A process (often after stealing or creating a token) calls CreateProcessWithTokenW/CreateProcessAsUserW, or uses runas, to spawn a new process whose security context (SID, LogonId, integrity level) differs from its parent's. Chain: (1) suspicious command/API → (2) privileged handle or token duplication/open → (3) new child process running as another user / at higher integrity → (4) optional follow‑on privileged or lateral actions.
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |
| Process Access (DC0035) | WinEventLog:Sysmon | EventCode=10 |
| OS API Execution (DC0021) | ETW:ProcThread | api_call: CreateProcessWithTokenW, CreateProcessAsUserW |
| Logon Session Metadata (DC0088) | WinEventLog:Security | EventCode=4624, 4672 |
| Active Directory Object Modification (DC0066) | WinEventLog:DirectoryService | EventCode=5136 |
| Field | Description |
|---|---|
| TimeWindow | Correlation window between API/handle access and the spawned process (default 5–10 minutes). |
| AllowedImpersonators | Service accounts/binaries legitimately using CreateProcessWithTokenW (e.g., PsExec service, SCCM, backup agents). |
| IntegrityEscalationDelta | Minimum jump in integrity level (e.g., Medium→System) to flag. |
| ParentChildUserMismatch | Treat any parent/child SID or LogonId mismatch as suspicious unless on allow-list. |
| SensitiveTargets | List of processes (e.g., lsass.exe, winlogon.exe, services.exe) whose token access prior to the spawn raises score. |
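As an added example (not part of the original analytic), the following Python correlates the chain above over constructed sample events: a 4688 spawn is scored on parent/child user or LogonId mismatch, integrity jump, and any Sysmon 10 handle to a sensitive target or token API call from the same parent image inside TimeWindow, with AllowedImpersonators suppressing the alert. Field names and tunable values are simplified assumptions, not real telemetry.

```python
import ntpath
from datetime import datetime, timedelta

# Tunables from the table above; the concrete values are assumptions for this example.
TIME_WINDOW = timedelta(minutes=5)
ALLOWED_IMPERSONATORS = {"psexesvc.exe"}
SENSITIVE_TARGETS = {"lsass.exe", "winlogon.exe", "services.exe"}
TOKEN_APIS = {"CreateProcessWithTokenW", "CreateProcessAsUserW"}
INTEGRITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "System": 3}
INTEGRITY_ESCALATION_DELTA = 2  # Medium -> System

def _ts(e):
    return datetime.fromisoformat(e["ts"])

def _name(path):
    return ntpath.basename(path).lower()  # Windows paths, host-independent

def score_spawn(spawn, events):
    """Score one 4688 event against earlier Sysmon 10 / ETW API events from the same parent image."""
    parent = _name(spawn["parent_image"])
    if parent in ALLOWED_IMPERSONATORS:
        return None
    score, reasons = 0, []
    if spawn["parent_user"] != spawn["new_user"] or spawn["parent_logon_id"] != spawn["new_logon_id"]:
        score, reasons = score + 1, reasons + ["parent/child user or LogonId mismatch"]
    delta = INTEGRITY_RANK[spawn["new_integrity"]] - INTEGRITY_RANK[spawn["parent_integrity"]]
    if delta >= INTEGRITY_ESCALATION_DELTA:
        score, reasons = score + 1, reasons + [f"integrity jump {spawn['parent_integrity']}->{spawn['new_integrity']}"]
    window_start = _ts(spawn) - TIME_WINDOW
    for e in events:  # only prior events from the same source image count
        if not (window_start <= _ts(e) <= _ts(spawn)) or _name(e.get("image", "")) != parent:
            continue
        if e["code"] == 10 and _name(e["target_image"]) in SENSITIVE_TARGETS:
            score, reasons = score + 2, reasons + [f"handle to {_name(e['target_image'])} (Sysmon 10)"]
        elif e["code"] == "api" and e["api"] in TOKEN_APIS:
            score, reasons = score + 1, reasons + [f"{e['api']} call (ETW)"]
    return {"child": spawn["new_image"], "score": score, "reasons": reasons} if score else None

def detect(events):
    return [f for f in (score_spawn(e, events) for e in events if e["code"] == 4688) if f]

# Constructed sample telemetry (not real logs): one malicious chain, one allow-listed PsExec spawn, one benign spawn.
SAMPLE = [
    {"ts": "2024-05-01T10:00:00", "code": 10, "image": "C:\\Users\\alice\\tool.exe", "target_image": "C:\\Windows\\System32\\lsass.exe"},
    {"ts": "2024-05-01T10:00:02", "code": "api", "image": "C:\\Users\\alice\\tool.exe", "api": "CreateProcessWithTokenW"},
    {"ts": "2024-05-01T10:00:03", "code": 4688, "parent_image": "C:\\Users\\alice\\tool.exe", "parent_user": "CORP\\alice", "parent_logon_id": "0x4a1b2", "parent_integrity": "Medium", "new_image": "C:\\Windows\\System32\\cmd.exe", "new_user": "NT AUTHORITY\\SYSTEM", "new_logon_id": "0x3e7", "new_integrity": "System"},
    {"ts": "2024-05-01T10:05:00", "code": 4688, "parent_image": "C:\\Windows\\PSEXESVC.exe", "parent_user": "NT AUTHORITY\\SYSTEM", "parent_logon_id": "0x3e7", "parent_integrity": "System", "new_image": "C:\\Windows\\System32\\cmd.exe", "new_user": "CORP\\bob", "new_logon_id": "0x5c9e3", "new_integrity": "High"},
    {"ts": "2024-05-01T10:06:00", "code": 4688, "parent_image": "C:\\Windows\\explorer.exe", "parent_user": "CORP\\alice", "parent_logon_id": "0x4a1b2", "parent_integrity": "Medium", "new_image": "C:\\Windows\\System32\\notepad.exe", "new_user": "CORP\\alice", "new_logon_id": "0x4a1b2", "new_integrity": "Medium"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE):
        print(finding)
```

The single finding for cmd.exe carries all four reasons (score 5); the PsExec-spawned child is suppressed by the allow-list and the explorer.exe spawn scores zero.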