Enable Unconstrained Kerberos Delegation


Hi there,

 

By default, the group "Account Operators" is often used, even though Microsoft recommends keeping it empty, but this group has wide permissions in the domain. All the users in Account Operators could enable Unconstrained Kerberos Delegation on servers, because they are granted the GenericAll permission on these computer objects.

 

I tried to find some additional information about it to see if ATA picks this up. I couldn't find it, but there could be a chance that I just overlooked it. So I was wondering if you guys would detect when someone decides to turn this setting on?

 

unconstrained.png

 

Here is the event log that will be generated.

 

4742.png

 

enabled.png
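
One way to flag this change from the 4742 event the post refers to, as an added example that is not part of the original post. It assumes the event is available as XML with the `OldUacValue`/`NewUacValue` fields in SAM format, where `0x2000` is the "Trusted For Delegation" bit; the sample event, host and account names are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# SAM-format bit used in the 4742 Old/New UAC fields (USER_TRUSTED_FOR_DELEGATION).
# The LDAP userAccountControl attribute uses 0x80000 for the same setting.
SAM_TRUSTED_FOR_DELEGATION = 0x2000

# Constructed sample event, trimmed to the fields the check reads.
SAMPLE_4742 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4742</EventID><Computer>dc01.example.test</Computer></System>
  <EventData>
    <Data Name="TargetUserName">SRV01$</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="SubjectUserName">helpdesk1</Data>
    <Data Name="OldUacValue">0x80</Data>
    <Data Name="NewUacValue">0x2080</Data>
  </EventData>
</Event>"""


def _uac(text):
    """Parse a hex UAC field; 4742 writes '-' when the value did not change."""
    try:
        return int(text, 16)
    except (TypeError, ValueError):
        return None


def delegation_enabled(event_xml):
    """Return an alert dict if this 4742 turned the delegation bit on, else None."""
    root = ET.fromstring(event_xml)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4742":
        return None
    data = {d.get("Name"): (d.text or "")
            for d in root.iterfind("e:EventData/e:Data", NS)}
    old, new = _uac(data.get("OldUacValue")), _uac(data.get("NewUacValue"))
    if old is None or new is None:
        return None
    # Alert only on an off -> on transition of the bit, not on every account change.
    if new & SAM_TRUSTED_FOR_DELEGATION and not old & SAM_TRUSTED_FOR_DELEGATION:
        return {"computer": data.get("TargetUserName"),
                "changed_by": data.get("SubjectUserName")}
    return None


if __name__ == "__main__":
    print(delegation_enabled(SAMPLE_4742))
```
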

 

5 Replies
Highlighted

@Deleted, as far as I know there is no such detection.

@Tali Ash, can you confirm?

 

You can find a list of alert types in this link:

https://docs.microsoft.com/en-us/azure-advanced-threat-protection/suspicious-activity-guide

This is updated from time to time when we add more detections.

Highlighted

@Eli Ofek Do you consider adding this detection rule to it?

Highlighted

I will let @Tali Ash comment on that as this is a product decision, and she might know if this is somewhere in the roadmap.

Highlighted

@Or Tsemah Can you please share with @Deleted the relevant identity security posture reports?

Huy, what you are suggesting is covered by reports and not alerts, as it is more relevant for dangerous configurations in the environment.

Highlighted

@Deleted I can confirm that this feature (exposing which entity has an unsecure Kerberos delegation such as Unconstrained or some variations of constrained\resource based delegations) is in private preview and I hope to share some information about its release soon.

If you would like to know more, you can contact me directly.