Windows AD Short Lived Domain Account ServicePrincipalName

name: Windows AD Short Lived Domain Account ServicePrincipalName
id: b681977c-d90c-4efc-81a5-c58f945fb541
version: 10
date: '2026-03-10'
author: Mauricio Velazco, Splunk
type: TTP
status: production
data_source:
    - Windows Event Log Security 5136
description: The following analytic identifies the addition and quick deletion of a Service Principal Name (SPN) to a domain account within 5 minutes. This detection leverages EventCode 5136 from the Windows Security Event Log, focusing on changes to the servicePrincipalName attribute. This activity is significant as it may indicate an attempt to perform Kerberoasting, a technique used to crack the cleartext password of a domain account offline. If confirmed malicious, this could allow an attacker to gain unauthorized access to sensitive information or escalate privileges within the domain environment.
search: |-
    `wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=servicePrincipalName
      | transaction ObjectDN AttributeValue startswith=(EventCode=5136 OperationType="%%14674") endswith=(EventCode=5136 OperationType="%%14675")
      | eval short_lived=case((duration<300),"TRUE")
      | search short_lived = TRUE
      | rename ObjectDN as user
      | rename Computer as dest
      | `windows_ad_short_lived_domain_account_serviceprincipalname_filter`
how_to_implement: To successfully implement this search, you ned to be ingesting eventcode `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled. Additionally, a SACL needs to be created for AD objects in order to ingest attribute modifications.
known_false_positives: A Service Principal Name should only be added to an account when an application requires it. Adding an SPN and quickly deleting it is less common but may be part of legitimate action. Filter as needed.
references:
    - https://adsecurity.org/?p=3466
    - https://www.thehacker.recipes/ad/movement/dacl/targeted-kerberoasting
    - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136
    - https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting
drilldown_searches:
    - name: View the detection results for - "$user$"
      search: '%original_detection_search% | search  user = "$user$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$user$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: A Servince Principal Name for $user$ was set and shortly deleted
    risk_objects:
        - field: user
          type: user
          score: 50
    threat_objects: []
tags:
    analytic_story:
        - Sneaky Active Directory Persistence Tricks
        - Interlock Ransomware
    asset_type: Endpoint
    mitre_attack_id:
        - T1098
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/short_lived_service_principal_name/windows-security.log
          source: XmlWinEventLog:Security
          sourcetype: XmlWinEventLog