Query Details

RULE 06 AD RBCD Allowed To Act Modified

Query

// =========================================================
// RULE-06 | AD-RBCD-AllowedToAct-Modified
// Description : Resource-Based Constrained Delegation (RBCD)
//               setup detection — Event 4742 (Computer Account
//               Changed) or Event 5136 (DS Object Modified)
//               showing a write to the attribute
//               msDS-AllowedToActOnBehalfOfOtherIdentity on
//               a computer object.
//               Writing this attribute to a target computer
//               allows an attacker-controlled account to use
//               S4U2Self + S4U2Proxy to impersonate any user
//               (including Domain Admins) to services on that
//               computer.
// Severity    : High → Critical when target is a DC or
//               writer is non-admin
// Frequency   : Every 15 minutes, look-back 15 minutes
// MITRE       : T1134.001 — Access Token Manipulation
//               T1098      — Account Manipulation
// Tables      : SecurityEvent
// =========================================================

let LookBack = 15m;

// Detect via Event 4742 (Computer Account Changed)
let Via4742 = SecurityEvent
    | where TimeGenerated > ago(LookBack)
    | where EventID == 4742
    | where AllowedToDelegateTo has "msDS-AllowedToActOnBehalfOfOtherIdentity"
        or EventData has "msDS-AllowedToActOnBehalfOfOtherIdentity"
    | extend
        DetectionSource = "Event4742_ComputerAccountChanged",
        ActorAccount    = strcat(SubjectDomainName, "\\", SubjectUserName),
        TargetObject    = strcat(TargetDomainName, "\\", TargetUserName),
        IsTargetDC      = TargetUserName has_any ("DC", "ADDC", "PDC", "BDC")
    | project TimeGenerated, DetectionSource, ActorAccount,
              SubjectUserName, SubjectDomainName, TargetObject,
              IsTargetDC, Computer;

// Detect via Event 5136 (DS Object Modified — more reliable).
// 5136 is only generated when the "Audit Directory Service Changes"
// subcategory is enabled and the computer object carries a SACL that
// covers attribute writes; without that, this branch never fires.
let Via5136 = SecurityEvent
    | where TimeGenerated > ago(LookBack)
    | where EventID == 5136
    | where OperationType == "%%14674"
    | where AttributeLDAPDisplayName =~ "msDS-AllowedToActOnBehalfOfOtherIdentity"
    | extend
        DetectionSource = "Event5136_DSObjectModified",
        ActorAccount    = strcat(SubjectDomainName, "\\", SubjectUserName),
        TargetObject    = ObjectDN,
        IsTargetDC      = ObjectDN has_any ("OU=Domain Controllers", "CN=Domain Controllers")
    | project TimeGenerated, DetectionSource, ActorAccount,
              SubjectUserName, SubjectDomainName, TargetObject,
              IsTargetDC, Computer;

union Via4742, Via5136
| extend
    // High means the writer is neither an admin-like account, a service
    // account, nor a machine account. The trailing "$" of a machine account
    // is not a searchable term, so has_any cannot match it; endswith is used.
    Severity = case(
        IsTargetDC,          "Critical",
        not(SubjectUserName has_any ("admin", "svc")
            or SubjectUserName endswith "$"), "High",
        "Medium"
    ),
    WhySuspicious = strcat(
        "RBCD_AllowedToAct_Write; ",
        iff(IsTargetDC, "Target_Is_DC; ", ""),
        "Actor: ", SubjectUserName, "; ",
        "Source: ", DetectionSource
    )
| project
    TimeGenerated,
    Severity,
    WhySuspicious,
    ActorAccount,
    TargetObject,
    IsTargetDC,
    DetectionSource,
    Computer
| order by TimeGenerated desc

Explanation

This query is designed to detect suspicious modifications related to Resource-Based Constrained Delegation (RBCD) in an Active Directory environment. Here's a simplified explanation:

  1. Purpose: The query aims to identify changes to a specific attribute (msDS-AllowedToActOnBehalfOfOtherIdentity) on computer objects. This attribute, when modified, can allow an attacker to impersonate any user, including high-privilege accounts like Domain Admins, on a target computer.
  2. Detection Method:
     • The query looks for two types of events within the last 15 minutes:
       • Event 4742: Indicates a computer account change.
       • Event 5136: Indicates a modification of a directory service object, which is considered more reliable for detection.
     • It checks if these events involve changes to the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.
  3. Severity Levels:
     • Critical: If the target is a Domain Controller (DC).
     • High: If the actor (the account making the change) is not an admin or service account.
     • Medium: For other scenarios.
  4. Output:
     • The query outputs details such as the time of the event, severity, why the activity is suspicious, the account making the change, the target object, whether the target is a DC, the source of detection, and the computer involved.
     • Results are sorted by the time the event was generated, with the most recent events first.
  5. Security Context: This detection is associated with MITRE ATT&CK techniques for Access Token Manipulation (T1134.001) and Account Manipulation (T1098), indicating potential malicious activity.

Overall, this query helps security teams monitor and respond to potential security threats involving RBCD in their network.
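The 5136 branch and the severity scoring of the rule above, re-implemented in Python over constructed sample events so the classification can be checked offline. This is an added example, not the page's query or the author's code; the event records, names (jdoe, svc-deploy, WS042, DC01, CORP) and timestamps are made up, and the term matching only approximates KQL `has_any`.

```python
import re
from datetime import datetime, timedelta, timezone

ATTR = "msDS-AllowedToActOnBehalfOfOtherIdentity"
VALUE_ADDED = "%%14674"  # 5136 OperationType "Value Added" (%%14675 = Value Deleted)
DC_MARKERS = ("OU=Domain Controllers", "CN=Domain Controllers")

def classify_5136(ev, now, look_back=timedelta(minutes=15)):
    """Apply the rule's 5136 branch to one event; return a finding dict or None."""
    if ev["EventID"] != 5136 or now - ev["TimeGenerated"] > look_back:
        return None
    if ev["OperationType"] != VALUE_ADDED:  # only attribute writes, not removals
        return None
    if ev["AttributeLDAPDisplayName"].lower() != ATTR.lower():  # KQL =~ is case-insensitive
        return None
    actor = ev["SubjectUserName"]
    is_dc = any(m in ev["ObjectDN"] for m in DC_MARKERS)
    # Mimic KQL has_any on whole terms ("admin", "svc"); a machine account
    # (trailing $) is checked separately because "$" is not an indexable term.
    terms = set(re.findall(r"[a-z0-9]+", actor.lower()))
    privileged = bool(terms & {"admin", "svc"}) or actor.endswith("$")
    severity = "Critical" if is_dc else ("High" if not privileged else "Medium")
    why = ("RBCD_AllowedToAct_Write; " + ("Target_Is_DC; " if is_dc else "")
           + f"Actor: {actor}; Source: Event5136_DSObjectModified")
    return {"TimeGenerated": ev["TimeGenerated"], "Severity": severity,
            "WhySuspicious": why, "ActorAccount": f'{ev["SubjectDomainName"]}\\{actor}',
            "TargetObject": ev["ObjectDN"], "IsTargetDC": is_dc, "Computer": ev["Computer"]}

def run_rule(events, now):
    """Run the rule over a batch; newest finding first (order by TimeGenerated desc)."""
    hits = [f for f in (classify_5136(e, now) for e in events) if f]
    return sorted(hits, key=lambda f: f["TimeGenerated"], reverse=True)

# Constructed sample events (not real telemetry) using the SecurityEvent column names.
NOW = datetime(2026, 3, 24, 12, 0, tzinfo=timezone.utc)
WS = "CN=WS042,OU=Workstations,DC=corp,DC=local"
DC = "CN=DC01,OU=Domain Controllers,DC=corp,DC=local"
def make_event(minutes_ago, op, actor, dn):
    return {"TimeGenerated": NOW - timedelta(minutes=minutes_ago), "EventID": 5136,
            "OperationType": op, "AttributeLDAPDisplayName": ATTR, "ObjectDN": dn,
            "SubjectUserName": actor, "SubjectDomainName": "CORP", "Computer": "DC01"}

SAMPLE_EVENTS = [
    make_event(3, VALUE_ADDED, "jdoe", DC),        # user writes RBCD on a DC          -> Critical
    make_event(6, VALUE_ADDED, "jdoe", WS),        # user writes RBCD on a workstation -> High
    make_event(8, VALUE_ADDED, "svc-deploy", WS),  # service account                   -> Medium
    make_event(10, "%%14675", "jdoe", WS),         # value deleted, not a write        -> ignored
    make_event(40, VALUE_ADDED, "jdoe", WS),       # outside the 15 minute look-back   -> ignored
]
```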

Details

David Alonso

Released: March 24, 2026

Tables

SecurityEvent

Keywords

SecurityEvent, Computer, Account, Domain, User, Actor, TargetObject, DetectionSource, Severity

Operators

let, where, ago, has, or, extend, strcat, project, has_any, =~, union, case, not, iff, order by, desc