Name:Windows PowerView Constrained Delegation Discovery id:86dc8176-6e6c-42d6-9684-5444c6557ab3 version:4 date:2024-09-30 author:Mauricio Velazco, Splunk status:production type:TTP Description:The following analytic detects the use of PowerView commandlets to discover Windows endpoints with Kerberos Constrained Delegation. It leverages PowerShell Script Block Logging (EventCode=4104) to identify specific commandlets like `Get-DomainComputer` or `Get-NetComputer` with the `-TrustedToAuth` parameter. This activity is significant as it indicates potential reconnaissance efforts by adversaries or Red Teams to map out privileged delegation settings in Active Directory. If confirmed malicious, this could allow attackers to identify high-value targets for further exploitation, potentially leading to privilege escalation or lateral movement within the network. Data_source:
-Powershell Script Block Logging 4104
search:`powershell` EventCode=4104 (ScriptBlockText = "*Get-DomainComputer*" OR ScriptBlockText = "*Get-NetComputer*") AND (ScriptBlockText = "*-TrustedToAuth*") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powerview_constrained_delegation_discovery_filter`
how_to_implement:The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. known_false_positives:Administrators or power users may leverage PowerView for system management or troubleshooting. References: -https://attack.mitre.org/techniques/T1018/ -https://adsecurity.org/?p=1667 -https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unconstrained-kerberos -https://www.guidepointsecurity.com/blog/delegating-like-a-boss-abusing-kerberos-delegation-in-active-directory/ -https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/constrained-delegation -https://www.cyberark.com/resources/threat-research-blog/weakness-within-kerberos-delegation drilldown_searches: name:'View the detection results for - "$dest$" and "$user$"' search:'%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$dest$" and "$user$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'CISA AA23-347A' - 'Rhysida Ransomware' - 'Active Directory Kerberos Attacks' asset_type:Endpoint confidence:70 impact:50 message:Suspicious PowerShell Get-DomainComputer was identified on endpoint $dest$ mitre_attack_id: - 'T1018' observable: name:'dest' type:'Hostname' - role: - 'Victim' name:'user' type:'User' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' - 'EventCode' - 'ScriptBlockText' - 'Computer' - 'UserID' risk_score:35 security_domain:endpoint
