
# Process Primary Token Elevated to SeDebugPrivilege

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1134 | Access Token Manipulation | https://attack.mitre.org/techniques/T1134/ |

#### Description
This query detects when a process's primary token is modified to enable `SeDebugPrivilege`. The token privilege bitmasks reported in `AdditionalFields` use the privilege LUID as the bit index, and `SE_DEBUG_PRIVILEGE` is LUID 20 in `winnt.h`, so the privilege is bit 20 (`1 << 20`). `SeDebugPrivilege` lets its holder open any process or thread on the system regardless of the object's security descriptor (it does not, however, bypass Protected Process Light, so a PPL-protected LSASS still cannot be opened with it). Members of the local Administrators group hold the privilege by default, but it is disabled in their tokens until a process explicitly enables it, typically through `AdjustTokenPrivileges`; that enablement is the token modification this query looks for. Attackers routinely enable it for credential dumping (opening LSASS), process injection, and lateral movement. The query XORs the original and current privilege bitmasks to obtain the bits that changed, keeps rows where `SeDebugPrivilege` is the only bit that changed, and enriches the result with file prevalence data to reduce false positives. Because of the exact-match comparison, a modification that enables `SeDebugPrivilege` together with other privileges in one call is not matched; to catch those as well, test `binary_and(PrivilegeDiff, SeDebugPriv) != 0` instead, at the cost of more noise.

#### Risk
Enabling `SeDebugPrivilege` in a process that does not normally need it is a strong indicator of privilege escalation or credential theft. Mimikatz's `privilege::debug` enables it before `sekurlsa::logonpasswords` can read LSASS memory, and tools such as ProcDump enable it as well. Legitimate debuggers, Sysinternals tools, installers and security agents also enable it, which is why the prevalence enrichment matters for triage.

## Defender XDR
```KQL
// Token elevated to SeDebugPriv
// The privilege bitmasks in AdditionalFields use the privilege LUID as the bit index;
// SE_DEBUG_PRIVILEGE is LUID 20 (winnt.h), so its bit is 1 << 20.
let SeDebugPriv = binary_shift_left(1, 20);
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == 'ProcessPrimaryTokenModified'
| extend CurrentTokenPrivEnabled = tolong(parse_json(AdditionalFields).CurrentTokenPrivEnabled),
         OriginalTokenPrivEnabled = tolong(parse_json(AdditionalFields).OriginalTokenPrivEnabled)
// Bits that differ between the token before and after the modification
| extend PrivilegeDiff = binary_xor(OriginalTokenPrivEnabled, CurrentTokenPrivEnabled)
// SeDebugPrivilege is the only bit that changed, and it is set in the new token (enabled, not disabled)
| where PrivilegeDiff == SeDebugPriv and binary_and(CurrentTokenPrivEnabled, SeDebugPriv) != 0
| invoke FileProfile(InitiatingProcessSHA256)
| project-reorder Timestamp, ActionType, InitiatingProcessFileName, InitiatingProcessSHA256, InitiatingProcessFolderPath, GlobalPrevalence, GlobalFirstSeen, InitiatingProcessCommandLine
```

## Sentinel
```KQL
// Token elevated to SeDebugPriv
// The privilege bitmasks in AdditionalFields use the privilege LUID as the bit index;
// SE_DEBUG_PRIVILEGE is LUID 20 (winnt.h), so its bit is 1 << 20.
let SeDebugPriv = binary_shift_left(1, 20);
DeviceEvents
| where TimeGenerated > ago(7d)
| where ActionType == 'ProcessPrimaryTokenModified'
| extend CurrentTokenPrivEnabled = tolong(parse_json(AdditionalFields).CurrentTokenPrivEnabled),
         OriginalTokenPrivEnabled = tolong(parse_json(AdditionalFields).OriginalTokenPrivEnabled)
// Bits that differ between the token before and after the modification
| extend PrivilegeDiff = binary_xor(OriginalTokenPrivEnabled, CurrentTokenPrivEnabled)
// SeDebugPrivilege is the only bit that changed, and it is set in the new token (enabled, not disabled)
| where PrivilegeDiff == SeDebugPriv and binary_and(CurrentTokenPrivEnabled, SeDebugPriv) != 0
| invoke FileProfile(InitiatingProcessSHA256)
| project-reorder TimeGenerated, ActionType, InitiatingProcessFileName, InitiatingProcessSHA256, InitiatingProcessFolderPath, GlobalPrevalence, GlobalFirstSeen, InitiatingProcessCommandLine
```

Explanation

This query detects when a process's primary token is modified so that `SeDebugPrivilege` becomes enabled. That privilege lets a process open and manipulate any other process on the system, so enabling it in an unexpected process is a common sign of privilege escalation or credential theft: attackers use it to dump credentials from LSASS memory or to inject code into other processes.

The query works by:

  1. Defining the `SeDebugPrivilege` bit as a bitmask (`1 << 20`, the privilege's LUID).
  2. Selecting `ProcessPrimaryTokenModified` events from the past 7 days and extracting the original and current privilege bitmasks from `AdditionalFields`.
  3. XORing the two bitmasks to find the bits that changed, and keeping only rows where `SeDebugPrivilege` is the sole changed bit and is set in the current token, i.e. it was enabled rather than disabled.
  4. Enriching the matches with `FileProfile()`, which adds global prevalence and first-seen data for the initiating process file; a file seen on many devices for a long time (a debugger, a Sysinternals tool, an installer) is far less interesting than a rare, recently seen binary. `FileProfile()` enriches a bounded number of rows per query (100 by default, up to 1000 with a second argument), so narrow the time window if the result set is large.
  5. Presenting the results with the timestamp, action type, file name, file hash, file path, global prevalence, first-seen date, and command line of the initiating process.

This query is useful for security monitoring and incident response, as it helps identify potential unauthorized privilege escalation and the credential-theft activity that usually follows it.
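The bitmask logic in steps 1 to 3 is easy to get subtly wrong, so the following Python harness, added here as an illustration and not part of the original query page, replays it over constructed `DeviceEvents`-shaped rows. It shows what the exact-match XOR check catches and misses: it fires on a lone `SeDebugPrivilege` enable, ignores a modification that enables `SeDebugPrivilege` together with another privilege, and (without the "set in the current token" test) would also fire when the privilege is disabled. The privilege LUIDs are the values from `winnt.h`; the process names, masks and `AdditionalFields` payloads are constructed sample data, not real telemetry.

```python
import json

# Privilege LUIDs from winnt.h. The token bitmasks in AdditionalFields use the
# LUID as the bit index, so SeDebugPrivilege (LUID 20) is bit 1 << 20.
PRIVILEGE_LUIDS = {
    "SeTcbPrivilege": 7,
    "SeLoadDriverPrivilege": 10,
    "SeBackupPrivilege": 17,
    "SeDebugPrivilege": 20,
    "SeImpersonatePrivilege": 29,
}
SE_DEBUG_PRIV = 1 << PRIVILEGE_LUIDS["SeDebugPrivilege"]  # 1048576, same as binary_shift_left(1, 20)


def priv_mask(*names):
    """Build a token privilege bitmask from privilege names."""
    mask = 0
    for name in names:
        mask |= 1 << PRIVILEGE_LUIDS[name]
    return mask


def decode_mask(mask):
    """Return the sorted names of the (known) privileges whose bits are set in mask."""
    return sorted(n for n, luid in PRIVILEGE_LUIDS.items() if mask & (1 << luid))


def parse_event(event):
    """Mirror the query's extend: pull both bitmasks out of the AdditionalFields JSON."""
    fields = json.loads(event["AdditionalFields"])
    return int(fields["OriginalTokenPrivEnabled"]), int(fields["CurrentTokenPrivEnabled"])


def sedebug_added_strict(original, current):
    """The page's check: the XOR equals exactly the SeDebug bit, and that bit is set now."""
    diff = original ^ current
    return diff == SE_DEBUG_PRIV and (current & SE_DEBUG_PRIV) != 0


def sedebug_added_any(original, current):
    """Relaxed check: SeDebug went from clear to set, whatever else changed alongside it."""
    return (original & SE_DEBUG_PRIV) == 0 and (current & SE_DEBUG_PRIV) != 0


def run_detection(events, strict=True):
    """Return the InitiatingProcessFileName of each row the detection fires on, in order."""
    check = sedebug_added_strict if strict else sedebug_added_any
    hits = []
    for event in events:
        if event["ActionType"] != "ProcessPrimaryTokenModified":
            continue
        original, current = parse_event(event)
        if check(original, current):
            hits.append(event["InitiatingProcessFileName"])
    return hits


def make_event(name, original, current, action="ProcessPrimaryTokenModified"):
    """Constructed DeviceEvents-shaped row carrying only the columns the query reads."""
    return {
        "ActionType": action,
        "InitiatingProcessFileName": name,
        "AdditionalFields": json.dumps({
            "OriginalTokenPrivEnabled": original,
            "CurrentTokenPrivEnabled": current,
        }),
    }


# Constructed sample rows (names and masks are illustrative, not captured telemetry).
SAMPLE_EVENTS = [
    # Only SeDebugPrivilege enabled: the privilege::debug pattern
    make_event("mimikatz.exe", 0, priv_mask("SeDebugPrivilege")),
    # SeDebug enabled together with SeLoadDriver in one AdjustTokenPrivileges call
    make_event("procexp64.exe", 0, priv_mask("SeDebugPrivilege", "SeLoadDriverPrivilege")),
    # SeDebug disabled again: XOR alone cannot tell this apart from an enable
    make_event("cleanup.exe", priv_mask("SeDebugPrivilege"), 0),
    # Unrelated privilege change
    make_event("svchost.exe", 0, priv_mask("SeImpersonatePrivilege")),
    # Right masks, wrong ActionType: must be ignored
    make_event("noise.exe", 0, priv_mask("SeDebugPrivilege"), action="OtherEvent"),
]

if __name__ == "__main__":
    print("strict :", run_detection(SAMPLE_EVENTS, strict=True))
    print("relaxed:", run_detection(SAMPLE_EVENTS, strict=False))
    orig, cur = parse_event(SAMPLE_EVENTS[1])
    print("procexp64.exe changed:", decode_mask(orig ^ cur))
```

Run it and compare the two result lists: the strict variant reports only `mimikatz.exe`, the relaxed variant also reports `procexp64.exe`, and neither reports the disable in `cleanup.exe`, which a bare `PrivilegeDiff == SeDebugPriv` test would have flagged.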

Details


Bert-Jan Pals

Released: March 8, 2026

Tables

DeviceEvents

Keywords

DeviceEvents, Process, Token, Privilege, File Prevalence

Operators

let, binary_shift_left, ago, where, extend, tolong, parse_json, binary_xor, invoke, project-reorder
