valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 09:48:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
7b3d67ae66
SigmaHQ/rules/windows/process_creation/win_spn_enum.yml
Thomas Patzke 7602309138 Increased indentation to 4 
* Converted (to generic sigma) rules
* Converter outputs by default with indentation 4
2019-03-02 00:14:20 +01:00

25 lines
710 B
YAML
Raw Blame History

title: Possible SPN Enumeration
description: Detects Service Principal Name Enumeration used for Kerberoasting
status: experimental
references:
- https://p16.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation
author: Markus Neis, keepwatch
date: 2018/11/14
tags:
- attack.credential_access
- attack.t1208
logsource:
category: process_creation
product: windows
detection:
selection_image:
Image: '*\setspn.exe'
selection_desc:
Description: '*Query or reset the computer* SPN attribute*'
cmd:
CommandLine: '*-q*'
condition: (selection_image or selection_desc) and cmd
falsepositives:
- Administrator Activity
level: medium
Reference in New Issue View Git Blame Copy Permalink