Event ID 4704 — A user right was assigned.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Policy Change → Authorization Policy Change
Collection Priority: Recommended (NSA, others)
Opcode: Info

Description

A user right was assigned.

Message #

A user right was assigned.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Target Account:
	Account Name: %5

New Right:
	User Right: %6

Fields #

Name	Description
`SubjectUserSid` SID	[Subject] Security ID.
`SubjectUserName` UnicodeString	[Subject] Account Name.
`SubjectDomainName` UnicodeString	[Subject] Account Domain.
`SubjectLogonId` HexInt64	[Subject] Logon ID.
`TargetSid` SID	[Target Account] Account Name.
`PrivilegeList` UnicodeString	[New Right] User Right. Privilege constants reference

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4704,
    "version": 0,
    "level": 0,
    "task": 13570,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2023-11-05T23:16:25.782413+00:00",
    "event_record_id": 71899,
    "correlation": {
      "ActivityID": "E4DB489E-1037-0001-0C49-DBE43710DA01"
    },
    "execution": {
      "process_id": 808,
      "thread_id": 844
    },
    "channel": "Security",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "WINDEV2310EVAL$",
    "SubjectDomainName": "WORKGROUP",
    "SubjectLogonId": "0x3e7",
    "TargetSid": "S-1-5-83-0",
    "PrivilegeList": "SeCreateSymbolicLinkPrivilege"
  },
  "message": ""
}

Community Notes #

Tracks changes to token privileges.

Detection Rules #

View all rules referencing this event →

Sigma # view in reference

Enabled User Right in AD to Control User Objects source high: Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.

Elastic # view in reference

Sensitive Privilege SeEnableDelegationPrivilege assigned to a User source high: Identifies the assignment of the SeEnableDelegationPrivilege sensitive "user right" to a user. The SeEnableDelegationPrivilege "user right" enables computer and user accounts to be trusted for delegation. Attackers can abuse this right to compromise Active Directory accounts and elevate their privileges.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4704
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-authorization-policy-change
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4704
Example event sourced from https://github.com/NextronSystems/evtx-baseline