Windows AD ServicePrincipalName Added To Domain Account

Author: Mauricio Velazco, Splunk
Source: upstream

The following analytic detects the addition of a Service Principal Name (SPN) to a domain account. It leverages Windows Event Code 5136 and monitors changes to the servicePrincipalName attribute. This activity is significant because it may indicate an attempt to perform Kerberoasting, a technique where attackers extract and crack service account passwords offline. If confirmed malicious, this could allow an attacker to obtain cleartext passwords, leading to unauthorized access and potential lateral movement within the domain environment.

MITRE ATT&CK coverage

Tactic	Techniques
Persistence	`T1098` Account Manipulation
Privilege Escalation	`T1098` Account Manipulation

Event coverage

Provider	Event ID	Title
Security-Auditing	5136	A directory service object was modified.

Stages and Predicates

Stage 1: `search`

search AttributeLDAPDisplayName="servicePrincipalName" EventCode=5136 ObjectClass="user" OperationType="%%14674"

Stage 2: `stats`

stats BY _time, Computer, SubjectUserName, AttributeValue

Stage 3: `rex`

rex field=ObjectDN ...

Stage 4: `rename`

rename

Stage 5: `search`

search `macro`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`AttributeLDAPDisplayName`	eq	`servicePrincipalName` corpus 6 (splunk 3, sigma 2, elastic 1)
`EventCode`	eq	`5136` corpus 22 (splunk 22)
`ObjectClass`	eq	`user` corpus 4 (splunk 2, sigma 1, elastic 1)
`OperationType`	eq	`"%%14674"` corpus 3 (splunk 3)

Neighbors

Broader alternatives (more inclusive than this rule)

These rules match a superset of what this rule catches. They cover the same events plus more. Use them if you want wider coverage and can absorb more false positives.

Windows AD Dangerous Deny ACL Modification [splunk] (drops 3 filters this rule applies) (first-stage match only; downstream stages may differ)
Windows AD Object Owner Updated [splunk] (drops 3 filters this rule applies) (first-stage match only; downstream stages may differ)
Windows AD Self DACL Assignment [splunk] (drops 3 filters this rule applies) (first-stage match only; downstream stages may differ)
Windows AD Dangerous User ACL Modification [splunk] (drops 2 filters this rule applies) (first-stage match only; downstream stages may differ)
Windows AD Short Lived Domain Account ServicePrincipalName [splunk] (drops 2 filters this rule applies) (first-stage match only; downstream stages may differ)