Windows Event ID 4673 — Privileged Service Called
Logged when a process or user attempts to use a sensitive privilege such as SeDebugPrivilege, SeImpersonatePrivilege, or SeTakeOwnershipPrivilege. High-volume or unexpected 4673 events indicate privilege abuse.
MITRE ATT&CK
T1134 · Access Token Manipulation
Privilege Escalation
Why It Matters
Certain privileges allow an attacker to bypass security controls, inject into processes, or take ownership of protected files. SeDebugPrivilege in particular is required for credential dumping tools like Mimikatz to read LSASS memory. A sudden surge of 4673 events from an unexpected process or account is a strong indicator of active exploitation.
Key Fields
Investigation Tips
1. SeDebugPrivilege requests from non-system processes (e.g. cmd.exe, powershell.exe, unknown binaries) are high-risk — this privilege is required for LSASS memory access.
2. SeImpersonatePrivilege abuse is a common local privilege escalation technique (token impersonation, named pipe attacks) — check the process name and its parent.
3. Correlate with Event ID 4663 (object access) on lsass.exe — if a 4673 precedes a 4663 on lsass.exe, credential dumping is likely in progress.
4. Check whether the requesting process is signed, where it lives on disk, and whether it is a known good binary.
5. High-volume 4673 events in a short window indicate automated tooling (e.g. Mimikatz, Cobalt Strike) rather than human interaction.
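The tips above as triage logic, written as an added example (not EventPeeker's code): it runs over constructed 4673/4663 records and flags sensitive privileges from processes outside an assumed known-good baseline, SeDebugPrivilege followed by lsass.exe access from the same PID, and bursts of 4673 events from one process. The record keys, the KNOWN_GOOD set and the thresholds are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SENSITIVE = {"SeDebugPrivilege", "SeImpersonatePrivilege", "SeTakeOwnershipPrivilege"}
# Assumed baseline of processes expected to use these privileges; tune per environment.
KNOWN_GOOD = {r"c:\windows\system32\svchost.exe", r"c:\windows\system32\services.exe"}

def triage(events, window=timedelta(seconds=10), burst=5, corr=timedelta(seconds=30)):
    """Return (rule, process, detail) findings; rules follow the investigation tips above."""
    ts = lambda e: datetime.fromisoformat(e["ts"])
    findings, e4673 = [], [e for e in events if e["id"] == 4673]
    # Tips 1-2: a sensitive privilege requested by a process outside the known-good baseline.
    for e in e4673:
        hit = sorted(set(e["privs"].split()) & SENSITIVE)
        if hit and e["process"].lower() not in KNOWN_GOOD:
            findings.append(("sensitive_priv_non_system", e["process"], ",".join(hit)))
    # Tip 3: SeDebugPrivilege (4673) followed within `corr` by a 4663 on lsass.exe from the same PID.
    for d in (e for e in e4673 if "SeDebugPrivilege" in e["privs"]):
        for a in events:
            if (a["id"] == 4663 and a["pid"] == d["pid"]
                    and a["object"].lower().endswith("lsass.exe")
                    and timedelta(0) <= ts(a) - ts(d) <= corr):
                findings.append(("lsass_access_after_debug_priv", d["process"], a["ts"]))
    # Tip 5: `burst` or more 4673 events from one process inside `window` points to tooling.
    by_proc = defaultdict(list)
    for e in e4673:
        by_proc[e["process"]].append(ts(e))
    for proc, times in by_proc.items():
        times.sort()
        if any(times[i + burst - 1] - times[i] <= window for i in range(len(times) - burst + 1)):
            findings.append(("burst", proc, f"{burst}+ events within {window.seconds}s"))
    return findings

# Constructed sample records, not real logs; keys mirror the 4673/4663 EventData field names.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE = [
    {"id": 4673, "ts": "2024-05-01T10:00:00", "pid": 900, "privs": "SeImpersonatePrivilege",
     "process": r"C:\Windows\System32\svchost.exe"},
    {"id": 4673, "ts": "2024-05-01T10:01:00", "pid": 4242, "privs": "SeDebugPrivilege", "process": PS},
    {"id": 4663, "ts": "2024-05-01T10:01:02", "pid": 4242, "process": PS,
     "object": r"\Device\HarddiskVolume2\Windows\System32\lsass.exe"},
] + [
    {"id": 4673, "ts": f"2024-05-01T10:05:{i:02d}", "pid": 5150, "privs": "SeDebugPrivilege",
     "process": r"C:\Users\alice\AppData\Local\Temp\m.exe"} for i in range(6)
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

The svchost.exe SeImpersonatePrivilege record produces no finding because it sits in the baseline; the powershell.exe record is flagged twice (sensitive privilege, then the lsass.exe correlation) and the six m.exe records trip the burst rule.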
Seeing Event ID 4673 in your own logs? Upload an .evtx file — EventPeeker flags privileged service called automatically, maps it to MITRE ATT&CK, and writes the triage report. No account, files auto-deleted.
Go deeper: the full Privilege Escalation — Gaining Admin and Domain Access guide
Builds on this page with the attack chain, step-by-step investigation, immediate containment actions, KQL/Sigma detection queries, and an annotated example log.