Suspicious SeIncreaseBasePriorityPrivilege Use

 1[metadata]
 2creation_date = "2025/09/25"
 3integration = ["system", "windows"]
 4maturity = "production"
 5updated_date = "2025/09/25"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies attempts to use the SeIncreaseBasePriorityPrivilege privilege by an unusual process. This could be related to
11hijack execution flow of a process via threats priority manipulation.
12"""
13from = "now-9m"
14index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
15language = "kuery"
16license = "Elastic License v2"
17name = "Suspicious SeIncreaseBasePriorityPrivilege Use"
18note = """## Triage and analysis
19
20### Investigating Suspicious SeIncreaseBasePriorityPrivilege Use
21
22SeIncreaseBasePriorityPrivilege allows to increase the priority of processes running on the system so that the CPU scheduler allows them to pre-empt other lower priority processes when the higher priority process has something to do.
23
24### Possible investigation steps
25
26- Review the process.executable reputation and it's execution chain.
27- Investiguate if the SubjectUserName is expected to perform this action.
28- Correlate the event with other security alerts or logs to identify any patterns or additional suspicious activities that might suggest a broader attack campaign.
29- Check the agent health status and verify if there is any tampering with endpoint security processes.
30
31### False positive analysis
32
33- Administrative tasks involving legitimate CPU scheduling priority changes.
34
35### Response and remediation
36
37- Immediately isolate the affected machine from the network to prevent further unauthorized access or lateral movement within the domain.
38- Terminate the processes involved in the execution chain.
39- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to ensure comprehensive remediation efforts are undertaken."""
40references = [
41    "https://github.com/Octoberfest7/ThreadCPUAssignment_POC/tree/main",
42    "https://x.com/sixtyvividtails/status/1970721197617717483",
43    "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4674"
44]
45risk_score = 73
46rule_id = "6fa0f15b-1926-419b-8de2-fce1429797ba"
47setup = """## Setup
48
49Ensure advanced audit policies for Windows are enabled, specifically:
50Audit Sensitive Privilege Use [Event ID 4674](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4674) (An operation was attempted on a privileged object.)

 1"""
 2severity = "high"
 3tags = [
 4    "Domain: Endpoint",
 5    "OS: Windows",
 6    "Use Case: Threat Detection",
 7    "Tactic: Privilege Escalation",
 8    "Data Source: Windows Security Event Logs",
 9    "Resources: Investigation Guide",
10]
11timestamp_override = "event.ingested"
12type = "query"
13
14query = '''
15event.category:iam and event.code:"4674" and
16winlog.event_data.PrivilegeList:"SeIncreaseBasePriorityPrivilege" and event.outcome:"success" and
17winlog.event_data.AccessMask:"512" and not winlog.event_data.SubjectUserSid:("S-1-5-18" or "S-1-5-19" or "S-1-5-20")
18'''
19
20
21[[rule.threat]]
22framework = "MITRE ATT&CK"
23[[rule.threat.technique]]
24id = "T1134"
25name = "Access Token Manipulation"
26reference = "https://attack.mitre.org/techniques/T1134/"
27
28
29[rule.threat.tactic]
30id = "TA0004"
31name = "Privilege Escalation"
32reference = "https://attack.mitre.org/tactics/TA0004/"