Language: SPL | License: Apache-2.0 | Source: splunk/security_content
ServicePrincipalNames Discovery with PowerShell
The following analytic detects the use of `powershell.exe` to query the domain for Service Principal Names (SPNs) using PowerShell Script Block Logging (EventCode 4104). It identifies the use of the KerberosRequestorSecurityToken class within the logged script block, which is functionally equivalent to querying SPNs with setspn.exe. This activity is significant because it often precedes kerberoasting or silver ticket attacks, which can lead to credential theft. If confirmed malicious, attackers could leverage this information to escalate privileges or persist within the environment.
Quality: 59 | FP risk: — | Forks: 0 | Views: 0
Rule source: detections/endpoint/serviceprincipalnames_discovery_with_powershell.yml
`powershell` EventCode=4104 ScriptBlockText="*KerberosRequestorSecurityToken*"
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime BY dest signature signature_id user_id vendor_product EventID Guid Opcode Name Path ProcessID ScriptBlockId ScriptBlockText
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `serviceprincipalnames_discovery_with_powershell_filter`
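As an added example (not code from the security_content project), the Python below replays the rule's filter, `fillnull` and `stats ... BY` logic over constructed 4104 events so the detection can be unit-tested offline. It assumes Splunk's case-insensitive field=value wildcard matching and fillnull's default fill value of 0, and it leaves the `security_content_ctime` macros out (times stay as epoch seconds).

```python
from collections import defaultdict

# Field list copied from the rule's stats ... BY clause.
BY_FIELDS = ["dest", "signature", "signature_id", "user_id", "vendor_product",
             "EventID", "Guid", "Opcode", "Name", "Path", "ProcessID",
             "ScriptBlockId", "ScriptBlockText"]
PATTERN = "KerberosRequestorSecurityToken"

# Constructed sample events (not real telemetry); _time is epoch seconds.
SAMPLE_EVENTS = [
    {"EventCode": 4104, "dest": "ws01", "user_id": "CORP\\alice", "ScriptBlockId": "sb-1",
     "ScriptBlockText": "$t = New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken",
     "_time": 1700000000},
    {"EventCode": 4104, "dest": "ws01", "user_id": "CORP\\alice", "ScriptBlockId": "sb-1",
     "ScriptBlockText": "$t = New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken",
     "_time": 1700000060},
    {"EventCode": 4104, "dest": "ws02", "user_id": "CORP\\bob", "ScriptBlockId": "sb-2",
     "ScriptBlockText": "Get-Service -Name Spooler", "_time": 1700000120},
    # Same string in a 4103 (module logging) event: out of scope for this rule.
    {"EventCode": 4103, "dest": "ws03", "user_id": "CORP\\carol", "ScriptBlockId": "sb-3",
     "ScriptBlockText": "... KerberosRequestorSecurityToken ...", "_time": 1700000180},
    # Mixed case: Splunk field=value wildcard matching is case-insensitive.
    {"EventCode": 4104, "dest": "ws04", "user_id": "CORP\\dave", "ScriptBlockId": "sb-4",
     "ScriptBlockText": "new-object ...kerberosrequestorsecuritytoken", "_time": 1700000240},
]

def matches(event):
    """The search filter: EventCode=4104 ScriptBlockText="*KerberosRequestorSecurityToken*"."""
    return (event.get("EventCode") == 4104
            and PATTERN.lower() in str(event.get("ScriptBlockText", "")).lower())

def fillnull(event):
    """`| fillnull` with no arguments writes "0" into missing fields; without it,
    stats BY would silently drop any event lacking a BY field such as Guid or Path."""
    filled = {f: event.get(f, "0") for f in BY_FIELDS}
    filled["_time"] = event["_time"]
    return filled

def run_detection(events):
    """Return {BY-key tuple: {count, firstTime, lastTime}} like the stats command."""
    groups = defaultdict(list)
    for ev in events:
        if matches(ev):
            filled = fillnull(ev)
            groups[tuple(filled[f] for f in BY_FIELDS)].append(filled["_time"])
    return {k: {"count": len(t), "firstTime": min(t), "lastTime": max(t)}
            for k, t in groups.items()}
```

Calling `run_detection(SAMPLE_EVENTS)` yields two groups (ws01 with count 2, ws04 with count 1); the benign block and the 4103 event do not surface, which is the behaviour to check against before tuning the filter macro.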