Process Primary Token Elevated to SeDebugPrivilege
Process Primary Token Elevated To Se Debug Priv
Query
// Token elevated to SeDebugPriv
let SeDebugPriv = binary_shift_left(1, 20);
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == 'ProcessPrimaryTokenModified'
| extend CurrentTokenPrivEnabled = tolong(parse_json(AdditionalFields).CurrentTokenPrivEnabled), OriginalTokenPrivEnabled = tolong(parse_json(AdditionalFields).OriginalTokenPrivEnabled)
| extend PrivilegeDiff = binary_xor(OriginalTokenPrivEnabled, CurrentTokenPrivEnabled)
| where PrivilegeDiff == SeDebugPriv
| invoke FileProfile(InitiatingProcessSHA256)
| project-reorder Timestamp, ActionType, InitiatingProcessFileName, InitiatingProcessSHA256, InitiatingProcessFolderPath, GlobalPrevalence, GlobalFirstSeen, InitiatingProcessCommandLineAbout this query
Explanation
This query is designed to detect when a process on a computer system has its primary token modified to include a specific privilege called SeDebugPrivilege. This privilege allows a process to access and manipulate any other process on the system, which can be a sign of malicious activity such as privilege escalation or credential theft. Attackers often exploit this privilege to perform actions like dumping credentials from memory or injecting code into other processes.
The query works by:
- Defining the
SeDebugPrivilegeusing a bitmask. - Searching through device events from the past 7 days to find instances where a process's primary token was modified.
- Comparing the original and current privileges of the token to identify if the
SeDebugPrivilegewas added. - Enriching the results with file prevalence data to help reduce false positives, meaning it checks how common the initiating process file is globally.
- Presenting the results with details such as the timestamp, action type, file name, file hash, file path, global prevalence, first seen date, and command line used to initiate the process.
This query is useful for security monitoring and incident response, as it helps identify potential security threats related to unauthorized privilege escalation.
