Enabled User Right in AD to Control User Objects
Detects the assignment of the SeEnableDelegationPrivilege user right to a user in Active Directory, which would allow control of other AD user objects.
Sigma rule
title: Enabled User Right in AD to Control User Objects
id: 311b6ce2-7890-4383-a8c2-663a9f6b43cd
status: test
description: Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.
references:
    - https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
author: '@neu5ron'
date: 2017/07/30
modified: 2021/12/02
tags:
    - attack.persistence
    - attack.t1098
logsource:
    product: windows
    service: security
    definition: 'Requirements: Audit Policy : Policy Change > Audit Authorization Policy Change, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Authorization Policy Change'
detection:
    selection_base:
        EventID: 4704
    selection_keywords:
        PrivilegeList|contains: 'SeEnableDelegationPrivilege'
    condition: all of selection*
falsepositives:
    - Unknown
level: high
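The rule's detection logic applied to exported Security events, as an added example that is not part of the rule or the Sigma project. It assumes events are available in Windows event XML form; the helper names, the SIDs and the sample events are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
PRIVILEGE = "SeEnableDelegationPrivilege"

def parse_event(xml_text):
    """Return (EventID, {Data Name: text}) for one Security event in XML form."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    data = {d.get("Name"): d.text or "" for d in root.iterfind("e:EventData/e:Data", NS)}
    return event_id, data

def matches_rule(event_id, data):
    """condition: all of selection* (Sigma 'contains' is a case-insensitive substring)."""
    selection_base = event_id == 4704
    selection_keywords = PRIVILEGE.lower() in data.get("PrivilegeList", "").lower()
    return selection_base and selection_keywords

def grantees(xml_events):
    """TargetSid of every account the rule would alert on."""
    hits = []
    for xml_text in xml_events:
        event_id, data = parse_event(xml_text)
        if matches_rule(event_id, data):
            hits.append(data.get("TargetSid", ""))
    return hits

def make_event(event_id, target_sid, privileges):
    """Build a constructed sample event; real records carry more System fields."""
    return (
        f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
        f'<EventData><Data Name="TargetSid">{target_sid}</Data>'
        f'<Data Name="PrivilegeList">{privileges}</Data></EventData></Event>'
    )

# Constructed sample events (SIDs are placeholders, not real accounts).
SAMPLE_EVENTS = [
    make_event(4704, "S-1-5-21-1-2-3-1105", "SeEnableDelegationPrivilege"),
    # Several rights granted in one event: PrivilegeList is whitespace-separated.
    make_event(4704, "S-1-5-21-1-2-3-1106", "SeBackupPrivilege\n\t\t\tSeEnableDelegationPrivilege"),
    make_event(4704, "S-1-5-21-1-2-3-1107", "SeServiceLogonRight"),  # other right
    make_event(4705, "S-1-5-21-1-2-3-1105", "SeEnableDelegationPrivilege"),  # right removed
]

if __name__ == "__main__":
    for sid in grantees(SAMPLE_EVENTS):
        print(f"ALERT: {PRIVILEGE} assigned to {sid}")
```

Event 4705 (user right removed) carries the same PrivilegeList field, which is why the rule needs both selections rather than the keyword alone.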
Related rules
- Powershell LocalAccount Manipulation
- Cisco Local Accounts
- Password Change on Directory Service Restore Mode (DSRM) Account
- Remote Access Tool Services Have Been Installed - System
- COLDSTEEL Persistence Service Creation