Possible Resource-Based Constrained Delegation Abuse
| Id | 2937bc6b-7cda-4fba-b452-ea43ba8e835f |
| Rulename | Possible Resource-Based Constrained Delegation Abuse |
| Description | This query identifies Active Directory computer objects modifications that allow an adversary to abuse the Resource-based constrained delegation. This query checks for event id 5136 that the Object Class field is “computer” and the LDAP Display Name is “msDS-AllowedToActOnBehalfOfOtherIdentity” which is an indicator of Resource-based constrained delegation. Ref: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html |
| Severity | Medium |
| Tactics | PrivilegeEscalation |
| Techniques | T1134 |
| Required data connectors | SecurityEvents |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/PotenialResourceBasedConstrainedDelegationAbuse.yaml |
| Version | 1.0.3 |
| Arm template | 2937bc6b-7cda-4fba-b452-ea43ba8e835f.json |
SecurityEvent
| where EventID == 5136
| parse EventData with * 'ObjectClass">' ObjectClass "<" *
| parse EventData with * 'AttributeLDAPDisplayName">' AttributeLDAPDisplayName "<" *
| where ObjectClass == "computer" and AttributeLDAPDisplayName == "msDS-AllowedToActOnBehalfOfOtherIdentity"
| parse EventData with * 'ObjectDN">' ObjectDN "<" *
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, SubjectUserName, SubjectDomainName, SubjectUserSid, SubjectLogonId, ObjectDN, AttributeLDAPDisplayName
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
| project-away DomainIndex
relevantTechniques:
- T1134
name: Possible Resource-Based Constrained Delegation Abuse
requiredDataConnectors:
- dataTypes:
- SecurityEvent
connectorId: SecurityEvents
entityMappings:
- fieldMappings:
- identifier: FullName
columnName: SubjectAccount
- identifier: Name
columnName: SubjectUserName
- identifier: NTDomain
columnName: SubjectDomainName
entityType: Account
- fieldMappings:
- identifier: Sid
columnName: SubjectUserSid
entityType: Account
- fieldMappings:
- identifier: FullName
columnName: Computer
- identifier: HostName
columnName: HostName
- identifier: DnsDomain
columnName: HostNameDomain
entityType: Host
triggerThreshold: 0
id: 2937bc6b-7cda-4fba-b452-ea43ba8e835f
tactics:
- PrivilegeEscalation
version: 1.0.3
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/PotenialResourceBasedConstrainedDelegationAbuse.yaml
queryPeriod: 1h
kind: Scheduled
metadata:
categories:
domains:
- Security - Others
- Identity
author:
name: Vasileios Paschalidis
support:
tier: Community
source:
kind: Community
queryFrequency: 1h
severity: Medium
description: |
'This query identifies Active Directory computer objects modifications that allow an adversary to abuse the Resource-based constrained delegation.
This query checks for event id 5136 that the Object Class field is "computer" and the LDAP Display Name is "msDS-AllowedToActOnBehalfOfOtherIdentity" which is an indicator of Resource-based constrained delegation.
Ref: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html'
query: |
SecurityEvent
| where EventID == 5136
| parse EventData with * 'ObjectClass">' ObjectClass "<" *
| parse EventData with * 'AttributeLDAPDisplayName">' AttributeLDAPDisplayName "<" *
| where ObjectClass == "computer" and AttributeLDAPDisplayName == "msDS-AllowedToActOnBehalfOfOtherIdentity"
| parse EventData with * 'ObjectDN">' ObjectDN "<" *
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, SubjectUserName, SubjectDomainName, SubjectUserSid, SubjectLogonId, ObjectDN, AttributeLDAPDisplayName
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
| project-away DomainIndex
triggerOperator: gt
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2937bc6b-7cda-4fba-b452-ea43ba8e835f')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2937bc6b-7cda-4fba-b452-ea43ba8e835f')]",
"properties": {
"alertRuleTemplateName": "2937bc6b-7cda-4fba-b452-ea43ba8e835f",
"customDetails": null,
"description": "'This query identifies Active Directory computer objects modifications that allow an adversary to abuse the Resource-based constrained delegation. \nThis query checks for event id 5136 that the Object Class field is \"computer\" and the LDAP Display Name is \"msDS-AllowedToActOnBehalfOfOtherIdentity\" which is an indicator of Resource-based constrained delegation.\nRef: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html'\n",
"displayName": "Possible Resource-Based Constrained Delegation Abuse",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "SubjectAccount",
"identifier": "FullName"
},
{
"columnName": "SubjectUserName",
"identifier": "Name"
},
{
"columnName": "SubjectDomainName",
"identifier": "NTDomain"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "SubjectUserSid",
"identifier": "Sid"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "Computer",
"identifier": "FullName"
},
{
"columnName": "HostName",
"identifier": "HostName"
},
{
"columnName": "HostNameDomain",
"identifier": "DnsDomain"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/PotenialResourceBasedConstrainedDelegationAbuse.yaml",
"query": "SecurityEvent\n| where EventID == 5136 \n| parse EventData with * 'ObjectClass\">' ObjectClass \"<\" *\n| parse EventData with * 'AttributeLDAPDisplayName\">' AttributeLDAPDisplayName \"<\" *\n| where ObjectClass == \"computer\" and AttributeLDAPDisplayName == \"msDS-AllowedToActOnBehalfOfOtherIdentity\"\n| parse EventData with * 'ObjectDN\">' ObjectDN \"<\" *\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, SubjectUserName, SubjectDomainName, SubjectUserSid, SubjectLogonId, ObjectDN, AttributeLDAPDisplayName\n| extend HostName = tostring(split(Computer, \".\")[0]), DomainIndex = toint(indexof(Computer, '.'))\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\n| project-away DomainIndex\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "Medium",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"PrivilegeEscalation"
],
"techniques": [
"T1134"
],
"templateVersion": "1.0.3",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}