Windows AD Short Lived Domain Account ServicePrincipalName

Author: Mauricio Velazco, Splunk
Source: upstream

The following analytic identifies the addition and quick deletion of a Service Principal Name (SPN) to a domain account within 5 minutes. This detection leverages EventCode 5136 from the Windows Security Event Log, focusing on changes to the servicePrincipalName attribute. This activity is significant as it may indicate an attempt to perform Kerberoasting, a technique used to crack the cleartext password of a domain account offline. If confirmed malicious, this could allow an attacker to gain unauthorized access to sensitive information or escalate privileges within the domain environment.

MITRE ATT&CK coverage

Tactic	Techniques
Persistence	`T1098` Account Manipulation
Privilege Escalation	`T1098` Account Manipulation

Event coverage

Provider	Event ID	Title
Security-Auditing	5136	A directory service object was modified.

Stages and Predicates

Stage 1: `search`

search AttributeLDAPDisplayName="servicePrincipalName" EventCode=5136

Stage 2: `transaction`

transaction ObjectDN, AttributeValue endswith=EventCode = 5136 OperationType = "%%14675" startswith=EventCode = 5136 OperationType = "%%14674"

Stage 3: `eval`

eval ... using (duration)

Stage 4: `search`

search short_lived=TRUE

Stage 5: `rename`

rename

Stage 6: `rename`

rename

Stage 7: `search`

search `macro`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`AttributeLDAPDisplayName`	eq	`servicePrincipalName` corpus 6 (splunk 3, sigma 2, elastic 1)
`EventCode`	eq	`5136` corpus 22 (splunk 22)
`short_lived`	eq	`TRUE` corpus 4 (splunk 4)

Neighbors

Stricter alternatives (narrower than this rule)

The rules below may be useful if you find the current rule is too noisy / lacks specificity.

Windows AD ServicePrincipalName Added To Domain Account [splunk] (adds 2 filters) (first-stage match only; downstream stages may differ)

Broader alternatives (more inclusive than this rule)

These rules match a superset of what this rule catches. They cover the same events plus more. Use them if you want wider coverage and can absorb more false positives.

Windows AD Dangerous Deny ACL Modification [splunk] (drops 1 filter this rule applies) (first-stage match only; downstream stages may differ)
Windows AD Object Owner Updated [splunk] (drops 1 filter this rule applies) (first-stage match only; downstream stages may differ)
Windows AD Self DACL Assignment [splunk] (drops 1 filter this rule applies) (first-stage match only; downstream stages may differ)

Windows AD Short Lived Domain Account ServicePrincipalName

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: search

Stage 2: transaction

Stage 3: eval

Stage 4: search

Stage 5: rename

Stage 6: rename

Stage 7: search