Service Principal Name SPN Assigned to User Account
| Id | 875d0eb1-883a-4191-bd0e-dbfdeb95a464 |
| Rulename | Service Principal Name (SPN) Assigned to User Account |
| Description | This query identifies whether an Active Directory user object was assigned a service principal name which could indicate that an adversary is preparing for performing Kerberoasting. This query checks for event id 5136, that the Object Class field is “user” and the LDAP Display Name is “servicePrincipalName”. Ref: https://thevivi.net/assets/docs/2019/theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf |
| Severity | Medium |
| Tactics | PrivilegeEscalation |
| Techniques | T1134 |
| Required data connectors | SecurityEvents |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserPrincipalNameAssignedToUserAccount.yaml |
| Version | 1.0.4 |
| Arm template | 875d0eb1-883a-4191-bd0e-dbfdeb95a464.json |
SecurityEvent
| where EventID == 5136
| parse EventData with * 'AttributeLDAPDisplayName">' AttributeLDAPDisplayName "<" *
| parse EventData with * 'ObjectClass">' ObjectClass "<" *
| where AttributeLDAPDisplayName == "servicePrincipalName" and ObjectClass == "user"
| parse EventData with * 'ObjectDN">' ObjectDN "<" *
| parse EventData with * 'AttributeValue">' AttributeValue "<" *
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, ObjectDN, AttributeValue, SubjectUserName, SubjectDomainName, SubjectUserSid
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
| project-away DomainIndex
triggerOperator: gt
triggerThreshold: 0
name: Service Principal Name (SPN) Assigned to User Account
metadata:
support:
tier: Community
categories:
domains:
- Security - Others
- Identity
source:
kind: Community
author:
name: Vasileios Paschalidis
queryPeriod: 1h
severity: Medium
kind: Scheduled
entityMappings:
- entityType: Account
fieldMappings:
- columnName: SubjectAccount
identifier: FullName
- columnName: SubjectUserName
identifier: Name
- columnName: SubjectDomainName
identifier: NTDomain
- entityType: Account
fieldMappings:
- columnName: SubjectUserSid
identifier: Sid
- entityType: Host
fieldMappings:
- columnName: Computer
identifier: FullName
- columnName: HostName
identifier: HostName
- columnName: HostNameDomain
identifier: NTDomain
queryFrequency: 1h
relevantTechniques:
- T1134
requiredDataConnectors:
- dataTypes:
- SecurityEvent
connectorId: SecurityEvents
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserPrincipalNameAssignedToUserAccount.yaml
description: |
'This query identifies whether an Active Directory user object was assigned a service principal name which could indicate that an adversary is preparing for performing Kerberoasting.
This query checks for event id 5136, that the Object Class field is "user" and the LDAP Display Name is "servicePrincipalName".
Ref: https://thevivi.net/assets/docs/2019/theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf'
tactics:
- PrivilegeEscalation
query: |
SecurityEvent
| where EventID == 5136
| parse EventData with * 'AttributeLDAPDisplayName">' AttributeLDAPDisplayName "<" *
| parse EventData with * 'ObjectClass">' ObjectClass "<" *
| where AttributeLDAPDisplayName == "servicePrincipalName" and ObjectClass == "user"
| parse EventData with * 'ObjectDN">' ObjectDN "<" *
| parse EventData with * 'AttributeValue">' AttributeValue "<" *
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, ObjectDN, AttributeValue, SubjectUserName, SubjectDomainName, SubjectUserSid
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
| project-away DomainIndex
id: 875d0eb1-883a-4191-bd0e-dbfdeb95a464
version: 1.0.4
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/875d0eb1-883a-4191-bd0e-dbfdeb95a464')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/875d0eb1-883a-4191-bd0e-dbfdeb95a464')]",
"properties": {
"alertRuleTemplateName": "875d0eb1-883a-4191-bd0e-dbfdeb95a464",
"customDetails": null,
"description": "'This query identifies whether an Active Directory user object was assigned a service principal name which could indicate that an adversary is preparing for performing Kerberoasting. \nThis query checks for event id 5136, that the Object Class field is \"user\" and the LDAP Display Name is \"servicePrincipalName\".\nRef: https://thevivi.net/assets/docs/2019/theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf'\n",
"displayName": "Service Principal Name (SPN) Assigned to User Account",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "SubjectAccount",
"identifier": "FullName"
},
{
"columnName": "SubjectUserName",
"identifier": "Name"
},
{
"columnName": "SubjectDomainName",
"identifier": "NTDomain"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "SubjectUserSid",
"identifier": "Sid"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "Computer",
"identifier": "FullName"
},
{
"columnName": "HostName",
"identifier": "HostName"
},
{
"columnName": "HostNameDomain",
"identifier": "NTDomain"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserPrincipalNameAssignedToUserAccount.yaml",
"query": "SecurityEvent\n| where EventID == 5136 \n| parse EventData with * 'AttributeLDAPDisplayName\">' AttributeLDAPDisplayName \"<\" *\n| parse EventData with * 'ObjectClass\">' ObjectClass \"<\" *\n| where AttributeLDAPDisplayName == \"servicePrincipalName\" and ObjectClass == \"user\"\n| parse EventData with * 'ObjectDN\">' ObjectDN \"<\" *\n| parse EventData with * 'AttributeValue\">' AttributeValue \"<\" *\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, ObjectDN, AttributeValue, SubjectUserName, SubjectDomainName, SubjectUserSid\n| extend HostName = tostring(split(Computer, \".\")[0]), DomainIndex = toint(indexof(Computer, '.'))\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\n| project-away DomainIndex\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "Medium",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"PrivilegeEscalation"
],
"techniques": [
"T1134"
],
"templateVersion": "1.0.4",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}