Detections
Analytics
Access Token Manipulation: Create Process with Token
Description
Adversaries may create a new process with a different token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as CreateProcessWithTokenW and runas.
Products, Sensors, and Dependencies
| Product | Dependencies | Data source | Access required | Protocol | Data Collected | Notes |
|---|---|---|---|---|---|---|
| Tenable.io | Advanced Network Scan | Windows machines | Authenticated Scan | SMB | Interactive logins | Plugin ID: 161502 |
| Tenable.io | Advanced Network Scan | Windows machines | Authenticated Scan | WMI | Active session | Plugin ID: 92373 |
References
Nessus Plugins:Microsoft Windows SMB Sessions
Microsoft Windows SMB Sessions
Windows Create token object - Ensure 'Create a token object' is set to 'No One'
Attack Path Technique Details
Framework: MITRE ATT&CK
Family: Defense Evasion, Privilege Escalation
Technique: Access Token Manipulation
Sub-Technique: Create Process with Token
Platform: Windows
Products Required: Tenable.io
Tenable Release Date: 2022 Q2