User account exposed to Kerberoasting

Author: Elastic
Source: upstream

Detects when a user account has its servicePrincipalName attribute modified. Attackers who hold write privileges over a user object can set Service Principal Names (SPNs) on it so that they can Kerberoast the account. Administrators can also configure SPNs on user accounts for legitimate purposes, which likewise exposes the account to Kerberoasting.

MITRE ATT&CK coverage

Tactic                Techniques
Persistence           T1098 Account Manipulation
Privilege Escalation  T1098 Account Manipulation
Credential Access     T1558 Steal or Forge Kerberos Tickets; T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting

Event coverage

Provider           Event ID  Title
Security-Auditing  5136      A directory service object was modified.

Stages and Predicates

Stage 1: kql:query

winlog.event_data.AttributeLDAPDisplayName:"servicePrincipalName" and winlog.event_data.ObjectClass:"user" and winlog.event_data.OperationType:"%%14674"
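To check the query's logic offline, here is an added Python example (not Elastic's code and not part of this catalog page) that applies the three predicates above to constructed Security 5136 events shaped like winlog.event_data. The SubjectUserName, ObjectDN and AttributeValue fields it pulls out for triage are standard 5136 fields not listed on this page, and the %%14675 (Value Deleted) sample shows why the rule keys on %%14674 (Value Added) only.

```python
from typing import Iterable, List

# Event 5136 OperationType codes: %%14674 = Value Added, %%14675 = Value Deleted.
VALUE_ADDED = "%%14674"

def is_spn_added_to_user(event: dict) -> bool:
    """True when the event satisfies the rule's kql:query predicate."""
    data = event.get("winlog", {}).get("event_data", {})
    return (
        data.get("AttributeLDAPDisplayName") == "servicePrincipalName"
        and data.get("ObjectClass") == "user"
        and data.get("OperationType") == VALUE_ADDED
    )

def kerberoast_exposure_alerts(events: Iterable[dict]) -> List[dict]:
    """Reduce matches to what a responder triages: who set which SPN on whom."""
    alerts = []
    for ev in events:
        if is_spn_added_to_user(ev):
            d = ev["winlog"]["event_data"]
            alerts.append({"actor": d.get("SubjectUserName"),
                           "target": d.get("ObjectDN"),
                           "spn": d.get("AttributeValue")})
    return alerts

def _ev(attr, obj_class, op, value="HTTP/app01.contoso.local"):
    # Constructed sample event (not captured from a real domain controller).
    return {"winlog": {"event_id": 5136, "event_data": {
        "AttributeLDAPDisplayName": attr, "ObjectClass": obj_class,
        "OperationType": op, "SubjectUserName": "jdoe",
        "ObjectDN": "CN=svc-backup,OU=Service,DC=contoso,DC=local",
        "AttributeValue": value}}}

SAMPLE_EVENTS = [
    _ev("servicePrincipalName", "user", "%%14674"),      # SPN added to a user: match
    _ev("servicePrincipalName", "user", "%%14675"),      # SPN removed: no match
    _ev("servicePrincipalName", "computer", "%%14674"),  # computer object: no match
    _ev("description", "user", "%%14674"),               # other attribute: no match
]

if __name__ == "__main__":
    for alert in kerberoast_exposure_alerts(SAMPLE_EVENTS):
        print(alert)
```

Only the first sample survives; a follow-up question for triage is whether the actor is an administrator performing expected service setup or an account that should not hold write access to that user.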

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field                                       Kind  Values
winlog.event_data.AttributeLDAPDisplayName  eq    servicePrincipalName (corpus 6: splunk 3, sigma 2, elastic 1)
winlog.event_data.ObjectClass               eq    user (corpus 4: splunk 2, sigma 1, elastic 1)
winlog.event_data.OperationType             eq    %%14674 (corpus 4: elastic 3, splunk 1)