Credential Access

Kerberoasting: SPN Sweep

Detection overview

Kerberoasting: SPN Sweep is a detection focused on identifying attempts to enumerate Service Principal Names (SPNs) within an Active Directory environment. Attackers use SPN sweeps to gather information about service accounts that can be targeted for Kerberoasting attacks. By requesting SPNs, attackers can obtain service account ticket-granting service (TGS) tickets, which can be brute-forced offline to reveal plaintext passwords.

Triggers

  • A host is observed requesting service tickets for a high volume of SPNs.

Possible Root Causes

  • Malicious Detection: An attacker is performing recon in a domain to find favorable targets for offline password cracking.
  • Benign Detection: Enterprise vulnerability scanners may also submit requests for a large volume of SPNs.

Business Impact

  • Specific Risk: Kerberoasting may result in the discovery of a privileged account’s password.
  • Impact: Depending on the level of privilege a cracked account has (e.g. service account with domain admin), this could lead directly to a full domain compromise.

Steps to Verify

  • Investigate the host making requests for a high volume of SPNs; this behavior is not typical for general users and should only be conducted by authorized hosts.
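The trigger and verification step above, as an added detection example (not Vectra's detection logic): count the distinct SPNs each account/host pair requests inside a sliding window over constructed, simplified service-ticket request records, and mark hits from hosts on an assumed authorized-scanner list as expected rather than suppressing them.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records, loosely shaped like the fields of Windows Security
# event 4769 ("A Kerberos service ticket was requested"); all values are invented.
SAMPLE_EVENTS = [  # (time, account, client_ip, service name / SPN)
    ("2024-05-01T09:00:00", "jsmith", "10.0.0.25", "MSSQLSvc/db01.corp.local:1433"),
    ("2024-05-01T09:00:01", "jsmith", "10.0.0.25", "HTTP/web01.corp.local"),
    ("2024-05-01T09:00:01", "jsmith", "10.0.0.25", "HTTP/web02.corp.local"),
    ("2024-05-01T09:00:02", "jsmith", "10.0.0.25", "CIFS/fs01.corp.local"),
    ("2024-05-01T09:00:02", "jsmith", "10.0.0.25", "CIFS/fs01.corp.local"),  # repeat
    ("2024-05-01T09:00:03", "jsmith", "10.0.0.25", "exchangeMDB/mail01.corp.local"),
    ("2024-05-01T09:05:00", "scanner$", "10.0.0.9", "HTTP/web01.corp.local"),
    ("2024-05-01T09:05:00", "scanner$", "10.0.0.9", "HTTP/web02.corp.local"),
    ("2024-05-01T09:05:01", "scanner$", "10.0.0.9", "CIFS/fs01.corp.local"),
    ("2024-05-01T09:05:01", "scanner$", "10.0.0.9", "MSSQLSvc/db01.corp.local:1433"),
    ("2024-05-01T09:05:02", "scanner$", "10.0.0.9", "exchangeMDB/mail01.corp.local"),
    ("2024-05-01T09:30:00", "mjones", "10.0.0.41", "CIFS/fs01.corp.local"),
]
# Hosts expected to request many SPNs (e.g. an enterprise vulnerability scanner).
# Assumed for this example; in practice this comes from your asset inventory.
AUTHORIZED_HOSTS = frozenset({"10.0.0.9"})

def find_spn_sweeps(events, threshold=5, window=timedelta(seconds=60),
                    authorized_hosts=AUTHORIZED_HOSTS):
    """Map (account, client_ip) -> (peak distinct SPNs in any `window`, status)
    for requesters that reach `threshold` distinct SPNs inside one window.
    Repeated requests for the same SPN are not counted twice."""
    by_requester = defaultdict(list)
    for ts, account, ip, spn in events:
        by_requester[(account, ip)].append((datetime.fromisoformat(ts), spn))
    alerts = {}
    for requester, reqs in by_requester.items():
        reqs.sort()
        recent, in_window, peak = deque(), defaultdict(int), 0
        for t, spn in reqs:
            recent.append((t, spn))
            in_window[spn] += 1
            while t - recent[0][0] > window:          # expire requests outside the window
                _, old = recent.popleft()
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
            peak = max(peak, len(in_window))
        if peak >= threshold:
            status = "expected" if requester[1] in authorized_hosts else "investigate"
            alerts[requester] = (peak, status)
    return alerts
```

Hits from authorized hosts are still reported so that a scanner whose behavior changes remains visible; only the triage status differs.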

Possible root causes

Malicious Detection

  • An attacker is performing reconnaissance to identify service accounts for Kerberoasting attacks.
  • Use of automated tools or scripts to enumerate SPNs.

Benign Detection

  • Legitimate security assessments or penetration tests.
  • Administrative tasks involving bulk service account management.

Example scenarios

Scenario 1

An attacker uses a compromised user account to perform an SPN sweep. The attacker retrieves a list of service accounts and their associated SPNs. Using a tool like Rubeus, the attacker requests TGS tickets for these accounts and then proceeds to brute-force the tickets offline to obtain the plaintext passwords.

Scenario 2

During a penetration test, the security team runs a script to enumerate SPNs to identify potential targets for Kerberoasting. The detection is triggered, and the security team verifies the activity as part of the assessment.

Business impact

If this detection indicates a genuine threat, the organization faces significant risks:

Credential Compromise

Attackers can obtain plaintext passwords of service accounts, which may have elevated privileges.

Lateral Movement

Compromised credentials can be used to move laterally within the network, escalating privileges.

Data Breach

Compromised credentials can grant access to sensitive data and resources, leading to potential data exfiltration.

FAQs

What is Kerberoasting?

Kerberoasting is an attack technique where attackers extract service account tickets (TGS tickets) from Active Directory, which are then brute-forced offline to obtain plaintext passwords.

What are the common signs of an SPN sweep?

High frequency of SPN requests from a single host or user account, especially if directed towards multiple services, can indicate an SPN sweep.

Can legitimate activities trigger an SPN sweep detection?

Yes, legitimate administrative tasks or security assessments can trigger this detection. It’s essential to verify the context of the activity.

How does Vectra AI detect SPN sweeps?

Vectra AI uses advanced AI algorithms to analyze network traffic and identify patterns indicative of SPN sweeps, correlating these with other suspicious behaviors.

What is the business impact of an SPN sweep?

The primary risk is credential compromise, which can lead to unauthorized access, data breaches, and significant damage to the organization.

How can I detect an SPN sweep in my environment?

Look for unusual patterns and high volumes of SPN requests within a short period. Monitoring tools and detection systems can help identify these anomalies.

Why is an SPN sweep a significant threat?

It is often a precursor to Kerberoasting, which can lead to the compromise of service account credentials, providing attackers with privileged access.

What steps should I take if I detect an SPN sweep?

Investigate the source of the requests, verify if they are legitimate, and check for other signs of malicious activity. If necessary, take steps to secure compromised accounts.

What tools can help verify the presence of Kerberoasting attempts?

Sources such as Kerberos authentication logs, network captures, and specialized Kerberos monitoring tools can help identify Kerberoasting attempts.

How can I prevent SPN sweeps?

Implement strict access controls, monitor Kerberos traffic, use strong passwords for service accounts, and regularly audit user activity and permissions.