SOC Event Lookup
Event ID 4672LogonP1

Windows Event ID 4672: Special privileges assigned to new logon

Windows Security Event ID 4672 records assignment of sensitive privileges to a newly created logon session.

Applicable version
Windows Server 2008 R2 and later; Windows 7 and later
Last reviewed
2026-07-10

Trigger Scenarios

The event is generated when a logon receives administrative privileges such as SeDebugPrivilege or SeTcbPrivilege.

Key Fields

Subject

The privileged identity and Logon ID. Use the Logon ID to join the event to its 4624 session.

Privilege List

The privileges assigned to the session. Their meaning depends on the account role and target system.

Logon ID

A session identifier used for correlation with logon, process, and object-access events.

Common False Positives

  • Domain and local administrators create this event as part of normal operations.
  • Service accounts on servers may require privileged rights by design.

Related Events

MITRE ATT&CK Mapping

  • T1078Valid Accounts
  • T1068Exploitation for Privilege Escalation

Detection Notes

Treat SeDebugPrivilege on a new Logon ID as T1078/T1068 triage, especially when 4688 shows procdump.exe or rundll32.exe accessing lsass.exe. Logon ID 0x3e7 is the standard LocalSystem session and is normally noisy; an interactive Type 10 session with SeDebugPrivilege is a stronger deviation.

Microsoft Sentinel KQL
SecurityEvent
| where EventID == 4672
| project TimeGenerated, Computer, Account, SubjectLogonId, PrivilegeList
| order by TimeGenerated desc
Splunk SPL
index=wineventlog EventCode=4672
| table _time, host, SubjectUserName, SubjectLogonId, PrivilegeList
Sample Log
Subject: Account Name: CORP\admin.ops
Logon ID: 0x3e7
Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeDebugPrivilege

Source