Techniques
Sample rules
Windows Computer Account With SPN
- source: splunk
- technicques:
- T1558
Description
The following analytic identifies two SPNs, HOST and RestrictedKrbHost, added using the KrbRelayUp behavior. This particular behavior has been found in other Kerberos based attacks.
Detection logic
`wineventlog_security` EventCode=4741 NewUacValue="0x80" ServicePrincipalNames IN ("*HOST/*","*RestrictedKrbHost/*")
| stats count min(_time) as firstTime max(_time) as lastTime values(EventCode),values(TargetDomainName),values(PrimaryGroupId), values(OldUacValue), values(NewUacValue),values(SamAccountName),values(DnsHostName),values(ServicePrincipalNames) by dest Logon_ID subject
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_computer_account_with_spn_filter`