Create Process with Token

Information

• Name: Create Process with Token

• ID: T1134.002

• Tactics: TA0005, TA0004

• Technique: T1134

Introduction

The MITRE ATT&CK sub-technique "Create Process with Token" (T1134.002) refers to adversaries creating new processes by duplicating tokens from existing processes. This technique enables attackers to escalate privileges, impersonate legitimate users or services, and bypass security controls. By leveraging this method, adversaries can execute malicious activities under the context of another user or system account, thereby obscuring their identity and actions.

Deep Dive Into Technique

Adversaries utilize token manipulation to execute processes under different security contexts. Tokens are Windows objects that define the security context of a user or system process, including user identity, privileges, and group memberships. Attackers typically follow these steps:

• Identify Suitable Process Tokens:

  • Enumerate running processes to identify tokens with elevated privileges or desirable access.

  • Commonly targeted tokens include SYSTEM, administrator, or service account tokens.

• Duplicate or Steal Tokens:

  • Utilize Windows API functions such as OpenProcessToken, DuplicateToken, or DuplicateTokenEx to duplicate tokens from existing processes.

  • Tools like Meterpreter, Cobalt Strike, PowerSploit, Mimikatz, and custom scripts commonly facilitate token duplication.

• Create New Processes Using Stolen Tokens:

  • Invoke APIs such as CreateProcessWithTokenW or CreateProcessAsUser to launch new processes under the security context of the duplicated token.

  • This allows the attacker to perform actions with the privileges and permissions of the targeted account.

• Impersonation and Privilege Escalation:

  • Attackers leverage this technique to escalate privileges from standard user accounts to administrative or SYSTEM-level privileges.

  • Adversaries can impersonate legitimate users or services, bypassing access controls and audit mechanisms.

When this Technique is Usually Used

Attackers commonly employ "Create Process with Token" across various stages of the cyber kill chain, including:

• Privilege Escalation:

  • Elevating privileges from standard user accounts to administrator or SYSTEM accounts.

• Defense Evasion:

  • Hiding malicious activity by impersonating legitimate user accounts or system services.

  • Bypassing security controls that rely on user identity or access controls.

• Lateral Movement:

  • Moving laterally within the network using tokens stolen from compromised hosts or credentials.

  • Executing commands and processes remotely with impersonated privileges.

• Persistence:

  • Establishing persistent access by creating processes or scheduled tasks with elevated privileges.

• Credential Access:

  • Accessing sensitive resources or data by impersonating authorized users.

How this Technique is Usually Detected

Detection of "Create Process with Token" involves monitoring and analyzing system events, processes, and security logs. Key detection mechanisms include:

• Event Log Monitoring:

  • Monitor Windows Security Event Logs (e.g., Event ID 4624 for logon events, Event ID 4688 for process creation).

  • Investigate unusual or anomalous logon types, especially Type 9 (NewCredentials) or Type 2 (Interactive), associated with unexpected processes.

• Endpoint Detection and Response (EDR) Tools:

  • Utilize EDR solutions to detect suspicious process creation and token usage.

  • Identify processes spawned under unusual contexts or with unexpected parent-child relationships.

• Process and Token Anomaly Detection:

  • Monitor for processes executing under tokens that do not match typical user behavior or expected privilege levels.

  • Detect usage of specific API calls (CreateProcessWithTokenW, DuplicateTokenEx) indicative of token manipulation.

• Behavioral Analysis and Threat Hunting:

  • Establish baselines for normal user and process behavior to detect deviations.

  • Conduct proactive threat hunting activities focusing on unusual privilege escalation activities or token-related anomalies.

• Indicators of Compromise (IoCs):

  • Unusual processes running with elevated privileges.

  • Processes spawned from unexpected parent processes.

  • Presence of known hacking tools (e.g., Mimikatz, PowerSploit, Meterpreter) on endpoints.

Why it is Important to Detect This Technique

Detecting "Create Process with Token" is crucial due to its potentially severe impacts on system security and integrity:

• Privilege Escalation Risks:

  • Attackers can escalate privileges and gain unrestricted access to sensitive system resources, leading to complete system compromise.

• Credential Theft and Abuse:

  • Enables adversaries to impersonate legitimate users or services, facilitating unauthorized access to sensitive data and resources.

• Defense Evasion and Detection Challenges:

  • Attackers can evade traditional security controls by executing processes under legitimate user contexts, complicating detection and response efforts.

• Lateral Movement and Network Compromise:

  • Facilitates lateral movement within networks, potentially leading to widespread compromise and data breaches.

• Operational and Reputational Impacts:

  • Early detection prevents significant operational disruptions, financial losses, and reputational damage associated with successful breaches.

Examples

Real-world examples illustrating the use of "Create Process with Token" include:

• APT29 (Cozy Bear):

  • Utilized tools such as Mimikatz and PowerShell scripts to duplicate tokens and execute processes with elevated privileges, facilitating lateral movement and privilege escalation during cyber espionage operations.

• FIN7 Cybercrime Group:

  • Leveraged Meterpreter sessions to duplicate tokens from legitimate user processes, enabling privilege escalation and lateral movement across compromised networks to exfiltrate sensitive financial data.

• TrickBot Malware:

  • Employed token manipulation techniques to escalate privileges, execute malicious processes under SYSTEM privileges, and maintain persistence on infected hosts.

• Cobalt Strike Framework:

  • Commonly used by threat actors to duplicate tokens and spawn new processes with impersonated privileges, facilitating stealthy lateral movement and defense evasion.

• Conti Ransomware Group:

  • Utilized token stealing and impersonation techniques to escalate privileges, spread ransomware payloads across enterprise networks, and evade detection during ransomware attacks.