# Monitor Privileged Users

## Overview

Monitoring privileged user activity helps SecOps teams detect unauthorized or suspicious behavior involving accounts with administrative rights. This includes privilege escalations, malicious insider actions, and misuse of system-level permissions on Windows endpoints. By tracking these events, analysts gain visibility into when and how special privileges are assigned, allowing for quicker investigations and proactive security controls.

***

## Data Source

Privileged activity data is collected via the **Cybrhawk Endpoint Agent**:

* **EventCode**: `4672` – *Special privileges assigned to new logon*

**Privileges Tracked** include:

* SeAssignPrimaryTokenPrivilege
* SeTcbPrivilege
* SeSecurityPrivilege
* SeTakeOwnershipPrivilege
* SeLoadDriverPrivilege
* SeBackupPrivilege
* SeRestorePrivilege
* SeDebugPrivilege
* SeAuditPrivilege
* SeSystemEnvironmentPrivilege
* SeImpersonatePrivilege
* SeDelegateSessionUserImpersonatePrivilege

***

## Events Captured

The **Users With Admin Rights** dashboard highlights the following information:

* **Users With Admin Rights** – Count of accounts assigned special privileges.
* **User Breakdown** – Distribution of SYSTEM, Administrator, and service accounts.
* **Event Feed** – Real-time activity log with timestamps, IP addresses, and privilege assignments.

***

## Key Fields

When investigating privileged activity, the following fields provide context:

* **`agent.name`** – Endpoint hostname with the TD agent installed.
  *Example*: `agent.name: "TD-CCC-SENSOR-01"`
* **`data.win.eventdata.privilegeList`** – List of privileges assigned during logon.
  *Example*: `data.win.eventdata.privilegeList: (SeBackupPrivilege OR SeRestorePrivilege)`
* **`source.ip`** – IP address of the system initiating the logon.
  *Example*: `source.ip: 143.110.182.33`
* **`event.action`** – Action description from the Windows Event Log.
  *Example*: `event.action: "Special privileges assigned to new logon"`
* **`destination.ip`** – Destination IP accessed during the privileged session.
  *Example*: `destination.ip: 192.168.210.40`
* **`source.geo.organization`** – ISP or organization linked to the source IP.
  *Example*: `source.geo.organization: "Digital Ocean"`
* **`tenant`** – Organization or tenant identifier.
  *Example*: `tenant: acme`
* **`msp`** – MSP name or ID (if managed under an MSP).
  *Example*: `msp: acme`
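The following is an added example, not Cybrhawk's code, showing how the dashboard figures above (the count of users with admin rights, the SYSTEM/Administrator/service breakdown) and a simple triage rule can be computed from 4672 records carrying the Key Fields listed in this section. The sample events are constructed, the `data.win.eventdata.subjectUserName` key and the account-classification heuristics are assumptions of this example, and the "high-impact" privilege subset is chosen here from the Privileges Tracked list rather than defined by the product.

```python
"""Triage Windows Event ID 4672 (Special privileges assigned to new logon).

Added example (not Cybrhawk's code). Field names follow the Key Fields
section; the subjectUserName key, the account-category heuristics and the
high-impact privilege subset are assumptions made for this example.
"""
import ipaddress
from collections import Counter

# Subset of the tracked privileges that give broad control over the host.
# Chosen for this example; tune to your environment.
HIGH_IMPACT_PRIVILEGES = {
    "SeDebugPrivilege",
    "SeTcbPrivilege",
    "SeLoadDriverPrivilege",
    "SeTakeOwnershipPrivilege",
    "SeAssignPrimaryTokenPrivilege",
}

# Constructed sample records (not real telemetry) in the page's field layout.
SAMPLE_EVENTS = [
    {"EventCode": 4672, "agent.name": "TD-CCC-SENSOR-01", "tenant": "acme",
     "data.win.eventdata.subjectUserName": "SYSTEM",
     "data.win.eventdata.privilegeList":
         "SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeDebugPrivilege",
     "source.ip": "127.0.0.1", "destination.ip": "192.168.210.40"},
    {"EventCode": 4672, "agent.name": "TD-CCC-SENSOR-01", "tenant": "acme",
     "data.win.eventdata.subjectUserName": "Administrator",
     "data.win.eventdata.privilegeList":
         "SeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege",
     "source.ip": "143.110.182.33", "destination.ip": "192.168.210.40"},
    {"EventCode": 4672, "agent.name": "TD-CCC-SENSOR-02", "tenant": "acme",
     "data.win.eventdata.subjectUserName": "svc_backup",
     "data.win.eventdata.privilegeList": "SeBackupPrivilege\n\t\t\tSeRestorePrivilege",
     "source.ip": "192.168.210.15", "destination.ip": "192.168.210.41"},
    {"EventCode": 4672, "agent.name": "TD-CCC-SENSOR-02", "tenant": "acme",
     "data.win.eventdata.subjectUserName": "jdoe",
     "data.win.eventdata.privilegeList": "SeDebugPrivilege",
     "source.ip": "192.168.210.77", "destination.ip": "192.168.210.41"},
    # A non-4672 record: the triage skips it.
    {"EventCode": 4624, "agent.name": "TD-CCC-SENSOR-02", "tenant": "acme",
     "data.win.eventdata.subjectUserName": "jdoe", "source.ip": "192.168.210.77"},
]


def parse_privileges(priv_field):
    """Split a 4672 PrivilegeList value into a set of privilege names.

    Windows separates the entries with tabs and newlines; the search syntax
    on this page shows them space-separated, so any whitespace or comma works.
    """
    if not priv_field:
        return set()
    return {p for p in priv_field.replace(",", " ").split() if p.startswith("Se")}


def classify_account(user_name):
    """Map an account name onto the dashboard's breakdown categories (heuristic)."""
    name = (user_name or "").strip()
    if name.upper() == "SYSTEM":
        return "SYSTEM"
    if name.lower() == "administrator":
        return "Administrator"
    if name.lower().startswith("svc") or name.endswith("$"):  # assumed naming convention
        return "service"
    return "other"


def is_external(ip_text):
    """True when source.ip is a public address; malformed or missing means local."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except (ValueError, TypeError):
        return False
    return not (ip.is_private or ip.is_loopback or ip.is_link_local)


def triage(events):
    """Compute the dashboard counts and flag high-impact privilege grants.

    Alert rule (example policy): a high-impact privilege assigned at logon
    from a public source IP, or to an account outside the known categories.
    """
    admin_users, breakdown, alerts = set(), Counter(), []
    for ev in events:
        if str(ev.get("EventCode")) != "4672":
            continue
        user = ev.get("data.win.eventdata.subjectUserName", "")
        category = classify_account(user)
        if user not in admin_users:          # count each account once
            admin_users.add(user)
            breakdown[category] += 1
        risky = parse_privileges(ev.get("data.win.eventdata.privilegeList")) & HIGH_IMPACT_PRIVILEGES
        external = is_external(ev.get("source.ip"))
        if risky and (external or category == "other"):
            alerts.append({"user": user, "host": ev.get("agent.name"),
                           "source.ip": ev.get("source.ip"), "privileges": sorted(risky),
                           "reason": "external source" if external else "unexpected account"})
    return {"users_with_admin_rights": len(admin_users),
            "user_breakdown": dict(breakdown), "alerts": alerts}


if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS)["alerts"]:
        print(line)
```

Running the module prints the two constructed records that trip the rule: the Administrator logon from the public address and the unclassified account receiving SeDebugPrivilege. SYSTEM's own high-impact privileges are expected and stay quiet, which is why the rule keys on source and account category rather than on the privilege list alone.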

***

## Dashboard Access

Privileged activity is monitored in the **Users With Admin Rights** dashboard within the Cybrhawk Analyst Console.

* **From the Menu**:
  1. Open the **Dashboards** section in the left-hand navigation panel.
  2. Expand the **ENDPOINT** menu.
  3. Under **Windows**, select **Users With Admin Rights**.

This dashboard provides a comprehensive view of privileged accounts, their assigned rights, and related activity logs.
