GenericWrite cleanup depends on which attribute was modified. Do not blindly clear attributes on real accounts. Capture the current value, compare it with known-good state, and remove only the malicious value.
Remove a fake SPN with the AD module:
Set-ADUser -Identity 'svc_web' -ServicePrincipalNames @{Remove='ootw/fake'}
If PowerView was used and the account originally had no SPNs:
Set-DomainObject -Identity 'svc_web' -Clear servicePrincipalName
Clear a malicious logon script:
Set-DomainObject -Identity 'svc_web' -Clear scriptPath
Clear Shadow Credentials with the same tooling used to add them:
certipy shadow clear -u ben.carter@ootw.local -p 'StudentPass2026!' -account svc_web -dc-ip 10.10.10.200
Clear RBCD from a computer object:
Set-DomainObject -Identity 'TARGETCOMPUTER$' -Clear 'msDS-AllowedToActOnBehalfOfOtherIdentity'
Review:
Get-ADUser svc_web -Properties servicePrincipalName,msDS-KeyCredentialLink,scriptPath
Get-ADComputer TARGETCOMPUTER -Properties msDS-AllowedToActOnBehalfOfOtherIdentity
Events:
5136 - servicePrincipalName changed
5136 - msDS-KeyCredentialLink changed
5136 - msDS-AllowedToActOnBehalfOfOtherIdentity changed
4738 - User account changed
4742 - Computer account changed
4769 - Service ticket requested after fake SPN
4768 - PKINIT TGT after Shadow Credentials
High-fidelity indicators:
temporary SPN added then removed
SPN that does not match real service naming
msDS-KeyCredentialLink write on a user or computer
msDS-AllowedToActOnBehalfOfOtherIdentity write on a workstation or server
scriptPath set on an account that did not previously use logon scripts
Remediation:
- remove unnecessary GenericWrite rights
- alert on SPN changes
- alert on
msDS-KeyCredentialLinkchanges - alert on RBCD attribute changes
- use gMSA/MSA instead of weak human-managed service accounts
- review delegated write permissions regularly