# List AD Delegations

## Query Information

### Description
This query monitors the different types of delegation configured in the environment.
Kerberos delegation is an Active Directory feature that lets a service impersonate a user by obtaining a service ticket (TGS) on the user's behalf, so that the user can reach a resource through that service.
Depending on how it is configured and which type of delegation is in use, there are several ways this feature can be abused for lateral movement and privilege escalation.


## Sentinel
```
// Values that mean no delegation target is set on the account
let exclusions = dynamic(["-" , "0x0"]);
SecurityEvent
| where TimeGenerated > ago(30d)
// Keep only events whose XML payload carries the AllowedToDelegateTo attribute
| where EventData contains "AllowedToDelegateTo"
| extend AllData = tostring(parse_xml(EventData))
// Data[20] is the position of AllowedToDelegateTo in the event's Data array; the
// index depends on the event schema, so verify it against the events in your tenant
| extend DelegatedTo = tostring(parse_json(AllData)['EventData']['Data'][20]["#text"])
| where DelegatedTo !in (exclusions)
```

Explanation

This query is used to monitor different types of delegations in the Active Directory environment. Delegations allow a service to act as a user to access resources. The query looks for events that carry a delegation setting and excludes records whose delegation target is one of the placeholder values that mean no delegation is configured.
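The same detection logic applied offline to constructed sample records, as an added example that is not part of the original query page. It parses the EventData XML the way the KQL does, but looks the attribute up by its `Name` instead of by array position, which is more robust than the fixed `Data[20]` index when the event schema shifts. The event IDs, account names, hosts and SPNs in the samples are made up; the field name `AllowedToDelegateTo` and the exclusion list are taken from the query.

```python
import xml.etree.ElementTree as ET

# Same list as the KQL `exclusions`: values that mean no delegation target is set.
EXCLUSIONS = {"-", "0x0"}

# Constructed sample records mimicking the SecurityEvent table's EventData column
# (Windows Security XML, <Data Name="...">). Account names, hosts and SPNs are made up;
# the field name AllowedToDelegateTo is the real attribute the query keys on.
SAMPLE_EVENTS = [
    {"EventID": 4742, "EventData":
        '<EventData><Data Name="TargetUserName">WEB01$</Data>'
        '<Data Name="AllowedToDelegateTo">cifs/FILE01.corp.example</Data></EventData>'},
    {"EventID": 4742, "EventData":
        '<EventData><Data Name="TargetUserName">APP02$</Data>'
        '<Data Name="AllowedToDelegateTo">-</Data></EventData>'},
    {"EventID": 4738, "EventData":
        '<EventData><Data Name="TargetUserName">svc_sql</Data>'
        '<Data Name="AllowedToDelegateTo">0x0</Data></EventData>'},
    {"EventID": 4738, "EventData":
        '<EventData><Data Name="TargetUserName">svc_backup</Data>'
        '<Data Name="AllowedToDelegateTo">ldap/DC01.corp.example</Data></EventData>'},
    # Logon event with no AllowedToDelegateTo field at all: dropped by the `contains` step.
    {"EventID": 4624, "EventData":
        '<EventData><Data Name="TargetUserName">jdoe</Data>'
        '<Data Name="LogonType">3</Data></EventData>'},
]


def event_data_fields(xml_text):
    """Parse EventData XML into {Name: text}, the equivalent of parse_xml/parse_json
    in the KQL, but keyed by each Data element's Name attribute rather than its index."""
    root = ET.fromstring(xml_text)
    return {d.get("Name"): (d.text or "").strip() for d in root.iter("Data")}


def find_delegation_changes(events, exclusions=EXCLUSIONS):
    """Return the events whose AllowedToDelegateTo names a real delegation target.

    Mirrors the KQL pipeline: keep records that contain the attribute, extract it,
    and drop the values that mean 'no delegation configured'."""
    hits = []
    for ev in events:
        if "AllowedToDelegateTo" not in ev["EventData"]:
            continue
        fields = event_data_fields(ev["EventData"])
        target = fields.get("AllowedToDelegateTo")
        if target is None or target in exclusions:
            continue
        hits.append({
            "EventID": ev["EventID"],
            "Account": fields.get("TargetUserName"),
            "DelegatedTo": target,
        })
    return hits


if __name__ == "__main__":
    for hit in find_delegation_changes(SAMPLE_EVENTS):
        print(f"EventID {hit['EventID']}: {hit['Account']} may delegate to {hit['DelegatedTo']}")
```

Run it as-is to see the two accounts that actually received a delegation target; pass `exclusions=set()` to `find_delegation_changes` to see how many records the placeholder filter removes from the same sample.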

Details

Bert-Jan Pals

Released: April 7, 2024

Tables

SecurityEvent

Keywords

SecurityEvent,TimeGenerated,EventData,AllData,DelegatedTo,exclusions,parse_xml,parse_json,Data.

Operators

where, extend, contains, parse_xml, parse_json, not, in