Unconstrained delegation
Summary of the Pull Request
The attacker can search for computers with Unconstrained Delegation: https://pentestlab.blog/2022/03/21/unconstrained-delegation/
Changelog
new: Unconstrained Delegation Discovery
Example Log Event
```xml
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-PowerShell" Guid="{a0c1853b-5c40-4b15-8766-3cf1c58f985a}" />
    <EventID>4104</EventID>
    <Version>1</Version>
    <Level>5</Level>
    <Task>2</Task>
    <Opcode>15</Opcode>
    <Keywords>0x0</Keywords>
    <TimeCreated SystemTime="2024-06-23T13:41:11.0019609Z" />
    <EventRecordID>1986589</EventRecordID>
    <Correlation ActivityID="{23195ebf-c570-0000-8df6-1c2370c5da01}" />
    <Execution ProcessID="7732" ThreadID="8820" />
    <Channel>Microsoft-Windows-PowerShell/Operational</Channel>
    <Computer>Win11.lab.local</Computer>
    <Security UserID="S-1-5-21-888117185-644776935-3477416708-1103" />
  </System>
  <EventData>
    <Data Name="MessageNumber">1</Data>
    <Data Name="MessageTotal">1</Data>
    <Data Name="ScriptBlockText">Get-ADComputer -Filter {TrustedForDelegation -eq $true -and primarygroupid -eq 515} -Properties trustedfordelegation,serviceprincipalname,description</Data>
    <Data Name="ScriptBlockId">80c53328-ce7c-4982-8ea5-2215aba28d2a</Data>
    <Data Name="Path" />
  </EventData>
</Event>
```
Fixed Issues
SigmaHQ Rule Creation Conventions
- If your PR adds new rules, please consider following and applying these conventions
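The detection idea behind this PR, worked through as an added example that is not the rule from the PR or any SigmaHQ code: parse Event ID 4104 records like the one above, reassemble script blocks that PowerShell split into several MessageNumber/MessageTotal chunks, and then match the `TrustedForDelegation` filter case-insensitively. The chunk reassembly is the caveat a detection engineer needs, since a substring match on a single event misses a filter that straddles two chunks; the event builder, indicator regex and sample events (including the two-chunk split) are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Indicator taken from the example event: the AD attribute queried by the discovery
# command, matched case-insensitively because PowerShell ignores case.
INDICATOR = re.compile(r"trustedfordelegation", re.IGNORECASE)

def parse_4104(xml_text):
    """Return (ScriptBlockId, MessageNumber, MessageTotal, ScriptBlockText) for an
    Event ID 4104 record, or None for any other event ID."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4104":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return (data.get("ScriptBlockId"), int(data.get("MessageNumber", "1")),
            int(data.get("MessageTotal", "1")), data.get("ScriptBlockText", ""))

def reassemble(events):
    """Group chunks by ScriptBlockId and join them in MessageNumber order, so a
    filter that PowerShell split across two 4104 events is still matched whole."""
    chunks = {}
    for ev in events:
        parsed = parse_4104(ev)
        if parsed is not None:
            sbid, num, _total, text = parsed
            chunks.setdefault(sbid, {})[num] = text
    return {sbid: "".join(parts[n] for n in sorted(parts)) for sbid, parts in chunks.items()}

def find_delegation_discovery(events):
    """Return the sorted ScriptBlockIds whose reassembled text hits the indicator."""
    return sorted(sbid for sbid, text in reassemble(events).items() if INDICATOR.search(text))

def make_event(sbid, num, total, text, event_id="4104"):
    """Build a minimal record with the same schema as the example event (constructed)."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData><Data Name="MessageNumber">{num}</Data>'
            f'<Data Name="MessageTotal">{total}</Data>'
            f'<Data Name="ScriptBlockText">{text}</Data>'
            f'<Data Name="ScriptBlockId">{sbid}</Data></EventData></Event>')

# Constructed samples: the query from the example event, the same query split by
# PowerShell into two chunks (cutting the attribute name in half), and a benign query.
SAMPLE_EVENTS = [
    make_event("80c53328-ce7c-4982-8ea5-2215aba28d2a", 1, 1,
               "Get-ADComputer -Filter {TrustedForDelegation -eq $true -and primarygroupid -eq 515}"
               " -Properties trustedfordelegation,serviceprincipalname,description"),
    make_event("c0ffee00-0000-4000-8000-000000000001", 1, 2, "Get-ADComputer -Filter {TrustedFor"),
    make_event("c0ffee00-0000-4000-8000-000000000001", 2, 2, "Delegation -eq $true}"),
    make_event("c0ffee00-0000-4000-8000-000000000002", 1, 1, "Get-ADComputer -Filter * -Properties description"),
]
```

Running `find_delegation_discovery(SAMPLE_EVENTS)` flags the example event and the split block but not the benign query; matching each chunk on its own would have missed the split one.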