This note documents detection patterns related to Privilege Abuse within Windows environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4672 | Special privileges assigned to new logon | Critical | Core indicator that sensitive privileges were granted at logon. |
| Security | 4673 | Sensitive privilege use attempted | Critical | Detects use of powerful privileges such as SeDebugPrivilege. |
| Security | 4674 | Privileged object operation | Critical | High-value event when an attacker abuses token privileges against protected objects. |
| Security | 4688 | Process creation | Critical | Detect commands using token abuse, privilege-sensitive tools, or elevated shells (requires command-line auditing for full value). |
| Sysmon | 1 | Process creation | Critical | Best execution source for privilege abuse tooling. |
| Sysmon | 10 | Process access | Critical | Strong signal when an attacker opens LSASS or other protected processes. |
| Security | 4624 | Successful logon | High | Logon context before privilege abuse. |
| Security | 4648 | Explicit credentials used | High | Useful when alternate credentials precede privilege abuse. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| SeDebugPrivilege abuse | Access to LSASS / SYSTEM processes | Critical | Common escalation path. |
| Token duplication | Process impersonation or SYSTEM child creation | Critical | Indicates token theft or impersonation. |
| Elevated shell from medium parent | User shell unexpectedly spawns SYSTEM process | High | Suspicious token transition. |
| Privilege-sensitive tool execution | PsExec, Mimikatz, ProcDump | Critical | Strong offensive signal. |
| Access denied followed by success | Retry after elevation | High | Suggests privilege escalation chain. |
| Unusual service restart after privilege use | Service manipulated after elevation | High | Often follows SeTakeOwnershipPrivilege abuse. |
Common Tools
| Tool | Usage |
|---|---|
| whoami.exe | Check enabled privileges |
| mimikatz | Token abuse, privilege enablement |
| PsExec | SYSTEM execution |
| procdump.exe | Protected process dump |
| PowerShell | Token manipulation / privilege testing |
| accesschk.exe | Privilege enumeration |
| Process Hacker | Token inspection |
| rundll32.exe | Abuse privileged DLL execution |
Relevant Artifacts
- Security Event IDs 4672, 4673, 4674
- Security Event ID 4688
- Sysmon Event ID 1
- Sysmon Event ID 10
- Prefetch for privilege abuse tools
- Amcache execution history
- ShimCache historical traces
- LSASS access telemetry
- EDR token lineage
- MFT / USN for tool drop timeline
MITRE ATT&CK References
- T1134 Access Token Manipulation
- T1068 Exploitation for Privilege Escalation
- T1548 Abuse Elevation Control Mechanism
- T1003 Credential Dumping
Decision Tree
- Was sensitive privilege granted?
  - Check 4672
  - Identify account
- Was privilege actively used?
  - Check 4673 / 4674
- Which process used it?
  - Parent-child lineage
  - Integrity level
- Was protected process accessed?
  - LSASS
  - SYSTEM service
- Expand:
  - Token duplication
  - Credential access
  - Persistence after elevation
- Scope:
  - Single host
  - Lateral movement
  - Domain privilege path
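The decision tree above, implemented as a correlation over flat event records, as an added example that is not part of the original note. The dict field names follow the KQL column names used later on this page, and the sample telemetry (hosts, logon IDs, paths) is constructed for the example.

```python
from datetime import datetime, timedelta

PROCESS_VM_READ = 0x0010  # access right a process needs to read LSASS memory

def correlate(events, window=timedelta(minutes=5)):
    """Walk the decision tree for each privileged logon; return one record per logon."""
    # Step 1: was a sensitive privilege granted? Key by host + logon session (4672).
    logons = {}
    for e in events:
        if e["EventID"] == 4672:
            logons[(e["Computer"], e["LogonId"])] = {
                "account": e["Account"], "granted_at": e["Time"],
                "privileges": e["PrivilegeList"].split(), "used_by": set(),
                "lsass_access": [], "level": "informational"}
    # Step 2: was the privilege actively used (4673/4674) inside the window, and by what?
    for e in events:
        rec = logons.get((e["Computer"], e.get("LogonId")))
        if rec and e["EventID"] in (4673, 4674) \
                and rec["granted_at"] <= e["Time"] <= rec["granted_at"] + window:
            rec["used_by"].add(e["ProcessName"].lower())
            rec["level"] = "high"
    # Step 3: did one of those processes open LSASS (Sysmon 10) with memory-read rights?
    for e in events:
        if e["EventID"] != 10 or not e["TargetImage"].lower().endswith("\\lsass.exe"):
            continue
        if int(e["GrantedAccess"], 16) & PROCESS_VM_READ == 0:
            continue  # a handle without PROCESS_VM_READ cannot dump credentials
        for (host, _), rec in logons.items():
            if host == e["Computer"] and e["SourceImage"].lower() in rec["used_by"]:
                rec["lsass_access"].append(e["SourceImage"])
                rec["level"] = "critical"
    return logons

T0 = datetime(2026, 3, 7, 10, 0, 0)
SAMPLE_EVENTS = [  # constructed sample telemetry, not taken from any real host
    {"EventID": 4672, "Time": T0, "Computer": "WS01", "LogonId": "0x3e7a1",
     "Account": "CORP\\jdoe", "PrivilegeList": "SeDebugPrivilege SeImpersonatePrivilege"},
    {"EventID": 4673, "Time": T0 + timedelta(seconds=40), "Computer": "WS01",
     "LogonId": "0x3e7a1", "ProcessName": "C:\\Temp\\procdump.exe"},
    {"EventID": 10, "Time": T0 + timedelta(seconds=45), "Computer": "WS01",
     "SourceImage": "C:\\Temp\\procdump.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 4672, "Time": T0, "Computer": "WS02", "LogonId": "0x5c11",
     "Account": "CORP\\svc_backup", "PrivilegeList": "SeBackupPrivilege"},
    {"EventID": 4673, "Time": T0 + timedelta(minutes=30), "Computer": "WS02",
     "LogonId": "0x5c11", "ProcessName": "C:\\Windows\\System32\\wbengine.exe"},  # outside window
]

FINDINGS = correlate(SAMPLE_EVENTS)  # WS01 logon -> "critical", WS02 logon -> "informational"
```

The WS02 session shows the window edge case: a 4673 thirty minutes after the 4672 does not raise the level, so the backup account stays at informational while the LSASS-dumping chain on WS01 reaches critical.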
Example Detection Templates
KQL

```kql
SecurityEvent
| where EventID in (4672, 4673, 4674)
| project TimeGenerated, Computer, Account, EventID, PrivilegeList, ProcessName
```

```kql
// Assumes a parsed Sysmon table or function exposing these columns
Sysmon
| where EventID == 10
| where TargetImage endswith "\\lsass.exe"
| project TimeGenerated, Computer, SourceImage, TargetImage, GrantedAccess
```
EQL

```eql
// in~ makes the name match case-insensitive
process where process.name in~ ("mimikatz.exe", "procdump.exe", "psexec.exe")
```

```eql
sequence by host.name with maxspan=5m
  [ authentication where event.code == "4672" ]
  [ process where process.name in~ ("cmd.exe", "powershell.exe") ]
```
Sigma

```yaml
title: Privilege Abuse Detection
id: c3a8d221-privilege-abuse   # Sigma expects a UUID here; assign one before use
status: experimental
description: Detects sensitive privilege assignment and use
references:
  - https://attack.mitre.org/
author: Vergil
date: 2026-03-07
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID:
      - 4672
      - 4673
      - 4674
  condition: selection
fields:
  - EventID
  - PrivilegeList
  - ProcessName
falsepositives:
  - Administrative activity
level: high
tags:
  - attack.privilege_escalation
```
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Privilege minimization | Restrict powerful rights | Critical | Reduce abuse surface |
| Sysmon process access | Enable Event 10 | Critical | Detect LSASS access |
| Protected LSASS | RunAsPPL | High | Hardens credential store |
| EDR token visibility | Track impersonation | Critical | Detect token abuse |
| Admin separation | Separate privileged accounts | High | Reduce misuse |