KQL Query - Detect Resource-Based Kerberos Delegation

Resource-based delegation in Active Directory can pose a security threat. It lets a resource decide which other accounts may authenticate to it on behalf of users, which is useful for multi-tier services, but if an attacker gains access to a delegated system they can use that trust to move within the network and potentially reach sensitive data. The same feature can be abused by a malicious insider to gain unauthorized access to systems and data. To minimize the risk, apply least privilege to the accounts allowed to change delegation settings, monitor those settings for suspicious changes, and review the configuration regularly.

Event ID 5136

5136(S) A directory service object was modified. (Windows 10) | Microsoft Learn

Query

//https://docs.microsoft.com/en-us/windows/win32/adschema/a-msds-allowedtoactonbehalfofotheridentity
//msDS-AllowedToActOnBehalfOfOtherIdentity (resource-based constrained delegation, set on the resource)
//and msDS-AllowedToDelegateTo (classic constrained delegation, set on the front-end account)
//EventData holds the raw 5136 XML. parse_xml exposes each <Data Name="..."> element in the Data array
//in the documented field order (8 = ObjectDN, 10 = ObjectClass, 11 = AttributeLDAPDisplayName,
//13 = AttributeValue); the element text is available under the "#text" key.
SecurityEvent
| where EventID == 5136
| extend MyData = tostring(parse_xml(EventData))
| extend ObjectDN = tostring(extractjson("$['EventData']['Data'][8]['#text']", MyData))
| extend ObjectClass = tostring(extractjson("$['EventData']['Data'][10]['#text']", MyData))
| extend AttributeLDAPDisplayName = tostring(extractjson("$['EventData']['Data'][11]['#text']", MyData))
| extend AttributeValue = tostring(extractjson("$['EventData']['Data'][13]['#text']", MyData))
| where AttributeLDAPDisplayName == "msDS-AllowedToActOnBehalfOfOtherIdentity" or AttributeLDAPDisplayName == "msDS-AllowedToDelegateTo"
| project TimeGenerated, ObjectDN, ObjectClass, AttributeLDAPDisplayName, AttributeValue
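The query above reads fields by their position in the Data array, which works for the documented 5136 layout but breaks silently if the order differs. The following added example (not part of the original post) rebuilds the same detection by field name using mv-apply and make_bag, and keeps the actor (SubjectUserName) and the OperationType so an analyst can see who changed the delegation setting and whether a value was added or removed. It assumes the Microsoft Sentinel SecurityEvent table and the standard 5136 field names; the OperationType codes %%14674 (Value Added) and %%14675 (Value Deleted) are the documented values for this event.

```kusto
// Added example, not the original post's query.
// Parse each 5136 event by the Name attribute of its <Data> elements rather than
// by array index, then filter on the two Kerberos delegation attributes.
let DelegationAttributes = dynamic([
    "msDS-AllowedToActOnBehalfOfOtherIdentity",   // resource-based constrained delegation
    "msDS-AllowedToDelegateTo"                    // classic constrained delegation
]);
SecurityEvent
| where EventID == 5136
// parse_xml yields EventData.Data as an array of {"@Name": ..., "#text": ...} objects
| extend Fields = parse_xml(EventData).EventData.Data
// Collapse the array into one property bag per event, keyed by the Name attribute
| mv-apply Fields on (
    summarize Bag = make_bag(bag_pack(tostring(Fields["@Name"]), tostring(Fields["#text"])))
)
| extend
    SubjectDomainName        = tostring(Bag.SubjectDomainName),
    SubjectUserName          = tostring(Bag.SubjectUserName),
    ObjectDN                 = tostring(Bag.ObjectDN),
    ObjectClass              = tostring(Bag.ObjectClass),
    AttributeLDAPDisplayName = tostring(Bag.AttributeLDAPDisplayName),
    AttributeValue           = tostring(Bag.AttributeValue),
    // Map the documented OperationType codes to readable labels
    OperationType = case(
        tostring(Bag.OperationType) == "%%14674", "Value Added",
        tostring(Bag.OperationType) == "%%14675", "Value Deleted",
        tostring(Bag.OperationType))
| where AttributeLDAPDisplayName in (DelegationAttributes)
| project TimeGenerated, Computer, SubjectDomainName, SubjectUserName,
          ObjectDN, ObjectClass, AttributeLDAPDisplayName, OperationType, AttributeValue
| order by TimeGenerated desc
```

Two operational notes: Event 5136 is only generated when the "Audit Directory Service Changes" subcategory is enabled and the object's SACL audits property writes, so confirm the events are actually arriving before relying on either query. Both attributes are also set legitimately for service accounts in multi-tier applications, so compare the result against the known set of delegation-enabled accounts and alert on changes made by unexpected actors or to unexpected objects rather than on every row.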

Summary

Are you looking to improve your organization's security and gain better visibility into potential threats? Contact me today and I can help you implement Microsoft Sentinel, a powerful security platform that uses artificial intelligence and machine learning to help you detect, investigate, and respond to security incidents.