Event ID 4672: Special privileges assigned to new logon (Security)
What this Event ID actually records on disk, the EventData fields worth reading first, and where it sits in a DFIR triage workflow.
- Channel: Security
- Provider: Windows\Security
- Triage notes: Fires when a logon gets SeDebugPrivilege, SeTcbPrivilege, etc. Useful filter for admin sessions.
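
Added example, not part of the original page: the admin-session filter from the triage note, applied in Python to 4672 events exported as XML under a root element. The watch list beyond SeDebugPrivilege and SeTcbPrivilege, the skip of built-in service SIDs, and every sample event are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# SeDebugPrivilege and SeTcbPrivilege are named on the page; the rest is an assumed watch list.
WATCHED = {"SeDebugPrivilege", "SeTcbPrivilege", "SeImpersonatePrivilege",
           "SeBackupPrivilege", "SeRestorePrivilege", "SeLoadDriverPrivilege"}
# LocalSystem, LocalService, NetworkService: their logons raise 4672 constantly.
SERVICE_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}


def triage_4672(xml_text, skip_service_sids=True):
    """Return one dict per 4672 event that carries a watched privilege."""
    hits = []
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        if ev.findtext("e:System/e:EventID", default="", namespaces=NS).strip() != "4672":
            continue
        data = {d.get("Name"): (d.text or "") for d in ev.iterfind("e:EventData/e:Data", NS)}
        if skip_service_sids and data.get("SubjectUserSid") in SERVICE_SIDS:
            continue
        # PrivilegeList is one whitespace-separated string (newlines and tabs).
        flagged = sorted(set(data.get("PrivilegeList", "").split()) & WATCHED)
        tc = ev.find("e:System/e:TimeCreated", NS)
        if flagged:
            hits.append({
                "time": tc.get("SystemTime") if tc is not None else None,
                "user": data.get("SubjectDomainName", "") + "\\" + data.get("SubjectUserName", ""),
                "logon_id": data.get("SubjectLogonId"),  # pivot key for the same session
                "flagged": flagged,
            })
    return hits


def _ev(eid, sid, dom, user, lid, privs):  # builds one constructed sample event
    fields = {"SubjectUserSid": sid, "SubjectUserName": user, "SubjectDomainName": dom,
              "SubjectLogonId": lid, "PrivilegeList": privs}
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID>'
            f'<TimeCreated SystemTime="2024-01-01T10:00:00Z"/></System>'
            f'<EventData>{body}</EventData></Event>')


# Constructed sample data; for the 4624 entry only its EventID matters here.
SAMPLE = "<Events>" + "".join([
    _ev("4672", "S-1-5-18", "NT AUTHORITY", "SYSTEM", "0x3e7", "SeTcbPrivilege\n\t\t\tSeDebugPrivilege"),
    _ev("4672", "S-1-5-21-1-2-3-1104", "CORP", "adm.alice", "0x3e5a1",
        "SeSecurityPrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeBackupPrivilege"),
    _ev("4672", "S-1-5-21-1-2-3-1107", "CORP", "auditor", "0x4f2b0", "SeSecurityPrivilege"),
    _ev("4624", "S-1-5-21-1-2-3-1104", "CORP", "adm.alice", "0x3e5a1", "SeDebugPrivilege"),
]) + "</Events>"

if __name__ == "__main__": print(triage_4672(SAMPLE))
```
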