Detection rules › Kusto Query Language

Service Principal Name (SPN) Assigned to User Account

Author: Vasileios Paschalidis
Source: upstream

'This query identifies whether an Active Directory user object was assigned a service principal name which could indicate that an adversary is preparing for performing Kerberoasting. This query checks for event id 5136, that the Object Class field is "user" and the LDAP Display Name is "servicePrincipalName". Ref: https://thevivi.net/assets/docs/2019/theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf'

MITRE ATT&CK coverage

Tactic	Techniques
Privilege Escalation	`T1134` Access Token Manipulation
Defense Evasion	`T1134` Access Token Manipulation

Event coverage

Provider	Event ID	Title
Security-Auditing	5136	A directory service object was modified.

Stages and Predicates

Stage 1: `source`

SecurityEvent

Stage 2: `where`

EventID eq "5136"

Stage 3: `parse`

Stage 4: `parse`

Stage 5: `where`

and
  AttributeLDAPDisplayName eq "servicePrincipalName"
  ObjectClass eq "user"

Stage 6: `parse`

Stage 7: `parse`

Stage 8: `summarize`

Stage 9: `extend`

Stage 10: `extend`

Stage 11: `project-away`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`AttributeLDAPDisplayName`	eq	`servicePrincipalName` corpus 6 (splunk 3, sigma 2, elastic 1)
`EventID`	eq	`5136` corpus 22 (splunk 22)
`ObjectClass`	eq	`user` corpus 4 (splunk 2, sigma 1, elastic 1)

Service Principal Name (SPN) Assigned to User Account

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: source

Stage 2: where

Stage 3: parse

Stage 4: parse

Stage 5: where

Stage 6: parse

Stage 7: parse

Stage 8: summarize

Stage 9: extend

Stage 10: extend

Stage 11: project-away