← Library
kqlElastic-2.0from elastic/detection-rules

User account exposed to Kerberoasting

Quality
92
FP risk
Forks
0
Views
0
ATT&CK techniques
T1558T1558.003T1098
Rule sourcerules/windows/credential_access_spn_attribute_modified.toml
event.code:5136 and host.os.type:"windows" and winlog.event_data.OperationType:"%%14674" and
  winlog.event_data.ObjectClass:"user" and
  winlog.event_data.AttributeLDAPDisplayName:"servicePrincipalName"