T1134.002: T1134.002

Search IOCs, vulnerabilities, APT…

216.73.216.6

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 18/02/2020 17:48 · Modified 10/04/2026 12:07

Essential information

MITRE technique ID: T1134.002
Confidence: 100/100
Revoked: No
Published: 18/02/2020 17:48
Modified: 10/04/2026 12:07
Author / Source: The MITRE Corporation

Aliases

Create Process with Token

Platforms

windows

Description

Adversaries may create a new process with an existing token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as `CreateProcessWithTokenW` and `runas`.(Citation: Microsoft RunAs) Creating processes with a token not associated with the current user may require the credentials of the target user, specific privileges to impersonate that user, or access to the token to be used. For example, the token could be duplicated via [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) or created via [Make and Impersonate Token](https://attack.mitre.org/techniques/T1134/003) before being used to create a process. While this technique is distinct from [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001), the techniques can be used in conjunction where a token is duplicated and then used to create a new process.

Kill chain phases

Kill chain	Phase
mitre-attack	defense-evasion
mitre-attack	privilege-escalation

Marking (TLP)

External references

mitre-attack (T1134.002)
Microsoft RunAs
Microsoft Command-line Logging

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (11)

OP-512 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Lazarus uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Lazarus Group uses HIDDEN COBRAGuardians of Peace

The MITRE Corporation Confidence 100

[Lazarus Group](https://attack.mitre.org/groups/G0032) is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB). (Citation: US-CERT HIDDEN COBRA June 2017) (Citation: Treasury North Korean Cyber…

First seen 01/01/1970 · Last seen 16/11/5138 ·
ELPACO-team uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Hive0147 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Magic Hound uses COBALT ILLUSIONITG18

The MITRE Corporation Confidence 100

[Magic Hound](https://attack.mitre.org/groups/G0059) is an Iranian-sponsored threat group that conducts long term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. They have targeted European,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Turla uses IRON HUNTERGroup 88

The MITRE Corporation Confidence 100

[Turla](https://attack.mitre.org/groups/G0010) is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least…

First seen 01/01/1970 · Last seen 16/11/5138 ·
MuddyWater uses Earth VetalaStatic Kitten

The MITRE Corporation Confidence 100

[MuddyWater](https://attack.mitre.org/groups/G0069) is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).(Citation: CYBERCOM Iranian Intel Cyber January 2022) Since at…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Doppelgänger uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
anubis uses

Ransomware.Live Confidence 100

No description available

First seen 01/01/1970 · Last seen 16/11/5138 ·
MirrorFace uses

AlienVault Confidence 100

[MirrorFace](https://attack.mitre.org/groups/G1054) is a People's Republic of China (PRC)-aligned cyberespionage actor believed to be a subgroup under the [menuPass](https://attack.mitre.org/groups/G0045) umbrella based on targeting, tools, and infrastructure overlaps. [MirrorFace](https://attack.mitre.org/groups/G1054) has…

First seen 01/01/1970 · Last seen 16/11/5138 ·

Malware (41)

Webrat uses

Family
Gamshen uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Blub uses

Family
GhostKit uses

Family
SweetPotato uses

Family
Rungan uses

Family
MuddyViper uses

Family
WhisperGate uses

Family
Mekotio uses

Family
BadIIS uses

Family
PipeMon uses

Family The MITRE Corporation Confidence 100

[PipeMon](https://attack.mitre.org/software/S0501) is a multi-stage modular backdoor used by [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: ESET PipeMon May 2020)

First seen 01/01/1970 · Last seen 16/11/5138 ·
PlugX - S0013 uses

Family

← Previous

Page / 4

1–12 of 41

From PostCSS Masquerading to Windows RAT related

AlienVault Confidence 100 20 MITREs 9 IOCs 3 Observables
Agentic AI Uncovers New China-Linked Cluster OP-512 related

AlienVault Confidence 100 19 MITREs 11 Malwares 7 IOCs 7 Observables 1 APT
Threat landscape — Belgium related

Confidence 100 18 CVEs 200 MITREs 200 Malwares 20 APTs 26 Tools
Operation GriefLure: Dissecting an APT Campaign Targeting Vietnam's … related

AlienVault Confidence 100 24 MITREs 2 Malwares 13 IOCs 13 Observables
In-Memory Loader Drops ScreenConnect related

AlienVault Confidence 100 16 MITREs 1 Malware 4 IOCs 4 Observables
Forges Recruitment Sites, Launches Attacks on Aerospace and … related

18 MITREs 12 Observables 1 APT
Hive0147 serving juicy Picanha with a side of … related

20 MITREs 3 Malwares 20 Observables 1 APT
MirrorFace Attack against Japanese Organisations related

1 CVE 21 MITREs 2 Malwares 27 Observables 1 APT
Mid-year Doppelganger information operations in Europe and the … related

19 MITREs 200 Observables 1 APT
Exploiting CVE-2024-21412: A Stealer Campaign Unleashed related

1 CVE 16 MITREs 2 Malwares 27 Observables

Vulnerabilities (CVE) (16)

CVE-2025-59230 targets

7.8 High

Improper access control in Windows Remote Access Connection Manager allows an authorized attacker to elevate privileges locally.

Published: 14/10/2025
Modified: 14/10/2025

Awaiting Analysis

CVE-2021-34527 KEV targets

Microsoft Windows Print Spooler contains an unspecified vulnerability due to the Windows Print Spooler service improperly performing privileged file operations. Successful exploitation …

Published: 03/11/2021
Modified: 20/12/2025

CVE-2025-11499 targets

9.8 Critical

The Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent plugin for WordPress is vulnerable to arbitrary file uploads …

Published: 01/11/2025
Modified: 04/11/2025

Awaiting Analysis

CVE-2020-1472 KEV targets

5.5 Medium

Microsoft's Netlogon Remote Protocol (MS-NRPC) contains a privilege escalation vulnerability when an attacker establishes a vulnerable Netlogon secure channel connection to a …

Attack vector: Local
Published: 03/11/2021
Modified: 27/05/2026

← Previous

Page / 2

13–16 of 16

T1134 subtechnique-of

Access Token Manipulation MITRE

Tool (2)

Empire uses

The MITRE Corporation Confidence 100

[Empire](https://attack.mitre.org/software/S0363) is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents…
PoshC2 uses

The MITRE Corporation Confidence 100

[PoshC2](https://attack.mitre.org/software/S0378) is an open source remote administration and post-exploitation framework that is publicly available on GitHub. The server-side components of the tool are primarily written in Python, while…

Course Of Action (2)

User Account Management mitigates
Privileged Account Management mitigates

Contact About Legal notice Privacy policy Terms of use