medium advisory

User Account ServicePrincipalName Attribute Modified

Detection of modifications to the servicePrincipalName attribute on user accounts, potentially exposing them to Kerberoasting attacks by allowing attackers to request Kerberos tickets for the account.

This detection rule identifies modifications to the servicePrincipalName (SPN) attribute of user accounts in Active Directory. An attacker with write privileges over a user account can set an SPN on it, which makes the account a valid target for Kerberoasting: any domain principal can then request a service ticket for that SPN, and the ticket is encrypted with a key derived from the account's password. Administrators also configure SPNs on user accounts legitimately, but doing so exposes the account to the same abuse. The risk is higher for user accounts than for machine accounts because human-chosen passwords are typically far weaker than the long, random passwords of machine accounts and are therefore feasible to crack offline. The rule flags the moment a user account's exposure increases through an SPN change. The original Elastic rule was published on 2022-02-22 and last updated on 2026-05-04.
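As an added example, and not Elastic's rule or the platform's own query, the following flags servicePrincipalName changes on user objects from Windows Security Event 5136 ("A directory service object was modified") records, which requires Directory Service Changes auditing to be enabled on domain controllers. The field names follow the 5136 event schema; the sample records, the account names, and the actor allowlist are constructed assumptions.

```python
from dataclasses import dataclass

# Event 5136 OperationType code for "Value Added" (%%14675 is "Value Deleted").
VALUE_ADDED = "%%14674"

@dataclass
class SpnAlert:
    actor: str       # SubjectUserName that made the change
    target_dn: str   # distinguished name of the modified account
    spn: str         # the SPN value that was added or removed
    operation: str   # "added" or "deleted"

def detect_user_spn_changes(events, allowlisted_actors=()):
    """Return one alert per 5136 event that adds or removes an SPN on a
    user-class object. Computer objects get SPNs routinely (domain join,
    service installs), so ObjectClass keeps them out of the alert stream;
    allowlisted_actors suppresses known provisioning accounts."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 5136:
            continue
        if ev.get("AttributeLDAPDisplayName") != "servicePrincipalName":
            continue
        if ev.get("ObjectClass") != "user":
            continue
        if ev.get("SubjectUserName") in allowlisted_actors:
            continue
        op = "added" if ev.get("OperationType") == VALUE_ADDED else "deleted"
        alerts.append(SpnAlert(ev["SubjectUserName"], ev["ObjectDN"],
                               ev["AttributeValue"], op))
    return alerts

# Constructed sample records (not real telemetry): an SPN added to a user
# (alert), an SPN added to a computer (ignored), and an unrelated attribute
# change on the same user (ignored).
SAMPLE_EVENTS = [
    {"EventID": 5136, "SubjectUserName": "jdoe", "ObjectClass": "user",
     "ObjectDN": "CN=svc-backup,OU=Service Accounts,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "servicePrincipalName",
     "AttributeValue": "HTTP/svc-backup.corp.example", "OperationType": VALUE_ADDED},
    {"EventID": 5136, "SubjectUserName": "SRV01$", "ObjectClass": "computer",
     "ObjectDN": "CN=SRV01,OU=Servers,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "servicePrincipalName",
     "AttributeValue": "HOST/SRV01.corp.example", "OperationType": VALUE_ADDED},
    {"EventID": 5136, "SubjectUserName": "jdoe", "ObjectClass": "user",
     "ObjectDN": "CN=svc-backup,OU=Service Accounts,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "description",
     "AttributeValue": "nightly backup job", "OperationType": VALUE_ADDED},
]
```

Running `detect_user_spn_changes(SAMPLE_EVENTS)` yields a single alert for jdoe adding `HTTP/svc-backup.corp.example` to svc-backup; in production, also record the SPN that was set, since a value that does not match any real service is itself a strong signal.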

Attack Chain

  1. An attacker gains initial access to a system using a user account that holds write privileges over other user accounts in Active Directory.
  2. The attacker identifies a target user account for which they want to perform Kerberoasting.
  3. The attacker modifies the servicePrincipalName attribute of the target user account using tools like SetSPN.exe or PowerShell.
  4. A Kerberos client requests a ticket-granting service (TGS) ticket for the modified SPN.
  5. The domain controller encrypts the TGS ticket with the secret key (NTLM hash) of the target user account.
  6. The attacker extracts the encrypted TGS ticket from network traffic or the Kerberos client cache.
  7. The attacker cracks the extracted TGS ticket offline with tools like Hashcat or John the Ripper to recover the plaintext password of the target user account.
  8. The attacker uses the compromised credentials to gain unauthorized access to resources or perform lateral movement within the network.

Impact

Successful Kerberoasting attacks can compromise user account credentials, potentially leading to unauthorized access to sensitive resources and lateral movement within the network. If privileged accounts are compromised, attackers can gain control over critical systems and data, leading to data breaches, system disruptions, and financial losses. The number of victims depends on the permissions of the compromised account and the scope of the attacker’s access.

Recommendation

Detection coverage (2 rules)

Detect SPN Attribute Modified on User Account

Severity: medium

Detects when the servicePrincipalName attribute is modified on a user account, potentially indicating Kerberoasting activity.

Format: sigma | Tactic: credential_access | Technique: T1558.003 | Sources: process_creation, windows

Detect PowerShell SPN Modification

Severity: medium

Detects when the servicePrincipalName attribute is modified on a user account via PowerShell.

Format: sigma | Tactic: credential_access | Technique: T1558.003 | Sources: process_creation, windows
