Suspicious SeIncreaseBasePriorityPrivilege Use
Language: KQL | License: Elastic-2.0 | From: elastic/detection-rules
Rule source: rules/windows/privilege_escalation_thread_cpu_priority_hijack.toml

event.category:iam and host.os.type:"windows" and event.code:"4674" and
winlog.event_data.PrivilegeList:"SeIncreaseBasePriorityPrivilege" and
event.outcome:"success" and
winlog.event_data.AccessMask:"512" and
not winlog.event_data.SubjectUserSid:("S-1-5-18" or "S-1-5-19" or "S-1-5-20")