Privilege escalation monitoring

I am looking to monitor whenever a process attempts and/or is granted an escalation of privileges. I haven’t found anything documented (such as via OB callbacks etc.) that would do what I want via callbacks. I don’t believe maintaining an active process list and polling for changes is viable, as there is opportunity to miss privilege changes.

Thanks for your time with any suggestions you may have.

Do you mean execution elevation?

Essentially yes. The ‘access token’ object of a process describes the security context in which it runs. So as the process executes and tries to use other securable objects the privileges (held within access token) of the user and the object to be accessed are compared. If additional privileges are required then the UAC prompt is displayed.

I think the system security log records these events.
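Following up on the security-log suggestion, here is an added example (not code from any poster in this thread) that scans exported Security-log XML for two event types: 4688 (process creation, which carries the new token's elevation type) and 4703 (a token right was adjusted). The event IDs and field names are not mentioned in the thread, the corresponding audit policies are assumed to be enabled, and the sample events are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
FULL_TOKEN = "%%1937"  # raw 4688 TokenElevationType value for a full (elevated) token

# Constructed sample in the shape of a Security-log XML export, wrapped in an
# <Events> root so it parses as one document; most fields are trimmed.
SAMPLE = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4688</EventID><TimeCreated SystemTime="2024-01-01T10:00:00Z"/></System>
 <EventData><Data Name="NewProcessName">C:\Windows\System32\cmd.exe</Data>
  <Data Name="TokenElevationType">%%1937</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4688</EventID><TimeCreated SystemTime="2024-01-01T10:00:05Z"/></System>
 <EventData><Data Name="NewProcessName">C:\Windows\System32\notepad.exe</Data>
  <Data Name="TokenElevationType">%%1938</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4703</EventID><TimeCreated SystemTime="2024-01-01T10:00:09Z"/></System>
 <EventData><Data Name="ProcessName">C:\Tools\example.exe</Data>
  <Data Name="EnabledPrivilegeList">SeDebugPrivilege
			SeBackupPrivilege</Data>
  <Data Name="DisabledPrivilegeList">-</Data></EventData>
</Event>
</Events>"""

def privilege_events(xml_text):
    """Return (time, kind, process, privileges) for elevation-related events."""
    findings = []
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        event_id = ev.findtext("e:System/e:EventID", namespaces=NS)
        when = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        data = {d.get("Name"): (d.text or "").strip()
                for d in ev.iterfind("e:EventData/e:Data", NS)}
        if event_id == "4688" and data.get("TokenElevationType") == FULL_TOKEN:
            findings.append((when, "elevated-process", data.get("NewProcessName"), []))
        elif event_id == "4703":
            # The list is whitespace-separated; "-" means nothing was enabled.
            privs = [p for p in data.get("EnabledPrivilegeList", "").split() if p != "-"]
            if privs:
                findings.append((when, "privilege-enabled", data.get("ProcessName"), privs))
    return findings

if __name__ == "__main__":
    for finding in privilege_events(SAMPLE):
        print(finding)
```
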