Operator On The Wire

SPNs

This note documents detection patterns for SPN (servicePrincipalName) enumeration within Active Directory environments, the reconnaissance step that typically precedes Kerberoasting.


Direct Indicators

Log      | Event ID | Meaning                   | Forensic Value | Notes
Security | 4662     | Directory object accessed | High           | LDAP queries retrieving servicePrincipalName attributes.
Security | 4624     | Successful logon          | Medium         | Authentication used during enumeration.
Security | 4648     | Explicit credentials used | High           | Tools authenticating with alternate credentials.
Sysmon   | 1        | Process creation          | High           | Execution of enumeration tools such as PowerView.
Sysmon   | 3        | Network connection        | Medium         | LDAP queries to domain controllers.

Indirect Indicators

Indicator                       | What To Look For                                 | Forensic Value | Notes
LDAP queries for SPN attributes | Queries requesting servicePrincipalName fields   | Critical       | Typical Kerberoasting reconnaissance.
Enumeration tool execution      | PowerView, setspn, or SharpHound                 | High           | Direct discovery activity.
Large LDAP query volume         | Multiple SPN queries within a short time window  | High           | Automated enumeration behavior.

Common Tools

Tool                       | Usage
setspn                     | Native tool to query SPNs.
PowerView                  | Enumerates service accounts with SPNs.
SharpHound                 | Collects SPN data for BloodHound.
GetUserSPNs.py (Impacket)  | Enumerates SPNs and prepares Kerberoasting.

Relevant Artifacts

  • Security logs (4662, 4624, 4648)
  • LDAP query telemetry
  • Sysmon process logs
  • EDR telemetry
  • Network logs to domain controllers

MITRE ATT&CK References

  • T1087 Account Discovery
  • T1558.003 Kerberoasting

Decision Tree

  1. Detect enumeration-related process execution (Sysmon 1: setspn, PowerView, SharpHound, GetUserSPNs.py).
  2. Identify the querying host (correlate the 4662 logon ID with the 4624 source address).
  3. Inspect the LDAP query attributes (4662 Properties referencing servicePrincipalName).
  4. Determine the authenticated account (4662 subject; 4648 if alternate credentials were used).
  5. Evaluate whether Kerberoasting follows (service ticket requests by the same account shortly after the burst).
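
The decision tree above, worked through in code as an added example (not part of the original note). The events are constructed in-memory records that mimic Security 4624, 4662 and 4769 and Sysmon Event ID 1; the field names, the use of the servicePrincipalName schema GUID in the 4662 Properties field, and the RC4 ticket encryption type (0x17) used as the Kerberoasting follow-up signal are assumptions of this example.

```python
"""Triage of SPN-enumeration telemetry following the note's decision tree.

Added example, not from the original note. Events are constructed records that
mimic Windows Security 4624 (logon), 4662 (directory object accessed), 4769
(Kerberos service ticket request) and Sysmon Event ID 1 (process creation);
field names are assumptions based on those logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Schema GUID of the servicePrincipalName attribute. Assumption: 4662 records the
# attribute GUID in its Properties field rather than the attribute name.
SPN_ATTRIBUTE_GUID = "{f3a64788-5306-11d1-a9c5-0000f80367c1}"

# Tool names from the note's Common Tools table, matched case-insensitively.
TOOL_MARKERS = ("setspn", "powerview", "sharphound", "getuserspns")

# RC4-HMAC etype as logged in 4769 TicketEncryptionType; RC4 service tickets
# requested right after a burst of SPN reads are the Kerberoasting follow-up.
RC4_ETYPE = "0x17"


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def is_spn_read(event):
    """True for a 4662 whose Properties reference the servicePrincipalName attribute."""
    return (event["src"] == "Security" and event["id"] == 4662
            and SPN_ATTRIBUTE_GUID in event.get("properties", "").lower())


def tool_executions(events):
    """Step 1: Sysmon process creations that look like enumeration tooling."""
    hits = []
    for e in events:
        if e["src"] == "Sysmon" and e["id"] == 1:
            blob = (e.get("image", "") + " " + e.get("cmdline", "")).lower()
            if any(marker in blob for marker in TOOL_MARKERS):
                hits.append((e["host"], e["user"], e["cmdline"]))
    return hits


def logon_sources(events):
    """Step 2 helper: 4662 carries only a LogonId, so map 4624 LogonId -> IpAddress."""
    return {e["logon_id"]: e["ip"] for e in events
            if e["src"] == "Security" and e["id"] == 4624}


def spn_query_bursts(events, window=timedelta(minutes=5), threshold=10):
    """Steps 2-4: group SPN reads by (account, querying host) and flag pairs with
    at least `threshold` reads inside a sliding window.
    Returns {(account, host): (max_count, time_of_last_read_in_burst)}."""
    sources = logon_sources(events)
    per_key = defaultdict(list)
    for e in events:
        if is_spn_read(e):
            per_key[(e["user"], sources.get(e["logon_id"], "unknown"))].append(_ts(e))
    bursts = {}
    for key, times in per_key.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold and count >= bursts.get(key, (0, None))[0]:
                bursts[key] = (count, t)
    return bursts


def kerberoast_followup(events, account, since, window=timedelta(minutes=30)):
    """Step 5: RC4 service-ticket requests (4769) by the same account after the burst."""
    return sorted({e["service"] for e in events
                   if e["src"] == "Security" and e["id"] == 4769
                   and e["user"] == account and e.get("etype") == RC4_ETYPE
                   and since <= _ts(e) <= since + window})


def triage(events):
    """Run the whole decision tree; one finding per (account, host) burst."""
    tools = tool_executions(events)
    return [{"account": account, "host": host, "spn_reads": count,
             "tools_by_account": [t for t in tools if t[1] == account],
             "rc4_tgs_after": kerberoast_followup(events, account, last)}
            for (account, host), (count, last) in spn_query_bursts(events).items()]


def sample_events():
    """Constructed telemetry: a user runs setspn on WS01, the DC logs 12 SPN reads
    under that user's logon in 12 seconds, then RC4 service tickets are requested."""
    ev = [{"src": "Security", "id": 4624, "ts": "2024-05-01T08:59:50",
           "user": "CORP\\jdoe", "logon_id": "0x3e7a1", "ip": "10.0.0.25"},
          {"src": "Sysmon", "id": 1, "ts": "2024-05-01T08:59:58", "host": "WS01",
           "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\setspn.exe",
           "cmdline": "setspn -T corp.local -Q */*"}]
    for i in range(12):
        ev.append({"src": "Security", "id": 4662, "ts": f"2024-05-01T09:00:{i:02d}",
                   "user": "CORP\\jdoe", "logon_id": "0x3e7a1",
                   "properties": f"Read Property {SPN_ATTRIBUTE_GUID}"})
    ev.append({"src": "Security", "id": 4662, "ts": "2024-05-01T09:00:30",  # benign read
               "user": "CORP\\svc_backup", "logon_id": "0x1a2b3",
               "properties": "Read Property {00000000-0000-0000-0000-000000000000}"})  # placeholder GUID
    for svc in ("MSSQLSvc/db01.corp.local:1433", "HTTP/web01.corp.local"):
        ev.append({"src": "Security", "id": 4769, "ts": "2024-05-01T09:02:10",
                   "user": "CORP\\jdoe", "service": svc, "etype": RC4_ETYPE})
    ev.append({"src": "Security", "id": 4769, "ts": "2024-05-01T09:02:15",  # AES, not RC4
               "user": "CORP\\jdoe", "service": "cifs/fs01.corp.local", "etype": "0x12"})
    return ev


if __name__ == "__main__":
    for finding in triage(sample_events()):
        print(finding)
```

The burst threshold and windows are tuning knobs: a single `setspn -Q` against one host produces a handful of reads, while `*/*` wildcard queries and SharpHound collection produce dozens within seconds, which is why the volume indicator is rated High above.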

Example Detection Templates

KQL

// 4662 fires for many directory reads; the attribute filter is what makes this SPN-specific.
SecurityEvent
| where EventID == 4662
| where ObjectProperties contains "servicePrincipalName"

EQL

// Narrowed to reads of the servicePrincipalName attribute (schema GUID f3a64788-5306-11d1-a9c5-0000f80367c1);
// event.code 4662 alone matches every audited directory access.
any where event.code == "4662" and
  (winlog.event_data.Properties : "*servicePrincipalName*" or
   winlog.event_data.Properties : "*f3a64788-5306-11d1-a9c5-0000f80367c1*")

Sigma

title: SPN Enumeration Activity
description: Directory object access (4662) reading the servicePrincipalName attribute, typical Kerberoasting reconnaissance.
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4662
    # Properties may carry the attribute name or its schema GUID depending on the collector.
    Properties|contains:
      - 'servicePrincipalName'
      - 'f3a64788-5306-11d1-a9c5-0000f80367c1'
  condition: selection
falsepositives:
  - Administrative setspn usage and management agents that legitimately read SPNs
level: medium

Mitigation & Hardening

Control Area             | Mitigation                               | Effectiveness | Notes
Monitoring               | Alert on SPN enumeration commands        | Medium        | Identifies reconnaissance.
Audit logging            | Enable directory service auditing        | High          | Improves detection visibility.
Service account security | Use strong passwords for SPN accounts    | High          | Reduces Kerberoasting risk.
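
A check for the last mitigation row, added here as an example (not from the original note): audit user objects that carry an SPN for stale or never-expiring passwords, since those are the accounts whose service tickets are worth cracking. The input records are a constructed stand-in for an LDAP export; `pwdLastSet` is handled as the Windows FILETIME value AD returns, and `userAccountControl` bit 0x10000 (DONT_EXPIRE_PASSWORD) is the real flag. The reference date and the one-year threshold are assumptions.

```python
"""Audit SPN-bearing user accounts for stale or never-expiring passwords.

Added example, not from the original note. Records are a constructed stand-in
for an LDAP export of user objects (assumption: the listed attribute names).
"""
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DONT_EXPIRE_PASSWORD = 0x10000  # userAccountControl flag
NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)  # assumed reference date


def filetime_to_datetime(filetime):
    """Convert an AD pwdLastSet FILETIME integer to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def audit_spn_accounts(records, now=NOW, max_age_days=365):
    """Return [(sAMAccountName, password_age_days, [reasons])] for accounts that
    have at least one SPN and violate the password policy used here."""
    findings = []
    for r in records:
        if not r.get("servicePrincipalName"):
            continue  # no SPN, not Kerberoastable via this path
        age_days = (now - filetime_to_datetime(int(r["pwdLastSet"]))).days
        reasons = []
        if age_days > max_age_days:
            reasons.append("stale password")
        if int(r["userAccountControl"]) & DONT_EXPIRE_PASSWORD:
            reasons.append("password never expires")
        if reasons:
            findings.append((r["sAMAccountName"], age_days, reasons))
    return findings


def sample_records():
    """Constructed export: pwdLastSet values correspond to 2019-01-15 and 2024-03-01 UTC."""
    return [
        {"sAMAccountName": "svc_sql", "servicePrincipalName": ["MSSQLSvc/db01.corp.local:1433"],
         "pwdLastSet": "131919840000000000", "userAccountControl": "512"},
        {"sAMAccountName": "svc_web", "servicePrincipalName": ["HTTP/web01.corp.local"],
         "pwdLastSet": "133537248000000000", "userAccountControl": "66048"},  # 0x10200
        {"sAMAccountName": "svc_fs", "servicePrincipalName": ["cifs/fs01.corp.local"],
         "pwdLastSet": "133537248000000000", "userAccountControl": "512"},
        {"sAMAccountName": "jdoe", "servicePrincipalName": [],
         "pwdLastSet": "131919840000000000", "userAccountControl": "512"},
    ]


if __name__ == "__main__":
    for name, age, reasons in audit_spn_accounts(sample_records()):
        print(f"{name}: {age} days, {', '.join(reasons)}")
```

Accounts surfaced here are candidates for rotation to long random passwords or migration to managed service accounts; `jdoe` is skipped because an account without an SPN has no service ticket to request.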