
4704 A user right was assigned

Written when the local user rights policy is changed and a right (a logon right or privilege) is assigned to an account. It records privilege grants that can lay the groundwork for escalation or persistence.

Overview

The subcategory is Audit Authorization Policy Change. The event is generated when a local user right (for example “Log on as a service” (SeServiceLogonRight), “Log on as a batch job”, or a privilege such as SeDebugPrivilege) is granted to an account. One event appears per assigned user.

How it is triggered

  • User rights assignment via Local Security Policy or Group Policy.
  • Granting rights via secedit or APIs.

Security review points

  • Granting a powerful right can be preparation for privilege escalation or persistence. New grants of SeDebugPrivilege (manipulate other processes’ memory), SeTcbPrivilege (act as part of the OS), or “Log on as a service” (a prerequisite for running a persistent service) are notable.
  • Granting rights to an unexpected account (especially an ordinary user or a new account) suggests an attacker establishing a foothold. Correlate with the removal event 4705 to track how an account's rights change over time.

Notes for log review

  • Rights are also granted during legitimate server build-out and application deployment. Compare each event against the normal pattern of granted right type, target account, and acting subject.
  • Treat audit-policy and rights changes as significant, and monitor them at high priority together with policy-change events (such as audit-policy change 4719).

Key fields

| Field | Meaning |
|---|---|
| Account Modified / New Right | The account granted the right and the assigned right |
| Subject\Account Name | The account that made the change |
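
One way to apply the review points and key fields above to exported Security-log XML, as an added example that is not part of the original page: it flags 4704 grants of the rights named above unless they match a baseline, and applies 4705 removals to show what each account still holds. The Data names (SubjectUserName, TargetSid, PrivilegeList) follow the 4704/4705 event XML; the sample events, SIDs, account names and baseline are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Rights the page singles out as notable when newly granted.
HIGH_RISK = {"SeDebugPrivilege", "SeTcbPrivilege", "SeServiceLogonRight"}

def _event(event_id, subject, target_sid, rights):
    """Build a minimal constructed event in the Security-log XML shape."""
    return (
        f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
        f'<EventData><Data Name="SubjectUserName">{subject}</Data>'
        f'<Data Name="TargetSid">{target_sid}</Data>'
        f'<Data Name="PrivilegeList">{rights}</Data></EventData></Event>'
    )

# Constructed sample: SIDs, account names and the baseline are made up.
SAMPLE = [
    _event(4704, "deploy-svc", "S-1-5-21-1-2-3-1101", "SeServiceLogonRight"),
    _event(4704, "jdoe", "S-1-5-21-1-2-3-1234", "SeDebugPrivilege\n\t\t\tSeTcbPrivilege"),
    _event(4705, "jdoe", "S-1-5-21-1-2-3-1234", "SeTcbPrivilege"),
]
BASELINE = {("S-1-5-21-1-2-3-1101", "SeServiceLogonRight")}  # expected grants

def review(events, baseline=frozenset()):
    """Return (alerts, held).

    alerts: (acting subject, target SID, right) for each high-risk 4704 grant
            that is not in the baseline of expected (target SID, right) pairs.
    held:   rights each target SID still holds after 4704 grants and 4705 removals.
    """
    alerts, held = [], {}
    for raw in events:
        root = ET.fromstring(raw)
        event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
        if event_id not in (4704, 4705):
            continue
        data = {d.get("Name"): d.text or "" for d in root.iterfind("e:EventData/e:Data", NS)}
        # PrivilegeList may hold several rights separated by whitespace.
        target, rights = data["TargetSid"], set(data["PrivilegeList"].split())
        current = held.setdefault(target, set())
        if event_id == 4705:          # removal: shrink the tracked set
            current -= rights
            continue
        current |= rights             # grant: grow the tracked set
        for right in sorted(rights & HIGH_RISK):
            if (target, right) not in baseline:
                alerts.append((data["SubjectUserName"], target, right))
    return alerts, held
```

Calling `review(SAMPLE, BASELINE)` alerts on both grants made by `jdoe` while the baselined service-logon grant stays quiet, and the tracked set shows that only SeDebugPrivilege remains after the 4705 removal.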

Glossary

  • User right — actions permitted to an account, such as “Log on as a service” or “Log on locally.” It includes privileges and logon rights.
