Sensitive Privilege SeEnableDelegationPrivilege assigned to a User

Last updated 9 days ago on 2025-01-22
Created 3 years ago on 2022-01-27

About

Identifies the assignment of the SeEnableDelegationPrivilege sensitive "user right" to a user. The SeEnableDelegationPrivilege "user right" enables computer and user accounts to be trusted for delegation. Attackers can abuse this right to compromise Active Directory accounts and elevate their privileges.
Tags
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Tactic: Persistence
Data Source: Active Directory
Use Case: Active Directory Monitoring
Data Source: System
Language: kuery
Severity
high
Risk Score
73
MITRE ATT&CK™

Credential Access (TA0006)

Persistence (TA0003)

License
Elastic License v2

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
winlogbeat-*
logs-system.*
logs-windows.*
Related Integrations

system

windows

Query
event.code:4704 and winlog.event_data.PrivilegeList:"SeEnableDelegationPrivilege"
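
An offline approximation of the query above, as an added example that is not part of the Elastic rule: it applies the same two conditions to winlogbeat-shaped documents and extracts who assigned the right and to which SID. The sample events, the helper names, and the whitespace splitting of a multi-privilege PrivilegeList are assumptions of this example.

```python
import re

RULE_EVENT_CODE = "4704"                     # event.code from the rule query
RULE_PRIVILEGE = "SeEnableDelegationPrivilege"

def field(doc, dotted):
    """Walk a nested document by dotted path; None if any part is missing."""
    for part in dotted.split("."):
        if not isinstance(doc, dict) or part not in doc:
            return None
        doc = doc[part]
    return doc

def privileges(doc):
    """PrivilegeList as a set; assumes several rights are whitespace-separated."""
    raw = field(doc, "winlog.event_data.PrivilegeList")
    values = raw if isinstance(raw, list) else [raw or ""]
    return {tok for v in values for tok in re.split(r"\s+", str(v)) if tok}

def matches_rule(doc):
    return (str(field(doc, "event.code")) == RULE_EVENT_CODE
            and RULE_PRIVILEGE in privileges(doc))

def triage(docs):
    """Return who assigned the right, and to which SID, for each matching event."""
    return [{"time": field(d, "@timestamp"),
             "host": field(d, "host.name"),
             "assigned_by": field(d, "winlog.event_data.SubjectUserName"),
             "assigned_to_sid": field(d, "winlog.event_data.TargetSid")}
            for d in docs if matches_rule(d)]

def _event(code, privs, sid):
    """Build a constructed sample document (all values are made up)."""
    data = {"SubjectUserName": "admin1", "TargetSid": sid}
    if privs is not None:
        data["PrivilegeList"] = privs
    return {"@timestamp": "2025-01-01T00:00:00Z", "host": {"name": "dc01"},
            "event": {"code": code}, "winlog": {"event_data": data}}

SAMPLE_EVENTS = [  # constructed, not real logs
    _event("4704", "SeEnableDelegationPrivilege", "S-1-5-21-1-2-3-1105"),
    _event("4704", "SeAuditPrivilege\r\n\t\t\tSeEnableDelegationPrivilege", "S-1-5-21-1-2-3-1106"),
    _event("4704", "SeBackupPrivilege", "S-1-5-21-1-2-3-1107"),
    _event("4705", "SeEnableDelegationPrivilege", "S-1-5-21-1-2-3-1108"),  # right removed
    _event("4704", None, "S-1-5-21-1-2-3-1109"),                           # field missing
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

The `assigned_by` and `assigned_to_sid` values are the first things to confirm against change records when this rule fires.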

Install detection rules in Elastic Security

Detect Sensitive Privilege SeEnableDelegationPrivilege assigned to a User in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.