Possible Resource-Based Constrained Delegation Abuse

SecurityEvent
| where EventID == 5136 
| parse EventData with * 'ObjectClass">' ObjectClass "<" *
| parse EventData with * 'AttributeLDAPDisplayName">' AttributeLDAPDisplayName "<" *
| where ObjectClass == "computer" and AttributeLDAPDisplayName == "msDS-AllowedToActOnBehalfOfOtherIdentity"
| parse EventData with * 'ObjectDN">' ObjectDN "<" *
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, SubjectUserName, SubjectDomainName, SubjectUserSid, SubjectLogonId, ObjectDN, AttributeLDAPDisplayName
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
| project-away DomainIndex

triggerThreshold: 0
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: SubjectAccount
  - identifier: Name
    columnName: SubjectUserName
  - identifier: NTDomain
    columnName: SubjectDomainName
- entityType: Account
  fieldMappings:
  - identifier: Sid
    columnName: SubjectUserSid
- entityType: Host
  fieldMappings:
  - identifier: FullName
    columnName: Computer
  - identifier: HostName
    columnName: HostName
  - identifier: DnsDomain
    columnName: HostNameDomain
requiredDataConnectors:
- dataTypes:
  - SecurityEvent
  connectorId: SecurityEvents
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/PotenialResourceBasedConstrainedDelegationAbuse.yaml
name: Possible Resource-Based Constrained Delegation Abuse
relevantTechniques:
- T1134
query: |
  SecurityEvent
  | where EventID == 5136 
  | parse EventData with * 'ObjectClass">' ObjectClass "<" *
  | parse EventData with * 'AttributeLDAPDisplayName">' AttributeLDAPDisplayName "<" *
  | where ObjectClass == "computer" and AttributeLDAPDisplayName == "msDS-AllowedToActOnBehalfOfOtherIdentity"
  | parse EventData with * 'ObjectDN">' ObjectDN "<" *
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, SubjectUserName, SubjectDomainName, SubjectUserSid, SubjectLogonId, ObjectDN, AttributeLDAPDisplayName
  | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
  | project-away DomainIndex  
version: 1.0.3
queryPeriod: 1h
kind: Scheduled
id: 2937bc6b-7cda-4fba-b452-ea43ba8e835f
description: |
  'This query identifies Active Directory computer objects modifications that allow an adversary to abuse the Resource-based constrained delegation. 
  This query checks for event id 5136 that the Object Class field is "computer" and the LDAP Display Name is "msDS-AllowedToActOnBehalfOfOtherIdentity" which is an indicator of Resource-based constrained delegation.
  Ref: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html'  
queryFrequency: 1h
severity: Medium
triggerOperator: gt
tactics:
- PrivilegeEscalation
metadata:
  source:
    kind: Community
  categories:
    domains:
    - Security - Others
    - Identity
  support:
    tier: Community
  author:
    name: Vasileios Paschalidis