Potential SPN Enumeration Via Setspn.EXE
Detects service principal name (SPN) enumeration used for Kerberoasting
Sigma rule (View on GitHub)
1title: Potential SPN Enumeration Via Setspn.EXE
2id: 1eeed653-dbc8-4187-ad0c-eeebb20e6599
3status: test
4description: Detects service principal name (SPN) enumeration used for Kerberoasting
5references:
6 - https://web.archive.org/web/20200329173843/https://p16.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation
7 - https://www.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation/?edition=2019
8author: Markus Neis, keepwatch
9date: 2018/11/14
10modified: 2023/10/23
11tags:
12 - attack.credential_access
13 - attack.t1558.003
14logsource:
15 category: process_creation
16 product: windows
17detection:
18 selection_pe:
19 - Image|endswith: '\setspn.exe'
20 - OriginalFileName: 'setspn.exe'
21 - Description|contains|all:
22 - 'Query or reset the computer'
23 - 'SPN attribute'
24 selection_cli:
25 CommandLine|contains:
26 - ' -q '
27 - ' /q '
28 condition: all of selection_*
29falsepositives:
30 - Administration activity
31level: medium
References
-
In our experience, Kerberoasting is an attack that is similar to others in that defenders need to fully under it to be able to properly migrate the risks. It’s our goal that through pushing this content into the MITRE ATT&CK framework we have increased the awareness of this TTP so that organizations can be better protected in the future.
Read More -
Kerberoasting privilege escalation is an attack method that defenders need to fully understand to properly migrate the risks.
Read More
Related rules
- HackTool - Rubeus Execution
- Suspicious Kerberos RC4 Ticket Encryption
- Potential CVE-2021-42278 Exploitation Attempt
- Possible Impacket GetUserSPNs Activity
- Potential CVE-2021-42287 Exploitation Attempt