title: Create Process with Token (T1134.002)
id: df00tech-t1134-002
status: experimental
description: "Adversaries may create a new process with an existing token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as CreateProcessWithTokenW, CreateProcessAsUser, and runas. Creating processes with a token not associated with the current user may require the credentials of the target user, specific privileges to impersonate that user, or access to the token to be used. The token could be duplicated via Token Impersonation/Theft (T1134.001) or created via Make and Impersonate Token (T1134.003) before being used to create a new process. This technique has been observed in campaigns by Turla, Lazarus Group, KONNI, Azorult, Bankshot, REvil, WhisperGate, and Empire post-exploitation frameworks."
references:
  - https://attack.mitre.org/techniques/T1134/002/
  - https://df00tech.com/detections/T1134.002
author: df00tech
date: 2026/04/18
tags:
  - attack.t1134.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Software installation tools and MSI packages that legitimately spawn elevated child processes via runas.exe or UAC prompts during setup routines
  - System administration scripts that use runas to execute maintenance tasks under alternate credentials as part of a least-privilege administrative workflow
  - "IT automation platforms (SCCM, Ansible WinRM, PDQ Deploy) that execute tasks as a service account distinct from the initiating agent process, producing account context switches"
  - "Security products and EDR agents that intentionally spawn sub-processes under SYSTEM context for real-time monitoring or remediation, creating integrity level differences"
  - Developer workstations where engineers routinely use runas or IDE-triggered elevation to test code requiring elevated privilege in a controlled environment
level: high