IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Process Created with an Elevated Token

Identifies the creation of a process running as SYSTEM while impersonating the token context of a Windows core binary. Adversaries may create a new process with a different token to escalate privileges and bypass access controls.

Rule type: eql

Rule indices:

  • logs-endpoint.events.process-*

Severity: high

Risk score: 73

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Endpoint
  • OS: Windows
  • Use Case: Threat Detection
  • Tactic: Privilege Escalation
  • Data Source: Elastic Defend
  • Resources: Investigation Guide

Version: 12

Rule authors:

  • Elastic

Rule license: Elastic License v2

Investigation guide

Triage and analysis

Investigating Process Created with an Elevated Token

Possible investigation steps

  • What SYSTEM token path did the alert record?
      • Why: CreateProcessWithTokenW-style abuse creates a process in a supplied token context, so child, OS parent, and effective parent must be interpreted together.
      • Focus: user.id, process.executable, process.command_line, process.parent.executable, and process.Ext.effective_parent.executable.
      • Implication: escalate when a payload or unusual command runs as S-1-5-18 through a Windows effective parent without one exact recognized workflow; lower suspicion only when child, OS parent, and effective parent all bind to the same vendor, update, accessibility, or test activity.
  • Does the OS parent explain why another token was used?
      • Focus: process.parent.executable, process.parent.command_line, process.parent.code_signature.subject_name, and lineage when needed.
      • Implication: escalate when the parent is user-writable, script-driven, remote-tool initiated, unexpectedly signed, or unrelated to the effective parent; lower suspicion when it is a stable signed helper for the same component.
  • Is the created process identity consistent with that workflow?
      • Focus: process.executable, process.hash.sha256, process.pe.original_file_name, and process.code_signature.subject_name.
      • Implication: escalate when the SYSTEM child has an unexpected signer, user-writable path, new hash, or PE-name mismatch; lower suspicion when signer, hash history, path, and parent context all fit the same component.
  • Do the token and session context explain the SYSTEM child?
      • Why: CreateProcessWithTokenW, CreateProcessAsUserW, and runas-style abuse can look ordinary unless token/session context is compared with lineage.
      • Focus: process.Ext.authentication_id, process.Ext.session_info.logon_type, process.Ext.token.integrity_level_name, process.Ext.token.elevation_level, and user.id.
      • Implication: escalate when SYSTEM or full-integrity execution appears in a logon/session context disconnected from the parent or effective parent; lower suspicion when token level and session type match the same service, update, accessibility, or test component.
  • Did the process tree show staging or immediate follow-on execution?
      • Why: token reuse after the first child makes repeated SYSTEM children or fresh executable timing a scope-expansion trigger.
      • Focus: same-host.id child process starts from process.entity_id; review child process.executable, process.command_line, process.Ext.relative_file_creation_time, and process.Ext.relative_file_name_modify_time.
      • Investigate (Timeline query, last 1h): "Child process starts from the SYSTEM process", filtering event.category: process, host.id: {{host.id}}, process.parent.entity_id: {{process.entity_id}}.
      • Hint: if hash or relative-time values are empty, scope with process.executable, process.command_line, process.parent.executable, and process.Ext.effective_parent.executable; broaden only when local evidence stays suspicious or unresolved.
      • Investigate (Timeline query, last 48h): "Process events for the same token-creation pattern", filtering event.category: process, process.executable: {{process.executable}}, process.parent.executable: {{process.parent.executable}}, process.Ext.effective_parent.executable: {{process.Ext.effective_parent.executable}}.
      • Investigate (Timeline query, last 48h): "Alerts associated with the host", filtering event.kind: signal, host.id: {{host.id}}.
      • Investigate (Timeline query, last 48h): "Alerts associated with the user", filtering event.kind: signal, user.id: {{user.id}}.
      • Implication: escalate when the SYSTEM child launches shells, script interpreters, security tools, freshly created or renamed executables, or the same token-creation pattern on unrelated hosts; lower suspicion when descendants and recurrence stay inside the same component pattern.
  • What disposition is supported?
      • Escalate on conflict across child command, parent/effective-parent pair, identity, token/session, or descendants. Close only when the same signed component explains all categories on this host.id; preserve and escalate when any element is missing or contradictory.
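The investigation steps above reduce to a set of consistency checks over the alert and the child process starts collected from the same host. The following Python helper is an added example that walks those checks; it is not part of Elastic's rule or investigation guide. It uses the field names the guide cites, but every event value, the user-writable path roots, the interpreter list, the "fresh file" threshold and the logon-type strings are constructed assumptions for the example.

```python
"""Added example (not from Elastic's rule or investigation guide): a triage
helper that applies the guide's checks to one alert plus the process starts
collected from the same host.id. Field names follow the guide; all sample
values, path roots, lists and thresholds below are constructed assumptions."""
import re

# Assumption: executables under these roots are treated as user-writable.
USER_WRITABLE = re.compile(r"^[a-z]:\\(users|programdata|windows\\temp)\\", re.IGNORECASE)
# Assumption: shells/script interpreters whose start as a SYSTEM descendant widens scope.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
FRESH_SECONDS = 3600  # assumption: a file written within the last hour is "freshly created"
# Assumption about how logon types are encoded in process.Ext.session_info.logon_type.
INTERACTIVE_LOGONS = {"Interactive", "RemoteInteractive"}


def basename(path):
    """Lower-cased file name of a Windows path ('' for a missing path)."""
    return (path or "").rsplit("\\", 1)[-1].lower()


def triage(alert, same_host_events):
    """Apply the guide's checks and return (disposition, findings).
    disposition is 'escalate' on any conflict, otherwise 'consistent', meaning a
    candidate for benign closure once an analyst confirms that one signed
    component explains child, parents, token context and descendants."""
    g = alert.get
    findings = []
    # Steps 1-2: child, OS parent and effective parent are read together.
    if USER_WRITABLE.search(g("process.parent.executable") or ""):
        findings.append("OS parent runs from a user-writable path")
    if USER_WRITABLE.search(g("process.executable") or ""):
        findings.append("SYSTEM child runs from a user-writable path")
    if g("process.parent.code_signature.subject_name") != g("process.code_signature.subject_name"):
        findings.append("OS parent and SYSTEM child are signed by different subjects")
    # Step 3: created-process identity.
    if g("process.code_signature.trusted") is not True:
        findings.append("SYSTEM child has no trusted signature")
    pe_name = (g("process.pe.original_file_name") or "").lower()
    if pe_name and pe_name != basename(g("process.executable")):
        findings.append("PE original file name does not match the executable name")
    # Step 4: token/session context versus lineage.
    if g("process.Ext.session_info.logon_type") in INTERACTIVE_LOGONS:
        findings.append("SYSTEM child was created inside an interactive session")
    # Step 5: descendants of the SYSTEM child on the same host (the guide's Timeline query).
    children = [e for e in same_host_events
                if e.get("host.id") == g("host.id")
                and e.get("process.parent.entity_id") == g("process.entity_id")]
    for c in children:
        name = basename(c.get("process.executable"))
        if name in INTERPRETERS:
            findings.append(f"SYSTEM child started interpreter {name}")
        age = c.get("process.Ext.relative_file_creation_time")
        if age is not None and age < FRESH_SECONDS:
            findings.append(f"SYSTEM child started freshly created executable {name}")
    return ("escalate" if findings else "consistent"), findings


# Constructed alert: unsigned helper in a user-writable path created a SYSTEM shell.
ALERT_SUSPICIOUS = {
    "host.id": "host-A", "process.entity_id": "p-100", "user.id": "S-1-5-18",
    "process.executable": r"C:\Windows\System32\cmd.exe",
    "process.pe.original_file_name": "Cmd.Exe",
    "process.code_signature.trusted": True,
    "process.code_signature.subject_name": "Microsoft Windows",
    "process.parent.executable": r"C:\Users\Public\helper.exe",
    "process.parent.code_signature.subject_name": None,
    "process.Ext.effective_parent.executable": r"C:\Windows\System32\winlogon.exe",
    "process.Ext.session_info.logon_type": "RemoteInteractive",
}
# Constructed child starts on host-A; the third one belongs to an unrelated tree.
EVENTS_HOST_A = [
    {"host.id": "host-A", "process.parent.entity_id": "p-100",
     "process.executable": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "process.Ext.relative_file_creation_time": 9_000_000},
    {"host.id": "host-A", "process.parent.entity_id": "p-100",
     "process.executable": r"C:\Windows\Temp\stage.exe",
     "process.Ext.relative_file_creation_time": 42},
    {"host.id": "host-A", "process.parent.entity_id": "p-999",
     "process.executable": r"C:\Windows\System32\notepad.exe",
     "process.Ext.relative_file_creation_time": 5},
]
# Constructed alert where one signed vendor component explains every category.
ALERT_CONSISTENT = {
    "host.id": "host-B", "process.entity_id": "p-200", "user.id": "S-1-5-18",
    "process.executable": r"C:\Program Files\Example Vendor\agent.exe",
    "process.pe.original_file_name": "agent.exe",
    "process.code_signature.trusted": True,
    "process.code_signature.subject_name": "Example Vendor Ltd",
    "process.parent.executable": r"C:\Windows\ExampleVendor\helper.exe",
    "process.parent.code_signature.subject_name": "Example Vendor Ltd",
    "process.Ext.effective_parent.executable": r"C:\Windows\System32\winlogon.exe",
    "process.Ext.session_info.logon_type": "Service",
}

if __name__ == "__main__":
    for label, alert in (("suspicious", ALERT_SUSPICIOUS), ("consistent", ALERT_CONSISTENT)):
        disposition, findings = triage(alert, EVENTS_HOST_A)
        print(label, "->", disposition, findings)
```

The helper never returns a "close" disposition on its own: the guide closes only when the same signed component explains every category, which is an analyst decision, so the best the code can say is that it found no conflict.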

False positive analysis

  • Treat this alert as unusual until alert-local process evidence proves one component expected to create a SYSTEM process from another token, such as an unexcluded vendor support or accessibility helper, updater/installer, print or error-reporting component, or authorized security test.
  • Confirm benign activity only when identity, parentage, token context, and scope all point to that component: process.executable, process.hash.sha256, process.code_signature.subject_name, process.parent.executable, process.Ext.effective_parent.executable, user.id, and host.id. A trusted signer, Windows path, or component label alone is insufficient.
  • Before adding an exception, validate that the exact child/parent/effective-parent pattern is stable for the same host or managed host group. Build from minimum stable fields, avoiding broad exceptions on process.name, user.name, or ?:\Windows\*.exe alone.

Response and remediation

  • Preserve evidence first: export the alert, process tree, process.entity_id, process.pid, command lines, hashes, signer details, token/session fields, and any descendant process records before containment or process termination.
  • If suspicious but unconfirmed, preserve and scope first. Use reversible containment such as host isolation only when the SYSTEM child is still running, spawning descendants, or recurring beyond one validated workflow; otherwise keep the host connected for evidence collection while escalating.
  • If malicious activity is confirmed, contain the host, block or quarantine confirmed malicious hashes or executables, and suspend or terminate the SYSTEM child only after recording its identifiers and collecting needed memory or file evidence.
  • Eradicate only artifacts and configuration changes identified during investigation or incident response. Remediate the entry path that obtained or duplicated the token, and reset credentials only for accounts tied to confirmed misuse.
  • After recovery, document the confirmed benign workflow or malicious child/parent/effective-parent pattern, and keep any exception scoped to the stable fields that proved the case.

Setup

This rule is designed for data generated by Elastic Defend, which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.

Setup instructions: https://ela.st/install-elastic-defend

Rule query

process where host.os.type == "windows" and event.action == "start" and

  /* CreateProcessWithToken and effective parent is a privileged MS native binary used as a target for token theft */
  user.id == "S-1-5-18" and process.parent.executable != null and

  /* Token Theft target process usually running as service are located in one of the following paths */
  process.Ext.effective_parent.executable : "?:\\Windows\\*.exe" and

  /* Ignores Utility Manager in Windows running in debug mode */
  not (process.Ext.effective_parent.executable : "?:\\Windows\\System32\\Utilman.exe" and
       process.parent.executable : "?:\\Windows\\System32\\Utilman.exe" and process.parent.args : "/debug") and

  /* Ignores Windows print spooler service with correlation to Access Intelligent Form */
  not (process.parent.executable : ("?:\\Windows\\System32\\spoolsv.exe", "?:\\Windows\\System32\\PrintIsolationHost.exe") and
       process.executable : ("?:\\Program Files\\*.exe",
                             "?:\\Program Files (x86)\\*.exe",
                             "?:\\Windows\\System32\\spool\\drivers\\*.exe",
                             "?:\\Windows\\System32\\ROUTE.EXE")) and

  /* Ignores Windows error reporting executables */
  not process.executable : ("?:\\Windows\\System32\\WerFault.exe",
                            "?:\\Windows\\SysWOW64\\WerFault.exe",
                            "?:\\Windows\\System32\\WerFaultSecure.exe",
                            "?:\\Windows\\SysWOW64\\WerFaultSecure.exe",
                            "?:\\windows\\system32\\WerMgr.exe",
                            "?:\\Windows\\SoftwareDistribution\\Download\\Install\\securityhealthsetup.exe") and

  /* Ignores Windows updates from TiWorker.exe that runs with elevated privileges */
  not (process.parent.executable : "?:\\Windows\\WinSxS\\*\\TiWorker.exe" and
       process.executable : ("?:\\Windows\\Microsoft.NET\\Framework*.exe",
                             "?:\\Windows\\WinSxS\\*.exe",
                             "?:\\Windows\\System32\\inetsrv\\iissetup.exe",
                             "?:\\Windows\\SysWOW64\\inetsrv\\iissetup.exe",
                             "?:\\Windows\\System32\\inetsrv\\aspnetca.exe",
                             "?:\\Windows\\SysWOW64\\inetsrv\\aspnetca.exe",
                             "?:\\Windows\\System32\\lodctr.exe",
                             "?:\\Windows\\SysWOW64\\lodctr.exe",
                             "?:\\Windows\\System32\\netcfg.exe",
                             "?:\\Windows\\Microsoft.NET\\Framework*\\*\\ngen.exe",
                             "?:\\Windows\\Microsoft.NET\\Framework*\\*\\aspnet_regiis.exe")) and

  /* Ignores additional parent executables that run with elevated privileges */
  not process.parent.executable : ("?:\\Windows\\System32\\AtBroker.exe",
                                   "?:\\Windows\\system32\\svchost.exe",
                                   "?:\\Program Files (x86)\\*.exe",
                                   "?:\\Program Files\\*.exe",
                                   "?:\\Windows\\System32\\msiexec.exe",
                                   "?:\\Windows\\System32\\DriverStore\\*",
                                   "?:\\Windows\\LTSvc\\*\\Update.exe") and

  /* Ignores Windows binaries with a trusted signature and specific signature name */
  not (process.code_signature.trusted == true and
       process.code_signature.subject_name : ("philandro Software GmbH",
                                              "Freedom Scientific Inc.",
                                              "TeamViewer Germany GmbH",
                                              "Projector.is, Inc.",
                                              "TeamViewer GmbH",
                                              "Cisco WebEx LLC",
                                              "Dell Inc",
                                              "Sophos Ltd",
                                              "Sophos Limited",
                                              "Brother Industries, Ltd.",
                                              "MILVUS INOVACOES EM SOFTWARE LTDA",
                                              "Chocolatey Software, Inc")) and

  /* Ignores servicing-stack updates started by TrustedInstaller */
  not (process.Ext.effective_parent.executable : "?:\\Windows\\servicing\\TrustedInstaller.exe" and
       process.executable : "C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_*\\TiWorker.exe") and

  not process.Ext.effective_parent.executable : "?:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\ServicePortalAgent\\current\\emulator\\MmrAgent.NetFxEmulator.exe"
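To make the query's semantics concrete, the block below is an added Python re-implementation of the rule's logic, run over constructed Elastic Defend process-start events that use the same flattened ECS field names; it is example code, not Elastic's rule engine, and the event values (paths, signer, SIDs) are constructed. The only piece that needs care is the EQL `:` operator, which is a case-insensitive wildcard comparison (`?` is one character, `*` any run) and, on an array field such as process.parent.args, matches when any element matches.

```python
"""Added example, not Elastic's code: the rule query's logic re-implemented in
plain Python and run over constructed Elastic Defend process-start events that
use the same flattened ECS field names the query refers to."""
import re


def eql_match(value, patterns):
    """Mimic the EQL ':' operator: case-insensitive wildcard comparison where
    '?' is exactly one character and '*' any run; an array field matches when
    any element matches."""
    if value is None:
        return False
    if isinstance(value, list):
        return any(eql_match(v, patterns) for v in value)
    if isinstance(patterns, str):
        patterns = (patterns,)
    for p in patterns:
        regex = re.escape(p).replace(r"\*", ".*").replace(r"\?", ".")
        if re.fullmatch(regex, value, flags=re.IGNORECASE):
            return True
    return False


# Exclusion lists copied from the query (EQL "\\" written as Python raw strings).
WER_EXES = (r"?:\Windows\System32\WerFault.exe", r"?:\Windows\SysWOW64\WerFault.exe",
            r"?:\Windows\System32\WerFaultSecure.exe", r"?:\Windows\SysWOW64\WerFaultSecure.exe",
            r"?:\windows\system32\WerMgr.exe",
            r"?:\Windows\SoftwareDistribution\Download\Install\securityhealthsetup.exe")
SPOOLER_PARENTS = (r"?:\Windows\System32\spoolsv.exe", r"?:\Windows\System32\PrintIsolationHost.exe")
SPOOLER_CHILDREN = (r"?:\Program Files\*.exe", r"?:\Program Files (x86)\*.exe",
                    r"?:\Windows\System32\spool\drivers\*.exe", r"?:\Windows\System32\ROUTE.EXE")
TIWORKER_CHILDREN = (r"?:\Windows\Microsoft.NET\Framework*.exe", r"?:\Windows\WinSxS\*.exe",
                     r"?:\Windows\System32\inetsrv\iissetup.exe", r"?:\Windows\SysWOW64\inetsrv\iissetup.exe",
                     r"?:\Windows\System32\inetsrv\aspnetca.exe", r"?:\Windows\SysWOW64\inetsrv\aspnetca.exe",
                     r"?:\Windows\System32\lodctr.exe", r"?:\Windows\SysWOW64\lodctr.exe",
                     r"?:\Windows\System32\netcfg.exe", r"?:\Windows\Microsoft.NET\Framework*\*\ngen.exe",
                     r"?:\Windows\Microsoft.NET\Framework*\*\aspnet_regiis.exe")
EXCLUDED_PARENTS = (r"?:\Windows\System32\AtBroker.exe", r"?:\Windows\system32\svchost.exe",
                    r"?:\Program Files (x86)\*.exe", r"?:\Program Files\*.exe",
                    r"?:\Windows\System32\msiexec.exe", r"?:\Windows\System32\DriverStore\*",
                    r"?:\Windows\LTSvc\*\Update.exe")
EXCLUDED_SIGNERS = ("philandro Software GmbH", "Freedom Scientific Inc.", "TeamViewer Germany GmbH",
                    "Projector.is, Inc.", "TeamViewer GmbH", "Cisco WebEx LLC", "Dell Inc", "Sophos Ltd",
                    "Sophos Limited", "Brother Industries, Ltd.", "MILVUS INOVACOES EM SOFTWARE LTDA",
                    "Chocolatey Software, Inc")


def rule_matches(e):
    """True when the event would raise this alert; each 'not (...)' clause of
    the query is one early return."""
    g = e.get
    child, parent = g("process.executable"), g("process.parent.executable")
    eff = g("process.Ext.effective_parent.executable")
    if g("host.os.type") != "windows" or g("event.action") != "start":
        return False
    if g("user.id") != "S-1-5-18" or parent is None:
        return False
    if not eql_match(eff, r"?:\Windows\*.exe"):
        return False
    if (eql_match(eff, r"?:\Windows\System32\Utilman.exe")
            and eql_match(parent, r"?:\Windows\System32\Utilman.exe")
            and eql_match(g("process.parent.args"), "/debug")):
        return False
    if eql_match(parent, SPOOLER_PARENTS) and eql_match(child, SPOOLER_CHILDREN):
        return False
    if eql_match(child, WER_EXES):
        return False
    if eql_match(parent, r"?:\Windows\WinSxS\*\TiWorker.exe") and eql_match(child, TIWORKER_CHILDREN):
        return False
    if eql_match(parent, EXCLUDED_PARENTS):
        return False
    if g("process.code_signature.trusted") is True and eql_match(
            g("process.code_signature.subject_name"), EXCLUDED_SIGNERS):
        return False
    if (eql_match(eff, r"?:\Windows\servicing\TrustedInstaller.exe") and eql_match(
            child, r"C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_*\TiWorker.exe")):
        return False
    if eql_match(eff, r"?:\Windows\ServiceProfiles\LocalService\AppData\Local\ServicePortalAgent"
                      r"\current\emulator\MmrAgent.NetFxEmulator.exe"):
        return False
    return True


def make_event(**fields):
    """Constructed process-start event; only the fields the rule reads are set."""
    e = {"host.os.type": "windows", "event.action": "start", "user.id": "S-1-5-18"}
    e.update(fields)
    return e


WINLOGON = r"C:\Windows\System32\winlogon.exe"
SAMPLE_EVENTS = {  # all values constructed for this example
    # unsigned helper in a user-writable path starts a SYSTEM shell in winlogon's token context
    "suspicious": make_event(**{"process.executable": r"C:\Windows\System32\cmd.exe",
                                "process.parent.executable": r"C:\Users\Public\helper.exe",
                                "process.Ext.effective_parent.executable": WINLOGON}),
    "utilman_debug": make_event(**{"process.executable": r"C:\Windows\System32\osk.exe",
                                   "process.parent.executable": r"C:\Windows\System32\Utilman.exe",
                                   "process.parent.args": ["/debug"],
                                   "process.Ext.effective_parent.executable": r"C:\Windows\System32\Utilman.exe"}),
    "signed_vendor": make_event(**{"process.executable": r"C:\Program Files\Example Vendor\remote.exe",
                                   "process.parent.executable": WINLOGON,
                                   "process.Ext.effective_parent.executable": WINLOGON,
                                   "process.code_signature.trusted": True,
                                   "process.code_signature.subject_name": "TeamViewer GmbH"}),
    "non_system": make_event(**{"user.id": "S-1-5-21-1000-2000-3000-1001",
                                "process.executable": r"C:\Windows\System32\cmd.exe",
                                "process.parent.executable": r"C:\Users\Public\helper.exe",
                                "process.Ext.effective_parent.executable": WINLOGON}),
}


def evaluate_all():
    """Map each sample event name to whether the rule would fire on it."""
    return {name: rule_matches(e) for name, e in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, fired in evaluate_all().items():
        print(f"{name:14s} -> {'ALERT' if fired else 'no alert'}")
```

Only the first sample fires: the other three are dropped by the user.id condition, the Utilman debug exclusion and the signer exclusion respectively, which is also a quick way to see why an exception on a signer name alone (as the false-positive notes warn) removes visibility for every child that signer produces.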

Framework: MITRE ATT&CK™