Windows active directory user assigned right to control user objects
Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel,
n'hésitez pas à nous contacter.
Goal
Detects assignment of delegation privileges to user accounts that enable control over other user objects in Active Directory.
Strategy
This rule monitors Windows Security Audit events, where @evt.id is 4704 when SeEnableDelegationPrivilege is assigned to a user account. This privilege allows a user to enable computer and user accounts to be trusted for delegation, which can be abused by attackers to impersonate other users and escalate privileges within the domain. The SeEnableDelegationPrivilege is typically reserved for highly privileged service accounts and should rarely be assigned to regular user accounts.
Triage and response
- Verify if the privilege assignment on
{{host}} was authorized and follows proper change management procedures. - Review the target user account to determine if it requires delegation privileges for legitimate business functions.
- Check for subsequent delegation configuration changes or suspicious authentication activity from the affected account.
- Examine the source of the privilege assignment to ensure it came from authorized administrative personnel.
- Monitor for potential abuse of the delegation privilege to impersonate other users or access sensitive resources.
