Query Details

RULE 21 AD Unconstrained Delegation Coercion

Query

// =========================================================
// RULE-21 | AD-Unconstrained-Delegation-Coercion
// Description : Unconstrained Delegation + DC authentication
//               (coercion) detection — Event 4624 (Type 3
//               Kerberos) from a Domain Controller machine
//               account ($) authenticating to a non-DC host
//               that has TRUSTED_FOR_DELEGATION
//               (userAccountControl flag 0x80000) set in
//               the prior 14-day window.
//               When an unconstrained delegation host receives
//               a legitimate TGT from the DC (forced via
//               PrinterBug / PetitPotam / DFSCoerce), the
//               KDC includes the DC's full TGT in the service
//               ticket. The attacker extracts it with Rubeus
//               monitor and uses it for DCSync.
// Severity    : Critical (any match)
// Frequency   : Every 15 minutes, look-back 15 minutes
// MITRE       : T1187 — Forced Authentication
//               T1558.001 — Golden Ticket (TGT theft)
// Tables      : SecurityEvent
// =========================================================

let LookBack = 15m;

// Hosts with unconstrained delegation (from recent computer account flags)
// TRUSTED_FOR_DELEGATION flag = 0x80000 in userAccountControl
let UnconstrainedHosts = SecurityEvent
    | where TimeGenerated > ago(14d)
    | where EventID == 4742
    | where AccountExpires != ""                // Computer account change
    | where EventData has "0x80000"
        or EventData has "TRUSTED_FOR_DELEGATION"
    // 4742 is logged by the DC (Computer); the computer account that was
    // changed is TargetUserName ("SRV01$"). Strip the "$" so it compares
    // with a host name. Note that DCs themselves carry this flag by default,
    // which is why the main query excludes DC targets.
    | summarize by UnconstHost = toupper(trim_end(@"\$", TargetUserName));

// Known DCs
let KnownDCNames = SecurityEvent
    | where TimeGenerated > ago(3d)
    | where EventID == 4768                     // TGT requests are only logged on KDCs (DCs)
    // Computer is usually an FQDN; keep the short host name so it can be
    // compared with machine account names ("DC01$") and other hosts.
    | summarize by DC = toupper(tostring(split(Computer, ".")[0]));

// DC machine account authenticates TO an unconstrained delegation host
SecurityEvent
| where TimeGenerated > ago(LookBack)
| where EventID == 4624
| where LogonType == 3
| where AuthenticationPackageName =~ "Kerberos"
// In 4624 the account that logged on is in the Target* fields ("New Logon");
// the Subject* fields hold the requesting account and are usually "-" for
// network logons, so the DC machine account is in TargetUserName.
| where TargetUserName endswith "$"                 // Logon account = machine account
| extend SourceAccountUpper = toupper(TargetUserName)
| extend TargetHost = toupper(tostring(split(Computer, ".")[0]))  // short host name for matching
| where SourceAccountUpper in~ (                    // Source account IS a known DC
    KnownDCNames | extend v = strcat(DC, "$") | project v
  )
| where not(TargetHost in~ (KnownDCNames))          // Target host is NOT a DC (DC-to-DC logons are normal)
| where TargetHost in~ (UnconstrainedHosts)         // and IS an unconstrained delegation host
| extend
    CoercedDC              = TargetUserName,
    UnconstrainedTarget    = Computer,
    Severity               = "Critical",
    WhySuspicious          = strcat(
        "UnconstrainedDelegation_Coercion_DC_TGT_Theft; ",
        "DC_", TargetUserName, "_auth_to_unconstrained_host_", Computer, "; ",
        "DC_TGT_cached_on_target_extract_with_Rubeus; "
    )
| project
    TimeGenerated,
    Severity,
    WhySuspicious,
    CoercedDC,
    UnconstrainedTarget,
    IpAddress,
    TargetUserName,
    TargetDomainName
| order by TimeGenerated desc

Explanation

This query is designed to detect a specific type of security threat in an Active Directory environment, known as "Unconstrained Delegation Coercion." Here's a simplified explanation:

  1. Purpose: The query aims to identify suspicious authentication activity involving domain controllers (DCs) and hosts with unconstrained delegation enabled. A match can indicate an attack in which the attacker coerces a DC into authenticating to such a host, which leaves the DC's ticket cached there for the attacker to steal.

  2. Key Concepts:

    • Unconstrained Delegation: A computer account setting (TRUSTED_FOR_DELEGATION) that lets a server impersonate the users who authenticate to it when it talks to other services. It is risky because the server ends up holding the authenticating account's TGT, so anyone who controls the server can reuse it.
    • DC Authentication: The query looks for instances where a DC's machine account authenticates to a non-DC host that has unconstrained delegation.
    • Event 4624 (Type 3 Kerberos): This event logs successful network logons that used the Kerberos authentication package.

  3. Detection Logic:

    • Identify Unconstrained Hosts: The query first collects the computer accounts whose "TRUSTED_FOR_DELEGATION" flag was set in an account change event within the last 14 days.
    • Identify Known DCs: It also identifies domain controllers from recent Kerberos TGT request events, which only DCs log.
    • Monitor Authentication Events: It then inspects recent Kerberos network logon events (Event ID 4624) in which a machine account logs on to a host.
    • Check Conditions: It keeps only events where the logon account is a known DC and the target host is not a DC but is an unconstrained delegation host. DCs are excluded because they carry the delegation flag by default and authenticate to each other routinely.

  4. Output:

    • The query outputs details of each suspicious event, including the time, the DC involved, the target host, and why the activity is considered suspicious.
    • It sets the severity to "Critical" and gives a reason string that points at the cached DC ticket and its extraction with tools like Rubeus.

  5. Frequency: The query runs every 15 minutes, looking back over the past 15 minutes to catch recent suspicious activity.

Overall, this query helps security teams detect and respond to potential attacks involving unconstrained delegation and DC authentication, which could lead to unauthorized access and data breaches.
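To make the detection logic above concrete, here is an added Python model of the rule run over a handful of constructed sample events; it is not code from the original page or from the query's author. Field names mirror the SecurityEvent columns the KQL uses, the userAccountControl value is modelled as an integer and tested against the 0x80000 bit (the KQL matches the flag as text in EventData), and the host names, account names, IP address and timestamps are all made up for the example. It also shows why DC targets must be excluded: a DC computer account carries TRUSTED_FOR_DELEGATION itself, so without that filter ordinary DC-to-DC logons would match.

```python
# Added reference model of RULE-21 (not the page's KQL); all events below are constructed.
from datetime import datetime, timedelta, timezone

TRUSTED_FOR_DELEGATION = 0x80000      # userAccountControl bit for unconstrained delegation
WORKSTATION_TRUST_ACCOUNT = 0x1000    # ordinary member computer account
SERVER_TRUST_ACCOUNT = 0x2000         # domain controller computer account

NOW = datetime(2026, 3, 24, 12, 0, tzinfo=timezone.utc)   # constructed "current time"


def short_host(name: str) -> str:
    """Normalise 'srv01.corp.example', 'SRV01$' or 'srv01' to 'SRV01'.
    4624/4768 carry the host in Computer (often an FQDN); 4742 carries the changed
    computer account in TargetUserName with a trailing '$'."""
    return name.rstrip("$").split(".")[0].upper()


def evt(event_id, age, **fields):
    """Build a constructed SecurityEvent-like record that is `age` old."""
    record = {"EventID": event_id, "TimeGenerated": NOW - age}
    record.update(fields)
    return record


def logon(age, computer, account, **extra):
    """Constructed 4624 type-3 Kerberos logon; the logged-on account is TargetUserName."""
    return evt(4624, age, Computer=computer, LogonType=3, AuthenticationPackageName="Kerberos",
               SubjectUserName="-", TargetUserName=account, TargetDomainName="CORP",
               IpAddress="10.0.0.10", **extra)


SAMPLE_EVENTS = [
    # 4742 computer-account changes: logged by the DC, changed account in TargetUserName
    evt(4742, timedelta(days=2), Computer="dc01.corp.example", TargetUserName="FILESRV01$",
        UserAccountControl=WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION),
    evt(4742, timedelta(days=10), Computer="dc01.corp.example", TargetUserName="DC02$",
        UserAccountControl=SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION),   # DCs carry the flag
    evt(4742, timedelta(days=1), Computer="dc01.corp.example", TargetUserName="WEB02$",
        UserAccountControl=WORKSTATION_TRUST_ACCOUNT),                       # no delegation
    evt(4742, timedelta(days=20), Computer="dc01.corp.example", TargetUserName="OLDSRV$",
        UserAccountControl=WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION),  # outside 14d
    # 4768 TGT requests are only logged on KDCs, so they identify the DCs
    evt(4768, timedelta(hours=1), Computer="dc01.corp.example"),
    evt(4768, timedelta(hours=2), Computer="DC02.corp.example"),
    # 4624 network logons
    logon(timedelta(minutes=5), "filesrv01.corp.example", "DC01$"),   # DC -> unconstrained host: hit
    logon(timedelta(minutes=5), "web02.corp.example", "DC01$"),       # target not unconstrained
    logon(timedelta(minutes=4), "DC02.corp.example", "DC01$"),        # DC -> DC: routine, excluded
    logon(timedelta(minutes=6), "filesrv01.corp.example", "alice"),   # user, not a machine account
    logon(timedelta(minutes=40), "filesrv01.corp.example", "DC01$"),  # outside the 15m look-back
]


def unconstrained_hosts(events, now=NOW, window=timedelta(days=14)):
    """Short host names whose computer account had TRUSTED_FOR_DELEGATION set within `window`."""
    return {short_host(e["TargetUserName"]) for e in events
            if e["EventID"] == 4742 and now - e["TimeGenerated"] <= window
            and e.get("UserAccountControl", 0) & TRUSTED_FOR_DELEGATION}


def known_dcs(events, now=NOW, window=timedelta(days=3)):
    """Short host names of machines that logged a 4768 within `window`."""
    return {short_host(e["Computer"]) for e in events
            if e["EventID"] == 4768 and now - e["TimeGenerated"] <= window}


def detect(events, now=NOW, lookback=timedelta(minutes=15)):
    """Apply RULE-21: DC machine account -> non-DC unconstrained host, Kerberos type-3 logon."""
    dcs = known_dcs(events, now)
    unconstrained = unconstrained_hosts(events, now)
    hits = []
    for e in events:
        if e["EventID"] != 4624 or now - e["TimeGenerated"] > lookback:
            continue
        if e["LogonType"] != 3 or e["AuthenticationPackageName"].lower() != "kerberos":
            continue
        account = e["TargetUserName"]
        if not account.endswith("$"):
            continue
        source, target = short_host(account), short_host(e["Computer"])
        if source in dcs and target not in dcs and target in unconstrained:
            hits.append({
                "TimeGenerated": e["TimeGenerated"],
                "Severity": "Critical",
                "WhySuspicious": f"UnconstrainedDelegation_Coercion_DC_TGT_Theft; "
                                 f"DC_{account}_auth_to_unconstrained_host_{e['Computer']}",
                "CoercedDC": account,
                "UnconstrainedTarget": e["Computer"],
                "IpAddress": e["IpAddress"],
            })
    return sorted(hits, key=lambda h: h["TimeGenerated"], reverse=True)


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

Running the block prints exactly one hit, the DC01$ logon to filesrv01; the DC01$ logon to DC02 is dropped even though DC02 is in the unconstrained set, which is the behaviour the "not a DC" condition exists to enforce.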

Details


David Alonso

Released: March 24, 2026

Tables

SecurityEvent

Keywords

SecurityEvent, Devices, Authentication, Kerberos, DomainController, ComputerAccount, UserAccountControl, MachineAccount, Host, Ticket, TGT, Rubeus, DCSync

Operators

let, ago, has, summarize, toupper, endswith, extend, in~, strcat, project, order by, desc, where, ==, !=, =~, >, or, and, not
