Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock

Original Source: [Sigma source]
Title: Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock
Status: experimental
Description: Detects the use of the "Get-ADComputer" cmdlet in order to identify systems which are configured for unconstrained delegation.
References:
  - https://pentestlab.blog/2022/03/21/unconstrained-delegation/
  - https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-adcomputer?view=windowsserver2022-ps
Author: frack113
Date: 2025-03-05
Modified: None
Tags:
  • attack.reconnaissance
  • attack.discovery
  • attack.credential-access
  • attack.t1018
  • attack.t1558
  • attack.t1589.002
Logsource:
  • product: windows
  • category: ps_script
  • definition: Requirements: Script Block Logging must be enabled
Detection:
  selection:
    ScriptBlockText|contains:
      - '-Properties*TrustedForDelegation'
      - '-Properties*TrustedToAuthForDelegation'
      - '-Properties*msDS-AllowedToDelegateTo'
      - '-Properties*PrincipalsAllowedToDelegateToAccount'
      - '-LDAPFilter*(userAccountControl:1.2.840.113556.1.4.803:=524288)'
  condition: selection
Falsepositives:
  - Legitimate use of the library for administrative activity
Level: medium
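
Added example (not part of the Sigma rule or its source project): a Python evaluation of the rule's selection against constructed ScriptBlockText strings, useful for checking what the five values do and do not match before deployment. It assumes standard Sigma semantics (substring match for `contains`, `*` as a wildcard, case-insensitive comparison); the function names, the `svc_example` account and all sample commands are hypothetical.

```python
import re

# Values copied from the rule's selection (ScriptBlockText|contains).
PATTERNS = [
    "-Properties*TrustedForDelegation",
    "-Properties*TrustedToAuthForDelegation",
    "-Properties*msDS-AllowedToDelegateTo",
    "-Properties*PrincipalsAllowedToDelegateToAccount",
    "-LDAPFilter*(userAccountControl:1.2.840.113556.1.4.803:=524288)",
]


def sigma_contains_to_regex(value):
    """Translate one 'contains' value: '*' is any run, '?' is one character."""
    escaped = re.escape(value).replace(r"\*", ".*").replace(r"\?", ".")
    # Sigma string matching is case-insensitive. DOTALL is an assumption of
    # this example so '*' can span line breaks in a multi-line script block.
    return re.compile(escaped, re.IGNORECASE | re.DOTALL)


COMPILED = [(p, sigma_contains_to_regex(p)) for p in PATTERNS]


def match_selection(script_block_text):
    """Return the rule values that match a single ScriptBlockText string."""
    return [p for p, rx in COMPILED if rx.search(script_block_text)]


# Constructed ScriptBlockText values (event ID 4104 payloads), not real logs.
SAMPLES = {
    "direct": "Get-ADComputer -Filter * -Properties TrustedForDelegation",
    "multiline": "get-adcomputer -filter * `\n  -properties name,trustedtoauthfordelegation",
    "select_later": "Get-ADComputer -Filter * -Properties * | Select Name,TrustedForDelegation",
    "ldap": 'Get-ADComputer -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=524288)"',
    "other_cmdlet": "Get-ADUser -Identity svc_example -Properties msDS-AllowedToDelegateTo",
    "inventory": "Get-ADComputer -Filter * -Properties OperatingSystem,LastLogonDate",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        hits = match_selection(text)
        print(f"{name:13} {'ALERT' if hits else 'no match'} {hits}")
```

The selection as written does not require the string "Get-ADComputer", so the `other_cmdlet` sample alerts as well; a routine inventory query that requests unrelated properties does not.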