# T1134.002 Create Process with Token

-----------------------------------------------------------------------

## Technique Description

Adversaries may create a new process with a different token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as <code>CreateProcessWithTokenW</code> and <code>runas</code>.(Citation: Microsoft RunAs)

Creating processes with a different token may require the credentials of the target user, specific privileges to impersonate that user, or access to the token to be used (ex: gathered via other means such as [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) or [Make and Impersonate Token](https://attack.mitre.org/techniques/T1134/003)).

## Technique Detection

If an adversary is using a standard command-line shell (i.e. [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003)), analysts may detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the <code>runas</code> command or similar artifacts. Detailed command-line logging is not enabled by default in Windows.(Citation: Microsoft Command-line Logging)

If an adversary is using a payload that calls the Windows token APIs directly, analysts may detect token manipulation only through careful analysis of user activity, examination of running processes, and correlation with other endpoint and network behavior.

Analysts can also monitor for use of Windows APIs such as <code>CreateProcessWithTokenW</code> and correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators.

-----------------------------------------------------------------------

### Tactics:

  * Defense-Evasion

  * Privilege-Escalation

### Platforms:

  * Windows

### Defenses Bypassed:

  * Windows User Account Control

  * System access controls

  * File system access controls

### Data Sources:

  * **Command:** Command Execution

  * **Process:** OS API Execution

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group | Adversarial Usage |
|----|----|
| Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) keylogger KiloAlfa obtains user tokens from interactive sessions to execute itself with API call <code>CreateProcessAsUserA</code> under that user's context.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Tools) |
| Turla | [Turla](https://attack.mitre.org/groups/G0010) RPC backdoors can impersonate or steal process tokens before executing commands.(Citation: ESET Turla PowerShell May 2019) |

-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1134/002)

  * [Microsoft Runas](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771525(v=ws.11)), Microsoft. (2016, August 31). Runas. Retrieved October 1, 2021.

  * [Microsoft Command-Line Logging](https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing), Mathers, B. (2017, March 7). Command line process auditing. Retrieved April 21, 2017.

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is ran. Store permanent information in one of the relevant cells below*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 20 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres, Matthew A Taylor

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Turla will attempt to create processes with stolen/duplicated tokens.

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| Example APT/Threat actor | 1, 2 | 2, 3, 5|

## Detection Blindspots

- Sensor location

## Analytical References

  * https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Analysts can also monitor for use of Windows APIs such as DuplicateToken(Ex) and CreateProcessWithTokenW and correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators.
- If an adversary is using a payload that calls the Windows token APIs directly, analysts can detect token manipulation only through careful analysis of user activity, examination of running processes, and correlation with other endpoint and network behavior.
- If an adversary is using a standard command-line shell, analysts can detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command. Detailed command-line logging is not enabled by default in Windows.

#### Analytic 1

  * **Information:** Checking command lines in process-creation events (Event ID 1) for references to the <code>CreateProcessWithTokenW</code> API, e.g. from PowerShell.

  * **Source:** Windows Logs

  * **Tool:** Kibana

  * **Notes:** N/A
  
  * **Query:** `Event_ID:1 AND command.line:*CreateProcessWithTokenW*`
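Worked detection logic for this analytic and for the command-line and API indicators in the Technique Detection section and Hunter Notes above, added here as an example; it is not part of the playbook or of MITRE's text. It assumes a flat record schema (`channel`, `event_id`, `user`, `image`, `command_line`) standing in for the Kibana fields, treats Sysmon Event ID 1 and Security 4688 as process-creation events, matches every token API named on this page rather than only `CreateProcessWithTokenW`, and runs over constructed sample records:

```python
"""
Detection logic for T1134.002 over process-creation records (added example,
not part of this playbook or of MITRE's content). It mirrors the host Analytic 1
query (Event_ID:1 AND command.line:*CreateProcessWithTokenW*) and the hunter
notes (runas, DuplicateToken(Ex), CreateProcessAsUser), generalised to every
token API named on the page. Field names and sample events are constructed
assumptions, not real telemetry.
"""
import re
from dataclasses import dataclass

# Process-creation events in scope (assumption about the log schema):
# Sysmon Event ID 1 and Security log 4688. 4688 carries the command line only
# when command-line process auditing is enabled, as the page notes.
PROCESS_CREATE = {("sysmon", 1), ("security", 4688)}

# Token APIs named on this page. Matching them in a command line catches scripts
# that spell out the API; compiled payloads calling it directly need the
# process/behaviour correlation the hunter notes describe.
TOKEN_API = re.compile(
    r"CreateProcessWithTokenW|CreateProcessAsUser[AW]?|DuplicateToken(?:Ex)?",
    re.IGNORECASE,
)
# runas (or runas.exe) as a whole word, preceded by start, whitespace, quote or a path separator
RUNAS = re.compile(r"(?:^|[\s\"'\\])runas(?:\.exe)?\b", re.IGNORECASE)
RUNAS_USER = re.compile(r"/user:(\S+)", re.IGNORECASE)


@dataclass
class Finding:
    index: int    # position of the record in the input
    user: str     # account that created the process
    reason: str   # "runas_invocation" or "token_api_in_command_line"
    detail: str   # target account for runas, matched API name otherwise


def analyse(records):
    """Return one Finding per indicator per in-scope process-creation record."""
    findings = []
    for i, rec in enumerate(records):
        if (rec.get("channel"), rec.get("event_id")) not in PROCESS_CREATE:
            continue
        cmd = rec.get("command_line", "")
        user = rec.get("user", "<unknown>")
        if RUNAS.search(cmd):
            target = RUNAS_USER.search(cmd)
            findings.append(Finding(i, user, "runas_invocation",
                                    target.group(1) if target else "<no /user>"))
        api = TOKEN_API.search(cmd)
        if api:
            findings.append(Finding(i, user, "token_api_in_command_line", api.group(0)))
    return findings


def by_user(findings):
    """Count findings per originating account: a first cut at the correlation the notes call for."""
    counts = {}
    for f in findings:
        counts[f.user] = counts.get(f.user, 0) + 1
    return counts


# Constructed sample records (not real logs).
SAMPLE_EVENTS = [
    {"channel": "sysmon", "event_id": 1, "user": r"CORP\jdoe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'cmd.exe /c runas /user:CORP\svc_backup "cmd.exe"'},
    {"channel": "sysmon", "event_id": 1, "user": r"CORP\jdoe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -NoProfile -File C:\Users\jdoe\AppData\Local\Temp\launch.ps1 -Api CreateProcessWithTokenW"},
    {"channel": "sysmon", "event_id": 1, "user": r"NT AUTHORITY\SYSTEM",
     "image": r"C:\Windows\System32\svchost.exe",
     "command_line": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    # Security-log process creation, seen only with command-line auditing enabled
    {"channel": "security", "event_id": 4688, "user": r"CORP\admin01",
     "image": r"C:\Windows\System32\runas.exe",
     "command_line": r'"C:\Windows\System32\runas.exe" /user:CORP\admin01_da mmc.exe'},
    # Not a process-creation event: same text, but out of scope for this analytic
    {"channel": "sysmon", "event_id": 3, "user": r"CORP\jdoe",
     "command_line": r"powershell.exe -Api CreateProcessWithTokenW"},
]

if __name__ == "__main__":
    results = analyse(SAMPLE_EVENTS)
    for f in results:
        print(f"record {f.index}: {f.user} {f.reason} -> {f.detail}")
    print(by_user(results))
```

The regexes here are case-insensitive; the Lucene wildcard in the Kibana query is case-sensitive on a keyword-mapped field, so confirm how `command.line` is mapped before treating the two as equivalent.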



-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- N/A

#### Analytic 1

  * **Information:** Turla is known to use RPC backdoors that impersonate or steal process tokens before executing commands (see Adversarial usage above); this analytic looks for SMB/DCERPC traffic involving non-internal addresses.

  * **Source:** PCAP

  * **Tool:** Moloch

  * **Notes:** N/A

  * **Query:** `protocols==[smb, dcerpc] && ip!=<internal>`
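Flow-level triage implementing this network analytic, added as an example and not part of the playbook or of Moloch. It resolves the `<internal>` placeholder to explicit address ranges (RFC 1918 plus loopback and link-local, extendable per site) and applies the SMB/DCERPC filter to constructed flow records; the flow field names (`id`, `src`, `dst`, `protocols`) are assumptions:

```python
"""
Flow triage for the network Analytic 1 (protocols==[smb, dcerpc] && ip!=<internal>),
added as an example; not part of this playbook. The <internal> placeholder is
resolved to explicit ranges and the filter is run over constructed flow records.
Field names and sample flows are assumptions.
"""
import ipaddress

# What "internal" means here: RFC 1918 space plus loopback and link-local.
# Deliberately not ipaddress' is_private, which also treats documentation ranges
# such as 203.0.113.0/24 as private and would hide the sample flow below.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RPC_PROTOCOLS = {"smb", "dcerpc"}


def is_internal(ip, extra_nets=()):
    """True if ip is loopback, link-local, RFC 1918, or inside a site-specific extra network."""
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback or addr.is_link_local:
        return True
    # `addr in net` is False across address families, so mixed lists are safe
    return any(addr in net for net in (*RFC1918, *extra_nets))


def external_rpc_flows(flows, extra_nets=()):
    """Flows carrying SMB or DCERPC where at least one endpoint is outside the internal ranges."""
    nets = [ipaddress.ip_network(n) for n in extra_nets]
    hits = []
    for flow in flows:
        if not RPC_PROTOCOLS.intersection(p.lower() for p in flow["protocols"]):
            continue
        if is_internal(flow["src"], nets) and is_internal(flow["dst"], nets):
            continue
        hits.append(flow)
    return hits


# Constructed sample flows (not real captures); 203.0.113.0/24, 198.51.100.0/24
# and 2001:db8::/32 are documentation ranges used here as stand-ins for the Internet.
SAMPLE_FLOWS = [
    {"id": 0, "src": "10.1.2.3", "dst": "10.1.2.10", "protocols": ["tcp", "smb"]},
    {"id": 1, "src": "10.1.2.3", "dst": "203.0.113.7", "protocols": ["tcp", "smb"]},
    {"id": 2, "src": "192.168.5.20", "dst": "198.51.100.9", "protocols": ["tcp", "dcerpc"]},
    {"id": 3, "src": "10.1.2.3", "dst": "203.0.113.7", "protocols": ["udp", "dns"]},
    {"id": 4, "src": "fe80::1", "dst": "fe80::2", "protocols": ["tcp", "smb"]},
    {"id": 5, "src": "2001:db8::10", "dst": "2001:db8::20", "protocols": ["tcp", "dcerpc"]},
]

if __name__ == "__main__":
    for flow in external_rpc_flows(SAMPLE_FLOWS):
        print(f"flow {flow['id']}: {flow['src']} -> {flow['dst']} {flow['protocols']}")
```

Pass site-specific ranges via `extra_nets` (for example a DMZ prefix) so that legitimate partner or hosted networks are excluded without widening the RFC 1918 list.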

