Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 04. Techniques / Service Principals

Response

SPN response focuses on restoring ownership. When the wrong account owns an SPN, Kerberos tickets are encrypted with the wrong key. That can create outages, Kerberoast exposure, Silver Ticket opportunities, or delegation abuse.

Duplicate SPNs

setspn -X

Query suspicious SPNs

setspn -Q HTTP/*
setspn -Q MSSQLSvc/*
setspn -Q cifs/*
setspn -Q ldap/*

PowerShell review

Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName,whenChanged,sAMAccountName |
  Sort-Object whenChanged -Descending |
  Select-Object -First 50 Name,ObjectClass,sAMAccountName,whenChanged,ServicePrincipalName

Directory change events

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4738} |
  Where-Object {$_.Message -match "Service Principal Name|servicePrincipalName"} |
  Select-Object -First 50 TimeCreated,Id,Message

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5136} |
  Where-Object {$_.Message -match "servicePrincipalName"} |
  Select-Object -First 50 TimeCreated,Id,Message

Kerberoast indicators

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4769} |
  Where-Object {$_.Message -match "MSSQLSvc|HTTP|cifs|ldap"} |
  Select-Object -First 50 TimeCreated,Id,Message

Remove malicious SPN

setspn -D nonexistent/target OOTW\target.user
setspn -D HTTP/web01.ootw.local OOTW\attacker

Restore legitimate SPN

setspn -S HTTP/web01.ootw.local OOTW\svc_web
setspn -S MSSQLSvc/sql01.ootw.local:1433 OOTW\svc_sql

PowerShell cleanup

Set-ADUser -Identity target.user -ServicePrincipalNames @{Remove='nonexistent/target'}
Set-ADUser -Identity svc_web -ServicePrincipalNames @{Add='HTTP/web01.ootw.local'}

After Silver Ticket exposure

Rotate the service account password or gMSA key material.
Purge tickets on affected hosts where possible.
Review service access logs because Silver Ticket use may not create a normal KDC request.
Check whether the service account key was recovered through Kerberoasting, secrets dumping, backup exposure, or local compromise.

Hardening

  • Use gMSA for services where possible.
  • Avoid human-managed service accounts with weak passwords.
  • Limit who can write servicePrincipalName.
  • Monitor additions and removals of SPNs.
  • Run setspn -X regularly.
  • Use AES where possible and reduce RC4 exposure.
  • Keep service SPNs owned by the actual service account.