Tag
high
advisory
Windows AD ServicePrincipalName Added To Domain Account
2 rules 1 TTPThis Splunk analytic detects the addition of a Service Principal Name (SPN) to a domain account by monitoring Windows Event Code 5136 and changes to the servicePrincipalName attribute, potentially indicating Kerberoasting attempts leading to unauthorized access.
Splunk Enterprise +2
kerberoasting
active_directory
spn
persistence
2r
1t
high
advisory
Potential Kerberos Coercion via DNS-Based SPN Spoofing
2 rules 1 TTPAdversaries may abuse MicrosoftDNS records containing a base64-encoded blob to coerce victim systems into authenticating to attacker-controlled hosts while requesting Kerberos tickets for legitimate services, detected via directory-service access events.
Active Directory
kerberos
coercion
dns
spn
spoofing
credential-access
2r
1t
medium
advisory
User Account ServicePrincipalName Attribute Modified
2 rules 2 TTPsDetection of modifications to the servicePrincipalName attribute on user accounts, potentially exposing them to Kerberoasting attacks by allowing attackers to request Kerberos tickets for the account.
Active Directory
kerberoasting
credential-access
windows
spn
2r
2t