SeDebugPrivilege
What is SeDebugPrivilege?
A powerful Windows user-right that lets a holder open, read, and modify the memory of any process — including LSASS — making it a prime target for attackers seeking credential theft.
SeDebugPrivilege is a Windows privilege (the "Debug programs" user right, defined in the Local Security Authority's policy database and placed in the access token at logon) that, when present and enabled in a process token, allows opening any process or thread (including those owned by SYSTEM) with PROCESS_ALL_ACCESS regardless of the target's security descriptor. By default it is granted only to the local Administrators group and to processes running as SYSTEM, and Microsoft documents it as effectively equivalent to administrator on the host. Tools such as Mimikatz, ProcDump (for LSASS dumping), and EDR products require this privilege to perform memory introspection. Attackers love it: with SeDebugPrivilege they can dump LSASS, hijack tokens, inject into protected processes, and disable security tooling. Defenders monitor the privilege-use and token-adjustment events 4673/4703 in the Windows Security log, use Credential Guard, and remove the right from accounts that do not need it via Group Policy.
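A defender-side triage of the 4703 ("A user right was adjusted") events the definition points to, as an added example that is not part of the original page: it flags records where SeDebugPrivilege was enabled by a process outside an allow-list. The allow-list paths and the sample records are constructed; field names follow the event's EventData schema.

```python
"""Triage Windows Security event 4703 for SeDebugPrivilege being enabled
by an unexpected process. Added example; records are constructed, not logs."""

# Assumption: processes expected to enable SeDebugPrivilege on this host
# (OS services, the EDR agent). Tune per environment; compared case-insensitively.
DEFAULT_ALLOWLIST = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\lsass.exe",
    r"c:\program files\exampleedr\agent.exe",  # hypothetical EDR agent path
}

# Constructed 4703 records shaped like the event's EventData fields.
# EnabledPrivilegeList / DisabledPrivilegeList carry a whitespace-separated
# list of privilege names, or "-" when the list is empty.
SAMPLE_4703 = [
    {"SubjectUserName": "SYSTEM", "ProcessId": "0x2f4",
     "ProcessName": r"C:\Windows\System32\svchost.exe",
     "EnabledPrivilegeList": "SeDebugPrivilege", "DisabledPrivilegeList": "-"},
    {"SubjectUserName": "alice", "ProcessId": "0x1a88",
     "ProcessName": r"C:\Users\alice\Downloads\tool.exe",
     "EnabledPrivilegeList": "SeDebugPrivilege\r\n\t\t\tSeImpersonatePrivilege",
     "DisabledPrivilegeList": "-"},
    {"SubjectUserName": "SYSTEM", "ProcessId": "0x9c0",
     "ProcessName": r"C:\Program Files\ExampleEDR\agent.exe",
     "EnabledPrivilegeList": "SeDebugPrivilege", "DisabledPrivilegeList": "-"},
    {"SubjectUserName": "bob", "ProcessId": "0x1234",
     "ProcessName": r"C:\Windows\System32\cmd.exe",
     "EnabledPrivilegeList": "SeBackupPrivilege",
     "DisabledPrivilegeList": "SeDebugPrivilege"},
]


def parse_privileges(field: str) -> list[str]:
    """Split a 4703 privilege-list field into names; '-' means none."""
    if field.strip() == "-":
        return []
    return field.split()


def find_suspicious_debug_enables(events, allowlist=DEFAULT_ALLOWLIST):
    """Return events where SeDebugPrivilege was *enabled* by a process not on
    the allow-list. A record that only disables the right is not an alert."""
    hits = []
    for ev in events:
        enabled = {p.lower() for p in parse_privileges(ev.get("EnabledPrivilegeList", "-"))}
        if "sedebugprivilege" in enabled and ev.get("ProcessName", "").lower() not in allowlist:
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for ev in find_suspicious_debug_enables(SAMPLE_4703):
        print(f"ALERT 4703: {ev['SubjectUserName']} enabled SeDebugPrivilege "
              f"via {ev['ProcessName']} (PID {ev['ProcessId']})")
```

4703 is noisy on a busy host, so the allow-list, not the event itself, is what makes this usable; 4673 can be filtered the same way on its Privileges and Process Name fields.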
● Examples
1. An adversary enabling SeDebugPrivilege on a Mimikatz process and running sekurlsa::logonpasswords to dump LSASS.
2. ProcDump used with -ma to capture an LSASS memory dump for offline credential extraction.
● Frequently asked questions
What is SeDebugPrivilege?
A powerful Windows user-right that lets a holder open, read, and modify the memory of any process — including LSASS — making it a prime target for attackers seeking credential theft. It belongs to the Identity & Access category of cybersecurity.
What does SeDebugPrivilege mean?
A powerful Windows user-right that lets a holder open, read, and modify the memory of any process — including LSASS — making it a prime target for attackers seeking credential theft.
How does SeDebugPrivilege work?
SeDebugPrivilege is a Windows privilege defined in Local Security Authority that, when held by a process token, allows opening any process or thread (including those owned by SYSTEM) with PROCESS_ALL_ACCESS. By default it is granted only to the local Administrators group and to processes running as SYSTEM, and Microsoft documents it as effectively equivalent to administrator on the host. Tools such as Mimikatz, ProcDump (for LSASS dumping), and EDR products require this privilege to perform memory introspection. Attackers love it: with SeDebugPrivilege they can dump LSASS, hijack tokens, inject into protected processes, and disable security tooling. Defenders monitor token-adjustment events 4673/4703 in the Windows Security log, use Credential Guard, and remove the right via Group Policy.
How do you defend against SeDebugPrivilege?
Defences for SeDebugPrivilege combine technical controls and operational practices: monitoring privilege-use and token-adjustment events 4673/4703 in the Windows Security log, enabling Credential Guard to keep LSASS secrets out of reach, and removing the right from accounts that do not need it via Group Policy, as detailed in the full definition above.
What are other names for SeDebugPrivilege?
Common alternative names include: SeDebug, Debug programs right.
● Related terms
- Token Impersonation (identity-access)
A Windows privilege-escalation technique (MITRE ATT&CK T1134) where an attacker duplicates an existing access token and uses it to run code in another user's security context.
- User Account Control (UAC) (identity-access)
A Windows security feature introduced in Vista that runs interactive sessions with a limited token and prompts for consent or credentials before an administrative action elevates.
- Privilege Escalation (vulnerabilities)
A class of vulnerabilities that lets an attacker gain rights beyond those originally granted, such as moving from a normal user to administrator.
- Mimikatz (defense-ops)
An open-source Windows post-exploitation tool that extracts plaintext passwords, hashes, Kerberos tickets, and other credentials from memory and LSASS.