Security Event Potenial Resource Based Constrained Delegation Abuse
Query
SecurityEvent
| where EventID == 5136 and EventData has_all ("msDS-AllowedToActOnBehalfOfOtherIdentity")//, "computer")
| mv-apply Auxiliar = parse_xml(EventData)["EventData"]["Data"] on (
summarize BagToUnpack = make_bag(bag_pack(tostring(Auxiliar["@Name"]), tostring(Auxiliar["#text"])))
)
| evaluate bag_unpack(BagToUnpack, columnsConflict="keep_source"): (TimeGenerated: datetime, Computer: string, Account: string, AccountType: string, SubjectLogonId: string, Activity: string, OperationType: string, EventData: string, ObjectClass: string, ObjectDN: string, AttributeLDAPDisplayName: string, AttributeValue: string)
| where AttributeLDAPDisplayName == "msDS-AllowedToActOnBehalfOfOtherIdentity"// and ObjectClass == "computer"
| project
TimeGenerated,
Computer,
Account,
AccountType,
Activity,
OperationType,
ObjectClass,
ObjectDN,
AttributeLDAPDisplayName,
AttributeValue,
SubjectLogonId,
EventDataExplanation
This query is looking at security events, specifically those with an Event ID of 5136 and that contain the term "msDS-AllowedToActOnBehalfOfOtherIdentity" in their Event Data. It then parses the XML data within the Event Data and creates a bag (a collection of key-value pairs) from the parsed data.
The query then unpacks the bag and creates a new table with specific columns such as TimeGenerated, Computer, Account, AccountType, etc. It filters this table to only include rows where the AttributeLDAPDisplayName is "msDS-AllowedToActOnBehalfOfOtherIdentity".
Finally, it projects (or selects) specific columns to be displayed in the final output. These columns include TimeGenerated, Computer, Account, AccountType, Activity, OperationType, ObjectClass, ObjectDN, AttributeLDAPDisplayName, AttributeValue, SubjectLogonId, and EventData.
Details

Jose Sebastián Canós
Released: March 14, 2023
Tables
Keywords
Operators