4705 A user right was removed
Logged when the local user rights policy is changed and a right is removed from an account. Paired with the assignment event 4704, it tracks how rights change over time.
Overview
The subcategory is Audit Authorization Policy Change. The event is generated when a local user right is removed from an account. One event appears per target user.
How it is triggered
- Removing rights via Local Security Policy or Group Policy.
- Removing rights via secedit or APIs.
Security review points
- Removing a right needed for defense or operations can stop a service or weaken auditing. For example, removing a right required by a security product or backup is notable in the context of defense evasion.
- An attacker may also reorganize rights as part of covering tracks or altering configuration. Together with assignment 4704, track who removed which right from which account.
Notes for log review
- It also occurs during legitimate configuration changes and rights reviews. Narrow alerts to important rights and target accounts.
- As a policy-change event, treat it as high priority together with assignment 4704 and audit-policy change 4719.
Key fields
| Field | Meaning |
|---|---|
| Account Modified / Removed Right | The account the right was removed from and the removed right |
| Subject\Account Name | The account that made the change |
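
An added example (not part of the original page) of the review approach above: it reads exported Security-log XML, pairs 4704 assignments with 4705 removals, and reports only removals of watched rights. The watchlist, the sample events and the function names are assumptions; `SubjectUserName`, `TargetSid` and `PrivilegeList` are the XML data names behind the fields in the table.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Assumption: rights whose removal should alert here (backup and auditing related).
WATCHED = {"SeBackupPrivilege", "SeRestorePrivilege",
           "SeAuditPrivilege", "SeSecurityPrivilege"}

def _ev(eid, ts, subject, sid, rights):
    """Build one constructed sample event in the Security log XML shape."""
    data = {"SubjectUserName": subject, "TargetSid": sid, "PrivilegeList": rights}
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event><System><EventID>{eid}</EventID>'
            f'<TimeCreated SystemTime="{ts}"/></System>'
            f'<EventData>{fields}</EventData></Event>')

# Constructed sample export, not real log data: one assignment, two removals.
SAMPLE = ('<Events xmlns="' + NS["e"] + '">'
    + _ev(4704, "2024-05-01T09:00:00Z", "gpo-admin", "S-1-5-21-1-2-3-1105", "SeBackupPrivilege")
    + _ev(4705, "2024-05-02T23:10:00Z", "helpdesk7", "S-1-5-21-1-2-3-1105", "SeBackupPrivilege\n\t\t\tSeDebugPrivilege")
    + _ev(4705, "2024-05-03T08:00:00Z", "gpo-admin", "S-1-5-21-1-2-3-1200", "SeShutdownPrivilege")
    + "</Events>")

def parse(xml_text):
    """Yield (time, event_id, subject, target_sid, right), one row per right."""
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        eid = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        if eid not in (4704, 4705):
            continue
        ts = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        d = {x.get("Name"): (x.text or "") for x in ev.findall("e:EventData/e:Data", NS)}
        for right in d.get("PrivilegeList", "").split():  # whitespace-separated list
            yield ts, eid, d.get("SubjectUserName", ""), d.get("TargetSid", ""), right

def watched_removals(xml_text):
    """Return 4705 removals of watched rights, with who last assigned them (4704)."""
    granted_by, alerts = {}, []
    for ts, eid, subject, sid, right in sorted(parse(xml_text)):  # time order
        if eid == 4704:
            granted_by[(sid, right)] = subject
        elif right in WATCHED:
            alerts.append({"time": ts, "removed_by": subject, "account": sid,
                           "right": right,
                           "assigned_by": granted_by.get((sid, right))})
    return alerts

if __name__ == "__main__":
    for alert in watched_removals(SAMPLE):
        print(alert)
```

An `assigned_by` value of `None` means no matching 4704 was found in the export, which usually means the assignment predates the log window.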