Name:Windows PowerView SPN Discovery id:a7093c28-796c-4ebb-9997-e2c18b870837 version:3 date:2024-09-30 author:Gowthamaraj Rajendran, Splunk status:production type:TTP Description:The following analytic detects the execution of the `Get-DomainUser` or `Get-NetUser` PowerShell cmdlets with the `-SPN` parameter, indicating the use of PowerView for SPN discovery. It leverages PowerShell Script Block Logging (EventCode=4104) to identify these specific commands. This activity is significant as it suggests an attempt to enumerate domain accounts associated with Service Principal Names (SPNs), a common precursor to Kerberoasting attacks. If confirmed malicious, this could allow an attacker to identify and target accounts for credential theft, potentially leading to unauthorized access and privilege escalation within the network. Data_source:
-Powershell Script Block Logging 4104
search:`powershell` EventCode=4104 (ScriptBlockText =*Get-NetUser* OR ScriptBlockText=*Get-DomainUser*) ScriptBlockText= *-SPN* | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest | rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_powerview_spn_discovery_filter`
how_to_implement:The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. known_false_positives:False positive may include Administrators using PowerView for troubleshooting and management. References: -https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/kerberoast -https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1 -https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting -https://attack.mitre.org/techniques/T1558/003 drilldown_searches: name:'View the detection results for - "$dest$"' search:'%original_detection_search% | search dest = "$dest$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$dest$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'CISA AA23-347A' - 'Rhysida Ransomware' - 'Active Directory Kerberos Attacks' asset_type:Endpoint confidence:90 impact:30 message:PowerView commandlets used for SPN discovery executed on $dest$ mitre_attack_id: - 'T1558' - 'T1558.003' observable: name:'dest' type:'Hostname' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' - 'EventCode' - 'Computer' - 'ScriptBlockText' risk_score:27 security_domain:endpoint
