From 41f5ebc403276b3bfd2083594e907b82c5ebdc9c Mon Sep 17 00:00:00 2001
From: David Vassallo
Date: Fri, 7 Jun 2019 13:29:45 +0300
Subject: [PATCH 1/2] Update win_alert_ad_user_backdoors.yml

the original rule generates false positives if the "AllowedToDelegateTo" is set to "-". This seems to be a common occurrence, hence my proposed addition
---
 rules/windows/builtin/win_alert_ad_user_backdoors.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/rules/windows/builtin/win_alert_ad_user_backdoors.yml b/rules/windows/builtin/win_alert_ad_user_backdoors.yml
index c3bd5fbd..27055e1c 100644
--- a/rules/windows/builtin/win_alert_ad_user_backdoors.yml
+++ b/rules/windows/builtin/win_alert_ad_user_backdoors.yml
@@ -19,6 +19,7 @@ detection:
 EventID: 4738
 filter1:
 AllowedToDelegateTo: null
+ AllowedToDelegateTo: '-'
 selection2:
 EventID: 5136
 AttributeLDAPDisplayName: 'msDS-AllowedToDelegateTo'

From a47ec859a82e6c830e3bb8b75fda0c83b984ce69 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 19 Jun 2019 08:20:41 +0200
Subject: [PATCH 2/2] List for field 'AllowedToDelegateTo'

---
 rules/windows/builtin/win_alert_ad_user_backdoors.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/rules/windows/builtin/win_alert_ad_user_backdoors.yml b/rules/windows/builtin/win_alert_ad_user_backdoors.yml
index 27055e1c..1ff68cd9 100644
--- a/rules/windows/builtin/win_alert_ad_user_backdoors.yml
+++ b/rules/windows/builtin/win_alert_ad_user_backdoors.yml
@@ -18,8 +18,9 @@ detection:
 selection1:
 EventID: 4738
 filter1:
- AllowedToDelegateTo: null
- AllowedToDelegateTo: '-'
+ AllowedToDelegateTo:
+ - null
+ - '-'
 selection2:
 EventID: 5136
 AttributeLDAPDisplayName: 'msDS-AllowedToDelegateTo'
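Review bot: The list under `filter1` in the second hunk now ORs `null` and `'-'`, but nothing in the rule records why `'-'` is excluded, so a later reader could mistake it for a legitimate delegation target rather than the placeholder Windows writes into 4738 for an attribute that was not changed. I would add a comment above the list, `# 4738 reports an unchanged attribute as '-'; only real changes to AllowedToDelegateTo should pass the filter`. The `condition` that applies `filter1` lies outside the hunk, so whether it is used as `selection1 and not filter1` cannot be confirmed here; if it is, the duplicate-key form from the first hunk would have let a YAML loader keep only the last `AllowedToDelegateTo` value and silently drop the `null` case, which the list form avoids. Matching on `null` also depends on the target backend being able to express an absent-field check, which not every Sigma backend supports, so the rule's test coverage should include a 4738 event where the field is missing entirely.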