KQL Query – Detect Active Directory Resource-Based Kerberos Delegation

Why can resource-based delegation pose a threat?

Resource-Based delegation in Active Directory can pose a security threat. Resource-Based delegation enables the delegation of authentication and authorization to other systems, but if an attacker gains access to a delegated system, they can use that access to move within the network and potentially access sensitive data. This feature can also be abused by malicious insiders to gain unauthorized access to systems and data. To minimize the risks, it is important to implement least privilege, monitoring for suspicious activity, and regularly reviewing configurations when using these features.

Event ID 5136: A Directory Service Object Was Modified

Event ID 5136 indicates that a directory service object was modified. To determine if the modification involves Resource-Based Delegation, the Event Data can be parsed using the following query:

				
					//https://docs.microsoft.com/en-us/windows/win32/adschema/a-msds-allowedtoactonbehalfofotheridentity
//msDS-AllowedToActOnBehalfOfOtherIdentity and msDS-AllowedToDelegateTo
SecurityEvent
| where EventID == 5136
| extend MyData = tostring(parse_xml(EventData))
| extend ObjectDN = tostring(extractjson("$['EventData']['Data'][8]#text", MyData))
| extend ObjectClass = tostring(extractjson("$['EventData']['Data'][10]#text", MyData))
| extend AttributeLDAPDisplayName = tostring(extractjson("$['EventData']['Data'][11]#text", MyData))
| extend AttributeValue = tostring(extractjson("$['EventData']['Data'][13]#text", MyData))
| where AttributeLDAPDisplayName == "msDS-AllowedToActOnBehalfOfOtherIdentity" or AttributeLDAPDisplayName == "msDS-AllowedToDelegateTo"
| project TimeGenerated,ObjectDN,ObjectClass,AttributeLDAPDisplayName,AttributeValue 
				
			

Conclusion

Understanding and detecting potential threats related to RBKD is crucial for maintaining a secure network environment. By leveraging KQL queries, organizations can effectively monitor and manage RBKD in Active Directory, thereby enhancing their overall security posture.

Leave a Reply

Contact me

If you’re interested in learning about KQL Query – Detect Active Directory Resource-Based Kerberos Delegation. I can help you understand how this solution can benefit your organization and provide a customized solution tailored to your specific needs.

Table of Contents