Why can resource-based delegation pose a threat?
Resource-Based delegation in Active Directory can pose a security threat. Resource-Based delegation enables the delegation of authentication and authorization to other systems, but if an attacker gains access to a delegated system, they can use that access to move within the network and potentially access sensitive data. This feature can also be abused by malicious insiders to gain unauthorized access to systems and data. To minimize the risks, it is important to implement least privilege, monitoring for suspicious activity, and regularly reviewing configurations when using these features.
Event ID 5136: A Directory Service Object Was Modified
Event ID 5136 indicates that a directory service object was modified. To determine if the modification involves Resource-Based Delegation, the Event Data can be parsed using the following query:
//https://docs.microsoft.com/en-us/windows/win32/adschema/a-msds-allowedtoactonbehalfofotheridentity
//msDS-AllowedToActOnBehalfOfOtherIdentity and msDS-AllowedToDelegateTo
SecurityEvent
| where EventID == 5136
| extend MyData = tostring(parse_xml(EventData))
| extend ObjectDN = tostring(extractjson("$['EventData']['Data'][8]#text", MyData))
| extend ObjectClass = tostring(extractjson("$['EventData']['Data'][10]#text", MyData))
| extend AttributeLDAPDisplayName = tostring(extractjson("$['EventData']['Data'][11]#text", MyData))
| extend AttributeValue = tostring(extractjson("$['EventData']['Data'][13]#text", MyData))
| where AttributeLDAPDisplayName == "msDS-AllowedToActOnBehalfOfOtherIdentity" or AttributeLDAPDisplayName == "msDS-AllowedToDelegateTo"
| project TimeGenerated,ObjectDN,ObjectClass,AttributeLDAPDisplayName,AttributeValue
Conclusion
Understanding and detecting potential threats related to RBKD is crucial for maintaining a secure network environment. By leveraging KQL queries, organizations can effectively monitor and manage RBKD in Active Directory, thereby enhancing their overall security posture.
