Enabled User Right in AD to Control User Objects
Detects the scenario where a user is assigned the SeEnableDelegationPrivilege right in Active Directory, which would allow control of other AD user objects.
Sigma rule
title: Enabled User Right in AD to Control User Objects
id: 311b6ce2-7890-4383-a8c2-663a9f6b43cd
status: test
description: Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.
references:
    - https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
author: '@neu5ron'
date: 2017-07-30
modified: 2021-12-02
tags:
    - attack.persistence
    - attack.t1098
logsource:
    product: windows
    service: security
    definition: 'Requirements: Audit Policy : Policy Change > Audit Authorization Policy Change, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Authorization Policy Change'
detection:
    selection_base:
        EventID: 4704
    selection_keywords:
        PrivilegeList|contains: 'SeEnableDelegationPrivilege'
    condition: all of selection*
falsepositives:
    - Unknown
level: high
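The rule's condition evaluated over sample events, as an added example that is not part of the Sigma rule or its project. The event XML is a simplified, constructed layout of Security events 4704/4705; the SIDs, the account name and the helper names (`make_event`, `parse_event`, `matches_rule`, `detect`) are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
PRIVILEGE = "SeEnableDelegationPrivilege"
SID = "S-1-5-21-1111111111-2222222222-3333333333-"  # constructed domain SID prefix

def make_event(event_id, target_sid, privileges):
    """Build a constructed, simplified Security event in Windows Event XML layout."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f"<System><EventID>{event_id}</EventID></System><EventData>"
        '<Data Name="SubjectUserName">admin.example</Data>'
        f'<Data Name="TargetSid">{target_sid}</Data>'
        f'<Data Name="PrivilegeList">{privileges}</Data>'
        "</EventData></Event>"
    )

# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    make_event(4704, SID + "1104", "SeEnableDelegationPrivilege"),
    # Several rights in one event, different casing: still a match.
    make_event(4704, SID + "1105", "SeBackupPrivilege\r\n\t\t\tSeenabledelegationprivilege"),
    make_event(4704, SID + "1106", "SeBackupPrivilege"),            # other right only
    make_event(4705, SID + "1107", "SeEnableDelegationPrivilege"),  # right removed
]

def parse_event(xml_text):
    """Flatten one event into a dict of EventData fields plus EventID."""
    root = ET.fromstring(xml_text)
    data = root.findall("e:EventData/e:Data", NS)
    fields = {d.get("Name"): (d.text or "") for d in data}
    fields["EventID"] = int(root.findtext("e:System/e:EventID", namespaces=NS))
    return fields

def matches_rule(fields):
    """'all of selection*': both selections must match the same event."""
    selection_base = fields.get("EventID") == 4704
    # Sigma's |contains is a case-insensitive substring match by default.
    selection_keywords = PRIVILEGE.lower() in fields.get("PrivilegeList", "").lower()
    return selection_base and selection_keywords

def detect(xml_events):
    """Return the TargetSid of every event that satisfies the rule."""
    return [f["TargetSid"] for f in map(parse_event, xml_events) if matches_rule(f)]

if __name__ == "__main__":
    for sid in detect(SAMPLE_EVENTS):
        print(f"ALERT: {PRIVILEGE} assigned to {sid}")
```
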