Adversaries may assign a service principal name (SPN) to a user account as preparation for Kerberoasting: once a user account carries an SPN, service tickets for it can be requested and cracked offline to recover the account's password. SOC teams should proactively hunt for this change in Azure Sentinel to catch Kerberoasting preparation early and limit the risk of credential compromise.
KQL Query

```kusto
SecurityEvent
| where EventID == 5136
| parse EventData with * 'AttributeLDAPDisplayName">' AttributeLDAPDisplayName "<" *
| parse EventData with * 'ObjectClass">' ObjectClass "<" *
| where AttributeLDAPDisplayName == "servicePrincipalName" and ObjectClass == "user"
| parse EventData with * 'ObjectDN">' ObjectDN "<" *
| parse EventData with * 'AttributeValue">' AttributeValue "<" *
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, ObjectDN, AttributeValue, SubjectUserName, SubjectDomainName, SubjectUserSid
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
| project-away DomainIndex
```
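To check what this query actually matches before deploying it, here is an added Python rendering of the same logic (this is example code written for this page, not the rule's own query or anything from the Sentinel repository) run over constructed event 5136 rows shaped like the SecurityEvent columns the query reads. The `parse_field` helper reproduces the `parse EventData with *` extraction, `split_computer` reproduces the HostName/HostNameDomain extend clauses, and `detect_spn_on_user` applies the filter and summarize steps. The `allowlist` parameter is an assumed tuning hook keyed on ObjectDN (a column the query emits) and is not part of the original query; every event, DN, SID and SPN value below is made up.

```python
import re
from typing import Dict, FrozenSet, List, Optional, Tuple


def parse_field(event_data: str, name: str) -> Optional[str]:
    """Same extraction as `parse EventData with * '<name>">' value "<" *` in the query:
    the text between the attribute's closing `">` and the next '<'."""
    match = re.search(re.escape(name + '">') + r"([^<]*)<", event_data)
    return match.group(1) if match else None


def split_computer(computer: str) -> Tuple[str, str]:
    """HostName / HostNameDomain as the query's extend clauses compute them:
    text before the first dot, and text after it (the whole name when there is no dot)."""
    host, dot, domain = computer.partition(".")
    return host, (domain if dot else computer)


def detect_spn_on_user(events: List[Dict], allowlist: FrozenSet[str] = frozenset()) -> List[Dict]:
    """Filter, parse, summarize and extend, mirroring the KQL above.
    `allowlist` is an assumed tuning hook (not in the page's query): ObjectDNs of
    documented SPN-bearing user accounts that should not raise an alert."""
    summary: Dict[tuple, Tuple[str, str]] = {}
    for ev in events:
        if ev["EventID"] != 5136:
            continue
        data = ev["EventData"]
        if (parse_field(data, "AttributeLDAPDisplayName") != "servicePrincipalName"
                or parse_field(data, "ObjectClass") != "user"):
            continue
        object_dn = parse_field(data, "ObjectDN")
        if object_dn in allowlist:
            continue
        key = (ev["Computer"], ev["SubjectAccount"], object_dn,
               parse_field(data, "AttributeValue"), ev["SubjectUserName"],
               ev["SubjectDomainName"], ev["SubjectUserSid"])
        # Fixed-format ISO 8601 UTC timestamps sort lexicographically, so min/max work on strings.
        ts = ev["TimeGenerated"]
        start, end = summary.get(key, (ts, ts))
        summary[key] = (min(start, ts), max(end, ts))
    rows = []
    for (computer, subject, object_dn, value, user, domain, sid), (start, end) in summary.items():
        host, host_domain = split_computer(computer)
        rows.append({"StartTime": start, "EndTime": end, "Computer": computer,
                     "SubjectAccount": subject, "ObjectDN": object_dn, "AttributeValue": value,
                     "SubjectUserName": user, "SubjectDomainName": domain, "SubjectUserSid": sid,
                     "HostName": host, "HostNameDomain": host_domain})
    return sorted(rows, key=lambda r: r["StartTime"])


# --- constructed sample telemetry (made up for this example, not real events) ---
def _event_data(object_dn: str, object_class: str, attribute: str, value: str) -> str:
    # Shape of the EventData XML that SecurityEvent stores for a 5136 directory-object change
    return (f'<EventData><Data Name="ObjectDN">{object_dn}</Data>'
            f'<Data Name="ObjectClass">{object_class}</Data>'
            f'<Data Name="AttributeLDAPDisplayName">{attribute}</Data>'
            f'<Data Name="AttributeValue">{value}</Data>'
            f'<Data Name="OperationType">%%14674</Data></EventData>')


def _row(ts: str, event_id: int, computer: str, subject: str, sid: str, event_data: str) -> Dict:
    domain, _, user = subject.partition("\\")
    return {"TimeGenerated": ts, "EventID": event_id, "Computer": computer,
            "SubjectAccount": subject, "SubjectUserName": user, "SubjectDomainName": domain,
            "SubjectUserSid": sid, "EventData": event_data}


SVC_BACKUP = "CN=svc-backup,OU=Users,DC=corp,DC=example"
SVC_SQL = "CN=svc-sql,OU=Service Accounts,DC=corp,DC=example"
SAMPLE_EVENTS = [
    # SPN written to a user object twice within minutes: one summarized row, StartTime/EndTime spread
    _row("2024-01-10T08:00:00Z", 5136, "dc01.corp.example", "CORP\\jdoe", "S-1-5-21-1-2-3-1105",
         _event_data(SVC_BACKUP, "user", "servicePrincipalName", "HTTP/svc-backup.corp.example")),
    _row("2024-01-10T08:05:00Z", 5136, "dc01.corp.example", "CORP\\jdoe", "S-1-5-21-1-2-3-1105",
         _event_data(SVC_BACKUP, "user", "servicePrincipalName", "HTTP/svc-backup.corp.example")),
    # SPN on a computer object: routine, the ObjectClass filter drops it
    _row("2024-01-10T08:10:00Z", 5136, "dc01.corp.example", "CORP\\jdoe", "S-1-5-21-1-2-3-1105",
         _event_data("CN=WS01,CN=Computers,DC=corp,DC=example", "computer",
                     "servicePrincipalName", "HOST/ws01.corp.example")),
    # a different attribute on a user object: the attribute filter drops it
    _row("2024-01-10T08:15:00Z", 5136, "dc01.corp.example", "CORP\\jdoe", "S-1-5-21-1-2-3-1105",
         _event_data(SVC_BACKUP, "user", "description", "Backup service account")),
    # not a 5136 at all
    _row("2024-01-10T08:20:00Z", 4742, "dc01.corp.example", "CORP\\jdoe", "S-1-5-21-1-2-3-1105", ""),
    # documented SQL service account, logged by a DC with no domain suffix: flagged unless allowlisted
    _row("2024-01-10T09:00:00Z", 5136, "dc02", "CORP\\svc-admin", "S-1-5-21-1-2-3-1200",
         _event_data(SVC_SQL, "user", "servicePrincipalName", "MSSQLSvc/sql01.corp.example:1433")),
]

if __name__ == "__main__":
    for row in detect_spn_on_user(SAMPLE_EVENTS, allowlist=frozenset({SVC_SQL})):
        print(row["StartTime"], row["EndTime"], row["HostName"], row["ObjectDN"], row["AttributeValue"])
```

Two things the sample makes visible: the summarize step collapses repeated writes of the same SPN to one row, and a Computer value without a dot yields HostNameDomain equal to the full Computer string. Neither the query nor this rendering looks at OperationType, so a 5136 that records an SPN value being removed matches just like one that records it being added; whether to narrow that is a tuning decision for the analyst.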
```yaml
id: 875d0eb1-883a-4191-bd0e-dbfdeb95a464
name: Service Principal Name (SPN) Assigned to User Account
description: |
  'This query identifies whether an Active Directory user object was assigned a service principal name which could indicate that an adversary is preparing for performing Kerberoasting.
  This query checks for event id 5136, that the Object Class field is "user" and the LDAP Display Name is "servicePrincipalName".
  Ref: https://thevivi.net/assets/docs/2019/theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf'
severity: Medium
requiredDataConnectors:
  - connectorId: SecurityEvents
    dataTypes:
      - SecurityEvent
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - PrivilegeEscalation
relevantTechniques:
  - T1134
query: |
  SecurityEvent
  | where EventID == 5136
  | parse EventData with * 'AttributeLDAPDisplayName">' AttributeLDAPDisplayName "<" *
  | parse EventData with * 'ObjectClass">' ObjectClass "<" *
  | where AttributeLDAPDisplayName == "servicePrincipalName" and ObjectClass == "user"
  | parse EventData with * 'ObjectDN">' ObjectDN "<" *
  | parse EventData with * 'AttributeValue">' AttributeValue "<" *
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, SubjectAccount, ObjectDN, AttributeValue, SubjectUserName, SubjectDomainName, SubjectUserSid
  | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
  | project-away DomainIndex
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: SubjectAccount
      - identifier: Name
        columnName: SubjectUserName
      - identifier: NTDomain
        columnName: SubjectDomainName
  - entityType: Account
    fieldMappings:
      - identifier: Sid
        columnName: SubjectUserSid
  - entityType: Host
    fieldMappings:
      - identifier: FullName
        columnName: Computer
      - identifier: HostName
        columnName: HostName
      - identifier: NTDomain
        columnName: HostNameDomain
version: 1.0.4
kind: Scheduled
metadata:
  source:
    kind: Community
  author:
    name: Vasileios Paschalidis
  support:
    tier: Community
  categories:
    domains: [ "Security - Others", "Identity" ]
```
| Sentinel Table | Notes |
|---|---|
| SecurityEvent | Ensure this data connector is enabled |
The exclusions below are written against columns (AccountType, JobName, ServiceName, UserAccount, UserPrincipalName) that the query above does not emit. Before adding one, map the condition onto the fields the query does project (SubjectAccount, SubjectUserName, ObjectDN, AttributeValue) and negate it, since each expression describes the benign case that should be dropped.

Scenario: Scheduled Job Using SPN for Service Communication
Description: A legitimate scheduled job (for example a SQL Server Agent job or a Windows Task Scheduler task) is configured to use a service principal name (SPN) to communicate with a database or service.
Filter/Exclusion: `where AccountType == 'ServiceAccount' or JobName contains 'SQL' or JobName contains 'TaskScheduler'`

Scenario: Admin Task Using SPN for Authentication
Description: An administrator is performing a maintenance task that requires an SPN for authentication (for example Azure AD Connect, or Kerberos authentication for LDAP), which is a normal part of directory synchronization or identity management.
Filter/Exclusion: `where AccountType == 'Administrator' or ServiceName contains 'AzureADConnect' or ServiceName contains 'Kerberos'`

Scenario: Legacy Application Using SPN for Legacy Authentication
Description: A legacy application (for example Microsoft Exchange, or an older Active Directory-integrated application that uses an SPN for Kerberos authentication) is still in use and requires an SPN assignment to function.
Filter/Exclusion: `where ServiceName contains 'Exchange' or ServiceName contains 'LegacyApp' or ServiceName contains 'ADApplication'`

Scenario: User Account Assigned SPN for Personal Use
Description: A user account is assigned an SPN for personal use (for example PowerShell remoting, RDP with an SPN, or custom script automation) that is unrelated to Kerberoasting.
Filter/Exclusion: `where isnotnull(UserAccount) or UserPrincipalName contains 'user' or ServiceName contains 'PowerShell'`
Scenario: Service Principal Created for Automation Tool
Description: A service principal (e.g., Azure DevOps, `