T1134.002: T1134.002

Search IOCs, vulnerabilities, APT…

216.73.217.22

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 16/12/2025 19:38 · Modified 10/04/2026 12:07

Essential information

MITRE technique ID: T1134.002
Confidence: 100/100
Revoked: No
Published: 16/12/2025 19:38
Modified: 10/04/2026 12:07
Author / Source: The MITRE Corporation

Aliases

Create Process with Token

Platforms

windows

Description

Adversaries may create a new process with an existing token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as `CreateProcessWithTokenW` and `runas`.(Citation: Microsoft RunAs) Creating processes with a token not associated with the current user may require the credentials of the target user, specific privileges to impersonate that user, or access to the token to be used. For example, the token could be duplicated via [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) or created via [Make and Impersonate Token](https://attack.mitre.org/techniques/T1134/003) before being used to create a process. While this technique is distinct from [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001), the techniques can be used in conjunction where a token is duplicated and then used to create a new process.

Kill chain phases

Kill chain	Phase
mitre-attack	defense-evasion
mitre-attack	privilege-escalation

Marking (TLP)

External references

mitre-attack (T1134.002)
Microsoft RunAs
Microsoft Command-line Logging

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (11)

OP-512 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Lazarus uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Lazarus Group uses HIDDEN COBRAGuardians of Peace

The MITRE Corporation Confidence 100

[Lazarus Group](https://attack.mitre.org/groups/G0032) is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB). (Citation: US-CERT HIDDEN COBRA June 2017) (Citation: Treasury North Korean Cyber…

First seen 01/01/1970 · Last seen 16/11/5138 ·
ELPACO-team uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Hive0147 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Magic Hound uses COBALT ILLUSIONITG18

The MITRE Corporation Confidence 100

[Magic Hound](https://attack.mitre.org/groups/G0059) is an Iranian-sponsored threat group that conducts long term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. They have targeted European,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Turla uses IRON HUNTERGroup 88

The MITRE Corporation Confidence 100

[Turla](https://attack.mitre.org/groups/G0010) is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least…

First seen 01/01/1970 · Last seen 16/11/5138 ·
MuddyWater uses Earth VetalaStatic Kitten

The MITRE Corporation Confidence 100

[MuddyWater](https://attack.mitre.org/groups/G0069) is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).(Citation: CYBERCOM Iranian Intel Cyber January 2022) Since at…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Doppelgänger uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
anubis uses

Ransomware.Live Confidence 100

No description available

First seen 01/01/1970 · Last seen 16/11/5138 ·
MirrorFace uses

AlienVault Confidence 100

[MirrorFace](https://attack.mitre.org/groups/G1054) is a People's Republic of China (PRC)-aligned cyberespionage actor believed to be a subgroup under the [menuPass](https://attack.mitre.org/groups/G0045) umbrella based on targeting, tools, and infrastructure overlaps. [MirrorFace](https://attack.mitre.org/groups/G1054) has…

First seen 01/01/1970 · Last seen 16/11/5138 ·

Malware (41)

Webrat uses

Family
Gamshen uses

Family
Blub uses

Family
GhostKit uses

Family
SweetPotato uses

Family
Rungan uses

Family
MuddyViper uses

Family
WhisperGate uses

Family
Mekotio uses

Family
BadIIS uses

Family
PipeMon uses
PlugX - S0013 uses

Family

← Previous

Page / 4

1–12 of 41

From PostCSS Masquerading to Windows RAT related

AlienVault Confidence 100 20 MITREs 9 IOCs 3 Observables
Agentic AI Uncovers New China-Linked Cluster OP-512 related

AlienVault Confidence 100 19 MITREs 11 Malwares 7 IOCs 7 Observables 1 APT
Threat landscape — Belgium related

Confidence 100 18 CVEs 200 MITREs 200 Malwares 20 APTs 26 Tools
Operation GriefLure: Dissecting an APT Campaign Targeting Vietnam's … related

AlienVault Confidence 100 24 MITREs 2 Malwares 13 IOCs 13 Observables
In-Memory Loader Drops ScreenConnect related

AlienVault Confidence 100 16 MITREs 1 Malware 4 IOCs 4 Observables
Forges Recruitment Sites, Launches Attacks on Aerospace and … related

18 MITREs 12 Observables 1 APT
Hive0147 serving juicy Picanha with a side of … related

20 MITREs 3 Malwares 20 Observables 1 APT
MirrorFace Attack against Japanese Organisations related

1 CVE 21 MITREs 2 Malwares 27 Observables 1 APT
Mid-year Doppelganger information operations in Europe and the … related

19 MITREs 200 Observables 1 APT
Exploiting CVE-2024-21412: A Stealer Campaign Unleashed related

1 CVE 16 MITREs 2 Malwares 27 Observables

Vulnerabilities (CVE) (16)

CVE-2025-12595 targets

7.4 High

A weakness has been identified in Tenda AC23 16.03.07.52. This impacts the function formSetVirtualSer of the file /goform/SetVirtualServerCfg. This manipulation of the …

Published: 02/11/2025
Modified: 05/11/2025

Analyzed

CVE-2025-11833 targets

9.8 Critical

The Post SMTP – Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App plugin for WordPress is vulnerable to unauthorized …

Published: 01/11/2025
Modified: 04/11/2025

Awaiting Analysis

CVE-2023-22518 KEV targets

9.8 Critical

Atlassian Confluence Data Center and Server contain an improper authorization vulnerability that can result in significant data loss when exploited by an …

Attack vector: Network
Published: 07/11/2023
Modified: 21/12/2025

CVE-2025-55234 targets

CVE-2025-10294 targets

9.8 Critical

The OwnID Passwordless Login plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.3.4. This is …

Published: 15/10/2025
Modified: 15/10/2025

Received

CVE-2025-54897 targets

CVE-2025-54106 targets

CVE-2024-21412 KEV targets

8.1 High

Microsoft Windows Internet Shortcut Files contains an unspecified vulnerability that allows for a security feature bypass.

Attack vector: Network
Published: 13/02/2024
Modified: 27/05/2026

CVE-2022-1388 KEV targets

F5 BIG-IP contains a missing authentication in critical function vulnerability which can allow for remote code execution, creation or deletion of files, …

Published: 10/05/2022
Modified: 20/12/2025

CVE-2023-22527 KEV targets

9.8 Critical

Atlassian Confluence Data Center and Server contain an unauthenticated OGNL template injection vulnerability that can lead to remote code execution.

Attack vector: Network
Published: 24/01/2024
Modified: 21/12/2025

CVE-2025-12596 targets

7.4 High

A security vulnerability has been detected in Tenda AC23 16.03.07.52. Affected is the function saveParentControlInfo of the file /goform/saveParentControlInfo. Such manipulation of …

Published: 02/11/2025
Modified: 05/11/2025

Analyzed

CVE-2025-59295 targets

8.8 High

Heap-based buffer overflow in Internet Explorer allows an unauthorized attacker to execute code over a network.

Published: 14/10/2025
Modified: 14/10/2025

Awaiting Analysis

← Previous

Page / 2

1–12 of 16

T1134 subtechnique-of

Access Token Manipulation MITRE

Tool (2)

Empire uses

The MITRE Corporation Confidence 100

[Empire](https://attack.mitre.org/software/S0363) is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents…
PoshC2 uses

The MITRE Corporation Confidence 100

[PoshC2](https://attack.mitre.org/software/S0378) is an open source remote administration and post-exploitation framework that is publicly available on GitHub. The server-side components of the tool are primarily written in Python, while…

Course Of Action (2)

User Account Management mitigates
Privileged Account Management mitigates

Contact About Legal notice Privacy policy Terms of use