SeDebugPrivilege Enabled by a Suspicious Process
Identifies the creation of a process running as SYSTEM and impersonating a Windows core binary privileges. Adversaries may create a new process with a different token to escalate privileges and bypass access controls.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2022/10/20"
3integration = ["windows", "system"]
4maturity = "production"
5updated_date = "2024/10/15"
6min_stack_version = "8.14.0"
7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies the creation of a process running as SYSTEM and impersonating a Windows core binary privileges. Adversaries
13may create a new process with a different token to escalate privileges and bypass access controls.
14"""
15from = "now-9m"
16index = ["winlogbeat-*", "logs-windows.*", "logs-system.security*"]
17language = "eql"
18license = "Elastic License v2"
19name = "SeDebugPrivilege Enabled by a Suspicious Process"
20references = [
21 "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4703",
22 "https://blog.palantir.com/windows-privilege-abuse-auditing-detection-and-defense-3078a403d74e",
23]
24risk_score = 47
25rule_id = "97020e61-e591-4191-8a3b-2861a2b887cd"
26setup = """## Setup
27
28Windows Event 4703 logs Token Privileges changes and need to be configured (Enable).
29
30Steps to implement the logging policy with Advanced Audit Configuration:
Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policies Configuration > Audit Policies > Detailed Tracking > Token Right Adjusted Events (Success)
1"""
2severity = "medium"
3tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: System"]
4timestamp_override = "event.ingested"
5type = "eql"
6
7query = '''
8any where host.os.type == "windows" and event.provider: "Microsoft-Windows-Security-Auditing" and
9 event.action : "Token Right Adjusted Events" and
10
11 winlog.event_data.EnabledPrivilegeList : "SeDebugPrivilege" and
12
13 /* exclude processes with System Integrity */
14 not winlog.event_data.SubjectUserSid : ("S-1-5-18", "S-1-5-19", "S-1-5-20") and
15
16 not winlog.event_data.ProcessName :
17 ("?:\\Windows\\System32\\msiexec.exe",
18 "?:\\Windows\\SysWOW64\\msiexec.exe",
19 "?:\\Windows\\System32\\lsass.exe",
20 "?:\\Windows\\WinSxS\\*",
21 "?:\\Program Files\\*",
22 "?:\\Program Files (x86)\\*",
23 "?:\\Windows\\System32\\MRT.exe",
24 "?:\\Windows\\System32\\cleanmgr.exe",
25 "?:\\Windows\\System32\\taskhostw.exe",
26 "?:\\Windows\\System32\\mmc.exe",
27 "?:\\Users\\*\\AppData\\Local\\Temp\\*-*\\DismHost.exe",
28 "?:\\Windows\\System32\\auditpol.exe",
29 "?:\\Windows\\System32\\wbem\\WmiPrvSe.exe",
30 "?:\\Windows\\SysWOW64\\wbem\\WmiPrvSe.exe")
31'''
32
33
34[[rule.threat]]
35framework = "MITRE ATT&CK"
36[[rule.threat.technique]]
37id = "T1134"
38name = "Access Token Manipulation"
39reference = "https://attack.mitre.org/techniques/T1134/"
40
41
42[rule.threat.tactic]
43id = "TA0004"
44name = "Privilege Escalation"
45reference = "https://attack.mitre.org/tactics/TA0004/"
References
-
Describes security event 4703(S) A user right was adjusted. This event is generated when token privileges are enabled or disabled for a specific account.
Read More
Related rules
- Access to a Sensitive LDAP Attribute
- Group Policy Abuse for Privilege Addition
- Interactive Logon by an Unusual Process
- Potential Credential Access via DCSync
- Potential Exploitation of an Unquoted Service Path Vulnerability