Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 04. Techniques / Service Principals

SPN Matrix

SPN classPrimary serviceNormal useAdversarial roleCommon toolsNotes
cifs/hostSMB file sharing and admin sharesFile shares, named pipes, service control over SMBLateral movement, admin share access, PsExec-style execution, Silver Ticket targetsmbclient, psexec.py, smbexec.py, wmiexec.py, RubeusOne of the most useful service tickets for host takeover when the impersonated user is local admin
HOST/hostGeneric host service classGeneric Windows host authenticationFallback for multiple host services, Silver Ticket target, service-name substitution targetRubeus, ticketer.py, Windows native clientsOften exists on computer accounts and can be accepted by several host-backed services
HTTP/hostHTTP services, IIS, WinRM, ADCS web endpoints, Exchange web pathsKerberos web authenticationWinRM access, ADCS web enrollment, web SSO abuse, Silver Ticket target, delegation targetevil-winrm, curl --negotiate, Rubeus, getST.pyWinRM often uses HTTP SPNs even when the transport is 5985 or 5986
WSMAN/hostWinRM service class in some environmentsRemote managementWinRM-oriented ticket target and substitution candidateRubeus, getST.py, evil-winrmHTTP/host is usually the first WinRM SPN to test
ldap/dcLDAP on a domain controllerDirectory queries and AD operationsLDAP bind as another user, DCSync-adjacent workflows, RBCD/ACL modification after delegationldapsearch, bloodyAD, Rubeus, getST.pyHigh-value on DCs because LDAP writes can become domain-impacting
GC/dcGlobal CatalogForest-wide queries on 3268 and 3269Cross-domain discovery, trust and forest enumerationldapsearch, PowerShell AD cmdletsUsually enumeration value, not direct code execution
MSSQLSvc/host:portMicrosoft SQL ServerSQL integrated authenticationKerberoasting, SQL lateral movement, SQL command execution paths, Silver Ticket targetGetUserSPNs.py, mssqlclient.py, Rubeus, ticketer.pyUser-owned SQL SPNs are classic roast targets
TERMSRV/hostRemote Desktop ServicesRDP Kerberos authenticationRDP access with forged or delegated ticketxfreerdp, Rubeus, getST.pyUseful when interactive desktop access is allowed
RPCSS/hostRPC endpoint mapper and DCOMRPC and WMI/DCOM operationsWMI/DCOM authentication support, substitution candidateWindows RPC clients, RubeusOften appears with HOST and RestrictedKrbHost on computer accounts
RestrictedKrbHost/hostRestricted host authenticationRestricted delegation and host auth pathsDelegation edge cases and host authentication analysissetspn, LDAP, BloodHoundUsually more important for understanding computer SPN sets than for direct first-choice abuse
DNS/dcDNS server serviceKerberos-backed DNS service authDNS service targeting and service account mappingsetspn, LDAPUsually owned by DC computer account
time/hostWindows time serviceTime synchronizationDelegation substitution source in labs, S4U target edge casesgetST.py, RubeusOften not useful directly, but can become useful with altservice
exchangeMDB/hostExchange mailbox databaseExchange backend authenticationExchange service access, roast target if user-ownedExchange tooling, GetUserSPNs.pyExchange environments register many service-specific SPNs
MSSQLSvc/host/instanceSQL named instance variantSQL integrated authenticationSQL Kerberoasting and service-ticket targetingGetUserSPNs.py, mssqlclient.pyAlways request the exact SPN registered in AD

Operational priority

GoalFirst SPN to tryWhy
SMB file accesscifs/target.ootw.localSMB expects CIFS tickets
PsExec-style movementcifs/target.ootw.localService creation and admin shares use SMB
WinRM shellHTTP/target.ootw.localWinRM commonly authenticates with HTTP SPNs
LDAP modificationldap/dc01.ootw.localLDAP ticket is needed for directory operations
SQL accessMSSQLSvc/sql01.ootw.local:1433SQL uses MSSQLSvc with host and port or instance
RDP accessTERMSRV/target.ootw.localRDP expects TERMSRV
Generic host accessHOST/target.ootw.localSome services accept HOST as a generic host class
ADCS web enrollmentHTTP/ca.ootw.localADCS web enrollment is HTTP-backed
Delegation follow-upThe final service we want to accessS4U2Proxy returns a service ticket to the target SPN

Attack Matrix

AttackSPN roleRequired controlMain commandResultCleanup
KerberoastingExisting user-owned SPN identifies roastable accountAny domain userGetUserSPNs.py ootw.local/student:'student' -dc-ip 10.10.10.200 -requestOffline TGS hash for service accountRotate cracked service password
Targeted KerberoastingTemporarily added SPN makes a user roastableWrite access to servicePrincipalNametargetedKerberoast.py -d ootw.local -u student -p 'student' --request-user target.userOffline TGS hash for target userRemove added SPN
Silver TicketSPN defines forged service ticket targetService account key and domain SIDticketer.py -nthash SERVICE_NTLM -spn cifs/ws01.ootw.localService access without KDC requestRotate service account key
S4U constrained delegationSPN is allowed target in msDS-AllowedToDelegateToDelegating account keygetST.py -spn cifs/web01.ootw.local -impersonate AdministratorImpersonated service ticketRemove delegation or rotate delegating account
RBCDControlled principal needs an SPNWrite to target msDS-AllowedToActOnBehalfOfOtherIdentitygetST.py -spn cifs/target01.ootw.local -impersonate AdministratorService ticket to target as chosen userRemove RBCD security descriptor
Service-name substitutionOriginal SPN can be swapped to better service classValid delegated ticket and same service key contextgetST.py -spn time/dc01.ootw.local -altservice cifs/dc01.ootw.localMore useful service ticketRemove delegation path
SPN-jackingSPN moved from one account to anotherRights to remove and add SPNssetspn -D oldspn oldaccount then setspn -S oldspn newaccountService ticket encrypted to attacker-controlled accountRestore original SPN owner
Duplicate SPN abuseDuplicate or conflicting SPN breaks or redirects KerberosSPN write rightssetspn -S service/host accountKerberos confusion or service outageRemove duplicate and fix ownership

Account ownership matrix

SPN ownerOffensive valueTypical risk
User service accountKerberoasting, Silver Ticket if hash is recovered, delegation abuse if configuredWeak or reused service account password
Computer accountHost service tickets, RBCD, machine-account delegation, host movement when machine key is knownMachine secrets and delegation settings
gMSAService account with managed strong passwordLower Kerberoast value, but still important for delegation and ownership mapping
Domain controller computer accountLDAP, CIFS, HOST, GC, DNS, replication-oriented servicesTier 0 impact if ticket or key is obtained
Attacker-controlled machine accountRBCD and S4U stagingMachineAccountQuota and SPN-bearing principal creation

Failure matrix

SymptomLikely causeFix
KRB_AP_ERR_MODIFIEDTicket encrypted to one account but service runs under anotherVerify SPN ownership and hostname used by client
Service rejects ticketWrong service class or hostnameRequest the exact SPN the service expects
KDC_ERR_S_PRINCIPAL_UNKNOWNSPN not registeredQuery setspn -Q or LDAP and request an existing SPN
S4U failsDelegation does not allow requested SPNCheck msDS-AllowedToDelegateTo or RBCD target SD
Kerberoast returns nothingNo user-owned SPNs or bad queryEnumerate servicePrincipalName=* through LDAP first
Silver Ticket works for one service onlySilver Tickets are SPN-scopedForge a ticket for the correct service SPN