Identifies the assignment of the SeEnableDelegationPrivilege sensitive "user right" to a user. The SeEnableDelegationPrivilege "user right" enables computer and user accounts to be trusted for delegation. Attackers can abuse this right to compromise Active Directory accounts and elevate their privileges.
Rule type: query
Risk score: 73
Runs every: 5m
Maximum alerts per execution: 100
- Threat Detection
- Credential Access
Rule license: Elastic License v2
## Config

The 'Audit Authorization Policy Change' logging policy must be configured for (Success, Failure).

Steps to implement the logging policy with Advanced Audit Configuration:

```
Computer Configuration >
Windows Settings >
Security Settings >
Advanced Audit Policy Configuration >
Audit Policies >
Policy Change >
Audit Authorization Policy Change (Success,Failure)
```
```
event.action: "Authorization Policy Change" and event.code:4704 and winlog.event_data.PrivilegeList:"SeEnableDelegationPrivilege"
```
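The following Python is an added example, not part of the Elastic rule: it applies the rule's three conditions to exported events for offline triage and reports who received the right and who granted it. The sample events are constructed, the `TargetSid` and `SubjectUserName` fields are assumed to be present as in Windows event 4704, and splitting `PrivilegeList` on whitespace (for events that list several rights) is an assumption of this example rather than the rule's own matching semantics.

```python
import json

RULE_ACTION = "Authorization Policy Change"
RULE_CODE = "4704"
RULE_PRIVILEGE = "SeEnableDelegationPrivilege"

# Constructed sample events in an ECS/Winlogbeat-style layout, one JSON document per line.
SAMPLE_NDJSON = r"""
{"@timestamp":"2024-01-01T10:00:00Z","host":{"name":"dc01"},"event":{"action":"Authorization Policy Change","code":"4704"},"winlog":{"event_data":{"SubjectUserName":"admin1","TargetSid":"S-1-5-21-1-2-3-1105","PrivilegeList":"SeEnableDelegationPrivilege"}}}
{"@timestamp":"2024-01-01T10:05:00Z","host":{"name":"dc01"},"event":{"action":"Authorization Policy Change","code":"4704"},"winlog":{"event_data":{"SubjectUserName":"admin1","TargetSid":"S-1-5-21-1-2-3-1106","PrivilegeList":"SeDebugPrivilege"}}}
{"@timestamp":"2024-01-01T10:10:00Z","host":{"name":"dc01"},"event":{"action":"Authorization Policy Change","code":"4705"},"winlog":{"event_data":{"SubjectUserName":"admin1","TargetSid":"S-1-5-21-1-2-3-1105","PrivilegeList":"SeEnableDelegationPrivilege"}}}
{"@timestamp":"2024-01-01T10:15:00Z","host":{"name":"dc02"},"event":{"action":"Authorization Policy Change","code":"4704"},"winlog":{"event_data":{"SubjectUserName":"admin2","TargetSid":"S-1-5-21-1-2-3-1107","PrivilegeList":"SeMachineAccountPrivilege\t\t\tSeEnableDelegationPrivilege"}}}
"""

def field(doc, dotted):
    """Resolve a dotted field name in a nested document; None if absent."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def matches_rule(doc):
    """True when the event satisfies all three conditions of the rule query."""
    # Assumption: several rights in one event are whitespace-separated.
    privs = field(doc, "winlog.event_data.PrivilegeList") or ""
    return (
        field(doc, "event.action") == RULE_ACTION
        and str(field(doc, "event.code")) == RULE_CODE
        and RULE_PRIVILEGE in privs.split()
    )

def triage(ndjson):
    """Return one summary per matching event: when, where, grantee SID, grantor."""
    hits = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        doc = json.loads(line)
        if matches_rule(doc):
            hits.append({
                "time": doc.get("@timestamp"),
                "host": field(doc, "host.name"),
                "assigned_to_sid": field(doc, "winlog.event_data.TargetSid"),
                "assigned_by": field(doc, "winlog.event_data.SubjectUserName"),
            })
    return hits
```
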
Framework: MITRE ATT&CK™