Classification:

attack

Tactic:

TA0003-persistence

Technique:

T1098-account-manipulation

VIEW RULE IN DATADOG VIEW SIGNALS

Goal

Detects Active Directory user account backdoor configurations through delegation settings and LDAP attribute modifications.

Strategy

This rule monitors Active Directory user account modifications related to delegation permissions and service principal names. The detection tracks user account modifications through event ID 4738 when delegation permissions are modified, and event ID 5136 for LDAP attribute changes including msDS-AllowedToDelegateTo, msDS-AllowedToActOnBehalfOfOtherIdentity, and servicePrincipalName attributes. These modifications can enable unauthorized access and impersonation capabilities within the Active Directory environment.

Triage & Response

• Examine the modified user account properties and determine if the delegation permissions were authorized by reviewing the {{@usr.id}} making the changes.
• Validate if the service principal name changes on the affected user accounts align with legitimate business requirements.
• Review the delegation targets specified in AllowedToDelegateTo attributes to ensure they are authorized services.
• Analyze authentication patterns for the modified accounts to identify any suspicious delegation or impersonation activity.
• Restrict delegation permissions to only necessary service accounts.