EventPeeker

Event ID 4672 — Special Privileges Assigned to New Logon

Event ID 4672 is logged whenever an account logs on with sensitive or special privileges such as SeDebugPrivilege, SeImpersonatePrivilege, or SeTakeOwnershipPrivilege. It fires for every privileged logon, including administrators and service accounts.

MITRE ATT&CK

Technique: T1078 · Valid Accounts

Tactic: Privilege Escalation

View on attack.mitre.org →

Security Relevance

Attackers who gain access to privileged accounts will trigger 4672 events. While this event is noisy in environments with many admins, unexpected accounts appearing in 4672 logs — especially after a credential attack — indicate privilege escalation or lateral movement. It's also a key indicator of pass-the-hash and token impersonation attacks.

Example Log Entry

Log Name: Security
Source:    Microsoft-Windows-Security-Auditing
Event ID:  4672
Level:     Information

Special privileges assigned to new logon.

Subject:
  Security ID:   CORP\svc-backup
  Account Name:  svc-backup
  Account Domain: CORP
  Logon ID:      0x4F3A1

Privileges:     SeSecurityPrivilege
                SeBackupPrivilege
                SeRestorePrivilege
                SeTakeOwnershipPrivilege
                SeDebugPrivilege

Investigation Steps

  1. Check the account — is this a known admin or service account? Unexpected accounts are the red flag, not the event itself.
  2. Cross-reference the Logon ID with Event ID 4624 to see how the session was established (interactive, network, remote).
  3. Note which privileges were assigned — SeDebugPrivilege and SeTakeOwnershipPrivilege are the most dangerous.
  4. Look for 4672 events from service accounts that should never log on interactively.
  5. Check the time — privileged logons outside business hours or during incidents deserve immediate attention.
  6. Look for clusters of 4672 events from a single account in a short time — this may indicate credential reuse across systems.
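The triage steps above, applied to 4672 message bodies in the layout shown in the example log entry, as an added example (not EventPeeker's own detection code). The admin allow-list, the service-account list, the sample events and the Logon ID to 4624 LogonType mapping are all constructed for illustration; in practice they would come from your inventory and from the matching 4624 events.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

KNOWN_ADMINS = {"CORP\\admin-jsmith"}  # hypothetical allow-list of expected admins
SERVICE_ACCOUNTS = {"CORP\\svc-backup"}  # hypothetical: must never log on interactively
HIGH_RISK = {"SeDebugPrivilege", "SeTakeOwnershipPrivilege"}

def parse_4672(message):
    """Pull Security ID, Logon ID and the privilege list out of a 4672 message body."""
    account = re.search(r"Security ID:\s*(\S+)", message).group(1)
    logon_id = re.search(r"Logon ID:\s*(\S+)", message).group(1)
    privs = re.findall(r"Se\w+Privilege", message.split("Privileges:", 1)[1])
    return {"account": account, "logon_id": logon_id, "privileges": set(privs)}

def triage(events, logons, window=timedelta(minutes=5), min_cluster=3):
    """events: [(datetime, 4672 message)]; logons: {Logon ID: 4624 LogonType}."""
    findings, seen = [], defaultdict(list)
    for when, message in events:
        e = parse_4672(message)
        seen[e["account"]].append(when)
        if e["account"] in SERVICE_ACCOUNTS:  # steps 2 and 4: how did the session start?
            if logons.get(e["logon_id"]) in {2, 10}:  # 4624 LogonType 2 = Interactive, 10 = RemoteInteractive
                findings.append((e["account"], "service account logged on interactively"))
        elif e["account"] not in KNOWN_ADMINS:  # step 1: is the account expected at all?
            findings.append((e["account"], "unexpected privileged account"))
        risky = HIGH_RISK & e["privileges"]  # step 3: which privileges were granted?
        if risky and e["account"] not in KNOWN_ADMINS:
            findings.append((e["account"], "high-risk privileges: " + ", ".join(sorted(risky))))
    for account, times in seen.items():  # step 6: bursts of 4672 from one account
        times.sort()
        if any(times[i + min_cluster - 1] - times[i] <= window
               for i in range(len(times) - min_cluster + 1)):
            findings.append((account, f"{min_cluster}+ privileged logons within {window}"))
    return findings

def make_msg(account, logon_id, privs):
    """Constructed 4672 message body in the layout shown on this page."""
    return (f"Subject:\n  Security ID:   {account}\n  Logon ID:      {logon_id}\n\n"
            "Privileges:     " + "\n                ".join(privs))
T = datetime(2024, 3, 4, 9, 0)
SAMPLE_EVENTS = [  # constructed sample data, not real logs
    (T, make_msg("CORP\\admin-jsmith", "0x1A2B", ["SeDebugPrivilege"])),
    (T + timedelta(minutes=2), make_msg("CORP\\svc-backup", "0x4F3A1", ["SeBackupPrivilege", "SeDebugPrivilege"])),
    (T + timedelta(minutes=10), make_msg("CORP\\jdoe", "0x7001", ["SeTakeOwnershipPrivilege"])),
    (T + timedelta(minutes=11), make_msg("CORP\\jdoe", "0x7002", ["SeTakeOwnershipPrivilege"])),
    (T + timedelta(minutes=13), make_msg("CORP\\jdoe", "0x7003", ["SeTakeOwnershipPrivilege"])),
]
SAMPLE_LOGONS = {"0x1A2B": 2, "0x4F3A1": 10, "0x7001": 3, "0x7002": 3, "0x7003": 3}
```

Running `triage(SAMPLE_EVENTS, SAMPLE_LOGONS)` leaves the known admin silent, flags the service account for both its RDP-style logon and its SeDebugPrivilege, and reports the unexpected account once per event plus once for the three-logon burst.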


Remediation

  • Apply least-privilege — accounts should only hold the privileges they need for their specific function.
  • Separate admin accounts from daily-use accounts — admins should use a dedicated privileged account.
  • Enable Privileged Access Workstations (PAWs) for sensitive admin tasks.
  • Review and trim group memberships regularly — remove stale admins.
  • Alert on 4672 for service accounts or non-admin accounts — these should never appear.
  • Implement JIT (Just-in-Time) access for privileged roles to reduce permanent membership.

Related Event IDs

4624: Successful logon — the session that received these privileges
4625: Failed logon — check for failed attempts before the privileged logon
4728: User added to global group — may precede privilege escalation
4794: DSRM password change — often preceded by 4672 with SeDebugPrivilege
