Windows active directory user assigned right to control user objects

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detects assignment of delegation privileges to user accounts that enable control over other user objects in Active Directory.

Strategy

This rule monitors Windows Security Audit events where @evt.id is 4704 (a user right was assigned) and the assigned right is SeEnableDelegationPrivilege, granted to a user account. This privilege allows its holder to mark computer and user accounts as trusted for delegation, which attackers can abuse to impersonate other users and escalate privileges within the domain. SeEnableDelegationPrivilege is typically reserved for highly privileged service accounts and should rarely be assigned to regular user accounts.
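The detection logic described above, run over constructed 4704 events, as an added example that is not the rule's own code: the JSON event shape, host names, SIDs and the service-account allowlist are assumptions, while the EventData field names (SubjectUserName, TargetSid, PrivilegeList) follow the Windows 4704 event layout.

```python
from typing import Iterable

WATCHED_PRIVILEGE = "SeEnableDelegationPrivilege"
SID = "S-1-5-21-1111111111-2222222222-3333333333-"  # constructed domain SID prefix
# Assumed allowlist: SIDs of service accounts known to hold the right legitimately.
EXPECTED_HOLDERS = {SID + "1104"}

def parse_privileges(privilege_list: str) -> set[str]:
    """Split the 4704 PrivilegeList field: one right per line, tab-indented
    when several rights are assigned in a single operation."""
    return {p.strip() for p in privilege_list.splitlines() if p.strip()}

def detect_delegation_grants(events: Iterable[dict]) -> list[dict]:
    """One alert per 4704 event granting SeEnableDelegationPrivilege, flagged
    with whether the target SID is an allowlisted service account."""
    alerts = []
    for evt in events:
        # evt.id may arrive as int or string depending on the log pipeline.
        if str(evt.get("evt", {}).get("id")) != "4704":
            continue
        data = evt.get("EventData", {})
        if WATCHED_PRIVILEGE not in parse_privileges(data.get("PrivilegeList", "")):
            continue
        target_sid = data.get("TargetSid", "")
        alerts.append({
            "host": evt.get("host"),
            "subject": f"{data.get('SubjectDomainName')}\\{data.get('SubjectUserName')}",
            "target_sid": target_sid,
            "expected": target_sid in EXPECTED_HOLDERS,
        })
    return alerts

# Constructed sample events in an assumed JSON shape (not real log data).
SAMPLE_EVENTS = [
    {"host": "dc01", "evt": {"id": 4704}, "EventData": {"SubjectUserName": "jdoe",
     "SubjectDomainName": "CORP", "TargetSid": SID + "1105",
     "PrivilegeList": "SeEnableDelegationPrivilege"}},
    {"host": "dc01", "evt": {"id": 4704}, "EventData": {"SubjectUserName": "jdoe",
     "SubjectDomainName": "CORP", "TargetSid": SID + "1106",
     "PrivilegeList": "SeBatchLogonRight"}},  # unrelated right: no alert
    {"host": "dc02", "evt": {"id": "4704"}, "EventData": {"SubjectUserName": "svc-admin",
     "SubjectDomainName": "CORP", "TargetSid": SID + "1104",
     "PrivilegeList": "\n\t\t\tSeMachineAccountPrivilege\n\t\t\tSeEnableDelegationPrivilege"}},
    {"host": "dc02", "evt": {"id": 4703}, "EventData": {  # 4703: right removed, not assigned
     "PrivilegeList": "SeEnableDelegationPrivilege"}},
]

def run_sample() -> list[dict]:
    return detect_delegation_grants(SAMPLE_EVENTS)
```

The `expected` flag separates grants to known service accounts from grants to regular users, which is the case the triage steps below treat as suspicious.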

Triage and response

  • Verify if the privilege assignment on {{host}} was authorized and follows proper change management procedures.
  • Review the target user account to determine if it requires delegation privileges for legitimate business functions.
  • Check for subsequent delegation configuration changes or suspicious authentication activity from the affected account.
  • Examine the source of the privilege assignment to ensure it came from authorized administrative personnel.
  • Monitor for potential abuse of the delegation privilege to impersonate other users or access sensitive resources.