| ID | Name |
|---|---|
| ATAGS-T1079.001 | Create Process with Token |
| ATAGS-T1079.002 | Make and Impersonate Token |
| ATAGS-T1079.003 | Parent PID Spoofing |
| ATAGS-T1079.004 | SID-History Injection |
| ATAGS-T1079.005 | Token Impersonation/Theft |

Threat Actors may create a new process with an existing token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as CreateProcessWithTokenW and runas.

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.