Detection: ServicePrincipalNames Discovery with PowerShell

Description

The following analytic identifies PowerShell usage, using Script Block Logging EventCode 4104, related to querying the domain for Service Principal Names (SPNs). This is typically a precursor activity related to kerberoasting or silver ticket attacks. What is a ServicePrincipalName? A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. This allows a client application to request that the service authenticate an account even if the client does not have the account name. The analytic identifies the use of KerberosRequestorSecurityToken class within the script block. Using .NET System.IdentityModel.Tokens.KerberosRequestorSecurityToken class in PowerShell is equivalent to using setspn.exe. This version reduces false positives by requiring both KerberosRequestorSecurityToken usage AND SPN-like patterns, while excluding common monitoring/hook function patterns. During triage, review parallel processes for further suspicious activity.

Annotations

No annotations available.

Implementation

To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.1/add-other-data-to-splunk-uba/configure-powershell-logging-to-see-powershell-anomalies-in-splunk-uba.

Known False Positives

Security monitoring tools that implement PowerShell hooks, administrative scripts that legitimately reference Kerberos token classes, PowerShell modules or functions that contain the class name for educational purposes, and development environments where kerberoasting techniques are being researched.

Associated Analytic Story

• Active Directory Discovery

• Active Directory Kerberos Attacks

• Malicious PowerShell

• Active Directory Privilege Escalation

Risk Based Analytics (RBA)

References

• https://docs.microsoft.com/en-us/windows/win32/ad/service-principal-names

• https://docs.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.kerberosrequestorsecuritytoken?view=netframework-4.8

• https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting

• https://strontic.github.io/xcyclopedia/library/setspn.exe-5C184D581524245DAD7A0A02B51FD2C2.html

• https://attack.mitre.org/techniques/T1558/003/

• https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spn-setspn-syntax.aspx

• https://web.archive.org/web/20220212163642/https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/

• https://blog.zsec.uk/paving-2-da-wholeset/

• https://msitpros.com/?p=3113

• https://adsecurity.org/?p=3466

• https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.1/add-other-data-to-splunk-uba/configure-powershell-logging-to-see-powershell-anomalies-in-splunk-uba.

• https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63

• https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf

• https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/

Version: 4