Skip to content

DET0456 Behavior-chain detection for T1134.002 Create Process with Token (Windows)

Item Value
ID DET0456
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1134.002 (Create Process with Token)

Analytics

Windows

AN1253

A process (often after stealing/creating a token) calls CreateProcessWithTokenW/CreateProcessAsUserW or uses runas to spawn a new process whose security context (SID/LogonId/IntegrityLevel) differs from its parent. Chain: (1) suspicious command/API → (2) privileged handle or token duplication/open → (3) new child process running as another user / higher integrity → (4) optional follow‑on privileged/lateral actions.

Log Sources
Data Component Name Channel
Process Creation (DC0032) WinEventLog:Security EventCode=4688
Process Access (DC0035) WinEventLog:Sysmon EventCode=10
OS API Execution (DC0021) ETW:ProcThread api_call: CreateProcessWithTokenW, CreateProcessAsUserW
Logon Session Metadata (DC0088) WinEventLog:Security EventCode=4672, 4634
Active Directory Object Modification (DC0066) WinEventLog:Security EventCode=5136
Mutable Elements
Field Description
TimeWindow Correlation window between API/handle access and the spawned process (default 5–10 minutes).
AllowedImpersonators Service accounts/binaries legitimately using CreateProcessWithTokenW (e.g., PsExec service, SCCM, backup agents).
IntegrityEscalationDelta Minimum jump in integrity level (e.g., Medium→System) to flag.
ParentChildUserMismatch Treat any parent/child SID or LogonId mismatch as suspicious unless on allow-list.
SensitiveTargets List of processes (e.g., lsass.exe, winlogon.exe, services.exe) whose token access prior to the spawn raises score.