Suspicious SeIncreaseBasePriorityPrivilege Use

Identifies attempts to use the SeIncreaseBasePriorityPrivilege privilege by an unusual process. This could be related to hijacking a process's execution flow via thread priority manipulation.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2025/09/25"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2026/05/03"

[rule]
author = ["Elastic"]
description = """
Identifies attempts to use the SeIncreaseBasePriorityPrivilege privilege by an unusual process. This could be related to
hijack execution flow of a process via threats priority manipulation.
"""
from = "now-9m"
index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
language = "kuery"
license = "Elastic License v2"
name = "Suspicious SeIncreaseBasePriorityPrivilege Use"
references = [
    "https://github.com/Octoberfest7/ThreadCPUAssignment_POC/tree/main",
    "https://x.com/sixtyvividtails/status/1970721197617717483",
    "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4674"
]
risk_score = 73
rule_id = "6fa0f15b-1926-419b-8de2-fce1429797ba"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Privilege Escalation",
    "Data Source: Windows Security Event Logs",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.category:iam and host.os.type:"windows" and event.code:"4674" and
winlog.event_data.PrivilegeList:"SeIncreaseBasePriorityPrivilege" and event.outcome:"success" and
winlog.event_data.AccessMask:"512" and not winlog.event_data.SubjectUserSid:("S-1-5-18" or "S-1-5-19" or "S-1-5-20")
'''

note = """## Triage and analysis

### Investigating Suspicious SeIncreaseBasePriorityPrivilege Use

#### Possible investigation steps

- What priority-change path did 4674 preserve?
  - Why: this privilege manipulates process or thread priority; the target object matters as much as the requester.
  - Focus: Security 4674 on `host.id`: `winlog.event_data.PrivilegeList`, `winlog.event_data.AccessMask`, `winlog.event_data.ProcessName`, `winlog.event_data.ObjectType`, and `winlog.event_data.ObjectName`.
  - Hint: sparse or numeric-only `winlog.event_data.ObjectName` is the main visibility gap; keep the target unresolved and use same-session Security records, not assumed self-tuning.
  - Implication: escalate when the object is a "Process" or "Thread" tied to security tooling, LSASS, or another user's workload; lower suspicion only when requester, object, and `host.name` fit bounded tuning or testing.

- Is the requesting image path expected for priority control on this host?
  - Focus: `winlog.event_data.ProcessName`, `winlog.event_data.ProcessId`, `winlog.event_data.SubjectUserSid`, `host.name`, and `@timestamp`.
  - Hint: `winlog.event_data.ProcessId` is hexadecimal; use it only inside a tight host/time window; PID reuse can mislead.
  - Implication: escalate when the path is user-writable, temporary, renamed, or unrelated to local tuning; treat a recurring full path and SID as identity support, not closure, until object and session evidence align.

- Which subject and local session requested this privilege use?
  - Focus: `winlog.event_data.SubjectUserSid`, `winlog.event_data.SubjectUserName`, `winlog.event_data.SubjectDomainName`, and `winlog.event_data.SubjectLogonId`.
  - Implication: escalate when a normal user, rare admin, machine account, or service account lacks a clear scheduling-priority role; matching SID, domain, and session support benignity only with matching requester and object evidence.

- Does the 4624 session origin fit a priority-tuning operator?
  - Focus: on the same `host.id`, match alert `winlog.event_data.SubjectLogonId` to 4624 `winlog.event_data.TargetLogonId`, then read `source.ip`, `winlog.logon.type`, and `winlog.event_data.AuthenticationPackageName`.
  - Hint: query `event.code` 4624 with alert `host.id` and `winlog.event_data.TargetLogonId`; search backward from `@timestamp` because the session can predate 4674. $investigate_0 Missing 4624 or empty `source.ip` is unresolved, not benign.
  - Implication: escalate when source, logon type, or authentication method is rare for `host.name` or subject SID; matching origin supports authorized tuning only after requester path and target object fit.

- Do surrounding Security records show repeated or multi-target priority use by the same requester?
  - Focus: Security events around `@timestamp` on the same `host.id`, grouped by `winlog.event_data.SubjectLogonId`, `winlog.event_data.ProcessId`, `winlog.event_data.ProcessName`, and `winlog.event_data.ObjectName`.
  - Hint: start in the alert window with `event.code` 4674 and alert `winlog.event_data.SubjectLogonId`; expand only if the same session continues around `@timestamp`. Add `event.outcome` to separate failed attempts from successful use. $investigate_1
  - Implication: escalate when one session or requester touches multiple process/thread objects, repeats against security targets, or continues after failures; a single 4674 keeps scope local but still requires requester, object, and session answers for closure.

- If local evidence is suspicious or unresolved, do related alerts expand scope or urgency?
  - Focus: related alerts for the same `host.id`, prioritizing privilege abuse, defense evasion, security-tool interference, service-control, or authentication findings. $investigate_2
  - Hint: if the subject remains suspicious, use the subject pivot; use the `user.id` provider only after confirming it maps to `winlog.event_data.SubjectUserSid`. $investigate_3
  - Implication: broaden scope when the host or user also shows privilege escalation, defense evasion, or unusual authentication; keep scope local when related alerts are absent and 4674/session evidence supports bounded work.

- Escalate for unauthorized process/thread priority manipulation or security-tool interference; close only when object, requester, subject, session, and related alerts bind to one authorized tuning or troubleshooting workflow; preserve 4674 and recovered 4624 evidence and escalate when sparse object or session evidence leaves suspicious findings unresolved.

### False positive analysis

- Performance engineering, benchmark, QA, vendor, or internal support work can trigger when an administrator adjusts scheduling priority or CPU assignment for a test or latency-sensitive workload. Confirm only when `winlog.event_data.ProcessName`, `winlog.event_data.ObjectType`, `winlog.event_data.ObjectName`, `winlog.event_data.SubjectUserSid`, recovered `source.ip`, and `winlog.logon.type` align with the same recognized host, accounts, and workload. If records are unavailable, require telemetry-only recurrence of the same full requester path, SID, object family, and host class before treating as benign.
- If the target object is sparse or numeric-only, do not close solely on tool name or user claim.
- Before creating an exception, validate that `winlog.event_data.ProcessName`, `winlog.event_data.ObjectType`, `winlog.event_data.ObjectName`, `winlog.event_data.SubjectUserSid`, `host.id`, and recovered `source.ip` or `winlog.logon.type` stay stable across known-benign occurrences. Build the exception from that minimum confirmed pattern; avoid exceptions on `winlog.event_data.PrivilegeList` or `user.name` alone.

### Response and remediation

- If confirmed benign, reverse temporary containment and document the validated `winlog.event_data.ProcessName`, `winlog.event_data.ObjectType`, `winlog.event_data.ObjectName`, `winlog.event_data.SubjectUserSid`, recovered `source.ip`, `winlog.logon.type`, and `host.id` values proving the tuning or troubleshooting workflow. Create an exception only after the same pattern repeats benignly.
- If suspicious but unconfirmed, preserve a case export of triggering 4674, recovered 4624 session record, surrounding same-session Security records, and related-alert links before containment. Record requester path and PID, subject SID, target object, session origin, and event time as case anchors.
- If suspicious but unconfirmed, apply reversible containment first, such as restricting the subject's remote access, pausing the support workflow, or raising monitoring on `host.id`. Escalate to host isolation or account disablement only if the target maps to a security-critical process, related alerts show additional privilege abuse or defense evasion, or the recovered session suggests credential misuse.
- If confirmed malicious, isolate the host when the object, requester, session, or related-alert evidence shows unauthorized priority manipulation of a security-critical process or another user's workload. Record the requester path and PID, subject SID, target object, recovered session origin, and event time before stopping processes or deleting tooling.
- Reset or suspend the implicated account only when the recovered session and related alerts show likely credential misuse, and review other hosts for the same `winlog.event_data.ProcessName`, `winlog.event_data.ObjectName`, or `winlog.event_data.SubjectUserSid` before eradicating artifacts so scoping finishes before evidence is destroyed.
- Eradicate only the unauthorized tuning or interference tooling and any persistence or launcher artifacts identified during the investigation, then restore affected security or service configurations to a known-good state.
- Hardening: restrict assignment of "SeIncreaseBasePriorityPrivilege" to the smallest admin cohort, retain Security 4674 and 4624 visibility, and record visibility gaps that limited the case decision.
"""

setup = """## Setup

Audit Sensitive Privilege Use must be enabled to generate the events used by this rule.
Setup instructions: https://ela.st/audit-sensitive-privilege-use
"""

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "event.outcome",
    "host.id",
    "user.id",
    "winlog.event_data.SubjectUserName",
    "winlog.event_data.SubjectUserSid",
    "winlog.event_data.SubjectLogonId",
    "winlog.event_data.ProcessName",
    "winlog.event_data.ProcessId",
    "winlog.event_data.ObjectType",
    "winlog.event_data.ObjectName",
    "winlog.event_data.PrivilegeList",
    "winlog.event_data.AccessMask",
    "winlog.activity_id",
]

[transform]

[[transform.investigate]]
label = "Linked logon for the priority-change session"
description = ""
providers = [
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "event.code", queryType = "phrase", value = "4624", valueType = "string" },
    { excluded = false, field = "winlog.event_data.TargetLogonId", queryType = "phrase", value = "{{winlog.event_data.SubjectLogonId}}", valueType = "string" }
  ]
]
relativeFrom = "now-24h/h"
relativeTo = "now"

[[transform.investigate]]
label = "4674 priority-use events from this requester session"
description = ""
providers = [
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "event.code", queryType = "phrase", value = "4674", valueType = "string" },
    { excluded = false, field = "winlog.event_data.SubjectLogonId", queryType = "phrase", value = "{{winlog.event_data.SubjectLogonId}}", valueType = "string" },
    { excluded = false, field = "winlog.event_data.ProcessId", queryType = "phrase", value = "{{winlog.event_data.ProcessId}}", valueType = "string" }
  ],
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "event.code", queryType = "phrase", value = "4674", valueType = "string" },
    { excluded = false, field = "winlog.event_data.SubjectLogonId", queryType = "phrase", value = "{{winlog.event_data.SubjectLogonId}}", valueType = "string" },
    { excluded = false, field = "winlog.event_data.ProcessName", queryType = "phrase", value = "{{winlog.event_data.ProcessName}}", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Alerts associated with the host"
description = ""
providers = [
  [
    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "Alerts associated with the subject"
description = ""
providers = [
  [
    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
    { excluded = false, field = "winlog.event_data.SubjectUserSid", queryType = "phrase", value = "{{winlog.event_data.SubjectUserSid}}", valueType = "string" }
  ],
  [
    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
    { excluded = false, field = "user.id", queryType = "phrase", value = "{{user.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1134"
name = "Access Token Manipulation"
reference = "https://attack.mitre.org/techniques/T1134/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
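The rule's query predicate, the 4624 session pivot (alert SubjectLogonId matched to 4624 TargetLogonId, searched backward on the same host.id) and the same-session 4674 grouping from the investigation guide, worked through as an added Python example. This is not code from the Elastic rule or the detection-rules project. It assumes ECS-shaped event dictionaries of the kind the system integration ships; the host id, SIDs, logon ids, process paths, source IP and timestamps are constructed, and the whitespace-token check on PrivilegeList is an assumed approximation of the KQL match on that field.

```python
# Added example, not code from the Elastic rule or the detection-rules project:
# it replays the rule's KQL predicate over constructed Windows Security records,
# then runs the 4624 session pivot and the same-session 4674 grouping that the
# investigation guide describes. Every event value below is constructed.
from typing import Dict, List, Optional

SYSTEM_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}  # SIDs the rule excludes


def matches_rule(event: Dict) -> bool:
    """Python equivalent of the rule query. PrivilegeList can list several
    privileges, so membership is tested on whitespace-separated tokens (assumed
    to approximate the KQL match on that field)."""
    ev = event.get("event", {})
    data = event.get("winlog", {}).get("event_data", {})
    return (
        "iam" in ev.get("category", [])
        and event.get("host", {}).get("os", {}).get("type") == "windows"
        and ev.get("code") == "4674"
        and "SeIncreaseBasePriorityPrivilege" in data.get("PrivilegeList", "").split()
        and ev.get("outcome") == "success"
        and data.get("AccessMask") == "512"
        and data.get("SubjectUserSid") not in SYSTEM_SIDS
    )


def find_logon(alert: Dict, events: List[Dict]) -> Optional[Dict]:
    """4624 pivot: same host.id, 4624 TargetLogonId equal to the alert's
    SubjectLogonId, searched backward from the alert timestamp."""
    host, data = alert["host"]["id"], alert["winlog"]["event_data"]
    candidates = [
        e for e in events
        if e["event"]["code"] == "4624" and e["host"]["id"] == host
        and e["winlog"]["event_data"].get("TargetLogonId") == data["SubjectLogonId"]
        and e["@timestamp"] <= alert["@timestamp"]
    ]
    # ISO-8601 UTC strings sort chronologically, so max() gives the latest logon.
    return max(candidates, key=lambda e: e["@timestamp"], default=None)


def same_session_4674(alert: Dict, events: List[Dict]) -> List[Dict]:
    """Every 4674 on the same host from the same logon session, so repeated or
    multi-target privilege use becomes visible."""
    host, logon_id = alert["host"]["id"], alert["winlog"]["event_data"]["SubjectLogonId"]
    return [
        e for e in events
        if e["event"]["code"] == "4674" and e["host"]["id"] == host
        and e["winlog"]["event_data"].get("SubjectLogonId") == logon_id
    ]


def triage(alert: Dict, events: List[Dict]) -> Dict:
    """Session origin plus same-session scope; a missing 4624 leaves the session
    unresolved (source_ip/logon_type None) rather than benign."""
    logon = find_logon(alert, events)
    session = same_session_4674(alert, events)
    return {
        "session_resolved": logon is not None,
        "source_ip": logon.get("source", {}).get("ip") if logon else None,
        "logon_type": logon["winlog"].get("logon", {}).get("type") if logon else None,
        "same_session_4674": len(session),
        "distinct_objects": sorted({e["winlog"]["event_data"].get("ObjectName", "") for e in session}),
    }


def _event(code, ts, data, category="iam", source_ip=None, logon_type=None) -> Dict:
    """Minimal ECS-shaped record; the host id is a constructed placeholder."""
    ev = {"@timestamp": ts, "event": {"category": [category], "code": code, "outcome": "success"},
          "host": {"id": "host-constructed-01", "os": {"type": "windows"}}, "winlog": {"event_data": data}}
    if source_ip:
        ev["source"] = {"ip": source_ip}
    if logon_type:
        ev["winlog"]["logon"] = {"type": logon_type}
    return ev


USER_SID = "S-1-5-21-1000-2000-3000-1001"  # constructed domain user
PRIV = {"PrivilegeList": "SeIncreaseBasePriorityPrivilege", "AccessMask": "512"}
TEMP_EXE = r"C:\Users\alice\AppData\Local\Temp\tune.exe"  # constructed user-writable path
SAMPLE_EVENTS = [
    # Logon opening session 0x5a3c1: the 4624 the pivot should recover.
    _event("4624", "2025-09-25T10:00:00Z", {"TargetLogonId": "0x5a3c1", "AuthenticationPackageName": "NTLM"},
           category="authentication", source_ip="10.0.0.5", logon_type="RemoteInteractive"),
    # Two priority changes from that session: a thread, then a numeric-only process object.
    _event("4674", "2025-09-25T10:05:00Z", {**PRIV, "SubjectUserSid": USER_SID, "SubjectLogonId": "0x5a3c1",
           "ProcessName": TEMP_EXE, "ObjectType": "Thread", "ObjectName": "-"}),
    _event("4674", "2025-09-25T10:06:00Z", {**PRIV, "SubjectUserSid": USER_SID, "SubjectLogonId": "0x5a3c1",
           "ProcessName": TEMP_EXE, "ObjectType": "Process", "ObjectName": "4120"}),
    # SYSTEM using the privilege: dropped by the SID exclusion.
    _event("4674", "2025-09-25T10:07:00Z", {**PRIV, "SubjectUserSid": "S-1-5-18", "SubjectLogonId": "0x3e7",
           "ProcessName": r"C:\Windows\System32\svchost.exe", "ObjectType": "Process", "ObjectName": "-"}),
    # Different access mask, and a session with no recoverable 4624.
    _event("4674", "2025-09-25T10:08:00Z", {**PRIV, "AccessMask": "2048", "SubjectUserSid": USER_SID,
           "SubjectLogonId": "0x7b2", "ProcessName": r"C:\Tools\bench.exe", "ObjectType": "Process", "ObjectName": "-"}),
]

if __name__ == "__main__":
    for alert in (e for e in SAMPLE_EVENTS if matches_rule(e)):
        print(alert["@timestamp"], alert["winlog"]["event_data"]["ProcessName"], triage(alert, SAMPLE_EVENTS))
```

Running the file prints one triage summary per record the predicate selects: both hits come from the same RemoteInteractive session and touch two distinct objects, which is the multi-target pattern the guide says to escalate on. Calling `triage` on the record whose session has no 4624 returns `session_resolved` False with no source IP, mirroring the guide's point that a missing logon record is unresolved rather than benign.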
