#privilege-monitoring
5 articles
Windows Events (5)
Windows Event ID 5377 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon
Event ID 5377 records when special privileges are assigned to a new user logon session, indicating elevated access rights have been granted during authentication.
Windows Event ID 4793 – Microsoft-Windows-Security-Auditing: An attempt was made to call a privileged service
Event ID 4793 logs when a process attempts to call a privileged service operation. This security audit event tracks service privilege usage for compliance monitoring and security analysis.
Windows Event ID 4699 – Security: A Token Right Was Adjusted
Event ID 4699 logs when Windows adjusts user or process token privileges, typically during privilege escalation or security context changes. Critical for security auditing and privilege monitoring.
Windows Event ID 4674 – Security: Privileged Object Operation Attempted
Event ID 4674 logs when a user or process attempts to perform a privileged operation on a protected object, providing detailed audit information for security monitoring and compliance tracking.
Windows Event ID 4672 – Security: Special Privileges Assigned to New Logon
Event ID 4672 fires when Windows assigns special privileges to a new user logon session, indicating elevated access rights have been granted to an account.