Service Principal Name SPN Assigned to User Account
| Id | 875d0eb1-883a-4191-bd0e-dbfdeb95a464 |
| Rulename | Service Principal Name (SPN) Assigned to User Account |
| Description | This query identifies whether an Active Directory user object was assigned a service principal name which could indicate that an adversary is preparing for performing Kerberoasting. This query checks for event id 5136, that the Object Class field is “user” and the LDAP Display Name is “servicePrincipalName”. Ref: https://thevivi.net/assets/docs/2019/theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf |
| Severity | Medium |
| Tactics | PrivilegeEscalation |
| Techniques | T1134 |
| Required data connectors | SecurityEvents |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserPrincipalNameAssignedToUserAccount.yaml |
| Version | 1.0.4 |
| Arm template | 875d0eb1-883a-4191-bd0e-dbfdeb95a464.json |
SecurityEvent
| where EventID == 5136
| parse EventData with * 'AttributeLDAPDisplayName">' AttributeLDAPDisplayName "<" *
| parse EventData with * 'ObjectClass">' ObjectClass "<" *
| where AttributeLDAPDisplayName == "servicePrincipalName" and ObjectClass == "user"
| parse EventData with * 'ObjectDN">' ObjectDN "<" *
| parse EventData with * 'AttributeValue">' AttributeValue "<" *
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, ObjectDN, AttributeValue, SubjectUserName, SubjectDomainName, SubjectUserSid
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
| project-away DomainIndex
requiredDataConnectors:
- dataTypes:
- SecurityEvent
connectorId: SecurityEvents
triggerThreshold: 0
relevantTechniques:
- T1134
queryPeriod: 1h
version: 1.0.4
id: 875d0eb1-883a-4191-bd0e-dbfdeb95a464
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserPrincipalNameAssignedToUserAccount.yaml
query: |
SecurityEvent
| where EventID == 5136
| parse EventData with * 'AttributeLDAPDisplayName">' AttributeLDAPDisplayName "<" *
| parse EventData with * 'ObjectClass">' ObjectClass "<" *
| where AttributeLDAPDisplayName == "servicePrincipalName" and ObjectClass == "user"
| parse EventData with * 'ObjectDN">' ObjectDN "<" *
| parse EventData with * 'AttributeValue">' AttributeValue "<" *
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, ObjectDN, AttributeValue, SubjectUserName, SubjectDomainName, SubjectUserSid
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
| project-away DomainIndex
metadata:
support:
tier: Community
source:
kind: Community
categories:
domains:
- Security - Others
- Identity
author:
name: Vasileios Paschalidis
entityMappings:
- fieldMappings:
- identifier: FullName
columnName: SubjectAccount
- identifier: Name
columnName: SubjectUserName
- identifier: NTDomain
columnName: SubjectDomainName
entityType: Account
- fieldMappings:
- identifier: Sid
columnName: SubjectUserSid
entityType: Account
- fieldMappings:
- identifier: FullName
columnName: Computer
- identifier: HostName
columnName: HostName
- identifier: NTDomain
columnName: HostNameDomain
entityType: Host
tactics:
- PrivilegeEscalation
severity: Medium
name: Service Principal Name (SPN) Assigned to User Account
queryFrequency: 1h
triggerOperator: gt
kind: Scheduled
description: |
'This query identifies whether an Active Directory user object was assigned a service principal name which could indicate that an adversary is preparing for performing Kerberoasting.
This query checks for event id 5136, that the Object Class field is "user" and the LDAP Display Name is "servicePrincipalName".
Ref: https://thevivi.net/assets/docs/2019/theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf'
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/875d0eb1-883a-4191-bd0e-dbfdeb95a464')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/875d0eb1-883a-4191-bd0e-dbfdeb95a464')]",
"properties": {
"alertRuleTemplateName": "875d0eb1-883a-4191-bd0e-dbfdeb95a464",
"customDetails": null,
"description": "'This query identifies whether an Active Directory user object was assigned a service principal name which could indicate that an adversary is preparing for performing Kerberoasting. \nThis query checks for event id 5136, that the Object Class field is \"user\" and the LDAP Display Name is \"servicePrincipalName\".\nRef: https://thevivi.net/assets/docs/2019/theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf'\n",
"displayName": "Service Principal Name (SPN) Assigned to User Account",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "SubjectAccount",
"identifier": "FullName"
},
{
"columnName": "SubjectUserName",
"identifier": "Name"
},
{
"columnName": "SubjectDomainName",
"identifier": "NTDomain"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "SubjectUserSid",
"identifier": "Sid"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "Computer",
"identifier": "FullName"
},
{
"columnName": "HostName",
"identifier": "HostName"
},
{
"columnName": "HostNameDomain",
"identifier": "NTDomain"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserPrincipalNameAssignedToUserAccount.yaml",
"query": "SecurityEvent\n| where EventID == 5136 \n| parse EventData with * 'AttributeLDAPDisplayName\">' AttributeLDAPDisplayName \"<\" *\n| parse EventData with * 'ObjectClass\">' ObjectClass \"<\" *\n| where AttributeLDAPDisplayName == \"servicePrincipalName\" and ObjectClass == \"user\"\n| parse EventData with * 'ObjectDN\">' ObjectDN \"<\" *\n| parse EventData with * 'AttributeValue\">' AttributeValue \"<\" *\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, ObjectDN, AttributeValue, SubjectUserName, SubjectDomainName, SubjectUserSid\n| extend HostName = tostring(split(Computer, \".\")[0]), DomainIndex = toint(indexof(Computer, '.'))\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\n| project-away DomainIndex\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "Medium",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"PrivilegeEscalation"
],
"techniques": [
"T1134"
],
"templateVersion": "1.0.4",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}