Access Token Manipulation: Create Process with Token


Adversaries may create a new process with a different token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as CreateProcessWithTokenW and runas.

Products, Sensors, and Dependencies

ProductDependenciesData sourceAccess requiredProtocolData CollectedNotes
Tenable.ioAdvanced Network ScanWindows machinesAuthenticated ScanSMBInteractive loginsPlugin ID: 161502
Tenable.ioAdvanced Network ScanWindows machinesAuthenticated ScanWMIActive sessionPlugin ID: 92373


Nessus Plugins:Microsoft Windows SMB Sessions

Microsoft Windows SMB Sessions

Windows Create token object  - Ensure 'Create a token object' is set to 'No One'

Attack Path Technique Details

Framework: MITRE ATT&CK

Family: Defense Evasion, Privilege Escalation

Platform: Windows

Products Required:

Tenable Release Date: 2022 Q2