LoFP / administration activity

Techniques

Sample rules

Potential SPN Enumeration Via Setspn.EXE

Description

Detects service principal name (SPN) enumeration used for Kerberoasting

Detection logic

condition: all of selection_*
selection_cli:
  CommandLine|contains:
  - ' -q '
  - ' /q '
selection_pe:
- Image|endswith: \setspn.exe
- OriginalFileName: setspn.exe
- Description|contains|all:
  - Query or reset the computer
  - SPN attribute