Sensitive Privilege SeEnableDelegationPrivilege assigned to a User
Identifies the assignment of the SeEnableDelegationPrivilege sensitive "user right" to a user. The SeEnableDelegationPrivilege "user right" enables computer and user accounts to be trusted for delegation. Attackers can abuse this right to compromise Active Directory accounts and elevate their privileges.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2022/01/27"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2024/10/28"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Identifies the assignment of the SeEnableDelegationPrivilege sensitive "user right" to a user. The
SeEnableDelegationPrivilege "user right" enables computer and user accounts to be trusted for delegation. Attackers can
abuse this right to compromise Active Directory accounts and elevate their privileges.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
language = "kuery"
license = "Elastic License v2"
name = "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User"
note = """## Triage and analysis

### Investigating Sensitive Privilege SeEnableDelegationPrivilege assigned to a User

Kerberos delegation is an Active Directory feature that allows user and computer accounts to impersonate other accounts, act on their behalf, and use their privileges. Delegation (constrained and unconstrained) can be configured for user and computer objects.

Enabling unconstrained delegation for a computer causes the computer to store the ticket-granting ticket (TGT) in memory whenever an account connects to the computer, so it can be used by the computer for impersonation when needed. Risk is heightened if an attacker compromises computers with unconstrained delegation enabled, as they could extract TGTs from memory and then replay them to move laterally on the domain. If the attacker coerces a privileged user to connect to the server, or if the user does so routinely, the account will be compromised and the attacker will be able to pass-the-ticket to privileged assets.

SeEnableDelegationPrivilege is a user right that is controlled within the Local Security Policy of a domain controller and is managed through Group Policy. This setting is named **Enable computer and user accounts to be trusted for delegation**.

It is critical to control the assignment of this privilege. A user with this privilege and write access to a computer can control delegation settings, perform the attacks described above, and harvest TGTs from any user that connects to the system.

#### Possible investigation steps

- Investigate how the privilege was assigned to the user and who assigned it.
- Investigate other potentially malicious activity that was performed by the user that assigned the privileges, using the `user.id` and `winlog.activity_id` fields as a filter during the past 48 hours.
- Investigate other alerts associated with the users/host during the past 48 hours.

### False positive analysis

- The SeEnableDelegationPrivilege privilege should not be assigned to users. If this rule is triggered in your environment legitimately, the security team should notify the administrators about the risks of using it.

### Related rules

- KRBTGT Delegation Backdoor - e052c845-48d0-4f46-8a13-7d0aba05df82

### Response and remediation

- Initiate the incident response process based on the outcome of the triage.
- Remove the privilege from the account.
- Review the privileges of the administrator account that performed the action.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
"""
references = [
    "https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/",
    "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_alert_active_directory_user_control.yml",
    "https://twitter.com/_nwodtuhs/status/1454049485080907776",
    "https://www.thehacker.recipes/ad/movement/kerberos/delegations",
    "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0105_windows_audit_authorization_policy_change.md",
]
risk_score = 73
rule_id = "f494c678-3c33-43aa-b169-bb3d5198c41d"
setup = """## Setup

The 'Audit Authorization Policy Change' logging policy must be configured for (Success, Failure).
Steps to implement the logging policy with Advanced Audit Configuration:
Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Policy Change > Audit Authorization Policy Change (Success,Failure)
"""
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Credential Access",
    "Tactic: Persistence",
    "Data Source: Active Directory",
    "Resources: Investigation Guide",
    "Use Case: Active Directory Monitoring",
    "Data Source: System",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.action:"Authorization Policy Change" and event.code:4704 and
    winlog.event_data.PrivilegeList:"SeEnableDelegationPrivilege"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1558"
name = "Steal or Forge Kerberos Tickets"
reference = "https://attack.mitre.org/techniques/T1558/"


[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
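The KQL above matches Windows Security event 4704 ("A user right was assigned") documents whose PrivilegeList names SeEnableDelegationPrivilege. The following Python is an added example, not code from Elastic or the detection-rules repository: it re-implements the rule's three conditions so they can be exercised offline against a few constructed winlogbeat-style documents, and it builds the `user.id` / `winlog.activity_id` pivot filter the investigation guide recommends. Assumptions, labelled in the code: the nested `event` / `user` / `winlog.event_data` field layout shown, `event.code` arriving as either a string or an integer, and 4704 rendering PrivilegeList as a whitespace-separated list of rights (so the KQL phrase match is treated as "the right appears in the list"). All SIDs, account names and GUIDs are invented.

```python
"""Added example (not Elastic's code): run the rule's match logic over
constructed winlogbeat-style event 4704 documents and produce triage output."""
import re

RULE_NAME = "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User"
SENSITIVE_RIGHT = "SeEnableDelegationPrivilege"


def make_event(code, seq, subject_sid, subject_name, target_sid, privilege_list):
    """Build a minimal winlogbeat-style document. Constructed sample data, not real telemetry;
    the field layout is an assumption modelled on the ECS fields the rule queries."""
    return {
        "event": {"code": code, "action": "Authorization Policy Change"},
        "user": {"id": subject_sid},
        "winlog": {
            "activity_id": f"{{11111111-aaaa-bbbb-cccc-{seq:012d}}}",
            "event_data": {
                "SubjectUserName": subject_name,
                "SubjectDomainName": "CORP",
                "TargetSid": target_sid,
                # 4704 pads each right with newline/tab characters in the raw event text.
                "PrivilegeList": privilege_list,
            },
        },
    }


ADMIN_SID = "S-1-5-21-1111-2222-3333-500"  # invented
SAMPLE_DOCS = [
    # 1. Sensitive right granted to a user account: the rule should fire.
    make_event("4704", 1, ADMIN_SID, "admin01", "S-1-5-21-1111-2222-3333-1105",
               "\n\t\t\tSeEnableDelegationPrivilege"),
    # 2. Unrelated rights granted: no alert.
    make_event("4704", 2, ADMIN_SID, "admin01", "S-1-5-21-1111-2222-3333-1106",
               "\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege"),
    # 3. Event 4705 (right removed) naming the sensitive right: no alert, wrong event code.
    make_event("4705", 3, ADMIN_SID, "admin01", "S-1-5-21-1111-2222-3333-1105",
               "\n\t\t\tSeEnableDelegationPrivilege"),
    # 4. Several rights at once, numeric event.code: the rule should still fire.
    make_event(4704, 4, "S-1-5-21-1111-2222-3333-1042", "svc-gpo",
               "S-1-5-21-1111-2222-3333-1107",
               "\n\t\t\tSeTcbPrivilege\n\t\t\tSeEnableDelegationPrivilege"),
]


def get_path(doc, path, default=None):
    """Walk a dotted ECS path such as 'winlog.event_data.PrivilegeList' through nested dicts."""
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


def privileges(doc):
    """Split PrivilegeList into individual rights, dropping the padding whitespace."""
    raw = get_path(doc, "winlog.event_data.PrivilegeList", "")
    return [p for p in re.split(r"\s+", str(raw)) if p]


def matches_rule(doc):
    """Python equivalent of the rule's KQL: action, event code 4704, and the right in the list."""
    return (
        get_path(doc, "event.action") == "Authorization Policy Change"
        and str(get_path(doc, "event.code")) == "4704"
        and SENSITIVE_RIGHT in privileges(doc)
    )


def triage_summary(doc):
    """The fields an analyst wants first: who granted the right, to which SID, and pivot keys."""
    domain = get_path(doc, "winlog.event_data.SubjectDomainName")
    user = get_path(doc, "winlog.event_data.SubjectUserName")
    return {
        "rule": RULE_NAME,
        "assigned_by": f"{domain}\\{user}",
        "target_sid": get_path(doc, "winlog.event_data.TargetSid"),
        "user_id": get_path(doc, "user.id"),
        "activity_id": get_path(doc, "winlog.activity_id"),
        "all_rights": privileges(doc),
    }


def pivot_filter(summary):
    """One phrasing of the 48-hour pivot from the investigation guide, as a KQL filter."""
    return f'user.id:"{summary["user_id"]}" or winlog.activity_id:"{summary["activity_id"]}"'


def evaluate(docs):
    """Return a triage summary for every document the rule would alert on."""
    return [triage_summary(d) for d in docs if matches_rule(d)]


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_DOCS):
        print(hit)
        print("  pivot:", pivot_filter(hit))
```

Documents 1 and 4 produce alerts; document 3 shows why the `event.code:4704` clause matters (4705 logs removal of the same right, which is the remediation step, not the finding), and document 2 shows that the privilege name, not the event alone, is the discriminator.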
Related rules
- Account Configured with Never-Expiring Password
- FirstTime Seen Account Performing DCSync
- Kerberos Pre-authentication Disabled for User
- Potential Shadow Credentials added to AD Object
- User account exposed to Kerberoasting