medium advisory

Process Created with a Duplicated Token

This rule identifies the creation of a process impersonating the token of another user logon session on Windows, potentially indicating privilege escalation.

This detection rule identifies the creation of a process that impersonates the token of another user logon session on Windows. Adversaries duplicate tokens to create processes with elevated privileges, bypassing security controls; the technique is used for privilege escalation. The rule flags suspicious process creation by examining token usage patterns, process origins, and recent file modifications, while excluding known legitimate behaviors. It is designed for data generated by Elastic Endpoint 8.4+.
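As an added illustration of the heuristics listed above (not the Elastic or Sigma rule's own query), the following Python models a process-creation event and flags a child whose token belongs to a different logon session than its parent's, adding weight when the child's integrity level exceeds the parent's or the executable was written recently; the field names, the legitimate-launcher exclusion list and the 300-second cutoff are assumptions.

```python
"""Toy detector for a process created with a token from another logon session.
Added illustration: field names, exclusion list and threshold are assumptions,
not the logic of the Elastic or Sigma rule described on this page."""
from dataclasses import dataclass
from typing import Optional

# Parents that legitimately start children under other accounts (assumed list).
LEGIT_CROSS_SESSION_PARENTS = {r"c:\windows\system32\services.exe",
                               r"c:\windows\system32\winlogon.exe"}
RECENT_FILE_SECONDS = 300  # "short relative file activity time" cutoff (assumed)
INTEGRITY_RANK = {"low": 0, "medium": 1, "high": 2, "system": 3}

@dataclass
class ProcessEvent:
    executable: str
    parent_executable: str
    user_sid: str          # account whose token the new process runs under
    parent_user_sid: str
    logon_id: str          # logon session (LUID) of the new process's token
    parent_logon_id: str
    integrity: str         # integrity level of the new process
    parent_integrity: str
    file_age_seconds: Optional[int]  # seconds since the image was created/modified

def assess(ev: ProcessEvent) -> Optional[str]:
    """Return the reasons an event looks like token duplication, or None."""
    if ev.logon_id == ev.parent_logon_id and ev.user_sid == ev.parent_user_sid:
        return None  # same session and account: nothing was impersonated
    if ev.parent_executable.lower() in LEGIT_CROSS_SESSION_PARENTS:
        return None  # known legitimate cross-session launcher
    reasons = ["token from another logon session"]
    if INTEGRITY_RANK.get(ev.integrity, 0) > INTEGRITY_RANK.get(ev.parent_integrity, 0):
        reasons.append("child integrity above parent")
    if ev.file_age_seconds is not None and ev.file_age_seconds < RECENT_FILE_SECONDS:
        reasons.append("recently written executable")
    return "; ".join(reasons)

# Constructed sample events, not real telemetry. 0x3e7 is the SYSTEM logon session.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Users\alice\AppData\Local\Temp\tool.exe",
                 "S-1-5-18", "S-1-5-21-1000", "0x3e7", "0x5a2f1", "system", "medium", 120),
    ProcessEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe",
                 "S-1-5-19", "S-1-5-18", "0x3e5", "0x3e7", "system", "system", None),
    ProcessEvent(r"C:\Program Files\app\app.exe", r"C:\Windows\explorer.exe",
                 "S-1-5-21-1000", "S-1-5-21-1000", "0x5a2f1", "0x5a2f1", "medium", "medium", 86400),
]

def run(events=SAMPLE_EVENTS) -> list:
    return [(ev.executable, r) for ev in events if (r := assess(ev))]
```

Only the first sample is flagged: the service started by services.exe is excluded as a known launcher, and the explorer.exe child shares its parent's session and account.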

Attack Chain

  1. An attacker gains initial access to a Windows system through various means, such as exploiting a vulnerability or using compromised credentials.
  2. The attacker identifies a user logon session with higher privileges than their current session.
  3. The attacker duplicates the token of the identified user logon session using API calls like DuplicateTokenEx.
  4. The attacker uses the duplicated token to create a new process using CreateProcessWithTokenW.
  5. The new process inherits the privileges of the duplicated token.
  6. The attacker executes malicious commands or tools within the context of the newly created process.
  7. The attacker gains elevated privileges on the system, allowing actions that were previously unauthorized.

Impact

Successful exploitation allows an attacker to escalate privileges on the compromised system, potentially gaining administrative or system-level access. This can lead to unauthorized access to sensitive data, installation of malware, lateral movement to other systems on the network, and ultimately, complete control over the affected environment.

Recommendation

  • Enable Elastic Defend to collect the necessary process creation and event data to activate this rule.
  • Deploy the Sigma rule Detect Process Created with a Duplicated Token to your SIEM and tune for your environment.
  • Investigate any alerts generated by the rule, focusing on processes with unusual parent-child relationships or unsigned code.

Detection coverage (2 rules)

Detect Process Created with a Duplicated Token

medium

Detects the creation of a process with a token from another user session, indicating potential privilege escalation.

Sigma | tactics: privilege_escalation | techniques: T1134.002 | sources: process_creation, windows

Detect Potential Token Impersonation via Relative File Activity

medium

Detects processes potentially impersonating tokens based on short relative file activity times.

Sigma | tactics: privilege_escalation | techniques: T1134.001 | sources: process_creation, windows

Detection queries are kept inside the platform.