Event ID 4703 — A user right was adjusted.
Description
A token right was adjusted.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [Subject] Security ID. |
| SubjectUserName | UnicodeString | [Subject] Account Name. |
| SubjectDomainName | UnicodeString | [Subject] Account Domain. |
| SubjectLogonId | HexInt64 | [Subject] Logon ID. |
| TargetUserSid | SID | [Target Account] Security ID. |
| TargetUserName | UnicodeString | [Target Account] Account Name. |
| TargetDomainName | UnicodeString | [Target Account] Account Domain. |
| TargetLogonId | HexInt64 | [Target Account] Logon ID. |
| ProcessName | UnicodeString | [Process Information] Process Name. |
| ProcessId | Pointer | [Process Information] Process ID (hexadecimal). |
| EnabledPrivilegeList | UnicodeString | Enabled Privileges, one privilege constant per line, or "-" when none (see the privilege constants reference). |
| DisabledPrivilegeList | UnicodeString | Disabled Privileges, one privilege constant per line, or "-" when none (see the privilege constants reference). |
Example Event #
```json
{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4703,
    "version": 0,
    "level": 0,
    "task": 13317,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2023-11-06T02:04:44.861115+00:00",
    "event_record_id": 315382,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 9496
    },
    "channel": "Security",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "WINDEV2310EVAL$",
    "SubjectDomainName": "WORKGROUP",
    "SubjectLogonId": "0x3e7",
    "TargetUserSid": "S-1-5-18",
    "TargetUserName": "WINDEV2310EVAL$",
    "TargetDomainName": "WORKGROUP",
    "TargetLogonId": "0x3e7",
    "ProcessName": "C:\\Windows\\System32\\svchost.exe",
    "ProcessId": "0xd0c",
    "EnabledPrivilegeList": "SeAssignPrimaryTokenPrivilege\r\n\t\t\tSeIncreaseQuotaPrivilege\r\n\t\t\tSeSecurityPrivilege\r\n\t\t\tSeTakeOwnershipPrivilege\r\n\t\t\tSeLoadDriverPrivilege\r\n\t\t\tSeSystemtimePrivilege\r\n\t\t\tSeBackupPrivilege\r\n\t\t\tSeRestorePrivilege\r\n\t\t\tSeShutdownPrivilege\r\n\t\t\tSeSystemEnvironmentPrivilege\r\n\t\t\tSeUndockPrivilege\r\n\t\t\tSeManageVolumePrivilege",
    "DisabledPrivilegeList": "-"
  },
  "message": ""
}
```
Community Notes #
Generated when a process enables or disables privileges on an access token (the AdjustTokenPrivileges call path), not when a user right is granted or removed in policy; those are events 4704 and 4705. The Subject is the account that requested the adjustment, the Target Account is the account whose token was changed, and ProcessName/ProcessId identify the adjusting process. EnabledPrivilegeList and DisabledPrivilegeList carry the privilege constants one per line (separated by CR/LF and tab padding, as in the example), or "-" when empty. The event belongs to the Audit Token Right Adjusted subcategory under Detailed Tracking and is not logged unless that subcategory is enabled. It is extremely noisy: SYSTEM (S-1-5-18) and svchost.exe generate it constantly, as in the example above, so detections filter on subject and process and key on sensitive rights such as SeDebugPrivilege, SeLoadDriverPrivilege, SeTcbPrivilege, SeBackupPrivilege and SeRestorePrivilege.
Detection Rules #
Elastic #
- SeDebugPrivilege Enabled by a Suspicious Process (severity: medium): Identifies a process running with a non-SYSTEM account that enables the SeDebugPrivilege privilege. Adversaries may enable this privilege to debug and modify other processes, typically reserved for system-level tasks, to escalate privileges and bypass access controls.
Splunk #
- Windows Access Token Manipulation SeDebugPrivilege: The following analytic detects a process enabling the "SeDebugPrivilege" privilege token. It leverages Windows Security Event Logs with EventCode 4703, filtering out common legitimate processes. This activity is significant because SeDebugPrivilege allows a process to inspect and modify the memory of other processes, potentially leading to credential dumping or code injection. If confirmed malicious, an attacker could gain extensive control over system processes, enabling them to escalate privileges, persist in the environment, or access sensitive information.
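As an added example (not code from this page, from Elastic or from Splunk), the following Python applies the rule logic the two entries above describe to records in the same JSON shape as the example event: it splits the CR/LF-and-tab separated EnabledPrivilegeList field from the fields table, then flags a SeDebugPrivilege enablement by a non-SYSTEM subject in a process outside an allowlist. The allowlist, the sample events and the account, SID and process names in them are constructed assumptions for illustration, not real telemetry.

```python
SYSTEM_SID = "S-1-5-18"

# Hypothetical allowlist (assumption): processes that legitimately enable
# SeDebugPrivilege all day. Production rules carry far longer, tuned lists.
ALLOWED_PROCESSES = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\lsass.exe",
    r"c:\windows\system32\wbem\wmiprvse.exe",
}


def parse_privilege_list(raw):
    """Split EnabledPrivilegeList / DisabledPrivilegeList into names.

    The field is one string: privilege constants separated by CR/LF and tab
    padding (exactly as in the example event), or "-" when the list is empty.
    """
    if not raw or raw.strip() == "-":
        return []
    return raw.split()


def make_event(record_id, subject_sid, subject_name, process_name,
               enabled="-", disabled="-", process_id="0x1234"):
    """Build a record in the same JSON shape as the example event above.

    Only the fields the detection reads are meaningful; the rest are
    constructed placeholders.
    """
    logon_id = "0x3e7" if subject_sid == SYSTEM_SID else "0x5a1b2"
    return {
        "system": {
            "provider": "Microsoft-Windows-Security-Auditing",
            "event_id": 4703,
            "event_record_id": record_id,
            "channel": "Security",
            "computer": "WinDev2310Eval",
        },
        "event_data": {
            "SubjectUserSid": subject_sid,
            "SubjectUserName": subject_name,
            "SubjectDomainName": "WINDEV2310EVAL",
            "SubjectLogonId": logon_id,
            "TargetUserSid": subject_sid,
            "TargetUserName": subject_name,
            "TargetDomainName": "WINDEV2310EVAL",
            "TargetLogonId": logon_id,
            "ProcessName": process_name,
            "ProcessId": process_id,
            "EnabledPrivilegeList": enabled,
            "DisabledPrivilegeList": disabled,
        },
    }


def is_suspicious_sedebug(event):
    """Rule logic: SeDebugPrivilege enabled (not disabled) by a non-SYSTEM
    subject in a process that is not on the allowlist."""
    if event.get("system", {}).get("event_id") != 4703:
        return False
    data = event.get("event_data", {})
    enabled = parse_privilege_list(data.get("EnabledPrivilegeList"))
    if "SeDebugPrivilege" not in enabled:
        return False                       # disabling it is not the trigger
    if data.get("SubjectUserSid") == SYSTEM_SID:
        return False                       # SYSTEM does this constantly
    if data.get("ProcessName", "").lower() in ALLOWED_PROCESSES:
        return False
    return True


def find_suspicious(events):
    """Return (record_id, subject, process, pid) for every flagged event."""
    hits = []
    for ev in events:
        if is_suspicious_sedebug(ev):
            d = ev["event_data"]
            hits.append((ev["system"]["event_record_id"], d["SubjectUserName"],
                         d["ProcessName"], int(d["ProcessId"], 16)))
    return hits


# Constructed sample events. Record 1 mirrors the example event on this page;
# the others exercise each branch of the rule.
PAGE_PRIV_LIST = ("SeAssignPrimaryTokenPrivilege\r\n\t\t\tSeIncreaseQuotaPrivilege"
                  "\r\n\t\t\tSeSecurityPrivilege\r\n\t\t\tSeTakeOwnershipPrivilege"
                  "\r\n\t\t\tSeLoadDriverPrivilege\r\n\t\t\tSeSystemtimePrivilege"
                  "\r\n\t\t\tSeBackupPrivilege\r\n\t\t\tSeRestorePrivilege"
                  "\r\n\t\t\tSeShutdownPrivilege\r\n\t\t\tSeSystemEnvironmentPrivilege"
                  "\r\n\t\t\tSeUndockPrivilege\r\n\t\t\tSeManageVolumePrivilege")
USER_SID = "S-1-5-21-1004-513-1001"   # assumed local user SID
SAMPLE_EVENTS = [
    make_event(1, SYSTEM_SID, "WINDEV2310EVAL$", r"C:\Windows\System32\svchost.exe",
               PAGE_PRIV_LIST, process_id="0xd0c"),                 # noise
    make_event(2, USER_SID, "alice", r"C:\Users\alice\AppData\Local\Temp\updater.exe",
               "SeDebugPrivilege", process_id="0x1f40"),             # alert
    make_event(3, USER_SID, "alice", r"C:\Windows\System32\svchost.exe",
               "SeDebugPrivilege"),                                  # allowlisted
    make_event(4, SYSTEM_SID, "WINDEV2310EVAL$", r"C:\Windows\System32\lsass.exe",
               "SeDebugPrivilege\r\n\t\t\tSeTcbPrivilege"),          # SYSTEM
    make_event(5, USER_SID, "alice", r"C:\Users\alice\tools\dbg.exe",
               "-", "SeDebugPrivilege"),                             # disabled only
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print("ALERT record=%d subject=%s process=%s pid=%d" % hit)
```

Only record 2 fires: the page's own svchost.exe event never enables SeDebugPrivilege, record 3 is suppressed by the allowlist, record 4 by the SYSTEM check, and record 5 only disables the right. The allowlist is the part that needs tuning per environment; shipping it as-is will page on every legitimate debugger or backup agent, while an over-broad list lets an attacker that injects into an allowlisted process slip through. Remember that none of this logs at all until the Audit Token Right Adjusted subcategory is enabled.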
References #
- Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4703
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-token-right-adjusted
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4703
- Example event sourced from https://github.com/NextronSystems/evtx-baseline