| SPN class | Primary service | Normal use | Adversarial role | Common tools | Notes |
|---|---|---|---|---|---|
cifs/host | SMB file sharing and admin shares | File shares, named pipes, service control over SMB | Lateral movement, admin share access, PsExec-style execution, Silver Ticket target | smbclient, psexec.py, smbexec.py, wmiexec.py, Rubeus | One of the most useful service tickets for host takeover when the impersonated user is local admin |
HOST/host | Generic host service class | Generic Windows host authentication | Fallback for multiple host services, Silver Ticket target, service-name substitution target | Rubeus, ticketer.py, Windows native clients | Often exists on computer accounts and can be accepted by several host-backed services |
HTTP/host | HTTP services, IIS, WinRM, ADCS web endpoints, Exchange web paths | Kerberos web authentication | WinRM access, ADCS web enrollment, web SSO abuse, Silver Ticket target, delegation target | evil-winrm, curl --negotiate, Rubeus, getST.py | WinRM often uses HTTP SPNs even when the transport is 5985 or 5986 |
WSMAN/host | WinRM service class in some environments | Remote management | WinRM-oriented ticket target and substitution candidate | Rubeus, getST.py, evil-winrm | HTTP/host is usually the first WinRM SPN to test |
ldap/dc | LDAP on a domain controller | Directory queries and AD operations | LDAP bind as another user, DCSync-adjacent workflows, RBCD/ACL modification after delegation | ldapsearch, bloodyAD, Rubeus, getST.py | High-value on DCs because LDAP writes can become domain-impacting |
GC/dc | Global Catalog | Forest-wide queries on 3268 and 3269 | Cross-domain discovery, trust and forest enumeration | ldapsearch, PowerShell AD cmdlets | Usually enumeration value, not direct code execution |
MSSQLSvc/host:port | Microsoft SQL Server | SQL integrated authentication | Kerberoasting, SQL lateral movement, SQL command execution paths, Silver Ticket target | GetUserSPNs.py, mssqlclient.py, Rubeus, ticketer.py | User-owned SQL SPNs are classic roast targets |
TERMSRV/host | Remote Desktop Services | RDP Kerberos authentication | RDP access with forged or delegated ticket | xfreerdp, Rubeus, getST.py | Useful when interactive desktop access is allowed |
RPCSS/host | RPC endpoint mapper and DCOM | RPC and WMI/DCOM operations | WMI/DCOM authentication support, substitution candidate | Windows RPC clients, Rubeus | Often appears with HOST and RestrictedKrbHost on computer accounts |
RestrictedKrbHost/host | Restricted host authentication | Restricted delegation and host auth paths | Delegation edge cases and host authentication analysis | setspn, LDAP, BloodHound | Usually more important for understanding computer SPN sets than for direct first-choice abuse |
DNS/dc | DNS server service | Kerberos-backed DNS service auth | DNS service targeting and service account mapping | setspn, LDAP | Usually owned by DC computer account |
time/host | Windows time service | Time synchronization | Delegation substitution source in labs, S4U target edge cases | getST.py, Rubeus | Often not useful directly, but can become useful with altservice |
exchangeMDB/host | Exchange mailbox database | Exchange backend authentication | Exchange service access, roast target if user-owned | Exchange tooling, GetUserSPNs.py | Exchange environments register many service-specific SPNs |
MSSQLSvc/host/instance | SQL named instance variant | SQL integrated authentication | SQL Kerberoasting and service-ticket targeting | GetUserSPNs.py, mssqlclient.py | Always request the exact SPN registered in AD |
Operational priority
| Goal | First SPN to try | Why |
|---|---|---|
| SMB file access | cifs/target.ootw.local | SMB expects CIFS tickets |
| PsExec-style movement | cifs/target.ootw.local | Service creation and admin shares use SMB |
| WinRM shell | HTTP/target.ootw.local | WinRM commonly authenticates with HTTP SPNs |
| LDAP modification | ldap/dc01.ootw.local | LDAP ticket is needed for directory operations |
| SQL access | MSSQLSvc/sql01.ootw.local:1433 | SQL uses MSSQLSvc with host and port or instance |
| RDP access | TERMSRV/target.ootw.local | RDP expects TERMSRV |
| Generic host access | HOST/target.ootw.local | Some services accept HOST as a generic host class |
| ADCS web enrollment | HTTP/ca.ootw.local | ADCS web enrollment is HTTP-backed |
| Delegation follow-up | The final service we want to access | S4U2Proxy returns a service ticket to the target SPN |
Attack Matrix
| Attack | SPN role | Required control | Main command | Result | Cleanup |
|---|---|---|---|---|---|
| Kerberoasting | Existing user-owned SPN identifies roastable account | Any domain user | GetUserSPNs.py ootw.local/student:'student' -dc-ip 10.10.10.200 -request | Offline TGS hash for service account | Rotate cracked service password |
| Targeted Kerberoasting | Temporarily added SPN makes a user roastable | Write access to servicePrincipalName | targetedKerberoast.py -d ootw.local -u student -p 'student' --request-user target.user | Offline TGS hash for target user | Remove added SPN |
| Silver Ticket | SPN defines forged service ticket target | Service account key and domain SID | ticketer.py -nthash SERVICE_NTLM -spn cifs/ws01.ootw.local | Service access without KDC request | Rotate service account key |
| S4U constrained delegation | SPN is allowed target in msDS-AllowedToDelegateTo | Delegating account key | getST.py -spn cifs/web01.ootw.local -impersonate Administrator | Impersonated service ticket | Remove delegation or rotate delegating account |
| RBCD | Controlled principal needs an SPN | Write to target msDS-AllowedToActOnBehalfOfOtherIdentity | getST.py -spn cifs/target01.ootw.local -impersonate Administrator | Service ticket to target as chosen user | Remove RBCD security descriptor |
| Service-name substitution | Original SPN can be swapped to better service class | Valid delegated ticket and same service key context | getST.py -spn time/dc01.ootw.local -altservice cifs/dc01.ootw.local | More useful service ticket | Remove delegation path |
| SPN-jacking | SPN moved from one account to another | Rights to remove and add SPNs | setspn -D oldspn oldaccount then setspn -S oldspn newaccount | Service ticket encrypted to attacker-controlled account | Restore original SPN owner |
| Duplicate SPN abuse | Duplicate or conflicting SPN breaks or redirects Kerberos | SPN write rights | setspn -S service/host account | Kerberos confusion or service outage | Remove duplicate and fix ownership |
Account ownership matrix
| SPN owner | Offensive value | Typical risk |
|---|---|---|
| User service account | Kerberoasting, Silver Ticket if hash is recovered, delegation abuse if configured | Weak or reused service account password |
| Computer account | Host service tickets, RBCD, machine-account delegation, host movement when machine key is known | Machine secrets and delegation settings |
| gMSA | Service account with managed strong password | Lower Kerberoast value, but still important for delegation and ownership mapping |
| Domain controller computer account | LDAP, CIFS, HOST, GC, DNS, replication-oriented services | Tier 0 impact if ticket or key is obtained |
| Attacker-controlled machine account | RBCD and S4U staging | MachineAccountQuota and SPN-bearing principal creation |
Failure matrix
| Symptom | Likely cause | Fix |
|---|---|---|
KRB_AP_ERR_MODIFIED | Ticket encrypted to one account but service runs under another | Verify SPN ownership and hostname used by client |
| Service rejects ticket | Wrong service class or hostname | Request the exact SPN the service expects |
KDC_ERR_S_PRINCIPAL_UNKNOWN | SPN not registered | Query setspn -Q or LDAP and request an existing SPN |
| S4U fails | Delegation does not allow requested SPN | Check msDS-AllowedToDelegateTo or RBCD target SD |
| Kerberoast returns nothing | No user-owned SPNs or bad query | Enumerate servicePrincipalName=* through LDAP first |
| Silver Ticket works for one service only | Silver Tickets are SPN-scoped | Forge a ticket for the correct service SPN |