From 2bb7d7e6ebfa05faac32ef57efdf53c5702d297f Mon Sep 17 00:00:00 2001
From: Nate Guagenti <neu5ron@users.noreply.github.com>
Date: Mon, 3 Apr 2017 15:58:23 -0400
Subject: [PATCH] Create win_alert_active_directory_user_control.yml

---
 ...win_alert_active_directory_user_control.yml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 create mode 100644 rules/windows/builtin/win_alert_active_directory_user_control.yml

diff --git a/rules/windows/builtin/win_alert_active_directory_user_control.yml b/rules/windows/builtin/win_alert_active_directory_user_control.yml
new file mode 100644
index 000000000..4b731eed7
--- /dev/null
+++ b/rules/windows/builtin/win_alert_active_directory_user_control.yml
@@ -0,0 +1,18 @@
+title: Detects Enabling of a User Right in AD to Control User Objects
+description: Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.
+reference: 
+    - https://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
+author: @neu5ron
+logsource:
+    product: windows
+    service: security
+    description: 'Requirements: Audit Policy : Policy Change > Audit Authorization Policy Change, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Authorization Policy Change'
+detection:
+    selection:
+        EventID: 4707
+    keywords:
+        - 'SeEnableDelegationPrivilege'
+    condition: selection and keywords
+falsepositives: 
+    - Unknown
+level: high