UserName,
    ParentUserName,
    FileName,
    CommandLine,
    ParentBaseFileName,
    ParentCommandLine,
    IntegrityLevel,
    suspicion_score,
    detection_branches
| sort timestamp desc

high severity high confidence

Data Sources

CrowdStrike Falcon EDR (ProcessRollup2 events) Falcon Data Replicator Falcon LogScale (Humio)

Required Tables

ProcessRollup2 (#event_simpleName)

False Positives

CrowdStrike Falcon sensor self-updates or configuration changes may spawn elevated processes from scripting wrappers as part of policy enforcement, triggering integrity escalation branches.
Enterprise endpoint management suites running as SYSTEM that legitimately spawn user-context processes (context switch) during interactive session management or profile loading.
Software packaging tools like InstallShield or Advanced Installer that use elevated token creation internally during MSI package execution, especially in enterprise silent-install scenarios.

Last updated: 2026-04-18 Research depth: deep

References (9)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1134.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1134Access Token Manipulation

Related Sub-techniques

T1134.001Token Impersonation/Theft T1134.003Make and Impersonate Token T1134.004Parent PID Spoofing T1134.005SID-History Injection

Create Process with Token

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections