Event ID 4674 — An operation was attempted on a privileged object.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Privilege Use → Sensitive Privilege Use
Collection Priority: Recommended (Palantir, others)
Opcode: Info

Description

An operation was attempted on a privileged object.

Message #

An operation was attempted on a privileged object.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Object:
	Object Server: %5
	Object Type: %6
	Object Name: %7
	Object Handle: %8

Process Information:
	Process ID: %11
	Process Name: %12

Requested Operation:
	Desired Access: %9
	Privileges: %10

Fields #

Name	Description
`SubjectUserSid` SID	[Subject] Security ID.
`SubjectUserName` UnicodeString	[Subject] Account Name.
`SubjectDomainName` UnicodeString	[Subject] Account Domain.
`SubjectLogonId` HexInt64	[Subject] Logon ID.
`ObjectServer` UnicodeString	[Object] Object Server.
`ObjectType` UnicodeString	[Object] Object Type.
`ObjectName` UnicodeString	[Object] Object Name.
`HandleId` Pointer	[Object] Object Handle.
`AccessMask` UnicodeString	[Requested Operation] Desired Access. Access mask reference
`PrivilegeList` UnicodeString	[Requested Operation] Privileges. Privilege constants reference
`ProcessId` Pointer	[Process Information] Process ID.
`ProcessName` UnicodeString	[Process Information] Process Name.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4674,
    "version": 0,
    "level": 0,
    "task": 13056,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2023-11-06T01:39:25.936087+00:00",
    "event_record_id": 273230,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 17676
    },
    "channel": "Security",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-21-1992711665-1655669231-58201500-1000",
    "SubjectUserName": "User",
    "SubjectDomainName": "WINDEV2310EVAL",
    "SubjectLogonId": "0x277c6",
    "ObjectServer": "Security",
    "ObjectType": "-",
    "ObjectName": "-",
    "HandleId": "0xfffffffffffffffc",
    "AccessMask": "1024",
    "PrivilegeList": "SeIncreaseBasePriorityPrivilege",
    "ProcessId": "0x39dc",
    "ProcessName": "C:\\Program Files\\WindowsApps\\Microsoft.SysinternalsSuite_2023.10.0.0_x64__8wekyb3d8bbwe\\Tools\\Procmon.exe"
  },
  "message": ""
}

Community Notes #

Logs direct interaction with objects that require SeSecurity/SeTakeOwnership, ie SAM hives.

Detection Rules #

View all rules referencing this event →

Sigma # view in reference

SCM Database Privileged Operation source medium: Detects non-system users performing privileged operation os the SCM database

Elastic # view in reference

Suspicious SeIncreaseBasePriorityPrivilege Use source high: Identifies attempts to use the SeIncreaseBasePriorityPrivilege privilege by an unusual process. This could be related to hijack execution flow of a process via threats priority manipulation.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4674
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-sensitive-privilege-use
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4674
Example event sourced from https://github.com/NextronSystems/evtx-baseline