4672 Special privileges assigned to new logon
Written when sensitive privileges (strong, administrator-level rights) are assigned to a logon session. Paired with 4624, it is a key event indicating that “a logon with administrator privileges occurred.”
Overview
The subcategory is Audit Special Logon. It is generated when a new logon is granted any of several sensitive privileges, such as SeDebugPrivilege (debug programs, i.e. manipulate other processes’ memory), SeBackupPrivilege / SeRestorePrivilege (back up and restore), SeTcbPrivilege (act as part of the OS), SeImpersonatePrivilege (impersonate a client), SeLoadDriverPrivilege (load drivers), and SeTakeOwnershipPrivilege (take ownership). It also fires on every SYSTEM logon, so the count is high.
How it is triggered
- When an administrator-level account or SYSTEM performs a new logon and is granted sensitive privileges.
- It ties to 4624 via the same Logon ID.
Security review points
- It is the starting point for catching “logon with administrator rights.” If 4672 appears for a Subject\Security ID other than SYSTEM, it means an administrator-level session was started. Use it to monitor high-privilege account usage.
- Among the granted privileges, SeDebugPrivilege (abused for credential dumping and reading LSASS memory) and SeImpersonatePrivilege (abused in “potato” privilege-escalation techniques) are especially notable.
- If 4672 appears for an account that should be an ordinary user, suspect privilege escalation or misconfiguration. Combine with 4624 to track when and from where administrator logons occur.
Notes for log review
- A flood of 4672 from SYSTEM is normal noise. Narrowing to “Subject is not SYSTEM” makes the investigation scope practical.
- Baseline which accounts log on with which privileges from which hosts, and watch for deviations (such as occurring on a host that normally has no administrator logons).
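The review steps above (drop SYSTEM, join 4672 to 4624 on the Logon ID, flag the notable privileges, compare against a baseline) as an added example in Python; this is not code from the page or from any vendor tooling. It assumes events have already been exported into a simplified dict form whose keys mirror the XML data names of the real events (SubjectUserSid, SubjectLogonId, PrivilegeList on 4672; TargetLogonId, LogonType, IpAddress on 4624). The events, SIDs, hostnames and baseline below are constructed sample data, and S-1-5-18 is the well-known SID for SYSTEM.

```python
"""Correlate Windows Security events 4672 and 4624 on Logon ID.

Added example, not the page's or any vendor's code.  The event records
below are constructed samples in a simplified dict form; real 4672/4624
XML carries more fields than are used here.
"""

SYSTEM_SID = "S-1-5-18"  # well-known SID for LocalSystem (the page's "SYSTEM")

# Privileges the page singles out as especially notable in a 4672 event.
NOTABLE_PRIVILEGES = {"SeDebugPrivilege", "SeImpersonatePrivilege"}

# Constructed sample events.  Key names mirror the event XML data names.
SAMPLE_EVENTS = [
    {"EventID": 4672, "Computer": "WS01", "SubjectUserSid": SYSTEM_SID,
     "SubjectUserName": "SYSTEM", "SubjectLogonId": "0x3e7",
     "PrivilegeList": "SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeDebugPrivilege"},
    {"EventID": 4624, "Computer": "WS01", "TargetUserName": "alice",
     "TargetLogonId": "0x5a1c2", "LogonType": "10", "IpAddress": "10.0.0.5"},
    {"EventID": 4672, "Computer": "WS01",
     "SubjectUserSid": "S-1-5-21-1111-2222-3333-1001",
     "SubjectUserName": "alice", "SubjectLogonId": "0x5a1c2",
     "PrivilegeList": "SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege"},
    {"EventID": 4624, "Computer": "SRV01", "TargetUserName": "bob",
     "TargetLogonId": "0x7b9d0", "LogonType": "3", "IpAddress": "10.0.0.77"},
    {"EventID": 4672, "Computer": "SRV01",
     "SubjectUserSid": "S-1-5-21-1111-2222-3333-1002",
     "SubjectUserName": "bob", "SubjectLogonId": "0x7b9d0",
     "PrivilegeList": "SeImpersonatePrivilege"},
]

# Constructed baseline: (account, host) pairs where admin logons are expected.
BASELINE = {("alice", "WS01")}


def index_logons(events):
    """Map Logon ID -> 4624 event so each 4672 can be joined to its logon."""
    return {e["TargetLogonId"]: e for e in events if e["EventID"] == 4624}


def review_special_logons(events, baseline=BASELINE):
    """Return one finding per non-SYSTEM 4672, enriched from the matching 4624."""
    logons = index_logons(events)
    findings = []
    for e in events:
        if e["EventID"] != 4672 or e["SubjectUserSid"] == SYSTEM_SID:
            continue  # SYSTEM 4672 is routine noise; narrow to everything else
        privileges = set(e["PrivilegeList"].split())
        logon = logons.get(e["SubjectLogonId"])  # same Logon ID as the 4624
        account, host = e["SubjectUserName"], e["Computer"]
        findings.append({
            "account": account,
            "host": host,
            "logon_id": e["SubjectLogonId"],
            "notable_privileges": sorted(privileges & NOTABLE_PRIVILEGES),
            # Where and how the session was opened, taken from the joined 4624.
            "logon_type": logon["LogonType"] if logon else None,
            "source_ip": logon["IpAddress"] if logon else None,
            # Deviation from the baseline of expected (account, host) pairs.
            "outside_baseline": (account, host) not in baseline,
        })
    return findings


if __name__ == "__main__":
    for f in review_special_logons(SAMPLE_EVENTS):
        print(f)
```

Running it on the sample data yields two findings: alice on WS01 (an expected admin logon holding SeDebugPrivilege, interactive type 10 from 10.0.0.5) and bob on SRV01, which is outside the baseline and arrives over the network (type 3) with SeImpersonatePrivilege, so it is the one to investigate first.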
Key fields
| Field | Meaning |
|---|---|
| Subject\Account Name | The account assigned the privileges; non-SYSTEM is the focus |
| Privileges | The list of sensitive privileges granted |
| Logon ID | The key for matching with 4624 |
Glossary
- SeDebugPrivilege — a powerful privilege allowing access to other processes’ memory. It is abused for credential theft.