4673 A privileged service was called
Written when a privileged system service operation is attempted. It captures the moment a strong right is actually used, but it is high-volume and needs tuning.
Overview
The subcategories are Audit Sensitive Privilege Use and Audit Non Sensitive Privilege Use. It is generated when privileges such as SeSystemtimePrivilege (change the time), SeCreateGlobalPrivilege, or SeTcbPrivilege (act as part of the OS) are used. A failed service call produces a Failure event.
How it is triggered
- When a privileged system service operation is performed.
- Which privilege was used appears in the Privileges field.
Security review points
- Use of an extremely strong privilege such as SeTcbPrivilege is normally done only by a limited set of subjects. Use by an unexpected account suggests privilege escalation or abuse.
- Combine with 4672 (special-privilege logon) to follow the flow of “a strong right was granted (4672) and then actually used (4673/4674).”
Notes for log review
- Enabling Sensitive Privilege Use produces a very large number of events. Watching the full volume continuously is impractical; monitor narrowed to specific privileges and accounts.
- Many privileges occur frequently in legitimate system activity. Narrow by the pairing of a notable privilege (such as SeDebugPrivilege) and subject.
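The narrowing described above, as an added example that is not part of the original page: it keeps only 4673 records where a notable privilege was used by an account outside an assumed allowlist, and checks whether a 4672 event for the same logon session had granted that right. The event records, the allowlist, and the use of Subject Logon ID as the join key are assumptions for the example.

```python
# Added example (not from the original page): filter 4673 records to notable
# privileges used by unexpected accounts, and tie each hit back to the 4672
# logon that granted the right. All sample events below are constructed.
from collections import defaultdict

# Privileges worth alerting on; the page names SeTcbPrivilege and SeDebugPrivilege.
NOTABLE = {"SeTcbPrivilege", "SeDebugPrivilege"}
# Accounts expected to use these rights (assumed allowlist for this example).
EXPECTED = {"SYSTEM", "svc-backup"}

# Constructed records mimicking the Subject / Privileges / Process Name fields.
SAMPLE_EVENTS = [
    {"id": 4672, "account": "SYSTEM", "logon_id": "0x3e7", "privileges": "SeTcbPrivilege"},
    {"id": 4673, "account": "SYSTEM", "logon_id": "0x3e7", "privileges": "SeTcbPrivilege",
     "process": r"C:\Windows\System32\lsass.exe"},
    {"id": 4672, "account": "jdoe", "logon_id": "0x5a1b2", "privileges": "SeDebugPrivilege SeBackupPrivilege"},
    {"id": 4673, "account": "jdoe", "logon_id": "0x5a1b2", "privileges": "SeDebugPrivilege",
     "process": r"C:\Users\jdoe\tool.exe"},
    {"id": 4673, "account": "jdoe", "logon_id": "0x5a1b2", "privileges": "SeSystemtimePrivilege",
     "process": r"C:\Windows\System32\w32tm.exe"},
    {"id": 4673, "account": "svc-backup", "logon_id": "0x7c01", "privileges": "SeDebugPrivilege",
     "process": r"C:\Program Files\Backup\agent.exe"},
]

def find_suspicious_privilege_use(events):
    """Return 4673 uses of a notable privilege by a non-allowlisted account,
    annotated with whether a 4672 event on the same logon granted that right."""
    granted = defaultdict(set)  # logon_id -> privileges listed in its 4672 event
    for ev in events:
        if ev["id"] == 4672:
            granted[ev["logon_id"]].update(ev["privileges"].split())
    hits = []
    for ev in events:
        if ev["id"] != 4673:
            continue
        notable_used = set(ev["privileges"].split()) & NOTABLE
        if not notable_used or ev["account"] in EXPECTED:
            continue  # noise: routine privilege, or an expected subject
        hits.append({
            "account": ev["account"],
            "privileges": sorted(notable_used),
            "process": ev["process"],
            "granted_at_logon": bool(notable_used & granted[ev["logon_id"]]),
        })
    return hits

if __name__ == "__main__":
    for hit in find_suspicious_privilege_use(SAMPLE_EVENTS):
        print(hit)
```

Only the jdoe use of SeDebugPrivilege survives the filter; the SYSTEM and svc-backup uses are dropped as expected subjects, and the SeSystemtimePrivilege use is dropped as a routine privilege.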
Key fields
| Field | Meaning |
|---|---|
| Subject\Account Name | The account that used the privilege |
| Privileges | The privilege used |
| Process Name | The calling process |