SigmaHQ/rules/windows/process_creation/win_spn_enum.yml

title: Possible SPN Enumeration
id: 1eeed653-dbc8-4187-ad0c-eeebb20e6599
description: Detects Service Principal Name Enumeration used for Kerberoasting
status: experimental
references:
    - https://p16.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation
author: Markus Neis, keepwatch
date: 2018/11/14
tags:
    - attack.credential_access
    - attack.t1208
logsource:
    category: process_creation
    product: windows
detection:
    selection_image:
        Image: '*\setspn.exe'
    selection_desc:
        Description: '*Query or reset the computer* SPN attribute*'
    cmd:
        CommandLine: '*-q*'
    condition: (selection_image or selection_desc) and cmd
falsepositives:
    - Administrator Activity
level: medium
Merge branch 'master' into project-1 2019-02-25 23:24:46 +00:00			`title: Possible SPN Enumeration`
Added UUIDs to rules 2019-11-12 22:12:27 +00:00			`id: 1eeed653-dbc8-4187-ad0c-eeebb20e6599`
Merge branch 'master' into project-1 2019-02-25 23:24:46 +00:00			`description: Detects Service Principal Name Enumeration used for Kerberoasting`
			`status: experimental`
			`references:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`- https://p16.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation`
Merge branch 'master' into project-1 2019-02-25 23:24:46 +00:00			`author: Markus Neis, keepwatch`
			`date: 2018/11/14`
			`tags:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`- attack.credential_access`
			`- attack.t1208`
Merge branch 'master' into project-1 2019-02-25 23:24:46 +00:00			`logsource:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`category: process_creation`
			`product: windows`
Merge branch 'master' into project-1 2019-02-25 23:24:46 +00:00			`detection:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`selection_image:`
			`Image: '*\setspn.exe'`
			`selection_desc:`
			`Description: 'Query or reset the computer SPN attribute*'`
			`cmd:`
			`CommandLine: '-q'`
			`condition: (selection_image or selection_desc) and cmd`
Merge branch 'master' into project-1 2019-02-25 23:24:46 +00:00			`falsepositives:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`- Administrator Activity`
Merge branch 'master' into project-1 2019-02-25 23:24:46 +00:00			`level: medium`