{
  "id": "4672",
  "source": "windows_security",
  "category": "Logon",
  "name": "Special privileges assigned to new logon",
  "priority": "P1",
  "applicable_version": "Windows Server 2008 R2 and later; Windows 7 and later",
  "last_reviewed": "2026-07-10",
  "definition": "Windows Security Event ID 4672 records assignment of sensitive privileges to a newly created logon session.",
  "trigger_scenarios": "The event is generated when a logon receives administrative privileges such as SeDebugPrivilege or SeTcbPrivilege.",
  "key_fields": [
    {
      "field": "Subject",
      "explanation": "The privileged identity and Logon ID. Use the Logon ID to join the event to its 4624 session."
    },
    {
      "field": "Privilege List",
      "explanation": "The privileges assigned to the session. Their meaning depends on the account role and target system."
    },
    {
      "field": "Logon ID",
      "explanation": "A session identifier used for correlation with logon, process, and object-access events."
    }
  ],
  "false_positives": [
    "Domain and local administrators create this event as part of normal operations.",
    "Service accounts on servers may require privileged rights by design."
  ],
  "related_event_ids": [
    "4624",
    "4688",
    "4648"
  ],
  "attck_mapping": [
    {
      "technique_id": "T1078",
      "technique_name": "Valid Accounts"
    },
    {
      "technique_id": "T1068",
      "technique_name": "Exploitation for Privilege Escalation"
    }
  ],
  "detection_notes": "Treat SeDebugPrivilege on a new Logon ID as T1078/T1068 triage, especially when 4688 shows procdump.exe or rundll32.exe accessing lsass.exe. Logon ID 0x3e7 is the standard LocalSystem session and is normally noisy; an interactive Type 10 session with SeDebugPrivilege is a stronger deviation.",
  "kql_snippet": "SecurityEvent\n| where EventID == 4672\n| project TimeGenerated, Computer, Account, SubjectLogonId, PrivilegeList\n| order by TimeGenerated desc",
  "spl_snippet": "index=wineventlog EventCode=4672\n| table _time, host, SubjectUserName, SubjectLogonId, PrivilegeList",
  "sample_log": "Subject: Account Name: CORP\\admin.ops\nLogon ID: 0x3e7\nPrivileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeDebugPrivilege",
  "source_url": "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672",
  "route": "/windows-events/4672/",
  "canonical_url": "https://soceventlookup.com/windows-events/4672/",
  "json_url": "/api/events/windows-security/4672.json"
}
