Windows Event ID 4672: Special privileges assigned to new logon
Windows Security Event ID 4672 records assignment of sensitive privileges to a newly created logon session.
- Applicable version
- Windows Server 2008 R2 and later; Windows 7 and later
- Last reviewed
- 2026-07-10
Trigger Scenarios
The event is generated when a logon receives administrative privileges such as SeDebugPrivilege or SeTcbPrivilege.
Key Fields
Subject
The privileged identity and Logon ID. Use the Logon ID to join the event to its 4624 session.
Privilege List
The privileges assigned to the session. Their meaning depends on the account role and target system.
Logon ID
A session identifier used for correlation with logon, process, and object-access events.
Common False Positives
- Domain and local administrators create this event as part of normal operations.
- Service accounts on servers may require privileged rights by design.
Related Events
MITRE ATT&CK Mapping
- T1078Valid Accounts
- T1068Exploitation for Privilege Escalation
Detection Notes
Treat SeDebugPrivilege on a new Logon ID as T1078/T1068 triage, especially when 4688 shows procdump.exe or rundll32.exe accessing lsass.exe. Logon ID 0x3e7 is the standard LocalSystem session and is normally noisy; an interactive Type 10 session with SeDebugPrivilege is a stronger deviation.
SecurityEvent
| where EventID == 4672
| project TimeGenerated, Computer, Account, SubjectLogonId, PrivilegeList
| order by TimeGenerated descindex=wineventlog EventCode=4672
| table _time, host, SubjectUserName, SubjectLogonId, PrivilegeListSubject: Account Name: CORP\admin.ops
Logon ID: 0x3e7
Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeDebugPrivilege