Adversaries may exploit resource-based constrained delegation by modifying Active Directory computer objects to gain unauthorized access to services. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate potential lateral movement and privilege escalation attempts.
KQL Query

```kusto
SecurityEvent
| where EventID == 5136
| parse EventData with * 'ObjectClass">' ObjectClass "<" *
| parse EventData with * 'AttributeLDAPDisplayName">' AttributeLDAPDisplayName "<" *
| where ObjectClass == "computer" and AttributeLDAPDisplayName == "msDS-AllowedToActOnBehalfOfOtherIdentity"
| parse EventData with * 'ObjectDN">' ObjectDN "<" *
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, SubjectUserName, SubjectDomainName, SubjectUserSid, SubjectLogonId, ObjectDN, AttributeLDAPDisplayName
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
| project-away DomainIndex
```
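To show what the query's `parse` and `where` steps actually do against raw 5136 EventData, here is an added Python re-implementation (example code, not part of the rule or this page): it builds constructed 5136 EventData fragments, applies the same ObjectClass/attribute filter and host split as the KQL, and additionally surfaces the event's OperationType (value added vs. value deleted), which the query does not distinguish. All hostnames, accounts, DNs and function names are made up for the example.

```python
import re

# Attribute written when resource-based constrained delegation is configured.
RBCD_ATTRIBUTE = "msDS-AllowedToActOnBehalfOfOtherIdentity"
# Event 5136 OperationType codes; the KQL rule does not distinguish them.
OPERATION_TYPES = {"%%14674": "Value Added", "%%14675": "Value Deleted"}

def make_event_data(object_dn, object_class, attribute, op="%%14674"):
    """Build a constructed 5136 EventData fragment in the layout Windows logs."""
    fields = [("ObjectDN", object_dn), ("ObjectClass", object_class),
              ("AttributeLDAPDisplayName", attribute),
              ("AttributeValue", "0100048C..."),  # placeholder, not a real SD
              ("OperationType", op)]
    body = "".join(f'<Data Name="{n}">{v}</Data>' for n, v in fields)
    return f"<EventData>{body}</EventData>"

def parse_field(event_data, name):
    """Python equivalent of: parse EventData with * '<name>">' Field "<" *"""
    m = re.search(re.escape(name + '">') + "([^<]*)<", event_data)
    return m.group(1) if m else ""

def split_host(computer):
    """HostName / HostNameDomain exactly as the query's extend steps derive them."""
    host, sep, domain = computer.partition(".")
    return host, (domain if sep else computer)

def find_rbcd_changes(events):
    """Apply the rule's filters and return one enriched record per match."""
    hits = []
    for ev in events:
        data = ev["EventData"]
        if (ev["EventID"] != 5136
                or parse_field(data, "ObjectClass") != "computer"
                or parse_field(data, "AttributeLDAPDisplayName") != RBCD_ATTRIBUTE):
            continue
        host, domain = split_host(ev["Computer"])
        hits.append({"Computer": ev["Computer"], "HostName": host, "HostNameDomain": domain,
                     "SubjectUserName": ev["SubjectUserName"],
                     "ObjectDN": parse_field(data, "ObjectDN"),
                     "OperationType": OPERATION_TYPES.get(parse_field(data, "OperationType"), "Unknown")})
    return hits

# Constructed sample SecurityEvent rows; hosts, accounts and DNs are made up.
SAMPLE_EVENTS = [
    {"EventID": 5136, "Computer": "dc01.corp.example", "SubjectUserName": "jdoe",
     "EventData": make_event_data("CN=FS01,CN=Computers,DC=corp,DC=example", "computer", RBCD_ATTRIBUTE)},
    {"EventID": 5136, "Computer": "dc01.corp.example", "SubjectUserName": "svc-sccm",
     "EventData": make_event_data("CN=WS07,OU=Workstations,DC=corp,DC=example", "computer", "servicePrincipalName")},
    {"EventID": 4662, "Computer": "dc01", "SubjectUserName": "admin",
     "EventData": make_event_data("CN=FS01,CN=Computers,DC=corp,DC=example", "computer", RBCD_ATTRIBUTE)},
]
```

Only the first sample row survives the filters; the second is a different attribute on a computer object and the third is not a 5136 event.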
```yaml
id: 2937bc6b-7cda-4fba-b452-ea43ba8e835f
name: Possible Resource-Based Constrained Delegation Abuse
description: |
  'This query identifies Active Directory computer objects modifications that allow an adversary to abuse the Resource-based constrained delegation.
  This query checks for event id 5136 that the Object Class field is "computer" and the LDAP Display Name is "msDS-AllowedToActOnBehalfOfOtherIdentity" which is an indicator of Resource-based constrained delegation.
  Ref: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html'
severity: Medium
requiredDataConnectors:
  - connectorId: SecurityEvents
    dataTypes:
      - SecurityEvent
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - PrivilegeEscalation
relevantTechniques:
  - T1134
query: |
  SecurityEvent
  | where EventID == 5136
  | parse EventData with * 'ObjectClass">' ObjectClass "<" *
  | parse EventData with * 'AttributeLDAPDisplayName">' AttributeLDAPDisplayName "<" *
  | where ObjectClass == "computer" and AttributeLDAPDisplayName == "msDS-AllowedToActOnBehalfOfOtherIdentity"
  | parse EventData with * 'ObjectDN">' ObjectDN "<" *
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, SubjectUserName, SubjectDomainName, SubjectUserSid, SubjectLogonId, ObjectDN, AttributeLDAPDisplayName
  | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
  | project-away DomainIndex
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: SubjectAccount
      - identifier: Name
        columnName: SubjectUserName
      - identifier: NTDomain
        columnName: SubjectDomainName
  - entityType: Account
    fieldMappings:
      - identifier: Sid
        columnName: SubjectUserSid
  - entityType: Host
    fieldMappings:
      - identifier: FullName
        columnName: Computer
      - identifier: HostName
        columnName: HostName
      - identifier: DnsDomain
        columnName: HostNameDomain
version: 1.0.3
kind: Scheduled
metadata:
  source:
    kind: Community
  author:
    name: Vasileios Paschalidis
  support:
    tier: Community
  categories:
    domains: [ "Security - Others", "Identity" ]
```
| Sentinel Table | Notes |
|---|---|
| SecurityEvent | Ensure this data connector is enabled |
Scenario: Legitimate Scheduled Job Configuration
Description: A system administrator configures a scheduled job to run under a service account with constrained delegation enabled for routine maintenance tasks.
Filter/Exclusion: Exclude events where the computer object is associated with a scheduled job and the service account is a known enterprise service account (e.g., NT SERVICE\SQLAgent).
Scenario: Active Directory Replication Configuration
Description: An admin modifies a computer object to allow replication between domain controllers, which may inadvertently enable constrained delegation.
Filter/Exclusion: Exclude events where the computer object is a domain controller and the modification is related to replication settings (e.g., msDS-ReplicatedObjectFlags).
Scenario: Microsoft Exchange Server Configuration
Description: An admin configures an Exchange server to use constrained delegation for secure communication with other services, such as Outlook Web Access.
Filter/Exclusion: Exclude events where the computer object is an Exchange server and the modification is related to the msExchExchangeServer or msExchServerConfig attributes.
Scenario: PowerShell Script Execution for Admin Tasks
Description: A script using PowerShell (e.g., Invoke-Command or New-SmbMapping) is run by an admin to configure delegation settings for a legitimate purpose.
Filter/Exclusion: Exclude events where the event source is a known administrative tool (e.g., PowerShell) and the user is a domain admin with elevated privileges.
Scenario: Microsoft Azure AD Connect Configuration
Description: An admin configures Azure AD Connect to synchronize user accounts and enable constrained delegation for hybrid identity scenarios.
Filter/Exclusion: Exclude events where the computer object is associated with Azure AD Connect and the modification is related to synchronization settings (e.g., msDS-PasswordLastSet or `