
Enabled User Right in AD to Control User Objects

Detects the assignment of the SeEnableDelegationPrivilege user right ("Enable computer and user accounts to be trusted for delegation"). A principal holding this right on a domain controller can change the Kerberos delegation settings of other Active Directory user and computer objects, which can be abused to take control of those accounts.

Author @neu5ron. Created Sun Jul 30, updated Thu Dec 02.
Log Source
Product: windows
Service: security

Definition

Requirements: Event ID 4704 ("A user right was assigned") is only written when the audit subcategory Policy Change > Audit Authorization Policy Change is enabled for success. Via Group Policy this is Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Authorization Policy Change. User rights are assigned per machine through the local security policy, so for the Active Directory case the subcategory must be enabled on the domain controllers, and the Security log of the domain controllers must be collected.

Detection Logic (2 selectors)
detection:
    selection_base:
        EventID: 4704
    selection_keywords:
        PrivilegeList|contains: 'SeEnableDelegationPrivilege'
    condition: all of selection*
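As an added example (not code from the rule or from the Sigma project), the detection block above evaluated in Python over constructed Security events laid out like Windows event XML. The account names, SIDs and hostname are made up, and a 4705 ("A user right was removed") record is included to show that removal of the right falls outside the rule's scope.

```python
"""Run the rule's detection block over constructed 4704/4705 Security events.

Added example, not part of the Sigma rule: it mimics how a Sigma backend
evaluates `all of selection*` once an event has been parsed into fields.
All SIDs, hostnames and account names are constructed.
"""
import xml.etree.ElementTree as ET

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def build_event_xml(event_id, privileges, target_sid):
    """Build a Security-log event in the Windows event XML layout.

    4704 = "A user right was assigned", 4705 = "A user right was removed".
    Windows writes PrivilegeList as a single string with the rights separated
    by tab/newline runs, which is why the rule uses `contains`, not equality.
    """
    privilege_list = "\n".join("\t\t\t" + p for p in privileges)
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>{event_id}</EventID>
    <Channel>Security</Channel>
    <Computer>DC01.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-1111111111-2222222222-3333333333-500</Data>
    <Data Name="SubjectUserName">Administrator</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="TargetSid">{target_sid}</Data>
    <Data Name="PrivilegeList">{privilege_list}</Data>
  </EventData>
</Event>"""


def parse_event(xml_text):
    """Flatten <System> and <EventData> into the field names Sigma rules use."""
    root = ET.fromstring(xml_text)
    event = {
        "EventID": int(root.findtext("e:System/e:EventID", namespaces=EVT_NS)),
        "Computer": root.findtext("e:System/e:Computer", namespaces=EVT_NS),
    }
    for data in root.findall("e:EventData/e:Data", EVT_NS):
        event[data.get("Name")] = data.text or ""
    return event


def matches_rule(event):
    """The rule's detection block: both selectors must hold (all of selection*)."""
    selection_base = event.get("EventID") == 4704
    # Sigma string modifiers match case-insensitively unless |cased is used.
    selection_keywords = "seenabledelegationprivilege" in event.get("PrivilegeList", "").lower()
    return selection_base and selection_keywords


def triage(event):
    """The fields an analyst needs to decide whether the assignment was authorised."""
    return {
        "host": event["Computer"],
        "subject": f"{event['SubjectDomainName']}\\{event['SubjectUserName']}",
        "target_sid": event["TargetSid"],
        "rights": event["PrivilegeList"].split(),
    }


# Constructed sample events.
SAMPLE_EVENTS = [
    # Right granted together with another right: the rule should fire.
    build_event_xml(4704, ["SeEnableDelegationPrivilege", "SeRemoteInteractiveLogonRight"],
                    "S-1-5-21-1111111111-2222222222-3333333333-1105"),
    # Unrelated right granted: no alert.
    build_event_xml(4704, ["SeRemoteInteractiveLogonRight"],
                    "S-1-5-21-1111111111-2222222222-3333333333-1106"),
    # Same right removed (4705): outside the rule's scope, no alert.
    build_event_xml(4705, ["SeEnableDelegationPrivilege"],
                    "S-1-5-21-1111111111-2222222222-3333333333-1105"),
]


def find_alerts(xml_events):
    """Return a triage summary for every event the rule fires on."""
    return [triage(e) for e in map(parse_event, xml_events) if matches_rule(e)]


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(alert)
```

Only the first record produces an alert. The triage summary carries the subject that granted the right, the target SID that received it and every right in the same assignment, which is what you compare against change records; the TargetSid still has to be resolved to an account name separately, because 4704 does not carry it.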
False Positives
Unknown

False positive likelihood has not been assessed. Legitimate assignments do occur, for example when domain administrators configure Kerberos delegation for a service account, so during triage verify the subject account and the target SID in the 4704 event against change records before escalating.

Rule Metadata
Rule ID
311b6ce2-7890-4383-a8c2-663a9f6b43cd
Status
test
Level
high
Type
Detection
Created
Sun Jul 30
Modified
Thu Dec 02
Author
@neu5ron
Path
rules/windows/builtin/security/win_security_alert_active_directory_user_control.yml
Raw Tags
attack.privilege-escalation, attack.persistence, attack.t1098