Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock

Detects the use of the "Get-ADComputer" cmdlet in order to identify systems which are configured for unconstrained delegation.

Sigma rule

title: Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock
id: cdfa73b6-3c9d-4bb8-97f8-ddbd8921f5c5
status: experimental
description: Detects the use of the "Get-ADComputer" cmdlet in order to identify systems which are configured for unconstrained delegation.
references:
    - https://pentestlab.blog/2022/03/21/unconstrained-delegation/
    - https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-adcomputer?view=windowsserver2022-ps
author: frack113
date: 2025-03-05
tags:
    - attack.reconnaissance
    - attack.discovery
    - attack.credential-access
    - attack.t1018
    - attack.t1558
    - attack.t1589.002
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enable'
detection:
    selection:
        ScriptBlockText|contains:
            - '-Properties*TrustedForDelegation'
            - '-Properties*TrustedToAuthForDelegation'
            - '-Properties*msDS-AllowedToDelegateTo'
            - '-Properties*PrincipalsAllowedToDelegateToAccount'
            - '-LDAPFilter*(userAccountControl:1.2.840.113556.1.4.803:=524288)'
    condition: selection
falsepositives:
    - Legitimate use of the library for administrative activity
level: medium
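Added example, not part of the rule or the Sigma project: a small Python harness that applies the rule's five `contains` values with Sigma string semantics (unanchored, case-insensitive, `*` as an unbounded wildcard) to constructed Script Block Logging (Event ID 4104) ScriptBlockText samples. It shows why the wildcard matters when `-Properties *` and the attribute name are far apart in a pipeline, and that a routine inventory query does not fire; the sample strings are constructed, not real telemetry.

```python
import re

# The five values from the rule's ScriptBlockText|contains list.
SIGMA_CONTAINS = [
    "-Properties*TrustedForDelegation",
    "-Properties*TrustedToAuthForDelegation",
    "-Properties*msDS-AllowedToDelegateTo",
    "-Properties*PrincipalsAllowedToDelegateToAccount",
    "-LDAPFilter*(userAccountControl:1.2.840.113556.1.4.803:=524288)",
]


def sigma_contains_to_regex(value: str) -> re.Pattern:
    """Translate one Sigma 'contains' value into a regex.

    Sigma semantics: '*' is an unbounded wildcard, every other character
    is literal (so the LDAP parentheses and dots are escaped), and plain
    string matching is case-insensitive. 'contains' lets the value sit
    anywhere in the field, so the pattern is left unanchored.
    """
    literal_parts = [re.escape(part) for part in value.split("*")]
    return re.compile(".*".join(literal_parts), re.IGNORECASE | re.DOTALL)


MATCHERS = [(v, sigma_contains_to_regex(v)) for v in SIGMA_CONTAINS]


def match_script_block(script_block_text: str) -> list[str]:
    """Return the rule values that fire on one Event 4104 ScriptBlockText."""
    return [v for v, rx in MATCHERS if rx.search(script_block_text)]


# Constructed ScriptBlockText samples (not real telemetry).
SAMPLES = {
    "props": "Get-ADComputer -Filter * -Properties TrustedForDelegation",
    "ldap": "Get-ADComputer -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=524288)'",
    # '-Properties *' and the attribute name are far apart; the wildcard spans them.
    "span": "Get-ADComputer -Filter * -Properties * | Where-Object {$_.TrustedForDelegation}",
    # Sigma string matching is case-insensitive, so mixed casing still matches.
    "lower": "get-adcomputer -filter * -properties trustedfordelegation",
    # Routine inventory query: none of the five values is present.
    "benign": "Get-ADComputer -Filter * -Properties OperatingSystem | Select-Object Name",
}


def evaluate_samples() -> dict[str, list[str]]:
    """Run every sample through the rule and collect the matching values."""
    return {name: match_script_block(text) for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in evaluate_samples().items():
        print(f"{name:7s} -> {'ALERT ' + ', '.join(hits) if hits else 'no match'}")
```

The "props" sample also illustrates the rule's stated false positive: an administrator auditing the same attribute produces an identical script block, so the alert needs context (who ran it, from where) before triage.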
