JPCERTCC / LogonTracer

Investigate malicious Windows logon by visualizing and analyzing Windows event log

The event 4672: Assign special privileges is not parsed? #101

Closed belveruski closed 3 years ago

belveruski commented 3 years ago

Is it a bug or is it normal? Can I get an explanation? Thanks in advance.

t-tani commented 3 years ago

Are there any red nodes on your graph after loading your event log? If so, 4672 has been parsed correctly. Event ID 4672 is used to check if special privileges have been assigned to the user, and the node color shows it.
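
The behaviour described in the reply above, sketched as an added example (this is not LogonTracer's own code): event 4672 produces no node or edge of its own, it only changes the colour of an account that already appears in the graph. The function names, the `"default"` colour label and the sample events are assumptions constructed for illustration; the `Data` field names are the standard ones for Windows events 4624 and 4672.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def _event(event_id, **data):
    """Build a constructed Security event in the Windows event XML schema."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData>{fields}</EventData></Event>')

# Constructed sample input, not taken from a real log.
SAMPLE_EVENTS = [
    _event(4624, TargetUserName="alice", TargetDomainName="CORP",
           LogonType="3", IpAddress="192.0.2.10"),
    _event(4624, TargetUserName="svc-backup", TargetDomainName="CORP",
           LogonType="3", IpAddress="192.0.2.20"),
    # Real 4672 events separate privileges with newline and tabs.
    _event(4672, SubjectUserName="svc-backup", SubjectDomainName="CORP",
           PrivilegeList="SeBackupPrivilege\n\t\t\tSeRestorePrivilege"),
    _event(4672, SubjectUserName="SYSTEM", SubjectDomainName="NT AUTHORITY",
           PrivilegeList="SeTcbPrivilege"),
]

def parse_event(xml_text):
    """Return (event_id, {field name: value}) for one event XML string."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    data = {d.get("Name"): (d.text or "")
            for d in root.iterfind("e:EventData/e:Data", NS)}
    return event_id, data

def color_accounts(events):
    """Map account name to node colour; 'red' means a 4672 was seen for it."""
    accounts = {}
    for xml_text in events:
        event_id, data = parse_event(xml_text)
        if event_id == 4624:    # logon: the account becomes a node
            accounts.setdefault(data["TargetUserName"].lower(),
                                {"color": "default", "privileges": set()})
        elif event_id == 4672:  # special privileges: recolour, record why
            node = accounts.setdefault(data["SubjectUserName"].lower(),
                                       {"color": "default", "privileges": set()})
            node["color"] = "red"
            node["privileges"].update(data.get("PrivilegeList", "").split())
    return accounts

if __name__ == "__main__":
    for name, node in sorted(color_accounts(SAMPLE_EVENTS).items()):
        print(name, node["color"], sorted(node["privileges"]))
```

A log in which no account ever receives a 4672 would yield no red entries here, which is the check the reply suggests for confirming that the event was parsed.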