Query Details

Process Primary Token Elevated to SeDebugPrivilege

Process Primary Token Elevated To Se Debug Priv

Query

// Token elevated to SeDebugPriv
let SeDebugPriv = binary_shift_left(1, 20);
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == 'ProcessPrimaryTokenModified'
| extend CurrentTokenPrivEnabled = tolong(parse_json(AdditionalFields).CurrentTokenPrivEnabled), OriginalTokenPrivEnabled = tolong(parse_json(AdditionalFields).OriginalTokenPrivEnabled)
| extend PrivilegeDiff = binary_xor(OriginalTokenPrivEnabled, CurrentTokenPrivEnabled)
| where PrivilegeDiff == SeDebugPriv
| invoke FileProfile(InitiatingProcessSHA256)
| project-reorder Timestamp, ActionType, InitiatingProcessFileName, InitiatingProcessSHA256, InitiatingProcessFolderPath, GlobalPrevalence, GlobalFirstSeen, InitiatingProcessCommandLine

About this query

Explanation

This query is designed to detect when a process on a computer system has its primary token modified to include a specific privilege called SeDebugPrivilege. This privilege allows a process to access and manipulate any other process on the system, which can be a sign of malicious activity such as privilege escalation or credential theft. Attackers often exploit this privilege to perform actions like dumping credentials from memory or injecting code into other processes.

The query works by:

  1. Defining the SeDebugPrivilege using a bitmask.
  2. Searching through device events from the past 7 days to find instances where a process's primary token was modified.
  3. Comparing the original and current privileges of the token to identify if the SeDebugPrivilege was added.
  4. Enriching the results with file prevalence data to help reduce false positives, meaning it checks how common the initiating process file is globally.
  5. Presenting the results with details such as the timestamp, action type, file name, file hash, file path, global prevalence, first seen date, and command line used to initiate the process.

This query is useful for security monitoring and incident response, as it helps identify potential security threats related to unauthorized privilege escalation.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: March 8, 2026

Tables

DeviceEvents

Keywords

DeviceEventsProcessTokenPrivilegeFilePrevalence

Operators

letbinary_shift_leftagowhereextendtolongparse_jsonbinary_xorinvokeproject-reorder

MITRE Techniques

Actions

GitHub