MITRE ATT&CK® Detection Strategy

DET0456: Behavior-chain detection for T1134.002 Create Process with Token (Windows)

Domain: Enterprise. ID: DET0456. Type: Detection Strategy. Object version: 1.0.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0456 is a MITRE detection strategy object for behavior-chain detection of Create Process with Token, specifically the Windows-related ATT&CK technique T1134.002. The business significance is that this behavior can indicate attempts to run a process under another user’s security context, which matters for privilege escalation, access-control bypass, and incident scoping. For leaders, the key question is not whether one alert exists, but whether the SOC can connect identity, process, and token-related activity into a defensible chain of evidence.

Executive priority

Prioritize this as an identity and endpoint detection validation item for Windows environments where privileged access, administrative workstations, or regulated systems are material to business operations. It supports incident decision-making by helping determine whether a suspicious process inherited or used another user’s security context. Because the ATT&CK object provides no official detection logic, executives should ask for evidence that current telemetry and response playbooks can prove or disprove token-based process creation rather than relying on generic process-start alerts.

Technical view

The supplied relationship states that DET0456 detects T1134.002, Create Process with Token, associated with stealth and privilege-escalation tactics on Windows. SOC and detection engineering teams should validate behavior-chain coverage around process creation events, user/security context changes, parent-child process relationships, and indicators that a process was launched using a token or credentials not normally associated with the initiating user. Detection should emphasize correlation and context, since legitimate administration tools and workflows may also create processes under alternate credentials.

Likely telemetry

  • Windows process creation telemetry with command line, parent process, user, and integrity/context fields
  • Endpoint security or EDR events showing process lineage and user/security context
  • Windows authentication and logon session evidence relevant to alternate credentials or impersonation
  • Privilege use or token-related security events where available
  • Administrative tool execution records, including runas-like behavior where collected

Detection direction

  • Validate that process creation data includes both the initiating process/user and the resulting process/user context.
  • Correlate process lineage with authentication or logon-session evidence to distinguish expected administrative use from unusual token-based execution.
  • Tune for privileged, service, administrative, or high-value accounts where a context switch has higher consequence.
  • Account for false positives from help desk activity, software deployment, administrative automation, and legitimate run-as workflows.
  • Confirm retention is sufficient for incident response to reconstruct the behavior chain, not just trigger a single real-time alert.
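As an added example (not from the Glexia page or from MITRE's DET0456 object), the check below applies the telemetry and detection-direction points above to constructed Windows Security 4688 process-creation events: the Subject* fields identify the creating user and the Target* fields the user of the new process, so a populated TargetUserName that differs from SubjectUserName is the context switch to correlate with logon-session (4624) evidence and with documented run-as patterns. Field names follow the 4688 schema; the sample values, the approved-pattern set and the high-value account list are assumptions.

```python
# Constructed sample Security 4688 events (subset of fields). "-" / "0x0" in the
# Target* fields means the new process kept the creator's token; a populated
# TargetUserName means the process was created under a different token.
EVENTS = [
    {"EventID": 4688, "SubjectUserName": "alice", "SubjectLogonId": "0x3e7a1",
     "TargetUserName": "-", "TargetLogonId": "0x0",
     "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe"},
    {"EventID": 4688, "SubjectUserName": "helpdesk1", "SubjectLogonId": "0x41a22",
     "TargetUserName": "hd_admin", "TargetLogonId": "0x5b2c9",
     "NewProcessName": r"C:\Windows\System32\mmc.exe",
     "ParentProcessName": r"C:\Windows\System32\runas.exe"},
    {"EventID": 4688, "SubjectUserName": "alice", "SubjectLogonId": "0x3e7a1",
     "TargetUserName": "svc_backup", "TargetLogonId": "0x77f10",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
]
# Constructed 4624 logon-session records keyed by LogonId, used for correlation.
LOGONS = {"0x5b2c9": {"LogonType": 2}, "0x77f10": {"LogonType": 2}}
# Assumed run-as patterns documented for SOC tuning: (target user, parent image).
APPROVED = {("hd_admin", r"C:\Windows\System32\runas.exe")}
# Assumed accounts where a context switch has higher consequence.
HIGH_VALUE = {"svc_backup", "Administrator"}

def context_switches(events):
    """Return 4688 events whose new process runs as a different user than its creator."""
    return [e for e in events if e["EventID"] == 4688
            and e["TargetUserName"] not in ("-", "")
            and e["TargetUserName"] != e["SubjectUserName"]]

def triage(event, logons, approved, high_value):
    """Rank one context switch as 'approved', 'review' or 'high' with the reasons."""
    if (event["TargetUserName"], event["ParentProcessName"]) in approved:
        return "approved", ["matches documented run-as pattern"]
    reasons = []
    if event["TargetUserName"] in high_value:
        reasons.append("target is a high-value account")
    if event["TargetLogonId"] not in logons:   # no 4624 to explain the new session
        reasons.append("no logon-session evidence for target LogonId")
    if not event["ParentProcessName"].lower().startswith(r"c:\windows\system32"):
        reasons.append("parent process outside System32")
    return ("high" if len(reasons) >= 2 else "review"), reasons

def run(events=EVENTS):
    """Apply the chain to all events; returns (new process, level, reasons) tuples."""
    return [(e["NewProcessName"], *triage(e, LOGONS, APPROVED, HIGH_VALUE))
            for e in context_switches(events)]
```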

Mitigation priorities

  • Harden privileged access paths and limit who can create processes under alternate credentials or impersonated contexts.
  • Apply least privilege and reduce standing administrative rights on Windows systems.
  • Review administrative workflows that require alternate-user process creation and document approved patterns for SOC tuning.
  • Ensure endpoint logging, EDR configuration, and identity telemetry are aligned so investigators can correlate process, user, and session context.
  • Use detection testing or tabletop review to verify that incident responders can identify the source user, target context, affected host, and resulting process activity.

Analyst notes and limits

This take is based on the detection strategy metadata and its relationship to ATT&CK technique T1134.002, Create Process with Token. The value is primarily in validating whether the organization can observe and correlate Windows process and identity context changes associated with privilege escalation or stealthy access-control bypass behavior.

The supplied ATT&CK detection strategy has no official description, no official detection text, no explicit platforms or tactics on the detection object itself, and no vendor-specific data source requirements. Windows, stealth, and privilege-escalation context come from the related T1134.002 technique and the detection strategy name. Local environment telemetry is required to determine actual coverage.

Official MITRE ATT&CK definition

Behavior-chain detection for T1134.002 Create Process with Token (Windows)

No official description is available in the imported ATT&CK source object.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain: Enterprise
ID: T1134.002
Name: Create Process with Token (sub-technique)
Relationship / procedure: This object detects Create Process with Token.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 403ddbd77afa4c03...

Imported snapshots across ATT&CK releases (1)

Release: 19.1
Bundle imported:
Object version: 1.0
Modified:
Status: Current bundle
Raw hash: 403ddbd77afa…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] mitre-attack DET0456
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.