Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock
Detects the use of the "Get-ADComputer" cmdlet in order to identify systems which are configured for unconstrained delegation.
Sigma rule
```yaml
title: Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock
id: cdfa73b6-3c9d-4bb8-97f8-ddbd8921f5c5
status: experimental
description: Detects the use of the "Get-ADComputer" cmdlet in order to identify systems which are configured for unconstrained delegation.
references:
    - https://pentestlab.blog/2022/03/21/unconstrained-delegation/
    - https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-adcomputer?view=windowsserver2022-ps
author: frack113
date: 2025-03-05
tags:
    - attack.reconnaissance
    - attack.discovery
    - attack.credential-access
    - attack.t1018
    - attack.t1558
    - attack.t1589.002
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            - '-Properties*TrustedForDelegation'
            - '-Properties*TrustedToAuthForDelegation'
            - '-Properties*msDS-AllowedToDelegateTo'
            - '-Properties*PrincipalsAllowedToDelegateToAccount'
            - '-LDAPFilter*(userAccountControl:1.2.840.113556.1.4.803:=524288)'
    condition: selection
falsepositives:
    - Legitimate use of the library for administrative activity
level: medium
```
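To see how the rule's `ScriptBlockText|contains` list behaves against Script Block Logging entries, here is an added Python matcher (not part of the rule or of the Sigma project) that applies Sigma's `contains` semantics, `*` as a multi-character wildcard, `?` as a single-character wildcard and case-insensitive comparison, to a few constructed sample script blocks.

```python
import re

# The five ScriptBlockText|contains values from the rule, copied verbatim.
RULE_PATTERNS = [
    '-Properties*TrustedForDelegation',
    '-Properties*TrustedToAuthForDelegation',
    '-Properties*msDS-AllowedToDelegateTo',
    '-Properties*PrincipalsAllowedToDelegateToAccount',
    '-LDAPFilter*(userAccountControl:1.2.840.113556.1.4.803:=524288)',
]


def sigma_contains_regex(pattern: str) -> re.Pattern:
    """Translate one Sigma 'contains' value into a compiled regex.

    Sigma semantics: '*' matches any run of characters, '?' exactly one,
    comparison is case-insensitive and 'contains' is unanchored. Every
    other character (dots, parentheses, colons) is literal, so escape it.
    """
    regex = ''
    for ch in pattern:
        if ch == '*':
            regex += '.*'
        elif ch == '?':
            regex += '.'
        else:
            regex += re.escape(ch)
    return re.compile(regex, re.IGNORECASE | re.DOTALL)


COMPILED = [(p, sigma_contains_regex(p)) for p in RULE_PATTERNS]


def matching_patterns(script_block_text: str) -> list[str]:
    """Return the rule patterns that fire on one ScriptBlockText value."""
    return [p for p, rx in COMPILED if rx.search(script_block_text)]


# Constructed sample script blocks (not real telemetry).
SAMPLE_EVENTS = [
    "Get-ADComputer -Filter * -Properties TrustedForDelegation | Where-Object { $_.TrustedForDelegation -eq $true }",
    "Get-ADComputer -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=524288)'",
    "get-adcomputer -filter * -properties trustedtoauthfordelegation",  # lower-case still matches
    "Get-ADComputer -Identity FS01 -Properties OperatingSystem",  # benign inventory query
]

if __name__ == '__main__':
    for text in SAMPLE_EVENTS:
        hits = matching_patterns(text)
        print(f"{'ALERT' if hits else 'ok   '} {text[:60]!r} {hits}")
```

The benign inventory query shows why the rule keys on the delegation attribute names rather than on `Get-ADComputer` itself: the cmdlet alone is routine administration and would drown the alert in noise.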
Related rules
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript
- Bitbucket User Details Export Attempt Detected
- Antivirus Password Dumper Detection
- HackTool - Certipy Execution