
Windows PowerView SPN Discovery

Splunk Security Content

Summary
This analytic rule detects execution of the PowerShell cmdlets `Get-DomainUser` or `Get-NetUser` with the `-SPN` parameter, which typically indicates an attacker enumerating domain accounts that have Service Principal Names (SPNs) set, a common precursor to Kerberoasting. It uses PowerShell Script Block Logging (EventCode=4104) to surface script blocks that match this pattern. A match may indicate attempted credential theft or unauthorized privilege escalation within the network. The search alerts on the specific code executed in PowerShell, so that security teams can investigate and respond to the activity promptly.
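The detection logic described above, as an added Python example (not the Splunk search itself or code from Splunk Security Content): it applies the same string-matching idea to constructed EventCode 4104 records, flagging script blocks that call `Get-DomainUser` or `Get-NetUser` together with the `-SPN` switch. The event field names (`EventCode`, `ScriptBlockText`, `Computer`, `UserID`) and the sample events are assumptions made for this example.

```python
import re
from typing import Iterable, List

# Cmdlet names and the SPN switch the analytic looks for. PowerShell is
# case-insensitive, so the matching is too.
CMDLET_RE = re.compile(r"\bGet-(?:DomainUser|NetUser)\b", re.IGNORECASE)
# "-SPN" as a standalone parameter, not part of a longer token such as Get-SPN...
SPN_SWITCH_RE = re.compile(r"(?<![\w-])-SPN\b", re.IGNORECASE)


def is_spn_discovery(script_block_text: str) -> bool:
    """True when a script block calls Get-DomainUser/Get-NetUser with -SPN."""
    return bool(CMDLET_RE.search(script_block_text)
                and SPN_SWITCH_RE.search(script_block_text))


def find_spn_discovery(events: Iterable[dict]) -> List[dict]:
    """Return the Script Block Logging (4104) events matching the pattern.

    Other event codes are ignored: the analytic relies on 4104, which only
    exists when Script Block Logging is enabled on the endpoint.
    """
    hits = []
    for ev in events:
        if ev.get("EventCode") != 4104:
            continue
        text = ev.get("ScriptBlockText", "")
        if is_spn_discovery(text):
            hits.append({"Computer": ev.get("Computer"),
                         "UserID": ev.get("UserID"),
                         "ScriptBlockText": text})
    return hits


# Constructed sample events (hypothetical hosts/users), two of which match.
SAMPLE_EVENTS = [
    {"EventCode": 4104, "Computer": "WS01.example.local", "UserID": "S-1-5-21-1",
     "ScriptBlockText": "Get-DomainUser -SPN -Properties samaccountname"},
    {"EventCode": 4104, "Computer": "WS02.example.local", "UserID": "S-1-5-21-2",
     "ScriptBlockText": "get-netuser -spn | select samaccountname"},
    {"EventCode": 4104, "Computer": "DC01.example.local", "UserID": "S-1-5-21-3",
     "ScriptBlockText": "Get-ADUser -Filter * -Properties ServicePrincipalName"},
    {"EventCode": 4103, "Computer": "WS03.example.local", "UserID": "S-1-5-21-4",
     "ScriptBlockText": "Get-DomainUser -SPN"},  # not a 4104 record: skipped
]

if __name__ == "__main__":
    for hit in find_spn_discovery(SAMPLE_EVENTS):
        print(f"{hit['Computer']} {hit['UserID']}: {hit['ScriptBlockText']}")
```

Obfuscated or aliased invocations will not match a plain string pattern, so this is a high-signal, not an exhaustive, check.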
Categories
  • Windows
  • Endpoint
  • Network
Data Sources
  • Pod
  • Process
ATT&CK Techniques
  • T1558
  • T1558.003
Created: 2024-11-13