From a28fe261abf62e72fc3fb6ca053ed980451cd664 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali
Date: Wed, 5 Mar 2025 01:09:55 +0100
Subject: [PATCH] Update and rename posh_ps_unconstrained_delegation.yml to posh_ps_potential_unconstrained_delegation_discovery.yml
---
 ...ial_unconstrained_delegation_discovery.yml | 32 +++++++++++++++++
 .../posh_ps_unconstrained_delegation.yml | 34 -------------------
 2 files changed, 32 insertions(+), 34 deletions(-)
 create mode 100644 rules/windows/powershell/powershell_script/posh_ps_potential_unconstrained_delegation_discovery.yml
 delete mode 100644 rules/windows/powershell/powershell_script/posh_ps_unconstrained_delegation.yml
diff --git a/rules/windows/powershell/powershell_script/posh_ps_potential_unconstrained_delegation_discovery.yml b/rules/windows/powershell/powershell_script/posh_ps_potential_unconstrained_delegation_discovery.yml
new file mode 100644
index 00000000000..bedb61e38a1
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_potential_unconstrained_delegation_discovery.yml
@@ -0,0 +1,32 @@
+title: Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock
+id: cdfa73b6-3c9d-4bb8-97f8-ddbd8921f5c5
+status: experimental
+description: Detects the use of the "Get-ADComputer" cmdlet in order to identify systems which are configured for unconstrained delegation.
+references:
+ - https://pentestlab.blog/2022/03/21/unconstrained-delegation/
+ - https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-adcomputer?view=windowsserver2022-ps
+author: frack113
+date: 2025-03-05
+tags:
+ - attack.reconnaissance
+ - attack.discovery
+ - attack.credential-access
+ - attack.t1018
+ - attack.t1558
+ - attack.t1589.002
+logsource:
+ product: windows
+ category: ps_script
+ definition: 'Requirements: Script Block Logging must be enable'
+detection:
+ selection:
+ ScriptBlockText|contains:
+ - '-Properties*TrustedForDelegation'
+ - '-Properties*TrustedToAuthForDelegation'
+ - '-Properties*msDS-AllowedToDelegateTo'
+ - '-Properties*PrincipalsAllowedToDelegateToAccount'
+ - '-LDAPFilter*(userAccountControl:1.2.840.113556.1.4.803:=524288)'
+ condition: selection
+falsepositives:
+ - Legitimate use of the library for administrative activity
+level: medium
diff --git a/rules/windows/powershell/powershell_script/posh_ps_unconstrained_delegation.yml b/rules/windows/powershell/powershell_script/posh_ps_unconstrained_delegation.yml
deleted file mode 100644
index be1cc76ec61..00000000000
--- a/rules/windows/powershell/powershell_script/posh_ps_unconstrained_delegation.yml
+++ /dev/null
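Review bot: The new `selection` under `detection` no longer requires `Get-ADComputer` anywhere in the script block (the old `selection_cmdlet` and `condition: all of selection_*` were dropped), yet the title and `description` still claim the rule detects use of that cmdlet; the rule as written fires on any cmdlet or LDAP query that touches those attributes, so either restore a cmdlet selection or reword, e.g. `description: Detects PowerShell script blocks querying delegation-related AD attributes (TrustedForDelegation, msDS-AllowedToDelegateTo, userAccountControl 524288), commonly used to identify systems configured for unconstrained delegation.`. Because the rule keeps the same `id` as the deleted file, replacing the creation date with `date: 2025-03-05` looks like a convention slip; if this repository follows the usual SigmaHQ practice the original `date: 2024-06-22` should stay and a `modified: 2025-03-05` line be added. The `definition` value reads `enable` where `enabled` is meant, and "Legitimate use of the library" in `falsepositives` presumably refers to the ActiveDirectory module/cmdlets rather than a library.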
@@ -1,34 +0,0 @@
-title: Unconstrained Delegation Discovery
-id: cdfa73b6-3c9d-4bb8-97f8-ddbd8921f5c5
-status: experimental
-description: Detects use of Get-ADComputer to find Unconstrained Delegation host
-references:
- - https://pentestlab.blog/2022/03/21/unconstrained-delegation/
- - https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-adcomputer?view=windowsserver2022-ps
-author: frack113
-date: 2024-06-22
-tags:
- - attack.reconnaissance
- - attack.discovery
- - attack.credential-access
- - attack.t1018
- - attack.t1558
- - attack.t1589.002
-logsource:
- product: windows
- category: ps_script
- definition: Script Block Logging must be enable
-detection:
- selection_cmdlet:
- ScriptBlockText|contains: 'Get-ADComputer'
- selection_reco:
- ScriptBlockText|contains:
- - 'TrustedForDelegation'
- - 'TrustedToAuthForDelegation'
- - 'msDS-AllowedToDelegateTo'
- - 'PrincipalsAllowedToDelegateToAccount'
- - '(userAccountControl:1.2.840.113556.1.4.803:=524288)'
- condition: all of selection_*
-falsepositives:
- - Legitimate use of the library for administrative activity
-level: medium