Suspicious SPN logon from workstation (DumpGuard)
Detect Suspicious Spn Logon From Workstation
Query
let spn_accounts = toscalar(
// Search for all SPNs we can find in historic logs
IdentityLogonEvents
| where TimeGenerated > ago(14d)
| where Application == "Active Directory"
| where isnotempty(AdditionalFields.Spns)
| extend Spns = split(AdditionalFields.Spns, ",")
| summarize make_set(Spns)
);
let workstation_subnets = toscalar(
DeviceNetworkInfo
| where TimeGenerated > ago(14d)
// Filter out empty device names
| where isnotempty(DeviceName)
// Expand IP Addresses
| mv-expand todynamic(IPAddresses)
// Focus on device name and IP Address info
| distinct DeviceName, tostring(IPAddresses)
// Filter out IPv6 addresses, /32 addresses, and APIPA addresses
| where todynamic(IPAddresses).IPAddress !contains ":"
| where todynamic(IPAddresses).SubnetPrefix != "32"
| where todynamic(IPAddresses).IPAddress !startswith "169.254"
// Find Device Type of the device
| join kind=inner (
DeviceInfo
| where TimeGenerated > ago(30d)
| distinct DeviceName, DeviceType
) on DeviceName
// Only focus on workstations
| where DeviceType == "Workstation"
// Create Network Address based on the host IP Address and create a distinct list
| extend NetworkAddress = format_ipv4_mask(tostring(todynamic(IPAddresses).IPAddress), tolong(todynamic(IPAddresses).SubnetPrefix))
| summarize make_set(NetworkAddress)
);
IdentityLogonEvents
| where TimeGenerated > ago(1h)
// Get AD TGT requests by looking for Kerberos requests to KRBTGT account
| where Application == "Active Directory"
| where Protocol == "Kerberos"
| where AdditionalFields.Spns contains "krbtgt"
// Check for requests to account names with SPNs
| where AccountName in (spn_accounts)
// Check if IP Address is from a client range
| where ipv4_is_in_any_range(IPAddress, workstation_subnets)
// Optional - Ignore failed logins
| where ActionType != "LogonFailed"About this query
Explanation
This query is designed to detect potentially suspicious activity related to credential dumping on devices with Credential Guard enabled, using the DumpGuard tool. Here's a simplified breakdown of what the query does:
-
Identify SPN Accounts:
- The query first searches through historical log data (from the past 14 days) to identify accounts associated with Service Principal Names (SPNs) in Active Directory logon events. These accounts are stored in a list for further analysis.
-
Identify Workstation Subnets:
- It then identifies network subnets associated with workstations by examining device network information from the past 14 days. It filters out irrelevant IP addresses (like IPv6, /32, and APIPA addresses) and focuses on devices classified as workstations. The resulting network addresses are stored in a list.
-
Detect Suspicious Logon Events:
- The query looks at logon events from the past hour to find Kerberos Ticket Granting Ticket (TGT) requests made to the KRBTGT account, which is a key part of the Kerberos authentication process.
- It checks if these requests are made by accounts identified as having SPNs.
- It further checks if the requests originate from IP addresses within the identified workstation subnets.
- Finally, it filters out any failed logon attempts to focus on successful ones.
The goal of this query is to detect potential misuse of SPN-enabled accounts from workstations, which could indicate an attempt to bypass Credential Guard protections using the DumpGuard tool. This is relevant for security monitoring and threat detection, particularly in environments using Credential Guard.
Details

Robbe Van den Daele
Released: October 24, 2025
Tables
IdentityLogonEventsDeviceNetworkInfoDeviceInfo
Keywords
Devices
Operators
lettoscalarIdentityLogonEventswhereTimeGeneratedagoApplicationisnotemptyextendsplitsummarizemake_setDeviceNetworkInfomv-expandtodynamicdistincttostringjoinkind=innerDeviceInfoonformat_ipv4_maskipv4_is_in_any_rangein