Query Details

Security Event Account Allowed To Delegate To KRBTGT Service

Query

SecurityEvent
// Cheap term match before the XML parse: keep only events whose EventData carries the field
| where EventData has "AllowedToDelegateTo" // and isempty(AllowedToDelegateTo)
// Expand each <Data Name="..."> element of the EventData XML and keep the one we need
| mv-apply Auxiliar = parse_xml(EventData)["EventData"]["Data"] on (
    where tostring(Auxiliar["@Name"]) == "AllowedToDelegateTo"
    | extend AllowedToDelegateTo = tostring(Auxiliar["#text"])
    // "-" means the attribute is empty; contains is case-insensitive, so KRBTGT/... also matches
    | where not(AllowedToDelegateTo == "-") and AllowedToDelegateTo contains "krbtgt"
)
| project
    TimeGenerated,
    Computer,
    Account,
    AccountType,
    Activity,
    TargetAccount,
    AllowedToDelegateTo,
    EventData

Explanation

This query searches security event data for changes to an account's Kerberos constrained delegation list. It keeps only events whose EventData carries the "AllowedToDelegateTo" field, parses the EventData XML to extract that field, and discards rows where the value is "-" (the attribute is empty) or does not contain "krbtgt". Because contains in KQL is case-insensitive, a value such as "KRBTGT/CONTOSO.LOCAL" matches as well. The output includes the time the event was generated, the computer where the event occurred, the account associated with the event, the account type, the activity, the target account, the "AllowedToDelegateTo" value, and the entire EventData. An account that is allowed to delegate to the krbtgt service can request Kerberos tickets on behalf of other users, so every match should be reviewed.
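As an added example (not part of the original page or the author's query), the same extraction and filter logic in Python, run over a few constructed SecurityEvent rows; the EventData XML layout, the namespace and all sample values are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed SecurityEvent rows (not real telemetry). EventData mimics the
# <EventData> XML fragment of a Windows account-change event; assumed layout.
SAMPLE_EVENTS = [
    {"TimeGenerated": "2023-01-03T10:15:00Z", "Computer": "DC01.contoso.local",
     "Account": "CONTOSO\\admin.jdoe", "TargetAccount": "CONTOSO\\svc-web",
     "EventData": '<EventData xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
                  '<Data Name="TargetUserName">svc-web</Data>'
                  '<Data Name="AllowedToDelegateTo">cifs/FS01.contoso.local\n\t\tKRBTGT/CONTOSO.LOCAL</Data>'
                  '</EventData>'},
    {"TimeGenerated": "2023-01-03T10:16:00Z", "Computer": "DC01.contoso.local",
     "Account": "CONTOSO\\admin.jdoe", "TargetAccount": "CONTOSO\\svc-sql",
     "EventData": '<EventData><Data Name="AllowedToDelegateTo">-</Data></EventData>'},
    {"TimeGenerated": "2023-01-03T10:17:00Z", "Computer": "DC01.contoso.local",
     "Account": "CONTOSO\\admin.jdoe", "TargetAccount": "CONTOSO\\svc-app",
     "EventData": '<EventData><Data Name="AllowedToDelegateTo">http/WEB01.contoso.local</Data></EventData>'},
]

def allowed_to_delegate_to(event_data_xml):
    """Same extraction as the mv-apply step: the text of the
    <Data Name="AllowedToDelegateTo"> element, or None if absent."""
    for el in ET.fromstring(event_data_xml).iter():
        # ElementTree prefixes tags with "{namespace}", so compare the local name only
        if el.tag.rsplit("}", 1)[-1] == "Data" and el.get("Name") == "AllowedToDelegateTo":
            return (el.text or "").strip()
    return None

def is_krbtgt_delegation(value):
    """Same filter as the query: present, not the '-' placeholder, and
    containing 'krbtgt'. KQL contains is case-insensitive, hence lower()."""
    return value is not None and value != "-" and "krbtgt" in value.lower()

def find_krbtgt_delegation(events):
    """Return the projected columns for each row that passes the filter."""
    hits = []
    for ev in events:
        if "AllowedToDelegateTo" not in ev["EventData"]:  # cheap `has` pre-filter
            continue
        value = allowed_to_delegate_to(ev["EventData"])
        if is_krbtgt_delegation(value):
            hits.append({"TimeGenerated": ev["TimeGenerated"], "Computer": ev["Computer"],
                         "Account": ev["Account"], "TargetAccount": ev["TargetAccount"],
                         "AllowedToDelegateTo": value})
    return hits

if __name__ == "__main__":
    for hit in find_krbtgt_delegation(SAMPLE_EVENTS):
        print(hit)
```

Only the svc-web row is reported: the "-" row is the empty placeholder and the http/ row names no krbtgt service.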

Details


Jose Sebastián Canós

Released: January 3, 2023

Tables

SecurityEvent

Keywords

SecurityEvent,EventData,AllowedToDelegateTo,Auxiliar,TimeGenerated,Computer,Account,AccountType,Activity,TargetAccount

Operators

SecurityEvent,where,has,isempty,mv-apply,parse_xml,tostring,extend,not,contains,project,TimeGenerated,Computer,Account,AccountType,Activity,TargetAccount,AllowedToDelegateTo,EventData
