Query Details

List AD Delegations

Query

let exclusions = dynamic(["-" , "0x0"]);
SecurityEvent
| where TimeGenerated > ago(30d)
| where EventData contains "AllowedToDelegateTo"
| extend AllData = tostring(parse_xml(EventData))
| extend DelegatedTo = parse_json(AllData)['EventData']['Data'][20]["#text"]
| where not (DelegatedTo in (exclusions))

About this query

List AD Delegations

Query Information

Description

This query is aimed to Monitor different types of delegation in the environment. Delegations are a feature in Active Directory that a Service will impoersonate a user by creating a special TGS to make the user able to access a resource. Based on how it's been configured and type of the delegation there are various ways to abuse this feature for lateral movement & privilege escalation.

Sentinel

Explanation

This query is used to monitor different types of delegations in the Active Directory environment. Delegations allow a service to act as a user to access resources. The query looks for events where delegation is allowed and excludes certain types of delegations.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: April 7, 2024

Tables

SecurityEvent

Keywords

SecurityEventTimeGeneratedEventDataAllDataDelegatedToexclusionsparse_xmlparse_jsonData.

Operators

whereextendcontainsparse_xmlparse_jsonnotin

Actions

GitHub