KQL Query - Detect Active Directory Resource-Based Kerberos Delegation
Why can resource-based delegation pose a threat?
Resource-based constrained delegation (RBCD) lets the owner of a resource decide which accounts may obtain Kerberos service tickets to that resource on behalf of other users. That decision lives in the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of the resource's own computer or service account, and writing it requires only write access to that object, not the domain-level privileges that classic constrained delegation needs. An attacker, or a malicious insider, who gains write access to a computer object can therefore grant an account they control the right to impersonate users, including privileged ones, to that system, then use the resulting service tickets to move laterally and reach sensitive data. To limit the risk, apply least privilege to who can write computer and service account objects, audit and alert on changes to the delegation attributes, and review existing delegation configurations regularly.
Event ID 5136: A Directory Service Object Was Modified
Event ID 5136 is logged when an Active Directory object is modified, provided the Audit Directory Service Changes subcategory is enabled and the object's SACL audits writes to the attribute in question. The event's EventData carries the object (ObjectDN, ObjectClass), the attribute that changed (AttributeLDAPDisplayName, AttributeValue), the account that made the change (SubjectUserName) and whether a value was added or removed (OperationType). To find delegation changes, parse the EventData XML and keep only the events that touch msDS-AllowedToActOnBehalfOfOtherIdentity (RBCD, set on the target resource) or msDS-AllowedToDelegateTo (classic constrained delegation, set on the front-end account):
//https://docs.microsoft.com/en-us/windows/win32/adschema/a-msds-allowedtoactonbehalfofotheridentity
//msDS-AllowedToActOnBehalfOfOtherIdentity and msDS-AllowedToDelegateTo
//Data[] positions follow the documented 5136 EventData field order (ObjectDN=8, ObjectClass=10,
//AttributeLDAPDisplayName=11, AttributeValue=13); confirm them against a sample event in your workspace
SecurityEvent
| where EventID == 5136
| extend MyData = tostring(parse_xml(EventData))
| extend ObjectDN = tostring(extractjson("$['EventData']['Data'][8]['#text']", MyData))
| extend ObjectClass = tostring(extractjson("$['EventData']['Data'][10]['#text']", MyData))
| extend AttributeLDAPDisplayName = tostring(extractjson("$['EventData']['Data'][11]['#text']", MyData))
| extend AttributeValue = tostring(extractjson("$['EventData']['Data'][13]['#text']", MyData))
| where AttributeLDAPDisplayName == "msDS-AllowedToActOnBehalfOfOtherIdentity" or AttributeLDAPDisplayName == "msDS-AllowedToDelegateTo"
| project TimeGenerated, ObjectDN, ObjectClass, AttributeLDAPDisplayName, AttributeValue
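The same detection logic run over sample 5136 records, as an added example that is not part of the original post or the author's query. It resolves each Data element by its Name attribute rather than by position, tolerates the XML namespace that SecurityEvent stores on EventData, maps OperationType to added/removed, and pulls the trustee SIDs out of the SDDL security descriptor that the 5136 record uses to render the msDS-AllowedToActOnBehalfOfOtherIdentity value. The event records, domain, SIDs and account names are all constructed for the example.

```python
"""Flag Kerberos delegation changes in Windows Security event 5136 records.

Added example for this page, not code from the original post: it does in Python
what the page's KQL does in Sentinel, but resolves each <Data> element by its
Name attribute instead of by position, so it survives schema reordering.
All event records below are constructed.
"""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# RBCD is configured on the *target* resource and names who may impersonate users to it.
RBCD_ATTR = "msDS-AllowedToActOnBehalfOfOtherIdentity"
# Classic constrained delegation is configured on the *front-end* account and lists target SPNs.
CONSTRAINED_ATTR = "msDS-AllowedToDelegateTo"
DELEGATION_ATTRS = {RBCD_ATTR, CONSTRAINED_ATTR}

# OperationType codes as they appear in 5136 EventData.
OPERATION_TYPES = {"%%14674": "value added", "%%14675": "value deleted"}

# The RBCD attribute is a security descriptor rendered as SDDL; the trustee SIDs in its
# ACEs are the accounts being granted (or losing) the right to delegate to the resource.
SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")


def _local_name(tag):
    """Strip an XML namespace prefix such as '{http://...}Data' -> 'Data'."""
    return tag.rsplit("}", 1)[-1]


def parse_event_data(xml_text):
    """Return {Name: text} for every <Data Name="..."> element, namespace-agnostic."""
    root = ET.fromstring(xml_text)
    return {el.get("Name"): (el.text or "") for el in root.iter() if _local_name(el.tag) == "Data"}


def delegation_changes(event_data_blobs):
    """Return one finding per 5136 record that touches a delegation attribute."""
    findings = []
    for blob in event_data_blobs:
        fields = parse_event_data(blob)
        attr = fields.get("AttributeLDAPDisplayName", "")
        if attr not in DELEGATION_ATTRS:
            continue
        value = fields.get("AttributeValue", "")
        op_code = fields.get("OperationType", "")
        findings.append({
            "actor": f"{fields.get('SubjectDomainName', '')}\\{fields.get('SubjectUserName', '')}",
            "object_dn": fields.get("ObjectDN", ""),
            "object_class": fields.get("ObjectClass", ""),
            "attribute": attr,
            "operation": OPERATION_TYPES.get(op_code, op_code),
            "trustee_sids": SID_RE.findall(value) if attr == RBCD_ATTR else [],
            "value": value,
        })
    return findings


def constructed_5136(object_dn, object_class, attr, value, operation, user="jdoe"):
    """Build a constructed 5136 EventData blob in the namespaced form Sentinel stores it."""
    data = {
        "SubjectUserSid": "S-1-5-21-1234567890-1234567890-1234567890-1105",  # constructed
        "SubjectUserName": user,
        "SubjectDomainName": "CORP",
        "DSName": "corp.example.com",
        "ObjectDN": object_dn,
        "ObjectClass": object_class,
        "AttributeLDAPDisplayName": attr,
        "AttributeValue": value,
        "OperationType": operation,
    }
    inner = "".join(f'<Data Name="{k}">{escape(v)}</Data>' for k, v in data.items())
    return f'<EventData xmlns="http://schemas.microsoft.com/win/2004/08/events/event">{inner}</EventData>'


# Constructed sample: an RBCD grant to SID ...-1108 on a file server, a classic constrained
# delegation change on a service account, an unrelated attribute change, and an RBCD cleanup.
SAMPLE_EVENTS = [
    constructed_5136("CN=FILESRV01,OU=Servers,DC=corp,DC=example,DC=com", "computer", RBCD_ATTR,
                     "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1234567890-1234567890-1234567890-1108)",
                     "%%14674"),
    constructed_5136("CN=svc_web,OU=Service Accounts,DC=corp,DC=example,DC=com", "user", CONSTRAINED_ATTR,
                     "cifs/FILESRV01.corp.example.com", "%%14674"),
    constructed_5136("CN=Alice,OU=Users,DC=corp,DC=example,DC=com", "user", "description",
                     "Finance", "%%14674"),
    constructed_5136("CN=FILESRV01,OU=Servers,DC=corp,DC=example,DC=com", "computer", RBCD_ATTR,
                     "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1234567890-1234567890-1234567890-1108)",
                     "%%14675"),
]

if __name__ == "__main__":
    for f in delegation_changes(SAMPLE_EVENTS):
        print(f"{f['actor']} {f['operation']} {f['attribute']} on {f['object_dn']} "
              f"trustees={f['trustee_sids'] or '-'}")
```

Looking up Data elements by Name is the part worth carrying back into the KQL: a positional index silently returns the wrong field if the event template ever changes, while a Name lookup fails loudly. The SID in the RBCD value is what turns the alert into an investigation lead: resolve it, and you know which account was just allowed to impersonate users to the resource.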
Are you looking to improve your organization's security and gain better visibility into potential threats? Contact me today and I can help you implement Microsoft Sentinel, a powerful security platform that uses artificial intelligence and machine learning to help you detect, investigate, and respond to security incidents.