SeTakeOwnershipPrivilege issue

By rsears ·
The following information pertains to a series of events that I observed in the security event log of one of our domain controllers. There were thousands of them, which started at 4:30 PM 1/9/2001 and went to 10:30 AM 1/10/2001. The puzzling thing is: why would these events be logged when the user isn't running any processes or even logged onto the network? This description was copied directly from the event log.


Privileged object operation:
Object Server: Security
Object Handle: 436
Process ID: 4023213376
Primary User Name: SYSTEM
Primary Domain: NT AUTHORITY
Primary Logon ID: (0x0,0x3E7)
Client User Name: mrX
Client Domain: DOMAINX
Client Logon ID: (0x0,0x30B2166)
Privileges: SeTakeOwnershipPrivilege

I searched through TechNet but could not find anything that would explain why this is happening while the user isn't using any network resources. I understand what SeTakeOwnershipPrivilege is and does but can't come up with an explanation for why and when these events are occurring. Can anyone help me discover why these seemingly unexplainable security events are getting generated? Ask me whatever questions you think would be useful to help solve this mystery.

SeTakeOwnershipPrivilege issue

by tamj123 In reply to SeTakeOwnershipPrivilege ...

Hi there:
"Privileges: SeTakeOwnershipPrivilege" means "Take ownership of files or other objects", so it is possible someone is trying to attack your system.

SeTakeOwnershipPrivilege issue

by rsears In reply to SeTakeOwnershipPrivilege ...

Poster rated this answer

SeTakeOwnershipPrivilege issue

by rickh9 In reply to SeTakeOwnershipPrivilege ...

You didn't say whether or not this user is supposed to have administrative rights. If not, then you may be experiencing a privilege elevation attack. Of course it could be nothing, but the SeTakeOwnershipPrivilege is normally only granted to administrators. Another possibility is a scheduled event run with the user account in question, such as a restore operation from a backup.
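
Added example (not part of any post in this thread): a small Python triage script that parses event descriptions in the format quoted in the question and counts SeTakeOwnershipPrivilege uses per account, client logon ID and process ID, so thousands of events reduce to the few logon sessions that need explaining. It assumes the descriptions were exported as plain text; the function names are hypothetical, and every sample value other than the ones quoted in the question is constructed.

```python
import re
from collections import defaultdict

HEADER = "Privileged object operation:"
FIELD = re.compile(r"^\s*([^:]+):\s*(.*)$")   # "Name: value" lines of the description

def parse_events(text):
    """Split exported event descriptions into one dict of fields per event."""
    events = []
    for block in text.split(HEADER)[1:]:
        fields = {}
        for line in block.splitlines():
            m = FIELD.match(line)
            if m:
                fields[m.group(1).strip()] = m.group(2).strip()
        events.append(fields)
    return events

def sessions_using(events, privilege="SeTakeOwnershipPrivilege"):
    """Count uses of `privilege` per (account, client logon ID, process ID)."""
    counts = defaultdict(int)
    for ev in events:
        if privilege in ev.get("Privileges", "").split():
            account = ev.get("Client Domain", "?") + "\\" + ev.get("Client User Name", "?")
            counts[(account, ev.get("Client Logon ID"), ev.get("Process ID"))] += 1
    return dict(counts)

def sample_event(user, logon_id, pid="4023213376", privs="SeTakeOwnershipPrivilege"):
    """Build one description in the quoted layout (helper for the sample only)."""
    return (f"{HEADER}\nObject Server: Security\nObject Handle: 436\n"
            f"Process ID: {pid}\nPrimary User Name: SYSTEM\n"
            f"Primary Domain: NT AUTHORITY\nPrimary Logon ID: (0x0,0x3E7)\n"
            f"Client User Name: {user}\nClient Domain: DOMAINX\n"
            f"Client Logon ID: {logon_id}\nPrivileges: {privs}\n\n")

# Constructed sample: the quoted event three times, plus two made-up events.
SAMPLE = (sample_event("mrX", "(0x0,0x30B2166)") * 3
          + sample_event("mrX", "(0x0,0x1111111)")                      # constructed
          + sample_event("mrY", "(0x0,0x2222222)", privs="SeBackupPrivilege"))  # constructed

if __name__ == "__main__":
    summary = sessions_using(parse_events(SAMPLE))
    for (account, logon_id, pid), n in sorted(summary.items(), key=lambda kv: -kv[1]):
        print(f"{n:6d}  {account}  logon={logon_id}  pid={pid}")
```

Each Client Logon ID in the output can then be matched against the logon event carrying the same Logon ID to see when and how that session was created.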

SeTakeOwnershipPrivilege issue

by rsears In reply to SeTakeOwnershipPrivilege ...

Poster rated this answer

SeTakeOwnershipPrivilege issue

by rsears In reply to SeTakeOwnershipPrivilege ...

This question was closed by the author
