Event ID 4673 — A privileged service was called.
Description
A privileged service was called.
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [Subject] Security ID. |
| SubjectUserName | UnicodeString | [Subject] Account Name. |
| SubjectDomainName | UnicodeString | [Subject] Account Domain. |
| SubjectLogonId | HexInt64 | [Subject] Logon ID. |
| ObjectServer | UnicodeString | [Service] Server. |
| Service | UnicodeString | [Service] Service Name. |
| PrivilegeList | UnicodeString | [Service Request Information] Privileges (see the privilege constants reference). |
| ProcessId | Pointer | [Process] Process ID. |
| ProcessName | UnicodeString | [Process] Process Name. |
Example Event #
```json
{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4673,
    "version": 0,
    "level": 0,
    "task": 13056,
    "opcode": 0,
    "keywords": 9227875636482146304,
    "time_created": "2023-11-06T02:04:44.872475+00:00",
    "event_record_id": 315408,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 9496
    },
    "channel": "Security",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-21-1992711665-1655669231-58201500-1000",
    "SubjectUserName": "User",
    "SubjectDomainName": "WINDEV2310EVAL",
    "SubjectLogonId": "0x27844",
    "ObjectServer": "Security",
    "Service": "-",
    "PrivilegeList": "SeProfileSingleProcessPrivilege",
    "ProcessId": "0x33f0",
    "ProcessName": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
  },
  "message": ""
}
```
Community Notes #
Logs the use of a sensitive privilege by a process calling a privileged system service. The privileges worth alerting on are SeDebugPrivilege (often precedes scraping LSASS memory), SeTcbPrivilege (act as part of the operating system) and SeLoadDriverPrivilege (load a kernel driver); the rest of PrivilegeList is mostly routine. The event is only written when the Audit Sensitive Privilege Use subcategory is enabled (Success, Failure or both) and is one of the noisiest entries in the Security log, so filter on PrivilegeList and ProcessName at collection time rather than shipping every record. Success and Failure audits share the same event ID and are told apart by the keywords field: 0x8020000000000000 is Audit Success and 0x8010000000000000 is Audit Failure. The example above is a Failure audit (9227875636482146304 is 0x8010000000000000): chrome.exe, running as a local user, was denied SeProfileSingleProcessPrivilege, which is ordinary noise. The related Event ID 4674 (an operation was attempted on a privileged object) covers privilege use on object handles rather than service calls.
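The triage logic described above, as an added example that is not part of the original page: it decodes the Audit Success / Audit Failure keyword bits, splits PrivilegeList (which can carry several privileges separated by whitespace), and flags the sensitive privileges when the calling process is not on an allowlist, plus the failed `LsaRegisterLogonProcess` call with SeTcbPrivilege that the Sigma rule below targets. The first record is the page's example event; the other records, the allowlist entries and the process paths are constructed for illustration.

```python
"""Triage Event ID 4673 records exported as JSON (constructed example, not the page's code)."""
from dataclasses import dataclass

# Keyword bits that distinguish the audit outcome (same event ID for both).
AUDIT_FAILURE = 0x0010000000000000
AUDIT_SUCCESS = 0x0020000000000000

# Privileges whose use is rare enough for a non-system process to be worth a look.
SENSITIVE_PRIVILEGES = {"SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege"}

# Hypothetical allowlist of processes expected to use them; tune per environment.
ALLOWED_PROCESSES = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\lsass.exe",
}


@dataclass(frozen=True)
class Finding:
    rule: str
    process: str
    privilege: str
    outcome: str


def audit_outcome(keywords) -> str:
    """Map the keywords field (int or hex string) to 'success', 'failure' or 'unknown'."""
    value = int(keywords, 0) if isinstance(keywords, str) else int(keywords)
    if value & AUDIT_FAILURE:
        return "failure"
    if value & AUDIT_SUCCESS:
        return "success"
    return "unknown"


def privilege_list(event: dict) -> list:
    """PrivilegeList holds one or more privilege names separated by CR/LF/tabs."""
    return event["event_data"].get("PrivilegeList", "").split()


def triage(event: dict) -> list:
    """Return the findings for a single 4673 record (empty list for noise)."""
    if event["system"]["event_id"] != 4673:
        return []
    data = event["event_data"]
    outcome = audit_outcome(event["system"]["keywords"])
    process = data.get("ProcessName", "")
    privs = privilege_list(event)
    findings = []

    # A logon process must hold SeTcbPrivilege; a denied LsaRegisterLogonProcess
    # call is the pattern the Sigma rule on this page describes.
    if (outcome == "failure" and data.get("Service") == "LsaRegisterLogonProcess"
            and "SeTcbPrivilege" in privs):
        findings.append(Finding("lsa_register_logon_process_failure", process,
                                "SeTcbPrivilege", outcome))

    # Any sensitive privilege from a process outside the allowlist, success or failure.
    if process.lower() not in ALLOWED_PROCESSES:
        for priv in privs:
            if priv in SENSITIVE_PRIVILEGES:
                findings.append(Finding("sensitive_privilege_use", process, priv, outcome))
    return findings


def make_event(keywords, service, privilege_list_field, process_name, event_id=4673) -> dict:
    """Build a record in the same shape as the page's example (constructed data)."""
    return {
        "system": {"event_id": event_id, "keywords": keywords, "channel": "Security"},
        "event_data": {
            "SubjectUserName": "User",
            "ObjectServer": "Security",
            "Service": service,
            "PrivilegeList": privilege_list_field,
            "ProcessName": process_name,
        },
    }


SAMPLE_EVENTS = [
    # 1. The page's example: Failure audit, benign privilege, browser process -> noise.
    make_event(9227875636482146304, "-", "SeProfileSingleProcessPrivilege",
               r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    # 2. Success audit, SeDebugPrivilege from a user-writable path (constructed).
    make_event("0x8020000000000000", "-", "SeDebugPrivilege",
               r"C:\Users\User\AppData\Local\Temp\dumper.exe"),
    # 3. Failure audit matching the LsaRegisterLogonProcess pattern (constructed).
    make_event("0x8010000000000000", "LsaRegisterLogonProcess", "SeTcbPrivilege",
               r"C:\Users\User\Downloads\tool.exe"),
    # 4. Allowlisted system process loading a driver -> suppressed.
    make_event("0x8020000000000000", "-", "SeLoadDriverPrivilege",
               r"C:\Windows\System32\svchost.exe"),
    # 5. Two privileges in one record, as the log separates them with CR/LF/tab.
    make_event("0x8020000000000000", "-", "SeLoadDriverPrivilege\r\n\t\t\tSeDebugPrivilege",
               r"C:\Tools\loader.exe"),
]


def run_triage(events=SAMPLE_EVENTS) -> list:
    """Flatten findings over a batch of records."""
    return [finding for event in events for finding in triage(event)]


if __name__ == "__main__":
    for finding in run_triage():
        print(finding)
```

Record 3 produces two findings (the LsaRegisterLogonProcess rule and the generic sensitive-privilege rule); keeping both is deliberate, since a SIEM correlation step usually wants the specific rule name alongside the broader one. The allowlist is keyed on the lower-cased full path, so a copy of svchost.exe in a user directory is not suppressed.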
Detection Rules #
Sigma #
- User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess' (level: high): The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. Possibly Rubeus trying to get a handle to LSA.
- Potential Privileged System Service Operation - SeLoadDriverPrivilege (level: medium): Detects the usage of the 'SeLoadDriverPrivilege' privilege. This privilege is required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code into kernel mode. This user right does not apply to Plug and Play device drivers. If you exclude privileged users/admins and processes which are allowed to do so, you may be left with bad programs trying to load malicious kernel drivers. This will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) and the usage of Sysinternals and various other tools, so you have to work with a whitelist to find the bad stuff.
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-sensitive-privilege-use
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4673
- Example event sourced from https://github.com/NextronSystems/evtx-baseline