Potential SPN Enumeration Via Setspn.EXE
Detects service principal name (SPN) enumeration used for Kerberoasting
Sigma rule (View on GitHub)
```yaml
title: Potential SPN Enumeration Via Setspn.EXE
id: 1eeed653-dbc8-4187-ad0c-eeebb20e6599
status: test
description: Detects service principal name (SPN) enumeration used for Kerberoasting
references:
    - https://web.archive.org/web/20200329173843/https://p16.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation
    - https://www.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation/?edition=2019
author: Markus Neis, keepwatch
date: 2018-11-14
modified: 2023-10-23
tags:
    - attack.credential-access
    - attack.t1558.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_pe:
        - Image|endswith: '\setspn.exe'
        - OriginalFileName: 'setspn.exe'
        - Description|contains|all:
              - 'Query or reset the computer'
              - 'SPN attribute'
    selection_cli:
        CommandLine|contains:
            - ' -q '
            - ' /q '
    condition: all of selection_*
falsepositives:
    - Administration activity
level: medium
```
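The rule's matching logic, written out as an added example (not part of the Sigma rule or the Sigma project's code) and run over constructed process-creation events. The function names and all event values are assumptions made for illustration; the field names and match strings come from the rule above.

```python
# Added example: the rule's matching logic applied to constructed events.
# Sigma string matching is case-insensitive by default, so both sides are lowercased.

def selection_pe(ev):
    """A list of maps is an OR: any one PE-metadata indicator is enough."""
    image = ev.get("Image", "").lower()
    original = ev.get("OriginalFileName", "").lower()
    desc = ev.get("Description", "").lower()
    return (
        image.endswith("\\setspn.exe")
        or original == "setspn.exe"
        or all(s in desc for s in ("query or reset the computer", "spn attribute"))
    )

def selection_cli(ev):
    """A list of values under one field is an OR: either form of the query switch."""
    cmd = ev.get("CommandLine", "").lower()
    return " -q " in cmd or " /q " in cmd

def rule_matches(ev):
    """condition: all of selection_* -> both selections must be true."""
    return selection_pe(ev) and selection_cli(ev)

# Constructed sample events; hosts, domains and accounts are made up.
EVENTS = [
    {"Image": r"C:\Windows\System32\setspn.exe", "OriginalFileName": "setspn.exe",
     "CommandLine": "setspn.exe -T corp.example -Q */*"},
    {"Image": r"C:\Users\Public\s.exe", "OriginalFileName": "setspn.exe",
     "CommandLine": "s.exe /q */*"},
    {"Image": r"C:\Windows\System32\setspn.exe", "OriginalFileName": "setspn.exe",
     "CommandLine": "setspn.exe -S HTTP/web01.corp.example svc_web"},
    {"Image": r"C:\Windows\System32\msiexec.exe", "OriginalFileName": "msiexec.exe",
     "CommandLine": "msiexec.exe /q /i app.msi"},
]

def evaluate(events):
    """Return one boolean per event: True where the rule would fire."""
    return [rule_matches(ev) for ev in events]

if __name__ == "__main__":
    for ev, hit in zip(EVENTS, evaluate(EVENTS)):
        print("ALERT" if hit else "ok   ", ev["CommandLine"])
```

The second event fires because `OriginalFileName` still identifies a renamed copy; the third (SPN registration) and fourth (another binary using `/q`) do not, since each satisfies only one of the two selections.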
Related rules
- HackTool - KrbRelay Execution
- HackTool - KrbRelayUp Execution
- HackTool - RemoteKrbRelay Execution
- HackTool - Rubeus Execution
- HackTool - Rubeus Execution - ScriptBlock