SPN response focuses on restoring ownership. When the wrong account owns an SPN, Kerberos tickets are encrypted with the wrong key. That can create outages, Kerberoast exposure, Silver Ticket opportunities, or delegation abuse.
Duplicate SPNs
setspn -X
Query suspicious SPNs
setspn -Q HTTP/*
setspn -Q MSSQLSvc/*
setspn -Q cifs/*
setspn -Q ldap/*
PowerShell review
Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName,whenChanged,sAMAccountName |
Sort-Object whenChanged -Descending |
Select-Object -First 50 Name,ObjectClass,sAMAccountName,whenChanged,ServicePrincipalName
Directory change events
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4738} |
Where-Object {$_.Message -match "Service Principal Name|servicePrincipalName"} |
Select-Object -First 50 TimeCreated,Id,Message
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5136} |
Where-Object {$_.Message -match "servicePrincipalName"} |
Select-Object -First 50 TimeCreated,Id,Message
Kerberoast indicators
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4769} |
Where-Object {$_.Message -match "MSSQLSvc|HTTP|cifs|ldap"} |
Select-Object -First 50 TimeCreated,Id,Message
Remove malicious SPN
setspn -D nonexistent/target OOTW\target.user
setspn -D HTTP/web01.ootw.local OOTW\attacker
Restore legitimate SPN
setspn -S HTTP/web01.ootw.local OOTW\svc_web
setspn -S MSSQLSvc/sql01.ootw.local:1433 OOTW\svc_sql
PowerShell cleanup
Set-ADUser -Identity target.user -ServicePrincipalNames @{Remove='nonexistent/target'}
Set-ADUser -Identity svc_web -ServicePrincipalNames @{Add='HTTP/web01.ootw.local'}
After Silver Ticket exposure
Rotate the service account password or gMSA key material.
Purge tickets on affected hosts where possible.
Review service access logs because Silver Ticket use may not create a normal KDC request.
Check whether the service account key was recovered through Kerberoasting, secrets dumping, backup exposure, or local compromise.
Hardening
- Use gMSA for services where possible.
- Avoid human-managed service accounts with weak passwords.
- Limit who can write
servicePrincipalName. - Monitor additions and removals of SPNs.
- Run
setspn -Xregularly. - Use AES where possible and reduce RC4 exposure.
- Keep service SPNs owned by the actual service account.