SeDebugPrivilege Enabled by a Suspicious Process
Identifies the creation of a process running as SYSTEM and impersonating a Windows core binary privileges. Adversaries may create a new process with a different token to escalate privileges and bypass access controls.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2022/10/20"
3integration = ["windows", "system"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies the creation of a process running as SYSTEM and impersonating a Windows core binary privileges. Adversaries
11may create a new process with a different token to escalate privileges and bypass access controls.
12"""
13from = "now-9m"
14index = ["winlogbeat-*", "logs-windows.*", "logs-system.security*"]
15language = "eql"
16license = "Elastic License v2"
17name = "SeDebugPrivilege Enabled by a Suspicious Process"
18references = [
19 "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4703",
20 "https://blog.palantir.com/windows-privilege-abuse-auditing-detection-and-defense-3078a403d74e",
21]
22risk_score = 47
23rule_id = "97020e61-e591-4191-8a3b-2861a2b887cd"
24setup = """## Setup
25
26Windows Event 4703 logs Token Privileges changes and need to be configured (Enable).
27
28Steps to implement the logging policy with Advanced Audit Configuration:
Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policies Configuration > Audit Policies > Detailed Tracking > Token Right Adjusted Events (Success)
1"""
2severity = "medium"
3tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation"]
4timestamp_override = "event.ingested"
5type = "eql"
6
7query = '''
8any where host.os.type == "windows" and event.provider: "Microsoft-Windows-Security-Auditing" and
9 event.action : "Token Right Adjusted Events" and
10
11 winlog.event_data.EnabledPrivilegeList : "SeDebugPrivilege" and
12
13 /* exclude processes with System Integrity */
14 not winlog.event_data.SubjectUserSid : ("S-1-5-18", "S-1-5-19", "S-1-5-20") and
15
16 not winlog.event_data.ProcessName :
17 ("?:\\Windows\\System32\\msiexec.exe",
18 "?:\\Windows\\SysWOW64\\msiexec.exe",
19 "?:\\Windows\\System32\\lsass.exe",
20 "?:\\Windows\\WinSxS\\*",
21 "?:\\Program Files\\*",
22 "?:\\Program Files (x86)\\*",
23 "?:\\Windows\\System32\\MRT.exe",
24 "?:\\Windows\\System32\\cleanmgr.exe",
25 "?:\\Windows\\System32\\taskhostw.exe",
26 "?:\\Windows\\System32\\mmc.exe",
27 "?:\\Users\\*\\AppData\\Local\\Temp\\*-*\\DismHost.exe",
28 "?:\\Windows\\System32\\auditpol.exe",
29 "?:\\Windows\\System32\\wbem\\WmiPrvSe.exe",
30 "?:\\Windows\\SysWOW64\\wbem\\WmiPrvSe.exe")
31'''
32
33
34[[rule.threat]]
35framework = "MITRE ATT&CK"
36[[rule.threat.technique]]
37id = "T1134"
38name = "Access Token Manipulation"
39reference = "https://attack.mitre.org/techniques/T1134/"
40
41
42[rule.threat.tactic]
43id = "TA0004"
44name = "Privilege Escalation"
45reference = "https://attack.mitre.org/tactics/TA0004/"
References
-
Describes security event 4703(S) A user right was adjusted. This event is generated when token privileges are enabled or disabled for a specific account.
Read More -
Privileges are an important native security control in Windows. As the name suggests, privileges grant rights for accounts to perform…
Read More
Related rules
- Account Discovery Command via SYSTEM Account
- Component Object Model Hijacking
- Conhost Spawned By Suspicious Parent Process
- Disabling User Account Control via Registry Modification
- Expired or Revoked Driver Loaded