Skip to content

Commit

Permalink
Merge PR #4501 from @EzLucky - Update Coverage For `Potential SPN Enu…
Browse files Browse the repository at this point in the history 
…meration Via Setspn.EXE`

update: Potential SPN Enumeration Via Setspn.EXE - Increase coverage by adding `/q` switch 

---------

Co-authored-by: Nasreddine Bencherchali <[email protected]>
  • Loading branch information
@EzLucky @nasbench
EzLucky and nasbench authored Oct 23, 2023
1 parent f928fcb commit 8dc32d6
Showing 1 changed file with 4 additions and 2 deletions.
6 changes: 4 additions & 2 deletions rules/windows/process_creation/proc_creation_win_setspn_spn_enumeration.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ references:
- https://www.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation/?edition=2019
author: Markus Neis, keepwatch
date: 2018/11/14
modified: 2023/02/13
modified: 2023/10/23
tags:
- attack.credential_access
- attack.t1558.003
Expand All @@ -22,7 +22,9 @@ detection:
- 'Query or reset the computer'
- 'SPN attribute'
selection_cli:
CommandLine|contains: '-q'
CommandLine|contains:
- ' -q '
- ' /q '
condition: all of selection_*
falsepositives:
- Administration activity
Expand Down

0 comments on commit 8dc32d6

Please sign in to comment.