Resource-based delegation in Active Directory can pose a security threat. Delegation lets a resource accept authentication that another system performs on a user's behalf, so if an attacker gains control of a system that is trusted to delegate, they can use that trust to move laterally within the network and potentially reach sensitive data. The feature can also be abused by malicious insiders to gain unauthorized access to systems and data. To minimize the risk, apply least privilege to the principals that are allowed to delegate, monitor for suspicious changes to the delegation attributes, and regularly review the configuration.
Event ID 5136
// https://docs.microsoft.com/en-us/windows/win32/adschema/a-msds-allowedtoactonbehalfofotheridentity
// Watches for writes to msDS-AllowedToActOnBehalfOfOtherIdentity (RBCD) and msDS-AllowedToDelegateTo (constrained delegation)
SecurityEvent
| where EventID == 5136
// EventData is XML; parse it and turn the <Data Name="..."> elements into a property bag keyed by Name
| extend DataItems = parse_xml(EventData).EventData.Data
| mv-apply Item = DataItems on (
    summarize Fields = make_bag(pack(tostring(Item["@Name"]), tostring(Item["#text"])))
  )
| extend ObjectDN = tostring(Fields.ObjectDN),
         ObjectClass = tostring(Fields.ObjectClass),
         AttributeLDAPDisplayName = tostring(Fields.AttributeLDAPDisplayName),
         AttributeValue = tostring(Fields.AttributeValue)
| where AttributeLDAPDisplayName in~ ("msDS-AllowedToActOnBehalfOfOtherIdentity", "msDS-AllowedToDelegateTo")
| project TimeGenerated, ObjectDN, ObjectClass, AttributeLDAPDisplayName, AttributeValue
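The query above catches changes as they happen; the periodic configuration review mentioned at the top needs an inventory of what is currently set. The following PowerShell script is an added example, not part of the original post: it lists every directory object that carries either delegation attribute and resolves the RBCD trustees to account names. It assumes the RSAT ActiveDirectory module and read access to the domain; Get-DelegationConfig is a name chosen here.

```powershell
# Added example: inventory current delegation settings for review.
# Assumes the RSAT ActiveDirectory module is installed.
Import-Module ActiveDirectory

function Get-DelegationConfig {
    $attrs  = 'msDS-AllowedToActOnBehalfOfOtherIdentity', 'msDS-AllowedToDelegateTo'
    $filter = '(|(msDS-AllowedToActOnBehalfOfOtherIdentity=*)(msDS-AllowedToDelegateTo=*))'

    foreach ($obj in Get-ADObject -LDAPFilter $filter -Properties $attrs) {
        # Classic constrained delegation: a multi-valued list of target SPNs.
        foreach ($spn in @($obj.'msDS-AllowedToDelegateTo')) {
            if ($spn) {
                [pscustomobject]@{
                    Object    = $obj.DistinguishedName
                    Attribute = 'msDS-AllowedToDelegateTo'
                    Trustee   = $spn
                }
            }
        }

        # RBCD: a security descriptor whose ACE trustees are the principals
        # permitted to act on behalf of other identities against this object.
        $sd = $obj.'msDS-AllowedToActOnBehalfOfOtherIdentity'
        if ($sd -is [byte[]]) {
            # Some cmdlets return the raw descriptor bytes; decode them.
            $raw = $sd
            $sd  = New-Object System.DirectoryServices.ActiveDirectorySecurity
            $sd.SetSecurityDescriptorBinaryForm($raw)
        }
        if ($sd) {
            foreach ($ace in $sd.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])) {
                $sid = $ace.IdentityReference
                try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $name = $sid.Value }   # unresolvable SID: orphaned trustee, worth a closer look
                [pscustomobject]@{
                    Object    = $obj.DistinguishedName
                    Attribute = 'msDS-AllowedToActOnBehalfOfOtherIdentity'
                    Trustee   = $name
                }
            }
        }
    }
}

Get-DelegationConfig | Sort-Object Object | Format-Table -AutoSize
```

Compare each run against the previous one (Compare-Object on the exported list works) so that any trustee or SPN that appears between reviews is explained or removed.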
Are you looking to improve your organization's security and gain better visibility into potential threats? Contact me today and I can help you implement Microsoft Sentinel, a powerful security platform that uses artificial intelligence and machine learning to help you detect, investigate, and respond to security incidents.