rules/windows/process_creation/proc_creation_win_spn_enum.yml

title: Possible SPN Enumeration
id: 1eeed653-dbc8-4187-ad0c-eeebb20e6599
status: test
description: Detects Service Principal Name Enumeration used for Kerberoasting
author: Markus Neis, keepwatch
references:
  - https://p16.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation
date: 2018/11/14
modified: 2021/11/27
logsource:
  category: process_creation
  product: windows
detection:
  selection_image:
    Image|endswith: '\setspn.exe'
  selection_desc:
    Description|contains|all:
      - 'Query or reset the computer'
      - 'SPN attribute'
  cmd:
    CommandLine|contains: '-q'
  condition: (selection_image or selection_desc) and cmd
falsepositives:
  - Administrator Activity
level: medium
tags:
  - attack.credential_access
  - attack.t1558.003
Merge branch 'master' into project-1 2019-02-26 00:24:46 +01:00			`title: Possible SPN Enumeration`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`id: 1eeed653-dbc8-4187-ad0c-eeebb20e6599`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`status: test`
Merge branch 'master' into project-1 2019-02-26 00:24:46 +01:00			`description: Detects Service Principal Name Enumeration used for Kerberoasting`
			`author: Markus Neis, keepwatch`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`references:`
			`- https://p16.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation`
Merge branch 'master' into project-1 2019-02-26 00:24:46 +01:00			`date: 2018/11/14`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`modified: 2021/11/27`
Merge branch 'master' into project-1 2019-02-26 00:24:46 +01:00			`logsource:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`category: process_creation`
			`product: windows`
Merge branch 'master' into project-1 2019-02-26 00:24:46 +01:00			`detection:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`selection_image:`
			`Image\|endswith: '\setspn.exe'`
			`selection_desc:`
			`Description\|contains\|all:`
			`- 'Query or reset the computer'`
			`- 'SPN attribute'`
			`cmd:`
			`CommandLine\|contains: '-q'`
			`condition: (selection_image or selection_desc) and cmd`
Merge branch 'master' into project-1 2019-02-26 00:24:46 +01:00			`falsepositives:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`- Administrator Activity`
Merge branch 'master' into project-1 2019-02-26 00:24:46 +01:00			`level: medium`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`tags:`
			`- attack.credential_access`
			`- attack.t1558.003`