Enabled User Right in AD to Control User Objects
Detects the assignment of the SeEnableDelegationPrivilege user right to a user in Active Directory. A user holding this right would be able to control other AD user objects.
Sigma rule
title: Enabled User Right in AD to Control User Objects
id: 311b6ce2-7890-4383-a8c2-663a9f6b43cd
status: test
description: Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.
references:
    - https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
author: '@neu5ron'
date: 2017-07-30
modified: 2021-12-02
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1098
logsource:
    product: windows
    service: security
    definition: 'Requirements: Audit Policy : Policy Change > Audit Authorization Policy Change, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Authorization Policy Change'
detection:
    selection_base:
        EventID: 4704
    selection_keywords:
        PrivilegeList|contains: 'SeEnableDelegationPrivilege'
    condition: all of selection*
falsepositives:
    - Unknown
level: high
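
The rule's condition, evaluated over a few constructed events, as an added example that is not part of the Sigma project or the original page. The helper names and sample records are assumptions; the field names follow Security event 4704, and the sample SIDs and account names are made up.

```python
# Added example: applies the rule's two selections ("all of selection*")
# to parsed Security events and returns triage fields for each hit.
KEYWORD = "SeEnableDelegationPrivilege"

def matches_rule(event: dict) -> bool:
    """True when both selection_base and selection_keywords match."""
    try:
        base = int(event.get("EventID", -1)) == 4704   # selection_base
    except (TypeError, ValueError):
        return False
    privs = str(event.get("PrivilegeList") or "")
    # Sigma's |contains modifier is a case-insensitive substring match,
    # so it also hits when several rights are assigned in one event.
    keyword = KEYWORD.lower() in privs.lower()         # selection_keywords
    return base and keyword

def alerts(events):
    """Return who assigned the right, to which SID, and the full list."""
    hits = []
    for ev in events:
        if matches_rule(ev):
            hits.append({
                "assigned_by": ev.get("SubjectUserName"),
                "assigned_to_sid": ev.get("TargetSid"),
                "privileges": str(ev["PrivilegeList"]).split(),
            })
    return hits

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 4704, "SubjectUserName": "admin-a",
     "TargetSid": "S-1-5-21-1111111111-2222222222-3333333333-1105",
     "PrivilegeList": "SeEnableDelegationPrivilege"},
    # EventID as a string and several rights separated by whitespace.
    {"EventID": "4704", "SubjectUserName": "admin-b",
     "TargetSid": "S-1-5-21-1111111111-2222222222-3333333333-1106",
     "PrivilegeList": "SeBackupPrivilege\r\n\t\t\tSeEnableDelegationPrivilege"},
    # Same event ID, unrelated right: selection_keywords fails.
    {"EventID": 4704, "SubjectUserName": "admin-a",
     "TargetSid": "S-1-5-21-1111111111-2222222222-3333333333-1107",
     "PrivilegeList": "SeBackupPrivilege"},
    # 4705 is the removal of a user right: selection_base fails.
    {"EventID": 4705, "SubjectUserName": "admin-a",
     "TargetSid": "S-1-5-21-1111111111-2222222222-3333333333-1105",
     "PrivilegeList": "SeEnableDelegationPrivilege"},
]

if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print(hit)
```
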
Related rules
- A Member Was Added to a Security-Enabled Global Group
- A Member Was Removed From a Security-Enabled Global Group
- A New Trust Was Created To A Domain
- A Security-Enabled Global Group Was Deleted
- AWS IAM Backdoor Users Keys