5168 SPN check for SMB/SMB2 failed
Written when the SPN check for SMB/SMB2 fails. It indicates a mismatch in SMB signing or SPN verification and can be a sign of an NTLM relay attack.
Overview
The audit subcategory is Audit File Share. The event is generated when the SPN (Service Principal Name) check during an SMB/SMB2 connection fails, either because SMB signing verification fails or because the presented SPN does not match the expected one.
How it is triggered
- When the SPN presented in an SMB connection does not match the expected SPN, or when signature verification fails.
- Besides configuration inconsistencies, it can occur during attacks that relay authentication.
Security review points
- An SPN check failure can be a sign of an NTLM relay attack (relaying authentication to another server to gain access by impersonation). SMB signing is a cornerstone of relay defense, so if signing verification failures concentrate on a specific source or server, investigate.
- Correlate with network logon event 4624 (Logon Type 3, NTLM) and NTLM credential validation event 4776 to track authentication flows suspected of being relayed.
Notes for log review
- It also occurs from configuration inconsistencies (SPN registration mistakes, etc.). Distinguish attack-induced from configuration-induced failures by source, target server, and frequency.
- Watch for bursts of SPN check failures against a specific server.
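The triage approach described in the two sections above (separate configuration noise from suspected relaying by source, target and frequency, flag bursts against one server, and correlate with 4624 Type 3 NTLM logons and 4776 validations) can be scripted. The following is an added example, not part of the original reference page; the event records are constructed in-line with hypothetical hosts and addresses, and the simplified field names (`source`, `target`, `expected`, `presented`, `logon_type`, `auth_pkg`) are assumptions standing in for the exported event fields.

```python
"""Triage helper for Windows event 5168 (SPN check for SMB/SMB2 failed).

Added example, not from the original page. Records are constructed here;
in practice they would come from the Security log (Get-WinEvent) or a SIEM.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample records (hypothetical hosts/addresses). Field names are
# simplified assumptions, not the exact element names Windows emits.
SAMPLE_EVENTS = [
    # One isolated mismatch from a workstation against FS01, presented SPN
    # names a decommissioned host: typical of a stale SPN registration.
    {"time": "2024-05-01T09:00:00", "id": 5168, "source": "10.0.1.20", "target": "FS01",
     "expected": "cifs/FS01.corp.example", "presented": "cifs/OLDFS.corp.example"},
    # A burst of failures from one source against FS02 in under two minutes,
    # surrounded by NTLM validations and NTLM network logons from that source.
    {"time": "2024-05-01T10:00:00", "id": 4776, "source": "10.0.9.9", "target": "FS02", "user": "alice"},
    {"time": "2024-05-01T10:00:05", "id": 5168, "source": "10.0.9.9", "target": "FS02",
     "expected": "cifs/FS02.corp.example", "presented": "cifs/FS01.corp.example"},
    {"time": "2024-05-01T10:00:06", "id": 4624, "source": "10.0.9.9", "target": "FS02",
     "logon_type": 3, "auth_pkg": "NTLM", "user": "alice"},
    {"time": "2024-05-01T10:00:20", "id": 5168, "source": "10.0.9.9", "target": "FS02",
     "expected": "cifs/FS02.corp.example", "presented": "cifs/FS01.corp.example"},
    {"time": "2024-05-01T10:00:41", "id": 5168, "source": "10.0.9.9", "target": "FS02",
     "expected": "cifs/FS02.corp.example", "presented": "cifs/FS01.corp.example"},
    {"time": "2024-05-01T10:01:02", "id": 5168, "source": "10.0.9.9", "target": "FS02",
     "expected": "cifs/FS02.corp.example", "presented": "cifs/FS01.corp.example"},
    {"time": "2024-05-01T10:01:30", "id": 5168, "source": "10.0.9.9", "target": "FS02",
     "expected": "cifs/FS02.corp.example", "presented": "cifs/FS01.corp.example"},
    {"time": "2024-05-01T10:01:45", "id": 4624, "source": "10.0.9.9", "target": "FS02",
     "logon_type": 3, "auth_pkg": "NTLM", "user": "bob"},
]


def _t(event):
    return datetime.fromisoformat(event["time"])


def spn_failures(events):
    """All 5168 records, in input order."""
    return [e for e in events if e["id"] == 5168]


def failures_by_pair(events):
    """Count 5168 records per (source, target server) pair."""
    return Counter((e["source"], e["target"]) for e in spn_failures(events))


def find_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Map target server -> largest number of 5168 records seen in any
    sliding window of `window` length, for targets reaching `threshold`."""
    times_by_target = defaultdict(list)
    for e in spn_failures(events):
        times_by_target[e["target"]].append(_t(e))
    bursts = {}
    for target, times in times_by_target.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[target] = best
    return bursts


def related_ntlm_events(events, failure, window=timedelta(minutes=2)):
    """4624 (Logon Type 3, NTLM) and 4776 records from the same source as
    `failure`, within +/- `window` of it: the flows the page says to correlate."""
    centre = _t(failure)
    related = []
    for e in events:
        if e["source"] != failure["source"] or abs(_t(e) - centre) > window:
            continue
        is_ntlm_logon = e["id"] == 4624 and e.get("logon_type") == 3 and e.get("auth_pkg") == "NTLM"
        if e["id"] == 4776 or is_ntlm_logon:
            related.append(e)
    return related


def classify(events, threshold=5, window=timedelta(minutes=5)):
    """Per (source, target): 'investigate' when the target shows a burst and
    the failure is surrounded by NTLM logon/validation traffic from the same
    source; otherwise 'likely configuration' (e.g. a stale SPN registration)."""
    bursts = find_bursts(events, threshold, window)
    verdicts = {}
    for e in spn_failures(events):
        key = (e["source"], e["target"])
        if e["target"] in bursts and related_ntlm_events(events, e):
            verdicts[key] = "investigate"
        else:
            verdicts.setdefault(key, "likely configuration")
    return verdicts


if __name__ == "__main__":
    for pair, verdict in classify(SAMPLE_EVENTS).items():
        print(pair, failures_by_pair(SAMPLE_EVENTS)[pair], verdict)
```

The thresholds (five failures in five minutes, a two-minute correlation window) are illustrative starting points; tune them to the normal rate of SPN mismatches in your environment so that a misregistered SPN does not page the on-call engineer while a concentrated burst against one file server still does.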
Key fields
| Field | Meaning |
|---|---|
| Source Address | The address the connection came from |
| Expected / presented SPN | The SPN the server expected and the SPN the client presented (the content of the mismatch) |
Glossary
- NTLM relay attack — an attack in which captured authentication is forwarded (relayed) to another server to gain access by impersonating the victim. Mitigated by SMB signing.