serviceprincipalnames_discovery_with_powershell.yml
name: ServicePrincipalNames Discovery with PowerShell
id: 13243068-2d38-11ec-8908-acde48001122
version: 2
date: '2022-02-26'
author: Michael Haag, Splunk
status: production
type: TTP
description: 'The following analytic identifies `powershell.exe` usage, using Script
  Block Logging EventCode 4104, related to querying the domain for Service Principal
  Names. Typically, this is a precursor activity related to Kerberoasting or the silver
  ticket attack.

  What is a ServicePrincipalName?

  A service principal name (SPN) is a unique identifier of a service instance. SPNs
  are used by Kerberos authentication to associate a service instance with a service
  logon account. This allows a client application to request that the service authenticate
  an account even if the client does not have the account name.

  The following analytic identifies the use of the KerberosRequestorSecurityToken class
  within the script block. Using the .NET System.IdentityModel.Tokens.KerberosRequestorSecurityToken
  class in PowerShell is the equivalent of using setspn.exe.

  During triage, review parallel processes for further suspicious activity.'
data_source:
- Powershell Script Block Logging 4104
search: '`powershell` EventCode=4104 ScriptBlockText="*KerberosRequestorSecurityToken*"
  | stats count min(_time) as firstTime max(_time) as lastTime by ScriptBlockText
  Opcode Computer UserID EventCode | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
  | `serviceprincipalnames_discovery_with_powershell_filter`'
how_to_implement: To successfully implement this analytic, you will need to enable
  PowerShell Script Block Logging on some or all endpoints. Additional setup guidance is at
  https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell
known_false_positives: False positives should be limited; filter as needed.
references:
- https://docs.microsoft.com/en-us/windows/win32/ad/service-principal-names
- https://docs.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.kerberosrequestorsecuritytoken?view=netframework-4.8
- https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting
- https://strontic.github.io/xcyclopedia/library/setspn.exe-5C184D581524245DAD7A0A02B51FD2C2.html
- https://attack.mitre.org/techniques/T1558/003/
- https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spn-setspn-syntax.aspx
- https://web.archive.org/web/20220212163642/https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/
- https://blog.zsec.uk/paving-2-da-wholeset/
- https://msitpros.com/?p=3113
- https://adsecurity.org/?p=3466
- https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell
- https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
- https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf
- https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/
tags:
  analytic_story:
  - Active Directory Discovery
  - Active Directory Kerberos Attacks
  - Malicious PowerShell
  - Active Directory Privilege Escalation
  asset_type: Endpoint
  confidence: 100
  impact: 80
  message: An instance of attempting to identify service principal names was detected on $dest$.
  mitre_attack_id:
  - T1558.003
  observable:
  - name: user
    type: User
    role:
    - Victim
  - name: dest
    type: Hostname
    role:
    - Victim
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  required_fields:
  - _time
  - ScriptBlockText
  - Opcode
  - Computer
  - UserID
  - EventCode
  risk_score: 80
  security_domain: endpoint
tests:
- name: True Positive Test
  attack_data:
  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log
    source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
    sourcetype: xmlwineventlog
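The following is an added example and not part of the Splunk security_content project: a small offline re-implementation of the `search` above in Python, run over constructed EventCode 4104 records, so the match condition (`EventCode=4104` plus a case-insensitive `*KerberosRequestorSecurityToken*` match on `ScriptBlockText`), the `stats ... by` grouping, the `rename` to `dest`/`user`, and the effect of the `_filter` macro can be checked without a Splunk instance. The hostnames, SIDs, timestamps and script blocks are constructed; the `allowlist` argument is an assumed stand-in for whatever the site-specific `serviceprincipalnames_discovery_with_powershell_filter` macro excludes, and `ctime` renders epoch seconds the way `security_content_ctime` does (`%Y-%m-%dT%H:%M:%S`), here in UTC.

```python
"""Offline re-implementation of the detection's search logic over constructed
EventCode 4104 records. Added example; not the project's own code."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed script block containing the .NET class the detection keys on.
SPN_QUERY_BLOCK = (
    "Add-Type -AssemblyName System.IdentityModel; "
    "New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken "
    "-ArgumentList 'MSSQLSvc/sql01.corp.example'"
)

# Constructed sample events standing in for Microsoft-Windows-PowerShell/Operational
# records. Field names follow the detection's required_fields; _time is epoch seconds.
SAMPLE_EVENTS = [
    # Same script block logged twice from one host/user -> one stats row with count 2.
    {"_time": 1645891200, "EventCode": 4104, "Opcode": "Create",
     "Computer": "ws01.corp.example", "UserID": "S-1-5-21-111-222-333-1001",
     "ScriptBlockText": SPN_QUERY_BLOCK},
    {"_time": 1645891260, "EventCode": 4104, "Opcode": "Create",
     "Computer": "ws01.corp.example", "UserID": "S-1-5-21-111-222-333-1001",
     "ScriptBlockText": SPN_QUERY_BLOCK},
    # Benign script block: must not match.
    {"_time": 1645891300, "EventCode": 4104, "Opcode": "Create",
     "Computer": "ws02.corp.example", "UserID": "S-1-5-21-111-222-333-1002",
     "ScriptBlockText": "Get-ChildItem C:\\Temp | Measure-Object"},
    # Module-logging event (4103) carrying the same text: wrong EventCode, must not match.
    {"_time": 1645891320, "EventCode": 4103, "Opcode": "Create",
     "Computer": "ws03.corp.example", "UserID": "S-1-5-21-111-222-333-1003",
     "ScriptBlockText": SPN_QUERY_BLOCK},
]

# The `by` clause of the stats command, in order.
GROUP_BY = ("ScriptBlockText", "Opcode", "Computer", "UserID", "EventCode")


def matches(event):
    """EventCode=4104 ScriptBlockText="*KerberosRequestorSecurityToken*".
    Splunk wildcard matching on field values is case-insensitive, so compare lowercased."""
    text = str(event.get("ScriptBlockText", "")).lower()
    return event.get("EventCode") == 4104 and "kerberosrequestorsecuritytoken" in text


def ctime(epoch):
    """Stand-in for `security_content_ctime`: epoch seconds -> %Y-%m-%dT%H:%M:%S (UTC here)."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")


def run_detection(events, allowlist=None):
    """stats count min(_time) max(_time) by GROUP_BY, then rename Computer->dest and
    UserID->user. `allowlist` (assumption) stands in for the site-specific `_filter`
    macro: a set of (dest, user) pairs whose SPN queries are known and authorised."""
    times_by_key = defaultdict(list)
    for ev in events:
        if matches(ev):
            times_by_key[tuple(ev[f] for f in GROUP_BY)].append(ev["_time"])
    rows = []
    for (block, opcode, computer, user, code), times in times_by_key.items():
        if allowlist and (computer, user) in allowlist:
            continue  # suppressed by the filter macro
        rows.append({"ScriptBlockText": block, "Opcode": opcode, "dest": computer,
                     "user": user, "EventCode": code, "count": len(times),
                     "firstTime": ctime(min(times)), "lastTime": ctime(max(times))})
    return rows


if __name__ == "__main__":
    for row in run_detection(SAMPLE_EVENTS):
        print(f"{row['dest']} {row['user']} count={row['count']} "
              f"first={row['firstTime']} last={row['lastTime']}")
```

Running the block yields a single row for `ws01.corp.example` with `count=2`; the benign block and the 4103 record are dropped by `matches`, which mirrors why the analytic needs Script Block Logging specifically and not only module logging. Populating `allowlist` is the place to encode the tuning that `known_false_positives` asks for, so that approved SPN queries from, say, an inventory host do not raise the 80-point risk event.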