{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/spn/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Active Directory"],"_cs_severities":["high"],"_cs_tags":["kerberos","coercion","dns","spn","spoofing","credential-access"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies potential Kerberos coercion attempts via DNS-based SPN spoofing on Windows systems. The technique abuses MicrosoftDNS records, specifically looking for directory-service access or creation events (event codes 4662 and 5137) involving a MicrosoftDNS record that contains a base64-encoded blob matching the pattern \u0026ldquo;UWhRCA\u0026hellip;BAAAA\u0026rdquo;. This blob pattern corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure, a known indicator of DNS-based SPN spoofing used in Kerberos coercion tradecraft. The goal is to detect adversaries coercing victim systems into authenticating to attacker-controlled hosts while requesting Kerberos tickets for legitimate services. This activity is typically observed within Windows Security Event Logs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe adversary gains initial access to a system with privileges to modify DNS records in Active Directory.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a new MicrosoftDNS record or modifies an existing one.\u003c/li\u003e\n\u003cli\u003eWithin the DNS record, specifically in the \u003ccode\u003eAdditionalInfo\u003c/code\u003e or \u003ccode\u003eObjectDN\u003c/code\u003e attributes, the attacker inserts a base64-encoded blob matching the pattern \u0026ldquo;UWhRCA\u0026hellip;BAAAA\u0026rdquo;. This blob contains a marshaled CREDENTIAL_TARGET_INFORMATION structure.\u003c/li\u003e\n\u003cli\u003eThe attacker configures the DNS record to point to an attacker-controlled host. This involves manipulating the record\u0026rsquo;s name and associated IP address.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers a victim system to resolve the manipulated DNS record, causing the victim to attempt Kerberos authentication with the attacker-controlled host, believing it to be a legitimate service.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts the Kerberos authentication request.\u003c/li\u003e\n\u003cli\u003eThe attacker relays the Kerberos ticket to a legitimate service, impersonating the victim system.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the legitimate service using the relayed Kerberos ticket.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful Kerberos coercion can grant attackers unauthorized access to critical systems and services within the Active Directory domain. This may lead to privilege escalation, lateral movement, data exfiltration, and other malicious activities. The scope of impact depends on the permissions and access rights of the coerced victim system and the targeted services.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable \u0026ldquo;Audit Directory Service Access\u0026rdquo; and \u0026ldquo;Audit Directory Service Changes\u0026rdquo; Windows audit policies to ensure relevant events are logged (Setup section).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect potential Kerberos coercion attempts via DNS-based SPN spoofing. Tune the rules based on your environment and known legitimate activity.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules, focusing on the associated user accounts, systems, and modified DNS records (rule titles).\u003c/li\u003e\n\u003cli\u003eRestrict access to modify DNS records in Active Directory to only authorized personnel and systems to prevent unauthorized manipulation (Overview section).\u003c/li\u003e\n\u003cli\u003eMonitor Windows Security authentication events for any suspicious Kerberos activity following the modification of DNS records (Attack Chain steps 5-8).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T12:00:00Z","date_published":"2024-01-26T12:00:00Z","id":"/briefs/2024-01-kerberos-coercion-dns/","summary":"Adversaries may abuse MicrosoftDNS records containing a base64-encoded blob to coerce victim systems into authenticating to attacker-controlled hosts while requesting Kerberos tickets for legitimate services, detected via directory-service access events.","title":"Potential Kerberos Coercion via DNS-Based SPN Spoofing","url":"https://feed.craftedsignal.io/briefs/2024-01-kerberos-coercion-dns/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Active Directory"],"_cs_severities":["medium"],"_cs_tags":["kerberoasting","credential-access","windows","spn"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection rule identifies modifications to the \u003ccode\u003eservicePrincipalName\u003c/code\u003e (SPN) attribute of user accounts within Active Directory. Attackers can exploit write privileges over a user account to configure SPNs, enabling them to perform Kerberoasting attacks. While administrators may configure SPNs legitimately, this exposes the account to potential abuse. The risk arises because user-defined passwords are often less complex than machine account passwords, making them vulnerable to cracking. The rule focuses on identifying when a user account is at increased risk due to SPN modifications, indicating potential Kerberoasting vulnerabilities. The original Elastic rule was published on 2022-02-22 and last updated on 2026-05-04.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system with a user account that possesses write privileges to other user accounts within Active Directory.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target user account for which they want to perform Kerberoasting.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003eservicePrincipalName\u003c/code\u003e attribute of the target user account using tools like \u003ccode\u003eSetSPN.exe\u003c/code\u003e or PowerShell.\u003c/li\u003e\n\u003cli\u003eA Kerberos client requests a ticket-granting service (TGS) ticket for the modified SPN.\u003c/li\u003e\n\u003cli\u003eThe domain controller encrypts the TGS ticket with the secret key (NTLM hash) of the target user account.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts the encrypted TGS ticket from network traffic or the Kerberos client cache.\u003c/li\u003e\n\u003cli\u003eThe attacker performs offline password cracking on the extracted TGS ticket to recover the plaintext password of the target user account using tools like Hashcat or John the Ripper.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised credentials to gain unauthorized access to resources or perform lateral movement within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful Kerberoasting attacks can compromise user account credentials, potentially leading to unauthorized access to sensitive resources and lateral movement within the network. If privileged accounts are compromised, attackers can gain control over critical systems and data, leading to data breaches, system disruptions, and financial losses. The number of victims depends on the permissions of the compromised account and the scope of the attacker\u0026rsquo;s access.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable and monitor \u0026ldquo;Audit Directory Service Changes\u0026rdquo; in Windows Security Event Logs to generate the events required for the detection rule (reference: \u003ca href=\"https://ela.st/audit-directory-service-changes\"\u003ehttps://ela.st/audit-directory-service-changes\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the \u0026ldquo;User account exposed to Kerberoasting\u0026rdquo; Sigma rule to your SIEM and tune it based on your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on identifying the user account that performed the SPN modification and whether the modification was legitimate (reference: Sigma rule).\u003c/li\u003e\n\u003cli\u003eImplement Group Managed Service Accounts (gMSA) for services running under user accounts to ensure strong and automatically rotated passwords (reference: \u003ca href=\"https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview\"\u003ehttps://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview\u003c/a\u003e).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-kerberoasting-spn-modified/","summary":"Detection of modifications to the servicePrincipalName attribute on user accounts, potentially exposing them to Kerberoasting attacks by allowing attackers to request Kerberos tickets for the account.","title":"User Account ServicePrincipalName Attribute Modified","url":"https://feed.craftedsignal.io/briefs/2024-01-kerberoasting-spn-modified/"}],"language":"en","title":"CraftedSignal Threat Feed — Spn","version":"https://jsonfeed.org/version/1.1"}