T1134.002 Microsoft Sentinel · KQL

Detect Create Process with Token in Microsoft Sentinel

Adversaries may create a new process with an existing token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as CreateProcessWithTokenW, CreateProcessAsUser, and runas. Creating processes with a token not associated with the current user may require the credentials of the target user, specific privileges to impersonate that user, or access to the token to be used. The token could be duplicated via Token Impersonation/Theft (T1134.001) or created via Make and Impersonate Token (T1134.003) before being used to create a new process. This technique has been observed in campaigns by Turla, Lazarus Group, KONNI, Azorult, Bankshot, REvil, WhisperGate, and Empire post-exploitation frameworks.

MITRE ATT&CK

Tactic
Defense Evasion Privilege Escalation
Technique
T1134 Access Token Manipulation
Sub-technique
T1134.002 Create Process with Token
Canonical reference
https://attack.mitre.org/techniques/T1134/002/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let SuspiciousScriptParents = dynamic(["cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "msiexec.exe", "wmic.exe"]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where (
    // Branch 1: Integrity level escalation — child runs High/System but parent is Medium/Low
    // and that parent is a scripting engine with no legitimate elevation path
    (ProcessIntegrityLevel in ("High", "System")
     and InitiatingProcessIntegrityLevel in ("Medium", "Low")
     and InitiatingProcessFileName in~ (SuspiciousScriptParents)
     and FileName !in~ ("consent.exe", "werfault.exe", "dllhost.exe"))
    or
    // Branch 2: Account context switch — process runs as a different named user than its parent
    // Excludes well-known service accounts which legitimately change user context
    (AccountName != InitiatingProcessAccountName
     and not (AccountName has_any ("SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE", ""))
     and not (InitiatingProcessAccountName has_any ("SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE", ""))
     and InitiatingProcessFileName in~ (SuspiciousScriptParents))
    or
    // Branch 3: runas.exe acting as parent — explicit token-based process creation
    // Excludes expected child processes of a normal runas UAC flow
    (InitiatingProcessFileName =~ "runas.exe"
     and FileName !in~ ("consent.exe", "werfault.exe"))
    or
    // Branch 4: AdvancedRun.exe — NirSoft utility weaponized by WhisperGate for TrustedInstaller-level execution
    (FileName =~ "AdvancedRun.exe"
     or InitiatingProcessFileName =~ "AdvancedRun.exe")
)
| extend
    IntegrityEscalation = (ProcessIntegrityLevel in ("High", "System")
        and InitiatingProcessIntegrityLevel in ("Medium", "Low")
        and InitiatingProcessFileName in~ (SuspiciousScriptParents)
        and FileName !in~ ("consent.exe", "werfault.exe", "dllhost.exe")),
    AccountContextSwitch = (AccountName != InitiatingProcessAccountName
        and not (AccountName has_any ("SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE", ""))
        and not (InitiatingProcessAccountName has_any ("SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE", ""))
        and InitiatingProcessFileName in~ (SuspiciousScriptParents)),
    RunasParent = (InitiatingProcessFileName =~ "runas.exe"
        and FileName !in~ ("consent.exe", "werfault.exe")),
    AdvancedRunTool = (FileName =~ "AdvancedRun.exe" or InitiatingProcessFileName =~ "AdvancedRun.exe")
| project Timestamp, DeviceName, AccountName, InitiatingProcessAccountName,
         FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         ProcessIntegrityLevel, InitiatingProcessIntegrityLevel,
         IntegrityEscalation, AccountContextSwitch, RunasParent, AdvancedRunTool
| sort by Timestamp desc
high severity medium confidence

Detects process creation with token substitution using Microsoft Defender for Endpoint (MDE) DeviceProcessEvents. Covers four behavioral patterns: (1) integrity level escalation where a child process runs at High or System integrity despite being spawned by a medium-integrity scripting engine, indicating token replacement rather than a standard UAC elevation; (2) account context switching between parent and child process through scripting interpreters — a direct behavioral signature of CreateProcessAsUser or CreateProcessWithTokenW substituting the calling thread's token; (3) runas.exe acting as a parent process for token-based spawning; and (4) AdvancedRun.exe, a NirSoft utility weaponized by WhisperGate and similar malware for TrustedInstaller-level process execution. ProcessIntegrityLevel and InitiatingProcessIntegrityLevel are native MDE DeviceProcessEvents fields that expose the Windows Mandatory Integrity Level assigned to each process.

Data Sources

Process: Process CreationProcess: OS API ExecutionMicrosoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives & Tuning

  • Software installation tools and MSI packages that legitimately spawn elevated child processes via runas.exe or UAC prompts during setup routines
  • System administration scripts that use runas to execute maintenance tasks under alternate credentials as part of a least-privilege administrative workflow
  • IT automation platforms (SCCM, Ansible WinRM, PDQ Deploy) that execute tasks as a service account distinct from the initiating agent process, producing account context switches
  • Security products and EDR agents that intentionally spawn sub-processes under SYSTEM context for real-time monitoring or remediation, creating integrity level differences
  • Developer workstations where engineers routinely use runas or IDE-triggered elevation to test code requiring elevated privilege in a controlled environment
Download portable Sigma rule (.yml)

Other platforms for T1134.002

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Process Creation via runas with Alternate User Token

    Expected signal: Sysmon Event ID 1: Process Create for cmd.exe with User=<hostname>\TestUser and IntegrityLevel=Medium, with ParentImage=runas.exe. Security Event 4648 (Explicit credentials used) with TargetUserName=TestUser, ProcessName=C:\Windows\System32\runas.exe, LogonType=9 (NewCredentials). Security Event 4624 (Logon successful) with LogonType=9 for the new TestUser session. Security Event 4672 if TestUser is in any privileged group.

  2. Test 2AdvancedRun.exe for TrustedInstaller-Level Process Execution

    Expected signal: Sysmon Event ID 1 (AdvancedRun.exe launch): Image=AdvancedRun.exe from %TEMP%, IntegrityLevel=Medium. Sysmon Event ID 1 (cmd.exe spawn): Image=cmd.exe, User=NT SERVICE\TrustedInstaller, IntegrityLevel=System, ParentImage=AdvancedRun.exe. Sysmon Event ID 11: file creation at C:\Temp\ti-test.txt by cmd.exe running as TrustedInstaller. Prefetch file created at C:\Windows\Prefetch\ADVANCEDRUN.EXE-*.pf.

  3. Test 3WTSQueryUserToken Pattern via PowerShell P/Invoke

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with IntegrityLevel=Medium (or System if launched via PsExec -s). PowerShell ScriptBlock Event ID 4104: records the Add-Type definition including 'WTSQueryUserToken' and 'WTSGetActiveConsoleSessionId'. Sysmon Event ID 7 (Image Load): Wtsapi32.dll loaded by powershell.exe — this DLL load by a scripting engine is an anomaly indicator. If running as SYSTEM, Security Event 4624 with LogonType=9 follows the successful token query.

  4. Test 4Token Theft via PowerShell and CreateProcessAsUser (Invoke-RunAs simulation)

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with the -ExecutionPolicy Bypass flag. PowerShell ScriptBlock Event ID 4104: records the Add-Type definition containing 'OpenProcessToken', 'DuplicateTokenEx', 'CreateProcessWithTokenW'. Sysmon Event ID 7 (Image Load): advapi32.dll invoked via P/Invoke by powershell.exe for token manipulation. If run from elevated context, Security Event 4673 (Sensitive Privilege Use) for SeImpersonatePrivilege use.

Last updated: 2026-04-18 Research depth: deep
References (9)

Unlock Pro Content

Get the full detection package for T1134.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1134Access Token Manipulation

Related Sub-techniques

T1134.001Token Impersonation/TheftT1134.003Make and Impersonate TokenT1134.004Parent PID SpoofingT1134.005SID-History Injection

Related Techniques

T1134Access Token ManipulationT1134.001Token Impersonation/TheftT1134.003Make and Impersonate TokenT1134.004Parent PID SpoofingT1548.002Bypass User Account ControlT1055Process InjectionT1003.001LSASS MemoryT1078.002Domain AccountsT1569.002Service Execution

Same Tactic: Defense Evasion

Popular Detections