Query Details

Security Event Unconstrained Delegation Enabled

Query

//Detects when unconstrained kerberos delegation is enabled on a computer object

//Data connector required for this query - Windows Security Events via AMA or Security Events via Legacy Agent

SecurityEvent
| where EventID == "4742"
| parse EventData with * 'NewUacValue">' NewUacValue '</Data>' *
| parse EventData with * 'TargetUserName">' ComputerName '</Data>' *
| parse EventData with * 'SubjectUserName">' Actor '</Data>' *
| where NewUacValue == "0x2080"
| project TimeGenerated, Activity, ComputerName, Actor

Explanation

This query detects when unconstrained Kerberos delegation is enabled on a computer object. It looks for Security Events with Event ID 4742 and then parses the EventData to extract the NewUacValue, TargetUserName, and SubjectUserName. It filters for events where the NewUacValue is "0x2080" and projects the TimeGenerated, Activity, ComputerName, and Actor fields.
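The same detection carried out over the raw EventData XML, as an added example that is not part of the original page or the author's query: it decodes OldUacValue/NewUacValue with the SAM USER_ACCOUNT_* flag values that event 4742 uses for those fields (0x2080 is TRUSTED_FOR_DELEGATION plus WORKSTATION_TRUST_ACCOUNT), tests the delegation bit and the Old-to-New transition rather than matching the string "0x2080", and so also catches combinations the exact match misses. The sample events, hostnames and actor names are constructed.

```python
import xml.etree.ElementTree as ET

# Event 4742 reports OldUacValue/NewUacValue in the SAM USER_ACCOUNT_* encoding,
# not the LDAP userAccountControl encoding: 0x2080 is TRUSTED_FOR_DELEGATION (0x2000)
# plus WORKSTATION_TRUST_ACCOUNT (0x80).
USER_WORKSTATION_TRUST_ACCOUNT = 0x0080
USER_SERVER_TRUST_ACCOUNT = 0x0100      # domain controllers; delegation is set by default
USER_TRUSTED_FOR_DELEGATION = 0x2000

EVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"


def parse_event_data(event_data):
    """Return every <Data Name="..."> element of an EventData payload as a dict."""
    root = ET.fromstring(event_data)
    return {d.get("Name"): (d.text or "") for d in root.iter(EVT_NS + "Data")}


def delegation_enabled(event_data, ignore_dcs=True):
    """Same detection as the KQL, but tests the TRUSTED_FOR_DELEGATION bit and the
    Old->New transition instead of string-matching "0x2080", so values such as
    0x2280 (delegation + non-expiring password) are not missed.
    Returns the projected fields, or None when the event is not a match."""
    f = parse_event_data(event_data)
    old_uac = int(f.get("OldUacValue", "0x0"), 16)
    new_uac = int(f.get("NewUacValue", "0x0"), 16)
    newly_set = new_uac & USER_TRUSTED_FOR_DELEGATION and not old_uac & USER_TRUSTED_FOR_DELEGATION
    if not newly_set or (ignore_dcs and new_uac & USER_SERVER_TRUST_ACCOUNT):
        return None
    return {"ComputerName": f.get("TargetUserName"), "Actor": f.get("SubjectUserName"),
            "NewUacValue": hex(new_uac), "exact_match_0x2080": new_uac == 0x2080}


def make_4742(target, actor, old_uac, new_uac):
    """Constructed minimal EventData; real 4742 events carry many more <Data> elements."""
    return (f'<EventData xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            f'<Data Name="TargetUserName">{target}</Data><Data Name="SubjectUserName">{actor}</Data>'
            f'<Data Name="OldUacValue">{old_uac}</Data><Data Name="NewUacValue">{new_uac}</Data>'
            f'</EventData>')


# Constructed sample events (hostnames and actors are made up).
SAMPLES = {
    "ws_exact": make_4742("WS01$", "jdoe", "0x80", "0x2080"),              # matched by the KQL
    "ws_nonexpiring": make_4742("SRV02$", "svc-admin", "0x280", "0x2280"),  # missed by "0x2080"
    "unrelated_change": make_4742("WS03$", "helpdesk", "0x80", "0x280"),
    "already_set": make_4742("WS04$", "jdoe", "0x2080", "0x2280"),
    "domain_controller": make_4742("DC01$", "SYSTEM", "0x100", "0x2100"),
}
```

The "already_set" sample also shows a difference from the exact-match query: a later 4742 that leaves the bit unchanged is not reported again.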

Details

Matt Zorich

Released: June 17, 2022

Tables

SecurityEvent

Keywords

SecurityEvent,EventID,EventData,NewUacValue,TargetUserName,ComputerName,SubjectUserName,Actor,TimeGenerated,Activity
