LoFP / A service principal name should only be added to an account when an application requires it. Adding an SPN and quickly deleting it is less common but may be part of legitimate action. Filter as needed.

Sample rules

Windows AD Short Lived Domain Account ServicePrincipalName

Description

The following analytic identifies the addition of a Service Principal Name to a domain account that is then deleted within 5 minutes or less. While this event may be part of legitimate administrative operations, it may also be evidence of a persistence attack. Domain accounts with Service Principal Names are vulnerable to a technique called Kerberoasting, which enables attackers to potentially obtain the cleartext password of the account by performing offline cracking. An adversary who has obtained privileged access to a domain environment may add an SPN to a privileged account, leverage the Kerberoasting technique against it and attempt to obtain its cleartext password. To clean things up, the adversary may delete the SPN, which will trigger this detection.

Detection logic

 `wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=servicePrincipalName 
| transaction ObjectDN AttributeValue startswith=(EventCode=5136 OperationType="%%14674") endswith=(EventCode=5136 OperationType="%%14675") 
| eval short_lived=case((duration<300),"TRUE") 
| search short_lived = TRUE 
| rename ObjectDN as user 
| `windows_ad_short_lived_domain_account_serviceprincipalname_filter`

Windows AD ServicePrincipalName Added To Domain Account

Description

The following analytic identifies the addition of a Service Principal Name to a domain account. While this event may be part of legitimate administrative operations, it may also be evidence of a persistence attack. Domain accounts with Service Principal Names are vulnerable to a technique called Kerberoasting, which enables attackers to potentially obtain the cleartext password of the account by performing offline cracking. An adversary who has obtained privileged access to a domain environment may add an SPN to a privileged account, leverage the Kerberoasting technique against it and attempt to obtain its cleartext password.

Detection logic

 `wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=servicePrincipalName OperationType="%%14674" 
| stats values(ObjectDN) as ObjectDN by _time, Computer, SubjectUserName, AttributeValue 
| rename Computer as dest SubjectUserName as user 
| `windows_ad_serviceprincipalname_added_to_domain_account_filter`
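As an added example, not part of this page or of the detection content it describes, here is the logic of both searches above (the short-lived add/delete pairing and the plain SPN-added listing) applied in Python to a few constructed Event 5136 records; the host, account and SPN values are made up.

```python
from datetime import datetime

SPN_ADDED, SPN_DELETED = "%%14674", "%%14675"   # OperationType: value added / value deleted

def ev(time, op, obj, value, actor, attr="servicePrincipalName"):
    """Build a reduced Event 5136 record with only the fields the two rules use."""
    return {"_time": time, "EventCode": 5136, "Computer": "dc01.corp.example",
            "SubjectUserName": actor, "ObjectDN": obj,
            "AttributeLDAPDisplayName": attr, "AttributeValue": value, "OperationType": op}

# Constructed sample events (not real logs): an SPN added and removed within
# 150 s, a normal SPN addition, and an unrelated attribute change to be ignored.
SAMPLE_EVENTS = [
    ev("2024-05-01T10:00:00", SPN_ADDED, "CN=dbadmin,OU=Users,DC=corp,DC=example",
       "MSSQLSvc/db01.corp.example:1433", "svc_admin"),
    ev("2024-05-01T10:02:30", SPN_DELETED, "CN=dbadmin,OU=Users,DC=corp,DC=example",
       "MSSQLSvc/db01.corp.example:1433", "svc_admin"),
    ev("2024-05-01T11:00:00", SPN_ADDED, "CN=websvc,OU=Service,DC=corp,DC=example",
       "HTTP/web01.corp.example", "app_deploy"),
    ev("2024-05-01T11:05:00", SPN_ADDED, "CN=websvc,OU=Service,DC=corp,DC=example",
       "New description", "app_deploy", attr="description"),
]

def spn_events(events):
    """Shared base search: EventCode=5136 AttributeLDAPDisplayName=servicePrincipalName."""
    return [e for e in events
            if e["EventCode"] == 5136 and e["AttributeLDAPDisplayName"] == "servicePrincipalName"]

def spn_added(events):
    """Second rule: every SPN addition, with the fields of the `stats ... by` clause."""
    return [{"_time": e["_time"], "dest": e["Computer"], "user": e["SubjectUserName"],
             "AttributeValue": e["AttributeValue"], "ObjectDN": e["ObjectDN"]}
            for e in spn_events(events) if e["OperationType"] == SPN_ADDED]

def short_lived_spns(events, max_seconds=300):
    """First rule: an add followed by a delete of the same SPN on the same object
    in under max_seconds (the `transaction ... | eval short_lived` pipeline)."""
    pending = {}  # (ObjectDN, AttributeValue) -> time of the unmatched add
    hits = []
    for e in sorted(spn_events(events), key=lambda r: r["_time"]):
        key, t = (e["ObjectDN"], e["AttributeValue"]), datetime.fromisoformat(e["_time"])
        if e["OperationType"] == SPN_ADDED:
            pending[key] = t              # transaction startswith
        elif e["OperationType"] == SPN_DELETED and key in pending:
            duration = (t - pending.pop(key)).total_seconds()   # transaction endswith
            if duration < max_seconds:    # eval short_lived=case((duration<300),"TRUE")
                hits.append({"user": e["ObjectDN"], "spn": e["AttributeValue"], "duration": duration})
    return hits
```

`short_lived_spns(SAMPLE_EVENTS)` returns the dbadmin add/delete pair with a 150 s duration, while `spn_added(SAMPLE_EVENTS)` lists both SPN additions and skips the description change.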