Query Details

RULE 22 AD Targeted Kerberoasting Write SPN

Query

// =========================================================
// RULE-22 | AD-Targeted-Kerberoasting-WriteSPN
// Description : Targeted Kerberoasting via WriteSPN —
//               Event 5136 (DS Object Modified) setting the
//               servicePrincipalName attribute on a USER
//               account (not COMPUTER$), followed within
//               5 minutes by a 4769 (TGS-REP) for that
//               newly set SPN.
//               This is the targetedKerberoast.py pattern:
//               set SPN → request TGS (offline crack) →
//               remove SPN to avoid detection.
//               Any user with WriteProperty on the
//               servicePrincipalName attribute of another
//               user can make that user kerberoastable.
// Severity    : High (SPN+TGS sequence found)
// Frequency   : Every 15 minutes, look-back 15 minutes
// MITRE       : T1558.003 — Kerberoasting
// Tables      : SecurityEvent
// =========================================================

// Look-back equals the run interval, so a set → TGS pair that straddles two
// runs can be missed; widen LookBack (e.g. 30m) if that matters.
let LookBack       = 15m;
let SequenceWindow = 5m;

// Step 1: New SPN set on a user account
let SPNWrites = SecurityEvent
    | where TimeGenerated > ago(LookBack)
    | where EventID == 5136
    | where AttributeLDAPDisplayName =~ "servicePrincipalName"
    | where OperationType == "%%14674"                 // Value Added
    // Only target USER objects, not computer accounts. ObjectClass is the
    // reliable test; matching the DN against "CN=Computers" misses machine
    // accounts that live in other OUs.
    | where ObjectClass =~ "user"
    | extend
        WriterAccount   = strcat(SubjectDomainName, "\\", SubjectUserName),
        TargetUser_DN   = ObjectDN,
        // CN of the modified object, lower-cased for the join. Assumes the CN
        // equals the sAMAccountName (the default when a user is created).
        TargetUser_Key  = tolower(extract(@"^CN=([^,]+)", 1, ObjectDN)),
        NewSPN          = AttributeValue,
        SPNWriteTime    = TimeGenerated;

// Step 2: TGS request for the account that just received the SPN.
// ServiceName in 4769 is the service ACCOUNT name (sAMAccountName), not the
// SPN string, so the correlation key is the account, not the SPN value.
let TGSRequests = SecurityEvent
    | where TimeGenerated > ago(LookBack)
    | where EventID == 4769
    | where TicketEncryptionType == "0x17"             // RC4 (crackable); AES requests (0x12/0x11) are not matched
    | extend
        Requester      = TargetUserName,
        ServiceAccount = ServiceName,
        ServiceKey     = tolower(ServiceName),
        TGSTime        = TimeGenerated;

// Correlate: SPN write → TGS within sequence window
SPNWrites
| join kind=inner (TGSRequests) on $left.TargetUser_Key == $right.ServiceKey
| where TGSTime between (SPNWriteTime .. SPNWriteTime + SequenceWindow)
| extend
    SequenceDuration_sec = datetime_diff("second", TGSTime, SPNWriteTime),
    Severity = "High",
    WhySuspicious = strcat(
        "Targeted_Kerberoast_WriteSPN_Then_TGS; ",
        "SPN_Set: ", NewSPN, "; ",
        "TGS_Requester: ", Requester, "; ",
        "Target_User: ", TargetUser_DN, "; ",
        "Time_Between_sec: ", tostring(SequenceDuration_sec)
    )
| project
    TimeGenerated     = SPNWriteTime,
    Severity,
    WhySuspicious,
    WriterAccount,
    TargetUser_DN,
    NewSPN,
    ServiceAccount,
    Requester,
    TGSTime,
    SequenceDuration_sec,
    Computer
| order by TimeGenerated desc

Explanation

This query detects a specific form of Kerberoasting, targeted Kerberoasting, in which an attacker makes a chosen user account in an Active Directory environment roastable by writing an SPN to it. Here is a simplified explanation of what the query does:

  1. Purpose: The query identifies the sequence in which a service principal name (SPN) is set on a user account and a Kerberos ticket-granting service (TGS) ticket for that SPN is requested shortly afterwards. This pattern indicates a targeted Kerberoasting attack.

  2. Steps:

    • Step 1: The query looks for events in which an SPN is added to a user account (not a computer account). It does this with Event ID 5136, a directory service object modification, filtered to additions of a value to the servicePrincipalName attribute.
    • Step 2: It then looks for a TGS request (Event ID 4769) for the newly set SPN. Only requests with RC4 encryption (type 0x17) are kept, because RC4 tickets are the ones most easily cracked offline.

  3. Correlation: The query correlates the two events by checking whether the TGS request occurs within 5 minutes of the SPN being set. This quick sequence suggests the SPN was set with the intent of performing a Kerberoasting attack.

  4. Output: If such a sequence is detected, the query outputs details about the event, including when it occurred, the accounts involved, and why it is considered suspicious. The severity is "High" because of the potential security risk.

  5. Frequency: The query runs every 15 minutes and analyzes the last 15 minutes of data, so such activity is detected promptly.

Overall, this query helps security teams identify and respond to potential Kerberoasting attacks by flagging suspicious sequences of SPN setting and TGS requests.
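The same correlation as an added Python example, not part of the original rule: it runs over constructed 5136/4769 records that use SecurityEvent column names, joins the modified object's CN against the 4769 ServiceName (the service account name), keeps only user objects by ObjectClass, and additionally flags the follow-up SPN removal that the rule description mentions. All account names, DNs, SPNs and timestamps in SAMPLE are constructed.

```python
from datetime import datetime
import re
VALUE_ADDED, VALUE_DELETED, RC4 = "%%14674", "%%14675", "0x17"

def correlate(events, window_sec=300):
    """Alert per SPN added to a USER object that is followed within window_sec by an
    RC4 TGS for that account; also notes whether the SPN was removed again after."""
    writes = [e for e in events if e["EventID"] == 5136 and e["OperationType"] == VALUE_ADDED
              and e["AttributeLDAPDisplayName"].lower() == "serviceprincipalname"
              and e["ObjectClass"].lower() == "user"]      # skip computer$ objects
    alerts = []
    for w in writes:
        # 4769 ServiceName is the service ACCOUNT (sAMAccountName), not the SPN string,
        # so the join key is the modified object's CN (assumed to equal the account name).
        account = re.match(r"^CN=([^,]+)", w["ObjectDN"], re.IGNORECASE).group(1).lower()
        t0 = w["TimeGenerated"]
        for r in events:
            if (r["EventID"] != 4769 or r["TicketEncryptionType"] != RC4
                    or r["ServiceName"].lower() != account):
                continue
            gap = (r["TimeGenerated"] - t0).total_seconds()
            if not 0 <= gap <= window_sec:
                continue
            removed = any(d["EventID"] == 5136 and d["OperationType"] == VALUE_DELETED
                          and d["AttributeValue"] == w["AttributeValue"]
                          and d["TimeGenerated"] > r["TimeGenerated"] for d in events)
            alerts.append({"writer": w["SubjectUserName"], "target": account,
                           "spn": w["AttributeValue"], "requester": r["TargetUserName"],
                           "seconds": int(gap), "spn_removed_after": removed})
    return alerts

# Constructed sample records using SecurityEvent column names (not real logs).
def spn_write(t, op, spn, cls, dn, who):
    return {"TimeGenerated": datetime.fromisoformat(t), "EventID": 5136, "OperationType": op,
            "AttributeLDAPDisplayName": "servicePrincipalName", "AttributeValue": spn,
            "ObjectClass": cls, "ObjectDN": dn, "SubjectUserName": who}
def tgs(t, svc, who, etype):
    return {"TimeGenerated": datetime.fromisoformat(t), "EventID": 4769, "ServiceName": svc,
            "TargetUserName": who, "TicketEncryptionType": etype}
SAMPLE = [
    spn_write("2026-03-24T10:00:00", VALUE_ADDED, "HTTP/fake.corp.local", "user",
              "CN=jdoe,OU=Staff,DC=corp,DC=local", "mallory"),
    tgs("2026-03-24T10:00:42", "jdoe", "mallory@CORP.LOCAL", RC4),
    spn_write("2026-03-24T10:01:05", VALUE_DELETED, "HTTP/fake.corp.local", "user",
              "CN=jdoe,OU=Staff,DC=corp,DC=local", "mallory"),   # SPN removed again
    # Benign: SPN on a computer object outside CN=Computers, then an AES (0x12) TGS.
    spn_write("2026-03-24T10:02:00", VALUE_ADDED, "MSSQLSvc/srv01.corp.local:1433",
              "computer", "CN=SRV01,OU=Servers,DC=corp,DC=local", "SRV01$"),
    tgs("2026-03-24T10:02:30", "SRV01$", "alice@CORP.LOCAL", "0x12"),
]
```

Running `correlate(SAMPLE)` yields a single alert for jdoe, 42 seconds after the write, with the cleanup flagged; the computer-object write and the AES request produce nothing.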

Details


David Alonso

Released: March 24, 2026

Tables

SecurityEvent

Keywords

SecurityEvent, User, Computer

Operators

let, ago, where, =~, not, has, extend, strcat, join, kind, on, between, datetime_diff, project, tostring, order by, desc
