Synopsis
Activation Period |
14 Days |
Training Period |
30 Days |
Test Period |
N/A (single event) |
Deduplication Period |
1 Day |
Required Data |
|
Detection Modules |
|
Detector Tags |
|
ATT&CK Tactic |
|
ATT&CK Technique |
|
Severity |
Low |
Description
A Service Principal Name (SPN) is a unique identifier for a service, mapped to a specific account. Setspn.exe can be used to retrieve SPN information, which may indicate an attacker's attempt to "Kerberoast".
Attacker's Goals
Retrieving SPN information to perform related attacks like 'Kerberoast'.
Investigative actions
- Investigate the user who executed setspn.exe and find out if the act was malicious.