Event ID 4672 — Special privileges assigned to new logon.
Description
Special privileges assigned to new logon.
Fields

| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [Subject] Security ID. |
| SubjectUserName | UnicodeString | [Subject] Account Name. |
| SubjectDomainName | UnicodeString | [Subject] Account Domain. |
| SubjectLogonId | HexInt64 | [Subject] Logon ID. |
| PrivilegeList | UnicodeString | [Subject] Privileges (see the privilege constants reference). |
Example Event

```json
{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4672,
    "version": 0,
    "level": 0,
    "task": 12548,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2023-11-06T06:25:52.440990+00:00",
    "event_record_id": 2949,
    "correlation": {
      "ActivityID": "F590C418-1079-0001-5BC5-90F57910DA01"
    },
    "execution": {
      "process_id": 808,
      "thread_id": 856
    },
    "channel": "Security",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "SYSTEM",
    "SubjectDomainName": "NT AUTHORITY",
    "SubjectLogonId": "0x3e7",
    "PrivilegeList": "SeAssignPrimaryTokenPrivilege\r\n\t\t\tSeTcbPrivilege\r\n\t\t\tSeSecurityPrivilege\r\n\t\t\tSeTakeOwnershipPrivilege\r\n\t\t\tSeLoadDriverPrivilege\r\n\t\t\tSeBackupPrivilege\r\n\t\t\tSeRestorePrivilege\r\n\t\t\tSeDebugPrivilege\r\n\t\t\tSeAuditPrivilege\r\n\t\t\tSeSystemEnvironmentPrivilege\r\n\t\t\tSeImpersonatePrivilege\r\n\t\t\tSeDelegateSessionUserImpersonatePrivilege"
  },
  "message": ""
}
```
Detection Patterns

Community Notes

Detects Administrator or SYSTEM-equivalent sessions at logon time.

Detection Rules
Splunk

- Windows Special Privileged Logon On Multiple Hosts: The following analytic detects a user authenticating with special privileges on 30 or more remote endpoints within a 5-minute window. It leverages Event ID 4672 from Windows Security logs to identify this behavior. This activity is significant as it may indicate lateral movement or remote code execution by an adversary. If confirmed malicious, the attacker could gain extensive control over the network, potentially leading to privilege escalation, data exfiltration, or further compromise of the environment. Security teams should adjust detection thresholds based on their specific environment.
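As an added example (not code from this page, from Microsoft or from Splunk), the following Python script parses 4672 records in the JSON layout of the example event above, splits the PrivilegeList field, flags a set of high-impact privileges, and reproduces the "30 or more hosts within 5 minutes" logic of the Splunk analytic as a sliding window per account. The HIGH_IMPACT set, the NOISY_SIDS baseline, the make_event helper and the sample records are this example's own assumptions and constructions, not values taken from the page.

```python
"""Parse Event ID 4672 records (JSON shape as in the page's example event) and
apply two checks: per-record privilege triage, and the "one account gets special
privileges on many hosts in a short window" pattern.

Assumptions (this example's own): record layout matches the page's example
(system.time_created, system.computer, event_data.*); HIGH_IMPACT and NOISY_SIDS
are illustrative choices, not lists taken from the page.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Privileges this example treats as high-impact when granted at logon
# (assumed selection; tune to your environment).
HIGH_IMPACT = {
    "SeDebugPrivilege", "SeTcbPrivilege", "SeBackupPrivilege",
    "SeRestorePrivilege", "SeLoadDriverPrivilege", "SeTakeOwnershipPrivilege",
}

# Well-known local SIDs (SYSTEM, LOCAL SERVICE, NETWORK SERVICE); their 4672
# events fire constantly and are normally baselined out of this rule.
NOISY_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}


def parse_privileges(priv_list: str) -> list:
    """PrivilegeList separates names with CRLF plus tabs; privilege names
    contain no spaces, so splitting on any whitespace recovers them."""
    return priv_list.split()


def summarize(event: dict) -> dict:
    """Flatten one 4672 record into the fields an analyst looks at first."""
    data = event["event_data"]
    privs = parse_privileges(data["PrivilegeList"])
    sid = data["SubjectUserSid"]
    return {
        "time": datetime.fromisoformat(event["system"]["time_created"]),
        "computer": event["system"]["computer"],
        "user": data["SubjectDomainName"] + "\\" + data["SubjectUserName"],
        "sid": sid,
        "logon_id": data["SubjectLogonId"],
        "privileges": privs,
        "high_impact": sorted(HIGH_IMPACT.intersection(privs)),
        "noisy": sid in NOISY_SIDS,
    }


def privileged_logon_on_many_hosts(events, host_threshold=30,
                                   window=timedelta(minutes=5)):
    """Same idea as the Splunk analytic: one account receiving special
    privileges on >= host_threshold distinct computers inside `window`.
    Returns one (user, window_start, distinct_hosts) tuple per offending user."""
    by_user = defaultdict(list)
    for ev in events:
        s = summarize(ev)
        if s["noisy"]:
            continue
        by_user[s["user"]].append((s["time"], s["computer"]))
    hits = []
    for user, seen in by_user.items():
        seen.sort()
        start = 0
        for end in range(len(seen)):
            # Advance the window start until the span is <= `window`.
            while seen[end][0] - seen[start][0] > window:
                start += 1
            hosts = {host for _, host in seen[start:end + 1]}
            if len(hosts) >= host_threshold:
                hits.append((user, seen[start][0], len(hosts)))
                break  # one alert per account
    return hits


def make_event(time_created, computer, sid, user, domain, logon_id, privs):
    """Constructed sample record in the page's example layout (test data only)."""
    return {
        "system": {"event_id": 4672, "channel": "Security",
                   "time_created": time_created, "computer": computer},
        "event_data": {
            "SubjectUserSid": sid, "SubjectUserName": user,
            "SubjectDomainName": domain, "SubjectLogonId": logon_id,
            "PrivilegeList": "\r\n\t\t\t".join(privs),
        },
    }


def demo():
    """Constructed dataset: the SYSTEM record from the page, a benign admin on
    three workstations, and a service account hitting 32 servers in 155 seconds."""
    base = datetime.fromisoformat("2023-11-06T06:25:52+00:00")
    events = [make_event("2023-11-06T06:25:52.440990+00:00", "WinDev2310Eval",
                         "S-1-5-18", "SYSTEM", "NT AUTHORITY", "0x3e7",
                         ["SeTcbPrivilege", "SeDebugPrivilege", "SeAuditPrivilege"])]
    for i in range(3):
        events.append(make_event((base + timedelta(minutes=i)).isoformat(), f"WS-{i:02d}",
                                 "S-1-5-21-1-2-3-1104", "jdoe-adm", "CORP", "0x5f3a1",
                                 ["SeBackupPrivilege", "SeRestorePrivilege"]))
    for i in range(32):
        events.append(make_event((base + timedelta(seconds=5 * i)).isoformat(), f"SRV-{i:02d}",
                                 "S-1-5-21-1-2-3-1200", "svc-backup", "CORP", hex(0x10000 + i),
                                 ["SeBackupPrivilege", "SeRestorePrivilege", "SeDebugPrivilege"]))
    return privileged_logon_on_many_hosts(events)


if __name__ == "__main__":
    for user, started, hosts in demo():
        print(f"{user}: special privileges on {hosts} hosts from {started.isoformat()}")
```

Two design points carry over to any real deployment of this rule: the page's own example is a SYSTEM logon (logon ID 0x3e7), and such records appear on every boot and service start, so dropping the well-known local SIDs before counting is what keeps the host threshold meaningful; and the 30-host / 5-minute values are the Splunk rule's defaults, which its description says to adjust per environment.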
References
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-special-logon
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4672
- Example event sourced from https://github.com/NextronSystems/evtx-baseline