Open frack113 opened 5 days ago
Summary of the Pull Request
The attacker can search for computers with Unconstrained Delegation: https://pentestlab.blog/2022/03/21/unconstrained-delegation/
Changelog
new: Unconstrained Delegation Discovery
Example Log Event
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-PowerShell" Guid="{a0c1853b-5c40-4b15-8766-3cf1c58f985a}" />
    <EventID>4104</EventID>
    <Version>1</Version>
    <Level>5</Level>
    <Task>2</Task>
    <Opcode>15</Opcode>
    <Keywords>0x0</Keywords>
    <TimeCreated SystemTime="2024-06-23T13:41:11.0019609Z" />
    <EventRecordID>1986589</EventRecordID>
    <Correlation ActivityID="{23195ebf-c570-0000-8df6-1c2370c5da01}" />
    <Execution ProcessID="7732" ThreadID="8820" />
    <Channel>Microsoft-Windows-PowerShell/Operational</Channel>
    <Computer>Win11.lab.local</Computer>
    <Security UserID="S-1-5-21-888117185-644776935-3477416708-1103" />
  </System>
  <EventData>
    <Data Name="MessageNumber">1</Data>
    <Data Name="MessageTotal">1</Data>
    <Data Name="ScriptBlockText">Get-ADComputer -Filter {TrustedForDelegation -eq $true -and primarygroupid -eq 515} -Properties trustedfordelegation,serviceprincipalname,description</Data>
    <Data Name="ScriptBlockId">80c53328-ce7c-4982-8ea5-2215aba28d2a</Data>
    <Data Name="Path" />
  </EventData>
</Event>
Fixed Issues
SigmaHQ Rule Creation Conventions
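Added example, not part of the pull request and not the SigmaHQ rule itself: Python that applies the detection idea to PowerShell 4104 events, joining script blocks that were logged in several parts (MessageNumber/MessageTotal) by ScriptBlockId before matching. The two regexes, the `make_event` helper, the block IDs and the sample events are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from xml.sax.saxutils import escape

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Assumed indicators, modelled on the ScriptBlockText of the sample event.
CMDLET = re.compile(r"\bGet-ADComputer\b", re.I)
FILTER = re.compile(r"\bTrustedForDelegation\s+-eq\s+['\"$]?true\b", re.I)

def make_event(block_id, number, total, text, event_id=4104):
    """Build a constructed event holding only the fields the detection reads."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData><Data Name="MessageNumber">{number}</Data>'
            f'<Data Name="MessageTotal">{total}</Data>'
            f'<Data Name="ScriptBlockText">{escape(text)}</Data>'
            f'<Data Name="ScriptBlockId">{block_id}</Data></EventData></Event>')

def parse_4104(xml_text):
    """Return (ScriptBlockId, MessageNumber, text), or None if not event 4104."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4104":
        return None
    data = {d.get("Name"): d.text or "" for d in root.iterfind("e:EventData/e:Data", NS)}
    return data["ScriptBlockId"], int(data["MessageNumber"]), data["ScriptBlockText"]

def detect(events):
    """Join each script block's parts in MessageNumber order, then match."""
    parts = defaultdict(dict)
    for xml_text in events:
        rec = parse_4104(xml_text)
        if rec:
            block_id, number, text = rec
            parts[block_id][number] = text
    hits = []
    for block_id, chunks in parts.items():
        script = "".join(chunks[n] for n in sorted(chunks))
        if CMDLET.search(script) and FILTER.search(script):
            hits.append(block_id)
    return hits

QUERY = ("Get-ADComputer -Filter {TrustedForDelegation -eq $true -and primarygroupid "
         "-eq 515} -Properties trustedfordelegation,serviceprincipalname,description")
# Constructed sample events; the block IDs are placeholders.
SAMPLE = [
    make_event("block-1", 1, 1, QUERY),
    make_event("block-2", 2, 2, QUERY[30:]),  # second half, logged first
    make_event("block-3", 1, 1, "Get-ADComputer -Identity WS01 -Properties description"),
    make_event("block-2", 1, 2, QUERY[:30]),  # first half, cut mid-keyword
    make_event("block-4", 1, 1, QUERY, event_id=4103),  # not 4104, ignored
]
```

Matching each event on its own misses `block-2`, because neither half contains both the cmdlet and the complete filter expression.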