title: Possible SPN Enumeration
author: Markus Neis, keepwatch
date: 2018/11/14
description: Detects Service Principal Name Enumeration used for Kerberoasting
detection:
  SELECTION_1:
    EventID: 1
  SELECTION_2:
    Image: '*\setspn.exe'
  SELECTION_3:
    Description: '*Query or reset the computer*'
  SELECTION_4:
    Description: '*SPN attribute*'
  SELECTION_5:
    CommandLine: '*-q*'
  condition: (SELECTION_1 and (SELECTION_2 or (SELECTION_3 and SELECTION_4)) and SELECTION_5)
falsepositives:
- Administrator Activity
id: 1eeed653-dbc8-4187-ad0c-eeebb20e6599
level: medium
logsource:
  category: process_creation
  product: windows
references:
- https://p16.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation
status: experimental
tags:
- attack.credential_access
- attack.t1558.003
- attack.t1208
ruletype: SIGMA