SPL | Apache-2.0 | from splunk/security_content
Windows AD ServicePrincipalName Added To Domain Account
The following analytic detects the addition of a Service Principal Name (SPN) to a domain user account. It leverages Windows Event Code 5136 (a directory service object was modified) and matches only "Value Added" changes to the servicePrincipalName attribute on objects of class user. This activity is significant because it may indicate preparation for Kerberoasting, a technique in which an attacker requests Kerberos service tickets for accounts that carry an SPN and cracks them offline to recover the account password. If confirmed malicious, this could give an attacker cleartext credentials for a domain account, leading to unauthorized access and potential lateral movement within the domain environment.
Quality: 67 | FP risk: — | Forks: 0 | Views: 0
Rule source: detections/endpoint/windows_ad_serviceprincipalname_added_to_domain_account.yml
`wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=servicePrincipalName OperationType="%%14674" ObjectClass=user | stats values(ObjectDN) as ObjectDN by _time, Computer, SubjectUserName, AttributeValue | rex field=ObjectDN "^CN=(?P<user>[a-zA-Z0-9!#$%&'@^_{}~.-]+)," | rename Computer as dest, SubjectUserName as src_user | `windows_ad_serviceprincipalname_added_to_domain_account_filter`
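To make the search's logic concrete, the following Python port applies the same filter, grouping, CN extraction and field renames to a handful of constructed Event 5136 records. It is an added example and not code from splunk/security_content; the event dictionaries are constructed by hand to mirror the field names the search uses, and the hostnames and account names in them are invented.

```python
import re
from collections import defaultdict

# Constructed Event 5136 records, shaped like the fields Splunk extracts from
# the Windows Security "directory service object was modified" event.
# OperationType %%14674 is "Value Added"; %%14675 is "Value Deleted".
SAMPLE_EVENTS = [
    # 1. SPN added to a user object by jdoe: should alert.
    {"_time": "2024-05-01T10:00:00", "EventCode": "5136", "Computer": "dc01.corp.local",
     "SubjectUserName": "jdoe", "ObjectClass": "user",
     "ObjectDN": "CN=svc-backup,OU=Service Accounts,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "servicePrincipalName",
     "AttributeValue": "HTTP/backup.corp.local", "OperationType": "%%14674"},
    # 2. Same actor, time and SPN value on a second user: folded into alert 1 by the stats.
    {"_time": "2024-05-01T10:00:00", "EventCode": "5136", "Computer": "dc01.corp.local",
     "SubjectUserName": "jdoe", "ObjectClass": "user",
     "ObjectDN": "CN=svc-web,OU=Service Accounts,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "servicePrincipalName",
     "AttributeValue": "HTTP/backup.corp.local", "OperationType": "%%14674"},
    # 3. SPN removed (Value Deleted): not an addition, no alert.
    {"_time": "2024-05-01T10:02:00", "EventCode": "5136", "Computer": "dc01.corp.local",
     "SubjectUserName": "jdoe", "ObjectClass": "user",
     "ObjectDN": "CN=svc-old,OU=Service Accounts,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "servicePrincipalName",
     "AttributeValue": "HTTP/old.corp.local", "OperationType": "%%14675"},
    # 4. SPN added to a computer object: excluded by ObjectClass=user.
    {"_time": "2024-05-01T10:03:00", "EventCode": "5136", "Computer": "dc01.corp.local",
     "SubjectUserName": "WS01$", "ObjectClass": "computer",
     "ObjectDN": "CN=WS01,OU=Workstations,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "servicePrincipalName",
     "AttributeValue": "HOST/ws01.corp.local", "OperationType": "%%14674"},
    # 5. A different attribute changed on a user: no alert.
    {"_time": "2024-05-01T10:04:00", "EventCode": "5136", "Computer": "dc01.corp.local",
     "SubjectUserName": "helpdesk", "ObjectClass": "user",
     "ObjectDN": "CN=svc-backup,OU=Service Accounts,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "description",
     "AttributeValue": "Backup service", "OperationType": "%%14674"},
    # 6. SPN added to a user on a second DC by admin: should alert.
    {"_time": "2024-05-01T10:05:00", "EventCode": "5136", "Computer": "dc02.corp.local",
     "SubjectUserName": "admin", "ObjectClass": "user",
     "ObjectDN": "CN=sqladmin,OU=Users,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "servicePrincipalName",
     "AttributeValue": "MSSQLSvc/db01.corp.local:1433", "OperationType": "%%14674"},
    # 7. SPN added to a user whose CN contains a space: alerts, but the search's
    #    CN regex (no space in its character class) yields no user field.
    {"_time": "2024-05-01T10:10:00", "EventCode": "5136", "Computer": "dc01.corp.local",
     "SubjectUserName": "helpdesk", "ObjectClass": "user",
     "ObjectDN": "CN=Jane Smith,OU=Users,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "servicePrincipalName",
     "AttributeValue": "HOST/jane-vdi", "OperationType": "%%14674"},
]

# Same pattern as the search's rex command.
CN_RE = re.compile(r"^CN=(?P<user>[a-zA-Z0-9!#$%&'@^_{}~.-]+),")


def matches_rule(event):
    """Port of the search's filter clause: EventCode=5136, servicePrincipalName
    attribute, OperationType %%14674 (Value Added), ObjectClass=user."""
    return (event.get("EventCode") == "5136"
            and event.get("AttributeLDAPDisplayName") == "servicePrincipalName"
            and event.get("OperationType") == "%%14674"
            and event.get("ObjectClass") == "user")


def detect_spn_additions(events):
    """Port of the stats / rex / rename pipeline.

    Returns one alert per (_time, Computer, SubjectUserName, AttributeValue)
    group, ordered by time, with the distinct ObjectDN values collected and the
    CN extracted from each one that the regex can parse."""
    groups = defaultdict(list)
    for ev in events:
        if not matches_rule(ev):
            continue
        key = (ev["_time"], ev["Computer"], ev["SubjectUserName"], ev["AttributeValue"])
        if ev["ObjectDN"] not in groups[key]:  # stats values() keeps distinct values
            groups[key].append(ev["ObjectDN"])

    alerts = []
    for (t, computer, subject, spn), dns in sorted(groups.items()):
        users = [m.group("user") for dn in dns if (m := CN_RE.match(dn))]
        alerts.append({"_time": t, "dest": computer, "src_user": subject,
                       "AttributeValue": spn, "ObjectDN": dns, "user": users})
    return alerts


if __name__ == "__main__":
    for alert in detect_spn_additions(SAMPLE_EVENTS):
        print(alert)
```

Running it produces three alerts: jdoe's two same-second additions on dc01 collapse into one row carrying both DNs, admin's change on dc02 stands alone, and the "Jane Smith" row fires but has an empty user list because the search's CN pattern does not admit spaces. That last case is worth knowing when tuning the filter macro: matching on the extracted user field alone will silently miss accounts whose common name contains a space, so key exclusions on ObjectDN or src_user instead.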