Detect Create Process with Token in Google Chronicle
Adversaries may create a new process with an existing token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as CreateProcessWithTokenW, CreateProcessAsUser, and runas. Creating processes with a token not associated with the current user may require the credentials of the target user, specific privileges to impersonate that user, or access to the token to be used. The token could be duplicated via Token Impersonation/Theft (T1134.001) or created via Make and Impersonate Token (T1134.003) before being used to create a new process. This technique has been observed in campaigns by Turla, Lazarus Group, KONNI, Azorult, Bankshot, REvil, WhisperGate, and Empire post-exploitation frameworks.
MITRE ATT&CK
- Technique
- T1134 Access Token Manipulation
- Sub-technique
- T1134.002 Create Process with Token
- Canonical reference
- https://attack.mitre.org/techniques/T1134/002/
YARA-L Detection Query
rule t1134_002_create_process_with_token {
meta:
author = "Argus Detection Engineering"
description = "Detects T1134.002 Create Process with Token via integrity escalation, account context switching, runas parent, or AdvancedRun.exe abuse"
mitre_attack_technique = "T1134.002"
mitre_attack_tactic = "Privilege Escalation"
severity = "HIGH"
confidence = "HIGH"
reference = "https://attack.mitre.org/techniques/T1134/002/"
created = "2025-01-01"
events:
$e.metadata.event_type = "PROCESS_LAUNCH"
$e.principal.hostname = $hostname
(
// Branch 1: AdvancedRun.exe - NirSoft tool abused for TrustedInstaller-level execution
re.regex($e.target.process.file.full_path, `(?i)advancedrun\.exe$`) or
re.regex($e.principal.process.file.full_path, `(?i)advancedrun\.exe$`)
) or
(
// Branch 2: runas.exe as parent spawning unexpected children
re.regex($e.principal.process.file.full_path, `(?i)runas\.exe$`) and
not re.regex($e.target.process.file.full_path, `(?i)(consent|werfault)\.exe$`)
) or
(
// Branch 3: Integrity escalation from scripting engine parent
$e.target.process.integrity_level_rid in [12288, 16384] and // High=0x3000, System=0x4000
$e.principal.process.integrity_level_rid in [4096, 8192] and // Medium=0x2000, Low=0x1000
re.regex($e.principal.process.file.full_path, `(?i)(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|msiexec|wmic)\.exe$`) and
not re.regex($e.target.process.file.full_path, `(?i)(consent|werfault|dllhost)\.exe$`)
) or
(
// Branch 4: Account context switch from scripting engine (different user from parent)
$e.target.process.access_token.user.userid != $e.principal.process.access_token.user.userid and
not re.regex($e.target.process.access_token.user.userid, `(?i)(SYSTEM|LOCAL SERVICE|NETWORK SERVICE)`) and
not re.regex($e.principal.process.access_token.user.userid, `(?i)(SYSTEM|LOCAL SERVICE|NETWORK SERVICE)`) and
re.regex($e.principal.process.file.full_path, `(?i)(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|msiexec|wmic)\.exe$`)
) or
(
// Branch 5: TrustedInstaller abuse in command line
re.regex($e.target.process.command_line, `(?i)trustedinstaller`) and
re.regex($e.principal.process.file.full_path, `(?i)(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|msiexec|wmic)\.exe$`)
)
condition:
$e
}Chronicle YARA-L 2.0 rule detecting T1134.002 Create Process with Token through five behavioral branches: AdvancedRun.exe tool usage, runas.exe parent chains, integrity level escalation from scripting engines, cross-account process spawning, and TrustedInstaller command-line abuse.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate use of Windows runas.exe by helpdesk technicians performing administrative tasks on endpoints using domain admin credentials during change windows.
- Software update mechanisms for enterprise applications that require elevation through scripting engine wrappers may produce integrity escalation signals on managed endpoints.
- AdvancedRun.exe used legitimately by IT teams as a diagnostic tool to run processes with specific integrity levels or as a different user for troubleshooting permission issues.
Other platforms for T1134.002
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Process Creation via runas with Alternate User Token
Expected signal: Sysmon Event ID 1: Process Create for cmd.exe with User=<hostname>\TestUser and IntegrityLevel=Medium, with ParentImage=runas.exe. Security Event 4648 (Explicit credentials used) with TargetUserName=TestUser, ProcessName=C:\Windows\System32\runas.exe, LogonType=9 (NewCredentials). Security Event 4624 (Logon successful) with LogonType=9 for the new TestUser session. Security Event 4672 if TestUser is in any privileged group.
- Test 2AdvancedRun.exe for TrustedInstaller-Level Process Execution
Expected signal: Sysmon Event ID 1 (AdvancedRun.exe launch): Image=AdvancedRun.exe from %TEMP%, IntegrityLevel=Medium. Sysmon Event ID 1 (cmd.exe spawn): Image=cmd.exe, User=NT SERVICE\TrustedInstaller, IntegrityLevel=System, ParentImage=AdvancedRun.exe. Sysmon Event ID 11: file creation at C:\Temp\ti-test.txt by cmd.exe running as TrustedInstaller. Prefetch file created at C:\Windows\Prefetch\ADVANCEDRUN.EXE-*.pf.
- Test 3WTSQueryUserToken Pattern via PowerShell P/Invoke
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with IntegrityLevel=Medium (or System if launched via PsExec -s). PowerShell ScriptBlock Event ID 4104: records the Add-Type definition including 'WTSQueryUserToken' and 'WTSGetActiveConsoleSessionId'. Sysmon Event ID 7 (Image Load): Wtsapi32.dll loaded by powershell.exe — this DLL load by a scripting engine is an anomaly indicator. If running as SYSTEM, Security Event 4624 with LogonType=9 follows the successful token query.
- Test 4Token Theft via PowerShell and CreateProcessAsUser (Invoke-RunAs simulation)
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with the -ExecutionPolicy Bypass flag. PowerShell ScriptBlock Event ID 4104: records the Add-Type definition containing 'OpenProcessToken', 'DuplicateTokenEx', 'CreateProcessWithTokenW'. Sysmon Event ID 7 (Image Load): advapi32.dll invoked via P/Invoke by powershell.exe for token manipulation. If run from elevated context, Security Event 4673 (Sensitive Privilege Use) for SeImpersonatePrivilege use.
References (9)
- https://attack.mitre.org/techniques/T1134/002/
- https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithtokenw
- https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessasusera
- https://docs.microsoft.com/en-us/windows/win32/api/wtsapi32/nf-wtsapi32-wtsqueryusertoken
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation
- https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771525(v=ws.11)
Unlock Pro Content
Get the full detection package for T1134.002 including response playbook, investigation guide, and atomic red team tests.