Windows active directory user assigned right to control user objects
Goal
Detects assignment of delegation privileges to user accounts that enable control over other user objects in Active Directory.
Strategy
This rule monitors Windows Security Audit events where @evt.id is 4704 (A user right was assigned) and the assigned right is SeEnableDelegationPrivilege, the "Enable computer and user accounts to be trusted for delegation" user right. A holder of this right can mark accounts as trusted for delegation (unconstrained or constrained), which an attacker can abuse to obtain Kerberos tickets on behalf of other users, impersonate them, and escalate privileges within the domain. By default the right is granted only to Administrators on domain controllers through the Default Domain Controllers Policy; it should rarely, if ever, be assigned to an individual user account. Event 4704 is recorded on the computer whose policy assigned the right, so the assignments that matter for Active Directory are the ones logged on domain controllers.
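The detection logic above, as an added example that is not the rule's own implementation: it parses Windows event XML, checks that the event is a 4704, splits the PrivilegeList field (which can carry several rights when one policy refresh assigns more than one), and raises an alert only when SeEnableDelegationPrivilege is granted to a user object. The sample events, hostnames, SIDs and the SID-to-object lookup table are constructed for the demonstration; in practice the lookup would be an AD query.

```python
"""Detection logic for Windows Security event 4704 ("A user right was assigned")
that fires when the assigned right is SeEnableDelegationPrivilege.

Added example: this is not the rule's own implementation. All SIDs, hostnames
and account names are constructed for the demonstration.
"""
import xml.etree.ElementTree as ET

EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
WATCHED_PRIVILEGE = "SeEnableDelegationPrivilege"

# Constructed stand-in for resolving a SID to a directory object (assumption:
# in production this would be an LDAP/AD lookup). The rule targets user
# objects, so group grants such as the default Administrators grant on domain
# controllers are not alerted on.
SID_DIRECTORY = {
    "S-1-5-21-1111111111-2222222222-3333333333-1104": ("svc-backup", "user"),
    "S-1-5-32-544": ("Administrators", "group"),
}


def sample_event(computer, subject_name, target_sid, privilege_list):
    """Build a constructed 4704 event using the Windows event XML layout."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4704</EventID>
    <Computer>{computer}</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-1111111111-2222222222-3333333333-500</Data>
    <Data Name="SubjectUserName">{subject_name}</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="TargetSid">{target_sid}</Data>
    <Data Name="PrivilegeList">{privilege_list}</Data>
  </EventData>
</Event>"""


def parse_4704(xml_text):
    """Extract the fields the rule needs from one event; None if it is not a 4704."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=EVENT_NS) != "4704":
        return None
    data = {d.get("Name"): (d.text or "")
            for d in root.findall("e:EventData/e:Data", EVENT_NS)}
    return {
        "computer": root.findtext("e:System/e:Computer", namespaces=EVENT_NS),
        "subject": f"{data.get('SubjectDomainName', '')}\\{data.get('SubjectUserName', '')}",
        "target_sid": data.get("TargetSid", ""),
        # Windows lists several rights on separate tab-indented lines when one
        # policy refresh assigns more than one, so split on any whitespace.
        "privileges": data.get("PrivilegeList", "").split(),
    }


def evaluate(xml_text, directory=SID_DIRECTORY):
    """Return an alert dict when a 4704 grants SeEnableDelegationPrivilege to a
    user object (an unresolved SID is treated as suspicious), else None."""
    event = parse_4704(xml_text)
    if event is None or WATCHED_PRIVILEGE not in event["privileges"]:
        return None
    name, kind = directory.get(event["target_sid"], (event["target_sid"], "unknown"))
    if kind == "group":
        return None
    return {
        "host": event["computer"],
        "granted_by": event["subject"],
        "target": name,
        "target_kind": kind,
        "privileges": event["privileges"],
    }


# Constructed events: one true positive, one unrelated rights grant, one group grant.
SAMPLE_EVENTS = [
    sample_event("DC01.corp.example", "Administrator",
                 "S-1-5-21-1111111111-2222222222-3333333333-1104",
                 "SeEnableDelegationPrivilege"),
    sample_event("DC01.corp.example", "Administrator",
                 "S-1-5-21-1111111111-2222222222-3333333333-1104",
                 "\n\t\t\tSeBatchLogonRight\n\t\t\tSeServiceLogonRight"),
    sample_event("DC01.corp.example", "Administrator", "S-1-5-32-544",
                 "SeEnableDelegationPrivilege"),
]


def run_rule(events=SAMPLE_EVENTS):
    """Apply the rule to a batch of events and return the alerts raised."""
    return [alert for alert in map(evaluate, events) if alert is not None]


if __name__ == "__main__":
    for alert in run_rule():
        print(f"ALERT on {alert['host']}: {alert['granted_by']} granted "
              f"{WATCHED_PRIVILEGE} to {alert['target_kind']} {alert['target']}")
```

The alert carries the host and the subject account from the event, which are the two fields the triage steps below start from. An unresolved SID is deliberately still alerted on: a right granted to an object the directory cannot name is worth a look, not a silent drop.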
Triage and response
- Verify that the privilege assignment on {{host}} was authorized and follows change management procedures, and check whether it came from a new or modified GPO (or local security policy) rather than the Default Domain Controllers Policy.
- Review the target user account to determine whether it genuinely requires the right for a legitimate business function.
- Check for subsequent delegation configuration changes (accounts newly marked as trusted for delegation, or msDS-AllowedToDelegateTo being populated) and for suspicious authentication activity from the affected account.
- Examine the source of the privilege assignment (the subject account recorded in the 4704 event) to confirm it was performed by authorized administrative personnel.
- Monitor for abuse of the right to impersonate other users or access sensitive resources.