Techniques
Sample rules
Windows Computer Account Created by Computer Account
- source: splunk
- techniques:
- T1558
Description
The following analytic identifies a Computer Account creating a new Computer Account with a specific Service Principal Name, “RestrictedKrbHost”. The RestrictedKrbHost service class allows client applications to use Kerberos authentication when they do not have the identity of the service but have the server name.
Detection logic
`wineventlog_security` EventCode=4741 user_type=computer SubjectDomainName!="NT AUTHORITY" ServicePrincipalNames=*RestrictedKrbHost*
| stats count min(_time) as firstTime max(_time) as lastTime by dest, subject, action, src_user, user, user_type, SubjectUserName, SubjectDomainName
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_computer_account_created_by_computer_account_filter`
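As an added example (not part of the Splunk content), the same search filter and `stats` aggregation expressed in Python over constructed 4741 events. The trailing `$` check stands in for Splunk's `user_type=computer` field and is an assumption; the aggregation groups by dest and subject only, so repeated creations by one computer account land on one row.

```python
from collections import defaultdict

# Constructed sample events (not real log data). Field names mirror the SPL:
# SubjectUserName/SubjectDomainName is the creating account, "user" the new one.
SAMPLE_EVENTS = [
    {"_time": "2024-01-10T09:00:00Z", "EventCode": 4741, "dest": "dc01.corp.example",
     "SubjectUserName": "WS-FINANCE01$", "SubjectDomainName": "CORP",
     "user": "NEWHOST01$",
     "ServicePrincipalNames": "HOST/newhost01;RestrictedKrbHost/newhost01"},
    {"_time": "2024-01-10T09:05:00Z", "EventCode": 4741, "dest": "dc01.corp.example",
     "SubjectUserName": "WS-FINANCE01$", "SubjectDomainName": "CORP",
     "user": "NEWHOST02$",
     "ServicePrincipalNames": "RestrictedKrbHost/newhost02"},
    # Benign: a human administrator joins a workstation to the domain.
    {"_time": "2024-01-10T09:10:00Z", "EventCode": 4741, "dest": "dc01.corp.example",
     "SubjectUserName": "jsmith", "SubjectDomainName": "CORP",
     "user": "WS-SALES07$",
     "ServicePrincipalNames": "HOST/ws-sales07;RestrictedKrbHost/ws-sales07"},
    # Excluded by the SubjectDomainName!="NT AUTHORITY" clause.
    {"_time": "2024-01-10T09:15:00Z", "EventCode": 4741, "dest": "dc01.corp.example",
     "SubjectUserName": "SYSTEM", "SubjectDomainName": "NT AUTHORITY",
     "user": "NEWHOST03$",
     "ServicePrincipalNames": "RestrictedKrbHost/newhost03"},
]

def is_computer_account(name: str) -> bool:
    # Assumption standing in for Splunk's user_type=computer: the
    # sAMAccountName of a computer account ends with "$".
    return name.endswith("$")

def matches(event: dict) -> bool:
    """One event passes the same conditions as the SPL search clause."""
    return (event["EventCode"] == 4741
            and is_computer_account(event["SubjectUserName"])
            and event["SubjectDomainName"] != "NT AUTHORITY"
            and "RestrictedKrbHost" in event["ServicePrincipalNames"])

def detect(events: list) -> list:
    """Equivalent of the `stats` stage: one row per (dest, subject) with the
    created accounts, count, firstTime and lastTime (ISO strings sort correctly)."""
    groups = defaultdict(list)
    for ev in filter(matches, events):
        groups[(ev["dest"], ev["SubjectDomainName"], ev["SubjectUserName"])].append(ev)
    return [{"dest": dest, "subject": f"{dom}\\{subj}",
             "created": sorted(e["user"] for e in evs), "count": len(evs),
             "firstTime": min(e["_time"] for e in evs),
             "lastTime": max(e["_time"] for e in evs)}
            for (dest, dom, subj), evs in groups.items()]

if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS):
        print(row)
```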