Sample rules
Windows AD Short Lived Domain Account ServicePrincipalName
- source: splunk
- techniques:
  - T1098
Description
The following analytic identifies the addition of a Service Principal Name to a domain account that is then deleted within 5 minutes or less. While this event may be a legitimate part of certain administrative operations, it may also be evidence of a persistence attack. Domain accounts with Service Principal Names are vulnerable to a technique called Kerberoasting, which enables attackers to potentially obtain the cleartext password of the account by performing offline cracking. An adversary who has obtained privileged access to a domain environment may add an SPN to a privileged account, leverage the Kerberoasting technique against it, and attempt to obtain its cleartext password. To clean up afterwards, the adversary may delete the SPN, which will trigger this detection.
Detection logic
`wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=servicePrincipalName
| transaction ObjectDN AttributeValue startswith=(EventCode=5136 OperationType="%%14674") endswith=(EventCode=5136 OperationType="%%14675")
| eval short_lived=case((duration<300),"TRUE")
| search short_lived = TRUE
| rename ObjectDN as user
| `windows_ad_short_lived_domain_account_serviceprincipalname_filter`
Windows AD ServicePrincipalName Added To Domain Account
- source: splunk
- techniques:
  - T1098
Description
The following analytic identifies the addition of a Service Principal Name to a domain account. While this event may be a legitimate part of certain administrative operations, it may also be evidence of a persistence attack. Domain accounts with Service Principal Names are vulnerable to a technique called Kerberoasting, which enables attackers to potentially obtain the cleartext password of the account by performing offline cracking. An adversary who has obtained privileged access to a domain environment may add an SPN to a privileged account, leverage the Kerberoasting technique against it, and attempt to obtain its cleartext password.
Detection logic
`wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=servicePrincipalName OperationType="%%14674"
| stats values(ObjectDN) as ObjectDN by _time, Computer, SubjectUserName, AttributeValue
| rename Computer as dest SubjectUserName as user
| `windows_ad_serviceprincipalname_added_to_domain_account_filter`
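The two analytics above share one base search (event 5136 on the servicePrincipalName attribute) and differ only in how the records are correlated: the first pairs a value-added operation with a later value-deleted operation on the same object and SPN and keeps pairs under 300 seconds apart; the second simply groups every value-added operation. The following is an added example, not code from the page or from Splunk's content, that re-implements both rules in Python over a handful of constructed event 5136 records so the add/delete pairing and the 300-second threshold can be exercised without a Splunk instance. Field names follow the SPL searches; the account DNs, host, actor names, SPN values and timestamps are invented sample data.

```python
"""Re-implementation of the two servicePrincipalName (SPN) analytics above as plain
Python, run over constructed Windows Security event 5136 records (not real logs)."""
from collections import defaultdict
from datetime import datetime

# Directory Service Changes (event 5136) OperationType values used by both rules.
SPN_VALUE_ADDED = "%%14674"
SPN_VALUE_DELETED = "%%14675"
SHORT_LIVED_SECONDS = 300  # the first rule's duration<300 threshold


def _ts(s):
    return datetime.fromisoformat(s)


def _event(time, code, op=None, attr=None, value=None, obj=None, actor=None, host="DC01"):
    """Build a minimal record carrying the fields the SPL searches reference."""
    return {
        "_time": _ts(time), "EventCode": code, "OperationType": op,
        "AttributeLDAPDisplayName": attr, "AttributeValue": value,
        "ObjectDN": obj, "SubjectUserName": actor, "Computer": host,
    }


# Constructed sample data: hypothetical accounts, host, actors and SPNs.
SVC_BACKUP = "CN=svc_backup,OU=Service Accounts,DC=corp,DC=example"
SVC_SQL = "CN=svc_sql,OU=Service Accounts,DC=corp,DC=example"
SVC_APP = "CN=svc_app,OU=Service Accounts,DC=corp,DC=example"

SAMPLE_EVENTS = [
    # SPN added to svc_backup and removed 150 s later: the short-lived pattern
    _event("2024-05-01T10:00:00", 5136, SPN_VALUE_ADDED, "servicePrincipalName",
           "HTTP/web01.corp.example", SVC_BACKUP, "jdoe"),
    _event("2024-05-01T10:02:30", 5136, SPN_VALUE_DELETED, "servicePrincipalName",
           "HTTP/web01.corp.example", SVC_BACKUP, "jdoe"),
    # A 5136 for a different attribute: must be ignored by both rules
    _event("2024-05-01T10:01:00", 5136, SPN_VALUE_ADDED, "description",
           "Backup service", SVC_BACKUP, "jdoe"),
    # SPN added and never removed: only the "added" rule should report it
    _event("2024-05-01T10:05:00", 5136, SPN_VALUE_ADDED, "servicePrincipalName",
           "MSSQLSvc/db01.corp.example:1433", SVC_SQL, "admin"),
    # SPN added and removed after 20 minutes: reported as added, but not short-lived
    _event("2024-05-01T11:00:00", 5136, SPN_VALUE_ADDED, "servicePrincipalName",
           "HTTP/app02.corp.example", SVC_APP, "admin"),
    _event("2024-05-01T11:20:00", 5136, SPN_VALUE_DELETED, "servicePrincipalName",
           "HTTP/app02.corp.example", SVC_APP, "admin"),
    # Unrelated event code, ignored by the base search
    _event("2024-05-01T11:30:00", 4624, actor="jdoe"),
]


def is_spn_change(ev):
    """The shared base search: EventCode=5136 AttributeLDAPDisplayName=servicePrincipalName."""
    return ev["EventCode"] == 5136 and ev["AttributeLDAPDisplayName"] == "servicePrincipalName"


def spn_additions(events):
    """Second rule: every SPN value added, grouped by _time, Computer, SubjectUserName
    and AttributeValue, mirroring the SPL `stats values(ObjectDN) ... by` clause."""
    groups = defaultdict(set)
    for ev in events:
        if is_spn_change(ev) and ev["OperationType"] == SPN_VALUE_ADDED:
            key = (ev["_time"], ev["Computer"], ev["SubjectUserName"], ev["AttributeValue"])
            groups[key].add(ev["ObjectDN"])
    # rename Computer as dest, SubjectUserName as user
    return [
        {"_time": t, "dest": host, "user": actor, "AttributeValue": spn, "ObjectDN": sorted(dns)}
        for (t, host, actor, spn), dns in sorted(groups.items())
    ]


def short_lived_spns(events, max_seconds=SHORT_LIVED_SECONDS):
    """First rule: an SPN add followed by a delete of the same value on the same object
    (the SPL `transaction ObjectDN AttributeValue startswith=... endswith=...`),
    kept only when the add-to-delete duration is under max_seconds."""
    pending = {}  # (ObjectDN, AttributeValue) -> time the value was added
    findings = []
    for ev in sorted(events, key=lambda e: e["_time"]):
        if not is_spn_change(ev):
            continue
        key = (ev["ObjectDN"], ev["AttributeValue"])
        if ev["OperationType"] == SPN_VALUE_ADDED:
            pending[key] = ev["_time"]
        elif ev["OperationType"] == SPN_VALUE_DELETED and key in pending:
            duration = (ev["_time"] - pending.pop(key)).total_seconds()
            if duration < max_seconds:
                # rename ObjectDN as user, as the SPL does
                findings.append({"user": ev["ObjectDN"], "spn": ev["AttributeValue"],
                                 "duration": duration, "dest": ev["Computer"]})
    return findings


if __name__ == "__main__":
    for row in spn_additions(SAMPLE_EVENTS):
        print("SPN added:", row)
    for hit in short_lived_spns(SAMPLE_EVENTS):
        print("Short-lived SPN:", hit)
```

Running the block reports three SPN additions (svc_backup, svc_sql, svc_app) and one short-lived finding (svc_backup, 150 seconds); the svc_app pair is 1200 seconds apart and so falls outside the 300-second window, and the `description` change and the 4624 record never pass the base search. The pairing key is the same `(ObjectDN, AttributeValue)` the SPL `transaction` command uses, so a delete with no preceding add for that exact SPN value is ignored rather than matched against an unrelated add.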