type: technique
confidence: high
created: 2026-06-04
updated: 2026-06-04
tags: defense-evasion, discovery, mitre-attck

SeDebugPrivilege Escalation

Enabling SeDebugPrivilege on the current process token lets the process open any other process or thread (OpenProcess/OpenThread) with the access it asks for, regardless of the target's DACL. Two limits matter for analysis: AdjustTokenPrivileges can only enable a privilege that is already present (disabled) in the token, so the technique works only for accounts assigned the privilege (by default, members of the local Administrators group, and only in a UAC-elevated token); and it does not defeat Protected Process Light, so an lsass.exe running with RunAsPPL or a PPL anti-malware service still refuses memory-access rights. Malware enables the privilege before injecting into or reading memory from high-value processes (e.g., lsass.exe, EDR agents, browsers).

Detection / Fingerprint

  • OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)
  • LookupPrivilegeValueW(NULL, L"SeDebugPrivilege", &luid)
  • AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL) with SE_PRIVILEGE_ENABLED
  • Caveat: the same effect is available in one call from ntdll, RtlAdjustPrivilege(20 /* SE_DEBUG_PRIVILEGE */, TRUE, FALSE, &wasEnabled), and the lookup may use LookupPrivilegeValueA with a narrow "SeDebugPrivilege" string; a signature keyed only on the three-call sequence and the wide string misses both variants.

Implementation Patterns

SilverFox duplicates this logic in two helper functions (FUN_1400038c0 and FUN_140003f80), suggesting either linker duplication or deliberate redundancy^[ghidra:FUN_1400038c0, ghidra:FUN_140003f80].

Typical sequence:

#include <windows.h>
#include <stdio.h>
#pragma comment(lib, "advapi32.lib")   /* the token APIs below are exported by advapi32 */

int main(void)
{
    HANDLE hToken;
    LUID luid;
    TOKEN_PRIVILEGES tp;

    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
        return 1;
    /* Resolve the privilege name to the LUID this machine uses for it */
    LookupPrivilegeValueW(NULL, L"SeDebugPrivilege", &luid);

    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = luid;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    /* Returns nonzero even if the privilege is absent from the token; GetLastError() is the real result: 0 = enabled, 1300 = ERROR_NOT_ALL_ASSIGNED */
    AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL);
    printf("AdjustTokenPrivileges: GetLastError = %lu\n", GetLastError());
    CloseHandle(hToken);
    return 0;
}

Reproduce on Your Own VMs

Compile the program above with MSVC (cl repro.c advapi32.lib) and run it twice: from a standard-user or non-elevated prompt, and from an elevated (UAC-approved) administrator prompt. In both cases AdjustTokenPrivileges returns nonzero; only GetLastError() distinguishes success (0) from ERROR_NOT_ALL_ASSIGNED (1300), which is what you get whenever the privilege is not in the token at all. A non-elevated administrator fails too, because UAC strips SeDebugPrivilege from the filtered token. Confirm the token contents independently with whoami /priv in each prompt: the privilege is listed as Disabled in the elevated prompt and absent in the others. whoami reports the shell's own token, not the state the test process set, so it verifies eligibility rather than the result.

Defensive Countermeasures

  • Security log: Microsoft-Windows-Security-Auditing Event ID 4703 ("A user right was adjusted", EnabledPrivilegeList contains SeDebugPrivilege). It needs the Audit Token Right Adjusted subcategory and is very noisy (svchost adjusts privileges constantly), so key on ProcessName rather than on the event alone. The Audit Sensitive Privilege Use subcategory (4673/4674) records the privilege actually being exercised, at even higher volume.
  • Sysmon: Event ID 10 (ProcessAccess) with TargetImage lsass.exe and a GrantedAccess mask that includes PROCESS_VM_READ (0x0010), PROCESS_VM_WRITE (0x0020) or PROCESS_CREATE_THREAD (0x0002), e.g. the common 0x1010, 0x1410 and 0x1FFFFF values. Sysmon does not record the source token's privileges, so correlate on SourceImage with 4703 rather than expecting the privilege in the event.
  • Hunt: processes enabling SeDebugPrivilege that are not known debuggers or diagnostic tools (Visual Studio devenv.exe, WinDbg, Process Explorer, Task Manager), and the same images subsequently opening lsass.exe.
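The hunt above, as an added example that is not part of the original page or of the SilverFox analysis: a Python script that parses Security 4703 and Sysmon 10 records in the XML shape exported by wevtutil or Get-WinEvent's ToXml(), flags SeDebugPrivilege enablement by images outside an assumed debugger allowlist, flags lsass.exe opens whose GrantedAccess carries memory-access bits, and correlates both by image. The KNOWN_DEBUGGERS set is an assumed baseline to tune per estate, and the five event records are constructed, not captured telemetry.

```python
"""Hunt for SeDebugPrivilege enablement and follow-on lsass.exe access in exported Windows event XML.

Added example, not code from the original page. Assumes the XML shape produced by
wevtutil qe /f:xml or Get-WinEvent | ForEach-Object { $_.ToXml() }; the sample records are constructed.
"""
import ntpath
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumed baseline of images that legitimately enable SeDebugPrivilege; tune per estate.
KNOWN_DEBUGGERS = {"devenv.exe", "windbg.exe", "windbgx.exe", "cdb.exe", "msvsmon.exe", "procexp64.exe"}

# Access bits from winnt.h that a credential dumper needs on lsass.exe.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
SUSPICIOUS_LSASS_ACCESS = PROCESS_CREATE_THREAD | PROCESS_VM_READ | PROCESS_VM_WRITE


def parse_event(xml_text):
    """Return (provider name, event id, {Data Name: text}) from one event record."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    provider = system.find("e:Provider", NS).get("Name")
    event_id = int(system.find("e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return provider, event_id, data


def hunt(xml_records):
    """Return (reason, image) findings; correlated hits carry the lower-cased image path."""
    enablers, lsass_openers, findings = set(), set(), []
    for record in xml_records:
        provider, event_id, d = parse_event(record)
        if provider == "Microsoft-Windows-Security-Auditing" and event_id == 4703:
            # EnabledPrivilegeList is whitespace-separated when several privileges change at once.
            image = d.get("ProcessName", "")
            if ("SeDebugPrivilege" in d.get("EnabledPrivilegeList", "").split()
                    and ntpath.basename(image).lower() not in KNOWN_DEBUGGERS):
                enablers.add(image.lower())
                findings.append(("4703 SeDebugPrivilege enabled by non-debugger", image))
        elif provider == "Microsoft-Windows-Sysmon" and event_id == 10:
            image = d.get("SourceImage", "")
            granted = int(d.get("GrantedAccess", "0x0"), 16)
            if (ntpath.basename(d.get("TargetImage", "")).lower() == "lsass.exe"
                    and granted & SUSPICIOUS_LSASS_ACCESS):
                lsass_openers.add(image.lower())
                findings.append(("Sysmon 10 lsass.exe opened with 0x%x" % granted, image))
    # Same image enabled the privilege and then reached into lsass: the enable-then-access sequence.
    for image in sorted(enablers & lsass_openers):
        findings.append(("CORRELATED: enabled SeDebugPrivilege then opened lsass.exe", image))
    return findings


def _record(provider, event_id, **fields):
    """Build a minimal event record in the exported XML shape (constructed test data)."""
    data = "".join('<Data Name="%s">%s</Data>' % (k, v) for k, v in fields.items())
    return ('<Event xmlns="%s"><System><Provider Name="%s"/><EventID>%d</EventID></System>'
            '<EventData>%s</EventData></Event>' % (NS["e"], provider, event_id, data))


SEC = "Microsoft-Windows-Security-Auditing"
SYSMON = "Microsoft-Windows-Sysmon"
SAMPLE_EVENTS = [  # constructed, not captured telemetry
    _record(SEC, 4703, ProcessName=r"C:\Program Files\WinDbg\windbg.exe",
            EnabledPrivilegeList="SeDebugPrivilege", DisabledPrivilegeList="-"),
    _record(SEC, 4703, ProcessName=r"C:\Users\Public\repro.exe",
            EnabledPrivilegeList="SeDebugPrivilege", DisabledPrivilegeList="-"),
    _record(SEC, 4703, ProcessName=r"C:\Windows\System32\svchost.exe",
            EnabledPrivilegeList="SeBackupPrivilege\n\t\t\tSeRestorePrivilege", DisabledPrivilegeList="-"),
    _record(SYSMON, 10, SourceImage=r"C:\Windows\System32\Taskmgr.exe",
            TargetImage=r"C:\Windows\System32\lsass.exe", GrantedAccess="0x1000"),
    _record(SYSMON, 10, SourceImage=r"C:\Users\Public\repro.exe",
            TargetImage=r"C:\Windows\System32\lsass.exe", GrantedAccess="0x1010"),
]

if __name__ == "__main__":
    for reason, image in hunt(SAMPLE_EVENTS):
        print("%-60s %s" % (reason, image))
```

The allowlisted windbg.exe, the svchost.exe record that enables only backup/restore privileges, and Task Manager's 0x1000 (PROCESS_QUERY_LIMITED_INFORMATION) open of lsass all drop out; repro.exe is reported twice from the raw events and a third time as the correlated pair. On real exports, feed the script the records from both logs for the same host and time window, since the correlation is by image path only.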