
Summary
The detection rule 'Suspicious SeIncreaseBasePriorityPrivilege Use' identifies attempts by unusual processes to exploit the SeIncreaseBasePriorityPrivilege privilege on Windows systems. This privilege can be used to raise the CPU scheduling priority of a process, which could allow a malicious actor to hijack execution flows and disrupt legitimate operations. The rule queries Windows Security Event Logs for Event ID 4674, which records an attempted operation on a privileged object. By filtering on specific conditions, such as a success outcome and unique privilege usage, the rule helps security teams detect abnormal activity indicative of privilege escalation attempts. The accompanying investigation and response guidance emphasizes isolating affected machines and carrying out thorough analysis to confirm whether the detected events are legitimate.
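The following is an added illustration of the detection logic the summary describes, not the rule's own query. It runs over a handful of constructed Event ID 4674 records and flags successful use of SeIncreaseBasePriorityPrivilege by a process outside an assumed allowlist. The field names (`EventID`, `Outcome`, `PrivilegeList`, `ProcessName`), the allowlist, and the reading of "unique privilege usage" as an event that names exactly this one privilege are assumptions made for the example.

```python
# Added example: a minimal detector in the spirit of the
# 'Suspicious SeIncreaseBasePriorityPrivilege Use' rule.
# Field names, the allowlist and the sample events are constructed
# assumptions; they are not the rule's actual query or data.

PRIVILEGE = "SeIncreaseBasePriorityPrivilege"
EVENT_ID = 4674  # "An operation was attempted on a privileged object"

# Hypothetical allowlist of processes expected to request this privilege.
EXPECTED_PROCESSES = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\services.exe",
}

# Constructed sample events, flattened to the fields the detector needs.
SAMPLE_EVENTS = [
    {"EventID": 4674, "Outcome": "success",
     "PrivilegeList": "SeIncreaseBasePriorityPrivilege",
     "ProcessName": r"C:\Windows\System32\svchost.exe",
     "AccountName": "SYSTEM"},
    {"EventID": 4674, "Outcome": "success",
     "PrivilegeList": "SeIncreaseBasePriorityPrivilege",
     "ProcessName": r"C:\Users\Public\updater.exe",
     "AccountName": "jdoe"},
    {"EventID": 4674, "Outcome": "failure",
     "PrivilegeList": "SeIncreaseBasePriorityPrivilege",
     "ProcessName": r"C:\Temp\tool.exe",
     "AccountName": "jdoe"},
    {"EventID": 4674, "Outcome": "success",
     "PrivilegeList": "SeIncreaseBasePriorityPrivilege, SeDebugPrivilege",
     "ProcessName": r"C:\Temp\multi.exe",
     "AccountName": "jdoe"},
    {"EventID": 4673, "Outcome": "success",
     "PrivilegeList": "SeIncreaseBasePriorityPrivilege",
     "ProcessName": r"C:\Users\Public\updater.exe",
     "AccountName": "jdoe"},
]


def privileges_of(event):
    """Split the comma-separated privilege list into a set of names."""
    raw = event.get("PrivilegeList", "")
    return {p.strip() for p in raw.split(",") if p.strip()}


def is_suspicious(event):
    """Apply the rule's conditions: right event id, success outcome,
    only this privilege requested, and a process not on the allowlist."""
    if event.get("EventID") != EVENT_ID:
        return False
    if event.get("Outcome") != "success":
        return False
    if privileges_of(event) != {PRIVILEGE}:
        return False
    process = event.get("ProcessName", "").lower()
    return process not in EXPECTED_PROCESSES


def detect(events):
    """Return the subset of events that trigger the rule."""
    return [e for e in events if is_suspicious(e)]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"ALERT: {hit['ProcessName']} ({hit['AccountName']}) used {PRIVILEGE}")
```

Only the second sample event fires: the first is an expected process, the third failed, the fourth requests more than one privilege, and the fifth is not Event ID 4674. In a real deployment the allowlist would be built from baseline telemetry rather than hard-coded.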
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Application Log
- Logon Session
ATT&CK Techniques
- T1134
Created: 2025-09-25