Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Service Principal Name SPN Assigned to User Account

Back
Id875d0eb1-883a-4191-bd0e-dbfdeb95a464
RulenameService Principal Name (SPN) Assigned to User Account
DescriptionThis query identifies whether an Active Directory user object was assigned a service principal name which could indicate that an adversary is preparing for performing Kerberoasting.

This query checks for event id 5136, that the Object Class field is “user” and the LDAP Display Name is “servicePrincipalName”.

Ref: https://thevivi.net/assets/docs/2019/theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
SeverityMedium
TacticsPrivilegeEscalation
TechniquesT1134
Required data connectorsSecurityEvents
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserPrincipalNameAssignedToUserAccount.yaml
Version1.0.4
Arm template875d0eb1-883a-4191-bd0e-dbfdeb95a464.json
Deploy To Azure
SecurityEvent
| where EventID == 5136 
| parse EventData with * 'AttributeLDAPDisplayName">' AttributeLDAPDisplayName "<" *
| parse EventData with * 'ObjectClass">' ObjectClass "<" *
| where AttributeLDAPDisplayName == "servicePrincipalName" and  ObjectClass == "user"
| parse EventData with * 'ObjectDN">' ObjectDN "<" *
| parse EventData with * 'AttributeValue">' AttributeValue "<" *
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, ObjectDN, AttributeValue, SubjectUserName, SubjectDomainName, SubjectUserSid
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
| project-away DomainIndex
relevantTechniques:
- T1134
name: Service Principal Name (SPN) Assigned to User Account
requiredDataConnectors:
- dataTypes:
  - SecurityEvent
  connectorId: SecurityEvents
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: SubjectAccount
  - identifier: Name
    columnName: SubjectUserName
  - identifier: NTDomain
    columnName: SubjectDomainName
  entityType: Account
- fieldMappings:
  - identifier: Sid
    columnName: SubjectUserSid
  entityType: Account
- fieldMappings:
  - identifier: FullName
    columnName: Computer
  - identifier: HostName
    columnName: HostName
  - identifier: NTDomain
    columnName: HostNameDomain
  entityType: Host
triggerThreshold: 0
id: 875d0eb1-883a-4191-bd0e-dbfdeb95a464
tactics:
- PrivilegeEscalation
version: 1.0.4
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserPrincipalNameAssignedToUserAccount.yaml
queryPeriod: 1h
kind: Scheduled
metadata:
  categories:
    domains:
    - Security - Others
    - Identity
  author:
    name: Vasileios Paschalidis
  support:
    tier: Community
  source:
    kind: Community
queryFrequency: 1h
severity: Medium
description: |
  'This query identifies whether an Active Directory user object was assigned a service principal name which could indicate that an adversary is preparing for performing Kerberoasting. 
  This query checks for event id 5136, that the Object Class field is "user" and the LDAP Display Name is "servicePrincipalName".
  Ref: https://thevivi.net/assets/docs/2019/theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf'  
query: |
  SecurityEvent
  | where EventID == 5136 
  | parse EventData with * 'AttributeLDAPDisplayName">' AttributeLDAPDisplayName "<" *
  | parse EventData with * 'ObjectClass">' ObjectClass "<" *
  | where AttributeLDAPDisplayName == "servicePrincipalName" and  ObjectClass == "user"
  | parse EventData with * 'ObjectDN">' ObjectDN "<" *
  | parse EventData with * 'AttributeValue">' AttributeValue "<" *
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, ObjectDN, AttributeValue, SubjectUserName, SubjectDomainName, SubjectUserSid
  | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
  | project-away DomainIndex  
triggerOperator: gt
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/875d0eb1-883a-4191-bd0e-dbfdeb95a464')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/875d0eb1-883a-4191-bd0e-dbfdeb95a464')]",
      "properties": {
        "alertRuleTemplateName": "875d0eb1-883a-4191-bd0e-dbfdeb95a464",
        "customDetails": null,
        "description": "'This query identifies whether an Active Directory user object was assigned a service principal name which could indicate that an adversary is preparing for performing Kerberoasting. \nThis query checks for event id 5136, that the Object Class field is \"user\" and the LDAP Display Name is \"servicePrincipalName\".\nRef: https://thevivi.net/assets/docs/2019/theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf'\n",
        "displayName": "Service Principal Name (SPN) Assigned to User Account",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "SubjectAccount",
                "identifier": "FullName"
              },
              {
                "columnName": "SubjectUserName",
                "identifier": "Name"
              },
              {
                "columnName": "SubjectDomainName",
                "identifier": "NTDomain"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "SubjectUserSid",
                "identifier": "Sid"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "Computer",
                "identifier": "FullName"
              },
              {
                "columnName": "HostName",
                "identifier": "HostName"
              },
              {
                "columnName": "HostNameDomain",
                "identifier": "NTDomain"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserPrincipalNameAssignedToUserAccount.yaml",
        "query": "SecurityEvent\n| where EventID == 5136 \n| parse EventData with * 'AttributeLDAPDisplayName\">' AttributeLDAPDisplayName \"<\" *\n| parse EventData with * 'ObjectClass\">' ObjectClass \"<\" *\n| where AttributeLDAPDisplayName == \"servicePrincipalName\" and  ObjectClass == \"user\"\n| parse EventData with * 'ObjectDN\">' ObjectDN \"<\" *\n| parse EventData with * 'AttributeValue\">' AttributeValue \"<\" *\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, ObjectDN, AttributeValue, SubjectUserName, SubjectDomainName, SubjectUserSid\n| extend HostName = tostring(split(Computer, \".\")[0]), DomainIndex = toint(indexof(Computer, '.'))\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\n| project-away DomainIndex\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1134"
        ],
        "templateVersion": "1.0.4",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}