ServicePrincipalNames Discovery with SetSPN
- source: splunk
- techniques:
- T1558.003
Description
The following analytic identifies setspn.exe usage related to querying the domain for Service Principal Names. Typically, this is a precursor activity related to kerberoasting or the silver ticket attack.
What is a ServicePrincipalName?
A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. This allows a client application to request that the service authenticate an account even if the client does not have the account name.
Example usage includes the following:
1. setspn -T offense -Q /
2. setspn -T attackrange.local -F -Q MSSQLSvc/*
3. setspn -Q / > allspns.txt
4. setspn -q

Values:
- -F = perform queries at the forest, rather than domain level
- -T = perform query on the specified domain or forest (when -F is also used)
- -Q = query for existence of SPN

During triage, review parallel processes for further suspicious activity.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_setspn` (Processes.process="*-t*" AND Processes.process="*-f*") OR (Processes.process="*-q*" AND Processes.process="**/**") OR (Processes.process="*-q*") OR (Processes.process="*-s*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `serviceprincipalnames_discovery_with_setspn_filter`
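The search above is easiest to reason about when its where clause is written out as ordinary code. The following is an added example, not Splunk's code or part of this rule: it re-implements the same OR-branches of flag matching, the `by` grouping with count/firstTime/lastTime, and a small triage helper for the "review parallel processes" step, over constructed process events shaped like Endpoint.Processes rows. The `process_setspn` macro is not defined on this page, so `is_setspn` is an assumption that it matches on process name or original file name; the case-insensitive wildcard matching is likewise an assumption about how Splunk evaluates these patterns.

```python
"""Added example (not Splunk's code): the setspn discovery logic from the SPL
search above, re-implemented over constructed process events so the flag
conditions and the grouping can be inspected locally."""
import fnmatch

# Fields the tstats search groups by (Processes.* prefix dropped, as drop_dm_object_name does).
GROUP_BY = ("dest", "user", "parent_process_name", "process_name", "process")

# Each tuple is one OR-branch of the where clause; patterns inside a tuple are ANDed.
SETSPN_PATTERNS = (
    ("*-t*", "*-f*"),   # -T <domain/forest> together with -F: forest-wide query
    ("*-q*", "**/**"),  # -Q with an SPN argument that contains a "/"
    ("*-q*",),          # any -Q query
    ("*-s*",),          # -S (matching is case-insensitive, so -s too)
)

# Constructed sample events (not real telemetry); _time is epoch seconds.
SAMPLE_EVENTS = [
    {"_time": 100, "dest": "ws01", "user": "alice", "parent_process_name": "cmd.exe",
     "process_name": "setspn.exe", "original_file_name": "setspn.exe",
     "process": "setspn -T attackrange.local -F -Q MSSQLSvc/*"},
    {"_time": 160, "dest": "ws01", "user": "alice", "parent_process_name": "cmd.exe",
     "process_name": "setspn.exe", "original_file_name": "setspn.exe",
     "process": "setspn -Q / > allspns.txt"},
    {"_time": 170, "dest": "ws01", "user": "alice", "parent_process_name": "cmd.exe",
     "process_name": "whoami.exe", "original_file_name": "whoami.exe",
     "process": "whoami /groups"},
    {"_time": 200, "dest": "ws01", "user": "alice", "parent_process_name": "cmd.exe",
     "process_name": "setspn.exe", "original_file_name": "setspn.exe",
     "process": "setspn -Q / > allspns.txt"},
    {"_time": 400, "dest": "dc01", "user": "svc_admin", "parent_process_name": "cmd.exe",
     "process_name": "setspn.exe", "original_file_name": "setspn.exe",
     "process": "setspn -L dc01"},            # -L only: none of the flagged branches
    {"_time": 500, "dest": "ws02", "user": "bob", "parent_process_name": "explorer.exe",
     "process_name": "notepad.exe", "original_file_name": "notepad.exe",
     "process": "notepad -q notes.txt"},      # has "-q" but is not setspn.exe
    {"_time": 600, "dest": "ws03", "user": "eve", "parent_process_name": "cmd.exe",
     "process_name": "s.exe", "original_file_name": "setspn.exe",
     "process": "s.exe -Q /"},                # renamed copy, caught via original_file_name
]


def like(value: str, pattern: str) -> bool:
    """Splunk-style wildcard match (assumed): '*' matches any run of characters, case-insensitive."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def is_setspn(event: dict) -> bool:
    """Stand-in for the `process_setspn` macro (assumption: it matches the process name
    or the PE original file name, so a renamed copy of setspn.exe is still covered)."""
    return any(event.get(k, "").lower() == "setspn.exe"
               for k in ("process_name", "original_file_name"))


def matches_detection(event: dict) -> bool:
    """True when the event is setspn.exe and its command line hits any OR-branch."""
    if not is_setspn(event):
        return False
    cmd = event.get("process", "")
    return any(all(like(cmd, p) for p in branch) for branch in SETSPN_PATTERNS)


def aggregate(events: list) -> dict:
    """Mirror the tstats output: count, firstTime and lastTime per GROUP_BY key."""
    groups = {}
    for ev in events:
        if not matches_detection(ev):
            continue
        key = tuple(ev.get(k, "") for k in GROUP_BY)
        g = groups.setdefault(key, {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"]})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], ev["_time"])
        g["lastTime"] = max(g["lastTime"], ev["_time"])
    return groups


def parallel_processes(events: list, hit: dict, window: int = 300) -> list:
    """Triage helper: other processes on the same host within +/- window seconds of a hit."""
    return [ev for ev in events
            if ev is not hit and ev["dest"] == hit["dest"]
            and abs(ev["_time"] - hit["_time"]) <= window]


if __name__ == "__main__":
    for key, stats in aggregate(SAMPLE_EVENTS).items():
        print(dict(zip(GROUP_BY, key)), stats)
    for ev in parallel_processes(SAMPLE_EVENTS, SAMPLE_EVENTS[1], window=30):
        print("parallel:", ev["process"])
```

Two things worth noticing when running it: the `-L` listing on dc01 is not flagged, because the rule targets the query and forest flags rather than every setspn invocation, and the `*-s*` branch will also match a legitimate `-S` registration by an administrator, which is exactly the kind of hit the filter macro at the end of the search exists to tune out.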