Microsoft Sentinel Analytic Rules

Service Principal Name SPN Assigned to User Account

Id: 875d0eb1-883a-4191-bd0e-dbfdeb95a464
Rulename: Service Principal Name (SPN) Assigned to User Account
Description: This query identifies whether an Active Directory user object was assigned a service principal name, which could indicate that an adversary is preparing to perform Kerberoasting.

This query checks for event id 5136, that the Object Class field is “user” and the LDAP Display Name is “servicePrincipalName”.

Ref: https://thevivi.net/assets/docs/2019/theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
Severity: Medium
Tactics: PrivilegeEscalation
Techniques: T1134
Required data connectors: SecurityEvents
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserPrincipalNameAssignedToUserAccount.yaml
Version: 1.0.4
Arm template: 875d0eb1-883a-4191-bd0e-dbfdeb95a464.json
// Detection: an Active Directory user object received a servicePrincipalName value.
// A user account with an SPN can be targeted for Kerberoasting (see the rule description).
// Output columns (Computer, SubjectAccount, ObjectDN, AttributeValue, SubjectUserName,
// SubjectDomainName, SubjectUserSid, HostName, HostNameDomain) are the ones the rule's
// entity mappings reference, so they must not be renamed.
SecurityEvent
// 5136 = "A directory service object was modified"; the changed attribute is carried
// inside the EventData XML, hence the string parsing below.
| where EventID == 5136 
// Lift the modified attribute's LDAP display name and the target object's class out of EventData.
| parse EventData with * 'AttributeLDAPDisplayName">' AttributeLDAPDisplayName "<" *
| parse EventData with * 'ObjectClass">' ObjectClass "<" *
// Keep only SPN changes on user objects; computer objects (which legitimately carry SPNs)
// are deliberately out of scope. Comparisons are case-sensitive.
// NOTE(review): 5136 is also logged when an attribute value is removed, and no filter on
// the operation type is applied, so SPN removals alert as well — confirm that is intended.
| where AttributeLDAPDisplayName == "servicePrincipalName" and  ObjectClass == "user"
// Distinguished name of the modified object and the SPN value that was written.
| parse EventData with * 'ObjectDN">' ObjectDN "<" *
| parse EventData with * 'AttributeValue">' AttributeValue "<" *
// One row per (reporting computer, actor, target object, SPN value) within the query window,
// with first- and last-seen times for the alert.
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, ObjectDN, AttributeValue, SubjectUserName, SubjectDomainName, SubjectUserSid
// Split the reporting computer's name into host and domain parts for the Host entity mapping.
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
// indexof() returns -1 when there is no dot, so a bare host name is reused as its own domain.
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
// DomainIndex was only a helper for the split above.
| project-away DomainIndex
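---
# Microsoft Sentinel scheduled analytic rule: alert when a servicePrincipalName is
# written to an Active Directory user object (Windows Security event 5136).
# Data source: the Security Events connector, SecurityEvent table.
requiredDataConnectors:
- dataTypes:
  - SecurityEvent
  connectorId: SecurityEvents
name: Service Principal Name (SPN) Assigned to User Account
# Runs hourly over the last hour; keep queryPeriod >= queryFrequency so consecutive
# runs leave no gap in coverage.
queryFrequency: 1h
tactics:
- PrivilegeEscalation
metadata:
  author:
    name: Vasileios Paschalidis
  source:
    kind: Community
  categories:
    domains:
    - Security - Others
    - Identity
  support:
    tier: Community
# NOTE(review): T1134 is the technique carried by the upstream template; confirm it is
# the intended mapping for the Kerberoasting preparation described below.
relevantTechniques:
- T1134
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserPrincipalNameAssignedToUserAccount.yaml
id: 875d0eb1-883a-4191-bd0e-dbfdeb95a464
queryPeriod: 1h
# Every columnName below must be present in the query's final column set.
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: SubjectAccount
  - identifier: Name
    columnName: SubjectUserName
  - identifier: NTDomain
    columnName: SubjectDomainName
  entityType: Account
- fieldMappings:
  - identifier: Sid
    columnName: SubjectUserSid
  entityType: Account
- fieldMappings:
  - identifier: FullName
    columnName: Computer
  - identifier: HostName
    columnName: HostName
  - identifier: NTDomain
    columnName: HostNameDomain
  entityType: Host
kind: Scheduled
# Literal block scalar: newlines are preserved and the KQL is passed through as-is.
# Trailing whitespace inside the block becomes part of the query text, so lines are kept clean.
query: |
  SecurityEvent
  | where EventID == 5136
  | parse EventData with * 'AttributeLDAPDisplayName">' AttributeLDAPDisplayName "<" *
  | parse EventData with * 'ObjectClass">' ObjectClass "<" *
  | where AttributeLDAPDisplayName == "servicePrincipalName" and  ObjectClass == "user"
  | parse EventData with * 'ObjectDN">' ObjectDN "<" *
  | parse EventData with * 'AttributeValue">' AttributeValue "<" *
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, ObjectDN, AttributeValue, SubjectUserName, SubjectDomainName, SubjectUserSid
  | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
  | project-away DomainIndex
triggerOperator: gt
severity: Medium
# Literal block scalar: do not wrap the text in quotes — inside a block scalar they are
# not YAML quoting but become part of the description shown to analysts.
description: |
  This query identifies whether an Active Directory user object was assigned a service principal name which could indicate that an adversary is preparing for performing Kerberoasting.
  This query checks for event id 5136, that the Object Class field is "user" and the LDAP Display Name is "servicePrincipalName".
  Ref: https://thevivi.net/assets/docs/2019/theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
triggerThreshold: 0
# Quoted so no YAML loader can ever read the version as a number.
version: "1.0.4"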
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/875d0eb1-883a-4191-bd0e-dbfdeb95a464')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/875d0eb1-883a-4191-bd0e-dbfdeb95a464')]",
      "properties": {
        "alertRuleTemplateName": "875d0eb1-883a-4191-bd0e-dbfdeb95a464",
        "customDetails": null,
        "description": "This query identifies whether an Active Directory user object was assigned a service principal name which could indicate that an adversary is preparing for performing Kerberoasting.\nThis query checks for event id 5136, that the Object Class field is \"user\" and the LDAP Display Name is \"servicePrincipalName\".\nRef: https://thevivi.net/assets/docs/2019/theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf\n",
        "displayName": "Service Principal Name (SPN) Assigned to User Account",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "SubjectAccount",
                "identifier": "FullName"
              },
              {
                "columnName": "SubjectUserName",
                "identifier": "Name"
              },
              {
                "columnName": "SubjectDomainName",
                "identifier": "NTDomain"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "SubjectUserSid",
                "identifier": "Sid"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "Computer",
                "identifier": "FullName"
              },
              {
                "columnName": "HostName",
                "identifier": "HostName"
              },
              {
                "columnName": "HostNameDomain",
                "identifier": "NTDomain"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserPrincipalNameAssignedToUserAccount.yaml",
        "query": "SecurityEvent\n| where EventID == 5136 \n| parse EventData with * 'AttributeLDAPDisplayName\">' AttributeLDAPDisplayName \"<\" *\n| parse EventData with * 'ObjectClass\">' ObjectClass \"<\" *\n| where AttributeLDAPDisplayName == \"servicePrincipalName\" and  ObjectClass == \"user\"\n| parse EventData with * 'ObjectDN\">' ObjectDN \"<\" *\n| parse EventData with * 'AttributeValue\">' AttributeValue \"<\" *\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, ObjectDN, AttributeValue, SubjectUserName, SubjectDomainName, SubjectUserSid\n| extend HostName = tostring(split(Computer, \".\")[0]), DomainIndex = toint(indexof(Computer, '.'))\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\n| project-away DomainIndex\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1134"
        ],
        "templateVersion": "1.0.4",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}