Detection rules › Splunk
Windows Access Token Manipulation SeDebugPrivilege
The following analytic detects a process enabling the "SeDebugPrivilege" privilege token. It leverages Windows Security Event Logs with EventCode 4703, filtering out common legitimate processes. This activity is significant because SeDebugPrivilege allows a process to inspect and modify the memory of other processes, potentially leading to credential dumping or code injection. If confirmed malicious, an attacker could gain extensive control over system processes, enabling them to escalate privileges, persist in the environment, or access sensitive information.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Privilege Escalation | T1134.002 Access Token Manipulation: Create Process with Token |
| Defense Evasion | T1134.002 Access Token Manipulation: Create Process with Token |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 4703 | A user right was adjusted. |
Stages and Predicates
Stage 1: search
search NOT ProcessName IN ("*\\Program File*", "*\\SysWOW64\\lsass.exe*", "*\\SysWOW64\\svchost.exe*", "*\\System32\\lsass.exe*", "*\\System32\\svchost.exe*") EnabledPrivilegeList="*SeDebugPrivilege*" EventCode=4703
Stage 2: stats
stats BY Computer, ProcessName, ProcessId, SubjectDomainName, SubjectUserName, SubjectUserSid, TargetUserName, TargetLogonId, TargetDomainName, EnabledPrivilegeList, action, dest
Stage 3: search
search
Stage 4: search
search
Stage 5: search
search `macro`
Exclusions
Top-level NOT(...) conjuncts — predicates this rule actively suppresses.
| Stage | Field | Kind | Excluded values |
|---|---|---|---|
| 1 | process_name | in | "*\\Program File*", "*\\SysWOW64\\lsass.exe*", "*\\SysWOW64\\svchost.exe*", "*\\System32\\lsass.exe*", "*\\System32\\svchost.exe*" |
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EnabledPrivilegeList | eq |
|
EventCode | eq |
|