Detection rules › Kusto Query Language

Possible Resource-Based Constrained Delegation Abuse

Author: Vasileios Paschalidis
Source: upstream

'This query identifies Active Directory computer objects modifications that allow an adversary to abuse the Resource-based constrained delegation. This query checks for event id 5136 that the Object Class field is "computer" and the LDAP Display Name is "msDS-AllowedToActOnBehalfOfOtherIdentity" which is an indicator of Resource-based constrained delegation. Ref: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html'

MITRE ATT&CK coverage

Tactic	Techniques
Privilege Escalation	`T1134` Access Token Manipulation
Defense Evasion	`T1134` Access Token Manipulation

Event coverage

Provider	Event ID	Title
Security-Auditing	5136	A directory service object was modified.

Stages and Predicates

Stage 1: `source`

SecurityEvent

Stage 2: `where`

EventID eq "5136"

Stage 3: `parse`

Stage 4: `parse`

Stage 5: `where`

and
  AttributeLDAPDisplayName eq "msDS-AllowedToActOnBehalfOfOtherIdentity"
  ObjectClass eq "computer"

Stage 6: `parse`

Stage 7: `summarize`

Stage 8: `extend`

Stage 9: `extend`

Stage 10: `project-away`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`AttributeLDAPDisplayName`	eq	`msDS-AllowedToActOnBehalfOfOtherIdentity`
`EventID`	eq	`5136` corpus 22 (splunk 22)
`ObjectClass`	eq	`computer`

Possible Resource-Based Constrained Delegation Abuse

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: source

Stage 2: where

Stage 3: parse

Stage 4: parse

Stage 5: where

Stage 6: parse

Stage 7: summarize

Stage 8: extend

Stage 9: extend

Stage 10: project-away