4674 An operation was attempted on a privileged object
Written when a privileged operation is attempted on a protected object that has already been opened. Together with 4673 (a privileged service was called), it is one of the events that records the actual exercise of a strong right, not merely its assignment at logon.
Overview
The subcategories are Audit Sensitive Privilege Use and Audit Non Sensitive Privilege Use. The event is generated when a privileged operation is performed on an already-opened protected subsystem object. Typical cases are the use of SeShutdownPrivilege (shut down the system), SeRemoteShutdownPrivilege (force shutdown from a remote system), or SeSecurityPrivilege (manage auditing and the security log). A failed attempt is recorded as a Failure audit (keyword Audit Failure) rather than as a separate event ID.
How it is triggered
- A privileged operation on an already-opened object (shutdown, manipulating the security log, and so on).
- The privilege used appears in the Privileges field; the Object fields (Object Server, Object Type, Object Name) show what the operation targeted, and Process Name shows the originating process.
Security review points
- Use of SeSecurityPrivilege relates to manipulating the security log (clearing it, and so on), so note it in the context of evidence concealment. Read it together with 1102 (the audit log was cleared).
- Exercising the remote-shutdown privilege can be disruption aimed at availability. Investigate use by an unexpected subject.
Notes for log review
- Like 4673, enabling the subcategory yields a high volume. Narrow by notable privilege (SeSecurityPrivilege, SeShutdownPrivilege, SeRemoteShutdownPrivilege) and by subject rather than alerting on every 4674.
- It also appears in legitimate system operations (such as a normal shutdown, or the SYSTEM account servicing the event log). Confirm who used which privilege, from which process, in the expected context.
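The following PowerShell is an added example, not code from the original page or from Microsoft. It pulls 4674 events from the local Security log, extracts the Privileges field from each event's XML, keeps only a short list of notable privileges, and then summarises who used which privilege from which process, with SeSecurityPrivilege use listed beside any 1102 events in the same window. The notable-privilege list, the 24-hour window, and the exclusion of the SYSTEM account are assumptions to tune against your own baseline; the EventData element name PrivilegeList is the one the event's XML uses for the Privileges field, so confirm it against a real event if your output comes back empty.

```powershell
# Added example (not from the original page): triage Event ID 4674 on the local host.
# Run from an elevated session; reading the Security log itself requires admin rights.
# Assumptions: the notable-privilege list, the 24-hour window and the SYSTEM exclusion
# are starting points, not a recommended baseline.

$notable = @('SeSecurityPrivilege', 'SeShutdownPrivilege', 'SeRemoteShutdownPrivilege')
$since   = (Get-Date).AddHours(-24)

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4674; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Read the named EventData values out of the event XML. 'PrivilegeList' carries the
    # Privileges field and can hold several privilege names separated by whitespace.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $privs = ($d['PrivilegeList'] -split '\s+') | Where-Object { $_ }

    foreach ($p in $privs) {
        if ($notable -notcontains $p) { continue }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Outcome   = $(if ($e.KeywordsDisplayNames -contains 'Audit Failure') { 'Failure' } else { 'Success' })
            Subject   = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            LogonId   = $d['SubjectLogonId']
            Privilege = $p
            Process   = $d['ProcessName']
            Object    = "$($d['ObjectServer'])/$($d['ObjectType'])/$($d['ObjectName'])"
        }
    }
}

# 1. Every use of a notable privilege by a subject other than the SYSTEM account,
#    in time order, so an unexpected subject is visible at a glance.
$hits | Where-Object { $_.Subject -notlike '*\SYSTEM' } |
    Sort-Object Time | Format-Table Time, Outcome, Subject, Privilege, Process -AutoSize

# 2. Volume view: subject / privilege / process triples by count. Routine activity
#    clusters into a few large groups; the one-off pairs at the bottom are worth a look.
$hits | Group-Object Subject, Privilege, Process |
    Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 3. SeSecurityPrivilege use next to any 1102 (audit log cleared) in the same window.
#    A 4674 for SeSecurityPrivilege shortly before a 1102 from the same subject is the
#    evidence-concealment pattern the review points above describe.
$secPriv = $hits | Where-Object { $_.Privilege -eq 'SeSecurityPrivilege' } | Sort-Object Time
$cleared = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102; StartTime = $since } `
                        -ErrorAction SilentlyContinue

$secPriv | Format-Table Time, Subject, LogonId, Process -AutoSize
if ($cleared) {
    "1102 events in the same window:"
    $cleared | Select-Object TimeCreated, Id, Message | Format-Table -AutoSize
}
```

Correlate on Subject\Logon ID rather than on account name alone: the Logon ID ties a 4674 back to the 4624 logon session that produced the token, which is what lets you tell a scheduled task or service from an interactive operator using the same account.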
Key fields
| Field | Meaning |
|---|---|
| Subject\Account Name | The account that performed the operation |
| Subject\Logon ID | The logon session of that account; correlate with 4624 |
| Privileges | The privilege used |
| Process Name | The originating process |
| Object Server / Object Type / Object Name | The protected object the operation targeted |