EventPeeker
Event ID 4672 · Audit Success · Security · T1078

Windows Event ID 4672: Special Privileges Assigned to New Logon

Logged immediately after a successful 4624 logon when the authenticated account holds one or more sensitive Windows privileges. Fires for Domain Admins, local Administrators, and any account with sensitive rights assigned via Group Policy. In large environments, Domain Controllers generate very high 4672 volume because privileged service accounts and admins authenticate constantly — effective detection requires a baseline, not raw volume alerting.

MITRE ATT&CK

Technique

T1078 · Valid Accounts

Tactic

Privilege Escalation

View on attack.mitre.org →

Why It Matters

4672 confirms that the account that just logged on (4624) actually received elevated capabilities, not just a standard user token. The specific privileges listed reveal the attack surface. Pass-the-hash attacks against privileged accounts always generate 4672 — the stolen hash belongs to a high-privilege account, so its logon comes with the full privilege set intact. SeDebugPrivilege allows reading and writing any process memory — if present on an account that shouldn't have it, the account has either been added to a privileged group or a privilege escalation exploit has succeeded. SeImpersonatePrivilege is the entry point for Potato-family local privilege escalation attacks.

Key Fields

Account Name: The account assigned elevated privileges — should match your known privileged account inventory
Privileges: Specific rights granted. Critical: SeDebugPrivilege (read/write any process memory — LSASS access); SeImpersonatePrivilege (token theft — Potato exploits); SeTcbPrivilege (act as part of the OS); SeLoadDriverPrivilege (load unsigned drivers). High-risk: SeBackupPrivilege and SeRestorePrivilege (bypass file and registry ACLs); SeAssignPrimaryTokenPrivilege (assign tokens to processes)
Logon ID: Unique session identifier — links to the matching 4624 event for logon type, source IP, and authentication package
Subject Account Domain: The domain of the account — unexpected domains or WORKGROUP for domain-joined machines are red flags

Investigation Tips

  1. SeDebugPrivilege on any non-SYSTEM, non-Domain-Admin account is a critical finding — it allows a process to attach to LSASS and extract credentials. This is one of the capabilities Mimikatz requires. Only built-in Administrators and SYSTEM should hold it in a hardened environment.
  2. SeImpersonatePrivilege is expected on service accounts (IIS App Pool, SQL Server, network services) but dangerous on interactive or unexpected accounts. It is the enabler for Potato-family privilege escalation (PrintSpoofer, RoguePotato, etc.) — a low-privilege service account with this right can escalate to SYSTEM.
  3. Pass-the-hash pivot: 4672 from a privileged account via the NTLM Authentication Package (visible in the correlated 4624 sharing the same Logon ID). Legitimate domain admin logons use Kerberos — an NTLM logon by a Domain Admin to a server indicates pass-the-hash with a stolen hash.
  4. Baseline which accounts trigger 4672 in your environment. Any account appearing in 4672 that is not in your privileged account inventory is a red flag — it may have been added to a privileged group (4728/4732) without authorization.
  5. On Domain Controllers, 4672 volume is high by design. Filter for unexpected conditions: (1) Account Names not in your known admin list, (2) NTLM Authentication Package (pass-the-hash), (3) Logon Types 3 or 10 from external/unexpected IPs.
  6. Correlate Logon ID with 4688 (process creation) to see what the elevated session actually executed. Legitimate admins run known tools; attackers run cmd.exe, powershell.exe, or custom binaries.
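The tips above, applied as a single correlation pass in Python. This is an added illustration, not EventPeeker's code: it joins each 4672 to its 4624 by Logon ID and flags accounts outside the baseline inventory, critical privileges on such accounts, NTLM authentication, and type 3/10 logons from outside assumed internal ranges. The sample events, inventory and internal networks are constructed for the example; field names follow the EventData names in the 4624/4672 XML.

```python
from ipaddress import ip_address, ip_network

# Constructed sample events (not real logs). Field names follow the EventData
# names in the 4624/4672 XML; only the fields the checks use are included.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "adm-jsmith", "TargetDomainName": "CORP",
     "TargetLogonId": "0x3e7a1", "LogonType": "10",
     "AuthenticationPackageName": "Kerberos", "IpAddress": "10.1.5.20"},
    {"EventID": 4672, "SubjectUserName": "adm-jsmith", "SubjectDomainName": "CORP",
     "SubjectLogonId": "0x3e7a1", "PrivilegeList": "SeDebugPrivilege SeBackupPrivilege"},
    {"EventID": 4624, "TargetUserName": "svc-backup", "TargetDomainName": "CORP",
     "TargetLogonId": "0x9f102", "LogonType": "3",
     "AuthenticationPackageName": "NTLM", "IpAddress": "203.0.113.7"},
    {"EventID": 4672, "SubjectUserName": "svc-backup", "SubjectDomainName": "CORP",
     "SubjectLogonId": "0x9f102", "PrivilegeList": "SeDebugPrivilege SeImpersonatePrivilege"},
]
KNOWN_PRIVILEGED = {"CORP\\adm-jsmith", "CORP\\Administrator"}   # assumed baseline inventory
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # assumed
CRITICAL = {"SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege"}

def triage_4672(events, known_privileged=KNOWN_PRIVILEGED):
    """Return (logon_id, reason) findings for each 4672, using the matching 4624
    (same Logon ID) for authentication package, logon type and source IP."""
    logons = {e["TargetLogonId"]: e for e in events if e["EventID"] == 4624}
    findings = []
    for ev in (e for e in events if e["EventID"] == 4672):
        lid = ev["SubjectLogonId"]
        acct = ev["SubjectDomainName"] + "\\" + ev["SubjectUserName"]
        privs = set(ev["PrivilegeList"].split())
        if acct not in known_privileged:                      # Tip 4: baseline check
            findings.append((lid, f"{acct} not in privileged inventory"))
            # Tip 1: SeDebugPrivilege (and peers) outside the inventory is critical
            for p in sorted(privs & CRITICAL):
                findings.append((lid, f"{acct} holds {p}"))
        logon = logons.get(lid)
        if logon is None:
            findings.append((lid, "no matching 4624 in the sample"))
            continue
        if logon["AuthenticationPackageName"] == "NTLM":      # Tip 3: pass-the-hash indicator
            findings.append((lid, f"NTLM logon for {acct} (possible pass-the-hash)"))
        if "SeImpersonatePrivilege" in privs and logon["LogonType"] in ("2", "10"):
            findings.append((lid, f"{acct} holds SeImpersonatePrivilege on an interactive logon"))  # Tip 2
        src = logon["IpAddress"]                               # Tip 5: type 3/10 from outside
        if logon["LogonType"] in ("3", "10") and src not in ("-", "127.0.0.1", "::1") \
                and not any(ip_address(src) in n for n in INTERNAL_NETS):
            findings.append((lid, f"type {logon['LogonType']} logon from external {src}"))
    return findings
```

Run over the sample, only the svc-backup session (0x9f102) produces findings; the Kerberos RDP logon by the inventoried admin is silent.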

Related Event IDs

4624: Logon event — 4672 fires immediately after 4624 for privileged accounts
4688: Process creation — what the privileged session launched
4728: Member added to privileged global group — may explain why the account now holds elevated privileges
4732: Member added to local Administrators
4769: Kerberos service ticket — privileged sessions from forged Golden Tickets trigger 4672

Full Detection Guide Available

This event ID has a full detection guide with investigation steps, remediation advice, and example log entries.


See Event ID 4672 in your logs

Upload a Windows Event Log (.evtx) file — EventPeeker automatically detects special privileges assigned to new logon patterns, maps findings to MITRE ATT&CK, and generates an AI triage report.
