SeDebugPrivilege Enabled by a Suspicious Process
Identifies a process running with a non-SYSTEM account that enables the SeDebugPrivilege privilege. Adversaries may enable this privilege to debug and modify other processes, typically reserved for system-level tasks, to escalate privileges and bypass access controls.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Privilege Escalation | T1134 Access Token Manipulation |
| Defense Evasion | T1134 Access Token Manipulation |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 4703 | A user right was adjusted. |
Stages and Predicates
Stage 1: eql:any
not winlog.event_data.ProcessName:"?:\\Program Files (x86)\\*" and not winlog.event_data.SubjectUserSid:"S-1-5-18" and event.action:"Token Right Adjusted Events" and event.provider:"Microsoft-Windows-Security-Auditing" and winlog.event_data.EnabledPrivilegeList:"SeDebugPrivilege"
Exclusions
Top-level NOT(...) conjuncts — predicates this rule actively suppresses.
| Stage | Field | Kind | Excluded values |
|---|---|---|---|
| 1 | SubjectUserSid | eq | S-1-5-18, S-1-5-19, S-1-5-20 |
| 2 | process_name | wildcard | ?:\Program Files (x86)\*, ?:\Program Files\*, ?:\Users\*\AppData\Local\Temp\*-*\DismHost.exe, ?:\Windows\System32\auditpol.exe, ?:\Windows\System32\cleanmgr.exe, ?:\Windows\System32\lsass.exe, ?:\Windows\System32\mmc.exe, ?:\Windows\System32\MRT.exe, ?:\Windows\System32\msiexec.exe, ?:\Windows\System32\sdiagnhost.exe, ?:\Windows\System32\ServerManager.exe, ?:\Windows\System32\taskhostw.exe, ?:\Windows\System32\wbem\WmiPrvSe.exe, ?:\Windows\System32\WerFault.exe, ?:\Windows\SysWOW64\msiexec.exe, ?:\Windows\SysWOW64\wbem\WmiPrvSe.exe, ?:\Windows\SysWOW64\WerFault.exe, ?:\Windows\WinSxS\* |
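As an added example (not Elastic's rule code), the Stage 1 predicate together with the SID and process-path exclusions above, implemented in Python and run over constructed 4703 events. The process-path list is shortened to a few of the entries in the table, and the sample SIDs and paths are made up.

```python
from fnmatch import fnmatchcase

# Exclusions from the page's Exclusions table (process list shortened; the table holds the full set)
EXCLUDED_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}
EXCLUDED_PROCESS_GLOBS = [
    "?:\\Program Files (x86)\\*", "?:\\Program Files\\*",
    "?:\\Windows\\System32\\lsass.exe", "?:\\Windows\\System32\\WerFault.exe",
    "?:\\Windows\\WinSxS\\*",
]

def process_excluded(path):
    # NTFS paths are case-insensitive, so compare the lowercased path against lowercased globs
    p = path.lower()
    return any(fnmatchcase(p, g.lower()) for g in EXCLUDED_PROCESS_GLOBS)

def enabled_privileges(value):
    # 4703 lists one or more privilege names; accept a list or a whitespace/comma delimited string
    if isinstance(value, str):
        return set(value.replace(",", " ").split())
    return set(value or [])

def matches_rule(event):
    # Stage 1 predicate plus the SID and process-path exclusions, on a flattened (dotted-key) event
    if event.get("event.provider") != "Microsoft-Windows-Security-Auditing":
        return False
    if event.get("event.action") != "Token Right Adjusted Events":
        return False
    if "SeDebugPrivilege" not in enabled_privileges(event.get("winlog.event_data.EnabledPrivilegeList")):
        return False
    if event.get("winlog.event_data.SubjectUserSid") in EXCLUDED_SIDS:
        return False
    return not process_excluded(event.get("winlog.event_data.ProcessName", ""))

def make_event(sid, proc, privs):
    # Constructed sample 4703 event, not real telemetry
    return {"event.provider": "Microsoft-Windows-Security-Auditing",
            "event.action": "Token Right Adjusted Events",
            "winlog.event_data.SubjectUserSid": sid, "winlog.event_data.ProcessName": proc,
            "winlog.event_data.EnabledPrivilegeList": privs}

USER_SID = "S-1-5-21-1111-2222-3333-1001"  # constructed non-SYSTEM SID
SAMPLE_EVENTS = [
    make_event(USER_SID, "C:\\Users\\alice\\Downloads\\tool.exe", "SeDebugPrivilege"),   # alerts
    make_event("S-1-5-18", "C:\\Windows\\System32\\svchost.exe", "SeDebugPrivilege"),    # SYSTEM, excluded
    make_event(USER_SID, "C:\\Windows\\System32\\lsass.exe", "SeDebugPrivilege"),        # path excluded
    make_event(USER_SID, "C:\\Users\\alice\\Downloads\\tool.exe", "SeBackupPrivilege"),  # wrong privilege
]

def alerts(events):
    return [e["winlog.event_data.ProcessName"] for e in events if matches_rule(e)]
```

Only the first sample event survives all four checks; the others each trip one predicate or exclusion.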
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| event.action | wildcard | Token Right Adjusted Events |
| event.provider | wildcard | Microsoft-Windows-Security-Auditing |
| winlog.event_data.EnabledPrivilegeList | wildcard | SeDebugPrivilege |