RULE 22 AD Targeted Kerberoasting Write SPN
Query
// =========================================================
// RULE-22 | AD-Targeted-Kerberoasting-WriteSPN
// Description : Targeted Kerberoasting via WriteSPN —
// Event 5136 (DS Object Modified) setting the
// servicePrincipalName attribute on a USER
// account (not COMPUTER$), followed within
// 5 minutes by a 4769 (TGS-REP) for that
// newly set SPN.
// This is the targetedKerberoast.py pattern:
// set SPN → request TGS (offline crack) →
// remove SPN to avoid detection.
// Any user with WriteProperty on the
// servicePrincipalName attribute of another
// user can make that user kerberoastable.
// Severity : High (SPN+TGS sequence found)
// Frequency : Every 15 minutes, look-back 15 minutes
// MITRE : T1558.003 — Kerberoasting
// Tables : SecurityEvent
// =========================================================
let LookBack = 15m;
let SequenceWindow = 5m;
// Step 1: New SPN set on a user account
let SPNWrites = SecurityEvent
| where TimeGenerated > ago(LookBack)
| where EventID == 5136
| where AttributeLDAPDisplayName =~ "servicePrincipalName"
| where OperationType == "%%14674" // Value Added
// Only target USER objects, not computer accounts
| where not(ObjectDN has "CN=Computers")
| extend
WriterAccount = strcat(SubjectDomainName, "\\", SubjectUserName),
TargetUser_DN = ObjectDN,
NewSPN = AttributeValue,
SPNWriteTime = TimeGenerated;
// Step 2: TGS request for the newly created SPN
let TGSRequests = SecurityEvent
| where TimeGenerated > ago(LookBack)
| where EventID == 4769
| where TicketEncryptionType == "0x17" // RC4 — crackable
| extend
Requester = TargetUserName,
RequestedSPN = ServiceName,
TGSTime = TimeGenerated;
// Correlate: SPN write → TGS within sequence window
SPNWrites
| join kind=inner (TGSRequests) on $left.NewSPN == $right.RequestedSPN
| where TGSTime between (SPNWriteTime .. SPNWriteTime + SequenceWindow)
| extend
SequenceDuration_sec = datetime_diff("second", TGSTime, SPNWriteTime),
Severity = "High",
WhySuspicious = strcat(
"Targeted_Kerberoast_WriteSPN_Then_TGS; ",
"SPN_Set: ", NewSPN, "; ",
"TGS_Requester: ", Requester, "; ",
"Target_User: ", TargetUser_DN, "; ",
"Time_Between_sec: ", tostring(SequenceDuration_sec)
)
| project
TimeGenerated = SPNWriteTime,
Severity,
WhySuspicious,
WriterAccount,
TargetUser_DN,
NewSPN,
Requester,
TGSTime,
SequenceDuration_sec,
Computer
| order by TimeGenerated descExplanation
This query is designed to detect a specific type of attack known as "Kerberoasting," which targets user accounts in an Active Directory environment. Here's a simplified explanation of what the query does:
-
Purpose: The query aims to identify suspicious activity where a service principal name (SPN) is set on a user account and then quickly followed by a request for a Kerberos ticket-granting service (TGS) ticket for that SPN. This pattern is indicative of a targeted Kerberoasting attack.
-
Steps:
- Step 1: The query looks for events where an SPN is added to a user account (not a computer account). This is detected by looking for Event ID 5136, which indicates a directory service object modification, specifically when the
servicePrincipalNameattribute is set. - Step 2: It then searches for a TGS request (Event ID 4769) for the newly set SPN. The TGS request uses RC4 encryption, which is known to be vulnerable to offline cracking.
- Step 1: The query looks for events where an SPN is added to a user account (not a computer account). This is detected by looking for Event ID 5136, which indicates a directory service object modification, specifically when the
-
Correlation: The query correlates these two events by checking if the TGS request occurs within 5 minutes of the SPN being set. This quick sequence suggests the SPN was set with the intent of performing a Kerberoasting attack.
-
Output: If such a sequence is detected, the query outputs details about the event, including the time it occurred, the accounts involved, and why it is considered suspicious. The severity is marked as "High" due to the potential security risk.
-
Frequency: The query runs every 15 minutes, analyzing the last 15 minutes of data to ensure timely detection of such activities.
Overall, this query helps security teams identify and respond to potential Kerberoasting attacks by flagging suspicious sequences of SPN setting and TGS requests.
