Techniques
Sample rules
Windows Access Token Manipulation SeDebugPrivilege
- source: splunk
- technicques:
- T1134.002
- T1134
Description
The following analytic identifies a suspicious process enabling the “SeDebugPrivilege” privilege token. SeDebugPrivilege allows a process to inspect and adjust the memory of other processes, and has long been a security concern. SeDebugPrivilege allows the token bearer to access any process or thread, regardless of security descriptors, per Palantir. This technique is abused by adversaries to gain debug privileges with their malicious software to be able to access or debug a process to dump credentials or to inject malicious code.
Detection logic
`wineventlog_security` EventCode=4703 EnabledPrivilegeList = "*SeDebugPrivilege*" AND NOT(ProcessName IN ("*\\Program File*", "*\\System32\\lsass.exe*", "*\\SysWOW64\\lsass.exe*", "*\\SysWOW64\\svchost.exe*", "*\\System32\\svchost.exe*"))
| stats count min(_time) as firstTime max(_time) as lastTime by Computer ProcessName ProcessId SubjectDomainName SubjectUserName SubjectUserSid TargetUserName TargetLogonId TargetDomainName EnabledPrivilegeList action
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_access_token_manipulation_sedebugprivilege_filter`