This note documents detection patterns related to Resource Based Constrained Delegation within Active Directory environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 5136 | Directory object modified | Critical | Primary indicator. Review modifications to the msDS-AllowedToActOnBehalfOfOtherIdentity attribute on computer objects; this attribute is what enables Resource Based Constrained Delegation (RBCD). |
| Security | 4741 | Computer account created | High | Attackers often create a new machine account to use in RBCD attacks. |
| Security | 4742 | Computer account changed | High | Modification of computer object attributes may indicate RBCD preparation. |
| Security | 4769 | Kerberos service ticket request | High | Unusual service ticket requests after RBCD configuration may indicate impersonation via S4U2Proxy. |
| Security | 4624 | Successful logon | High | LogonType 3 or 9 may appear when delegated authentication is used for lateral movement. |
| Security | 4688 | Process creation | Medium | Execution of tools capable of abusing RBCD such as Rubeus or Impacket. |
| Sysmon | 1 | Process creation | High | Look for execution of Rubeus, PowerShell scripts, or Impacket utilities. |
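When a 5136 for this attribute fires, the analyst wants to know which principal was granted the right to act on behalf of other identities. The value written to msDS-AllowedToActOnBehalfOfOtherIdentity is a security descriptor, and this added example (not part of the original note) decodes the SIDs in its DACL; it assumes the event's AttributeValue field carries the descriptor as a hex string, and `build_sample_descriptor` only constructs test input.

```python
import struct

def _parse_sid(buf, off):
    """Parse a binary SID at buf[off:] into S-1-... form; returns (sid, byte length)."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d-%s" % (rev, authority, "-".join(str(s) for s in subs)), 8 + 4 * count

def delegating_sids(attribute_value_hex):
    """Return the SIDs of ACCESS_ALLOWED ACEs in the DACL of a self-relative
    security descriptor, i.e. the principals allowed to delegate to this computer."""
    sd = bytes.fromhex(attribute_value_hex)
    # SECURITY_DESCRIPTOR_RELATIVE: Revision, Sbz1, Control, Owner/Group/SACL/DACL offsets
    _rev, _sbz, _control, _own, _grp, _sacl, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    if dacl_off == 0:
        return []
    # ACL header: AclRevision, Sbz1, AclSize, AceCount, Sbz2
    _, _, _acl_size, ace_count, _ = struct.unpack_from("<BBHHH", sd, dacl_off)
    sids, pos = [], dacl_off + 8
    for _ in range(ace_count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", sd, pos)
        if ace_type == 0:  # ACCESS_ALLOWED_ACE_TYPE: header(4) + Mask(4) + SID
            sid, _ = _parse_sid(sd, pos + 8)
            sids.append(sid)
        pos += ace_size
    return sids

def build_sample_descriptor(sid_text):
    """Constructed test input (assumption, not a captured value): a minimal
    descriptor with a single allow ACE for sid_text, DACL right after the header."""
    parts = [int(p) for p in sid_text.split("-")[1:]]
    sid = bytes([parts[0], len(parts) - 2]) + parts[1].to_bytes(6, "big") + struct.pack("<%dI" % (len(parts) - 2), *parts[2:])
    ace = struct.pack("<BBHI", 0, 0, 8 + len(sid), 0x000F01FF) + sid
    acl = struct.pack("<BBHHH", 4, 0, 8 + len(ace), 1, 0) + ace
    # Control = SE_SELF_RELATIVE (0x8000) | SE_DACL_PRESENT (0x0004); DACL at offset 20
    header = struct.pack("<BBHIIII", 1, 0, 0x8004, 0, 0, 0, 20)
    return (header + acl).hex()
```

Compare the decoded SIDs against the 4741 events: a SID belonging to a machine account created minutes earlier by the same subject is the pattern the indirect indicators describe.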
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Modification of delegation attributes | Changes to msDS-AllowedToActOnBehalfOfOtherIdentity | Critical | Core configuration change enabling RBCD. |
| New machine accounts | Creation of machine accounts outside normal provisioning workflows | High | Attackers often create rogue machine accounts to exploit RBCD. |
| Service ticket requests from unexpected hosts | Kerberos ticket requests originating from unusual workstations | High | Often an attacker-controlled host performing the impersonation. |
| Service account impersonation | Service accounts requesting tickets for privileged users | High | Indicates possible abuse of delegation. |
| Unexpected lateral movement | Authentication events shortly after RBCD configuration | High | Attackers often pivot immediately after configuring RBCD. |
Common Tools
| Tool | Usage |
|---|---|
| Impacket (rbcd.py / getST.py) | Used to configure and exploit resource based constrained delegation. |
| Rubeus | Supports S4U operations used after RBCD configuration. |
| PowerView | Used to modify AD attributes including delegation settings. |
| BloodHound / SharpHound | Identifies RBCD abuse paths within Active Directory. |
| Cobalt Strike | Used to execute Kerberos ticket abuse modules. |
Relevant Artifacts
- Domain controller Security logs (5136, 4741, 4742, 4769)
- Directory Service logs
- Sysmon logs (1)
- AD attribute change history
- Delegation attributes on computer objects
- EDR telemetry identifying Kerberos abuse tooling
- Prefetch artifacts showing execution of exploitation tools
- MFT artifacts indicating tool deployment
MITRE ATT&CK References
- T1558 Steal or Forge Kerberos Tickets
- T1550 Use Alternate Authentication Material
- T1134 Access Token Manipulation
- T1078 Valid Accounts
Decision Tree
- Is the suspicious event present?
  - Look for Event 5136 modifying msDS-AllowedToActOnBehalfOfOtherIdentity.
- What host generated the event?
  - Identify the system modifying the computer object in Active Directory.
- Is the account expected to perform this action?
  - Normally only domain administrators modify delegation attributes.
- Pivot:
  - Source host → inspect process execution and administrative tools.
  - Account → review privilege escalation or machine account creation.
  - Network → identify Kerberos service ticket requests following the modification.
- Confirm exploitation
  - Determine whether the attacker used delegated access to authenticate to other systems.
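The decision tree above, implemented over event records as an added example (not part of the original note): it takes the 5136 RBCD change, pivots on the account to find machine accounts it created shortly before (4741), and pivots on the network to find service ticket requests for the modified computer shortly after (4769). The sample events are constructed, and the field names follow the KQL templates later in this note.

```python
from datetime import datetime, timedelta

RBCD_ATTR = "msDS-AllowedToActOnBehalfOfOtherIdentity"

# Constructed sample events (not real logs). Note that 5136 is only generated when
# "Directory Service Changes" auditing and a SACL on the object are enabled.
SAMPLE_EVENTS = [
    {"EventID": 4741, "Time": "2024-05-01T10:00:00", "SubjectUserName": "jdoe",
     "TargetUserName": "ROGUEPC$"},
    {"EventID": 5136, "Time": "2024-05-01T10:02:30", "SubjectUserName": "jdoe",
     "AttributeLDAPDisplayName": RBCD_ATTR,
     "ObjectDN": "CN=FILESRV01,OU=Servers,DC=corp,DC=local"},
    {"EventID": 4769, "Time": "2024-05-01T10:05:00", "TargetUserName": "ROGUEPC$@CORP.LOCAL",
     "ServiceName": "FILESRV01$", "IpAddress": "10.0.0.55"},
    {"EventID": 5136, "Time": "2024-05-02T09:00:00", "SubjectUserName": "svc_inventory",
     "AttributeLDAPDisplayName": "description",
     "ObjectDN": "CN=WS10,OU=Workstations,DC=corp,DC=local"},
]

def _ts(event):
    return datetime.fromisoformat(event["Time"])

def rbcd_changes(events):
    """Direct indicator: 5136 events that touch the RBCD attribute."""
    return [e for e in events if e["EventID"] == 5136
            and e.get("AttributeLDAPDisplayName") == RBCD_ATTR]

def correlate(events, window=timedelta(hours=1)):
    """For each RBCD change: who made it, which computer it targets, whether that
    account created a machine account shortly before (4741), and whether a service
    ticket for the target was requested shortly after (4769, the S4U2Proxy stage)."""
    findings = []
    for change in rbcd_changes(events):
        t0 = _ts(change)
        # ObjectDN starts with CN=<hostname>; the computer's SAM account name is <hostname>$
        target = change["ObjectDN"].split(",")[0].removeprefix("CN=").upper() + "$"
        new_accounts = [e["TargetUserName"] for e in events if e["EventID"] == 4741
                        and e["SubjectUserName"] == change["SubjectUserName"]
                        and t0 - window <= _ts(e) <= t0]
        tickets = [e for e in events if e["EventID"] == 4769
                   and e.get("ServiceName", "").upper() == target
                   and t0 <= _ts(e) <= t0 + window]
        stages = 1 + bool(new_accounts) + bool(tickets)
        findings.append({"subject": change["SubjectUserName"], "target": target,
                         "new_accounts": new_accounts,
                         "ticket_sources": [t["IpAddress"] for t in tickets],
                         "severity": "critical" if stages == 3 else "high"})
    return findings
```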
Example Detection Templates
KQL
```kusto
SecurityEvent
| where EventID == 5136
| where AttributeLDAPDisplayName == "msDS-AllowedToActOnBehalfOfOtherIdentity"
| project TimeGenerated, SubjectUserName, ObjectDN
```
```kusto
SecurityEvent
| where EventID == 4741
| project TimeGenerated, TargetUserName, SubjectUserName, Computer
```
EQL
```eql
any where event.code == "5136" and winlog.event_data.AttributeLDAPDisplayName == "msDS-AllowedToActOnBehalfOfOtherIdentity"
```
Sigma
```yaml
title: Resource Based Constrained Delegation Configuration
id: rbcd-attribute-modification
status: experimental
description: Detects modification of the msDS-AllowedToActOnBehalfOfOtherIdentity attribute
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 5136
    AttributeLDAPDisplayName: "msDS-AllowedToActOnBehalfOfOtherIdentity"
  condition: selection
fields:
  - SubjectUserName
  - ObjectDN
falsepositives:
  - Legitimate delegation configuration changes by administrators
level: high
tags:
  - attack.credential_access
  - attack.t1558
```
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Machine account creation | Restrict ability to create computer objects in AD | High | Prevents attackers from introducing rogue machine accounts. |
| Delegation auditing | Monitor changes to delegation-related attributes | High | Early detection of RBCD configuration. |
| Least privilege | Limit rights that allow modification of computer objects | High | Reduces attack surface. |
| Privileged account monitoring | Alert on admin actions modifying delegation settings | High | Detects misuse of privileged accounts. |
| Security reviews | Regularly audit delegation configurations across AD | High | Helps identify risky configurations. |