Automatic detection of software that performs unauthorized privilege escalation is disclosed. Examples disclosed herein include detecting, in an event log, a first event associated with a start of execution of a process, the first event to identify a first privilege level associated with the process, and storing the first privilege level in a data structure associated with the process. Disclosed examples also include detecting, in the event log by executing an instruction with the at least one processor, a subsequent second event associated with the execution of the process, the second event to identify a second privilege level associated with the process. Disclosed examples further include at least one of terminating, pausing or suspending the process in response to the second privilege level being higher than the first privilege level.