Enumerate through Service Principal Names

# Lists all Service Principal Names registered to a specific user account in Active Directory (AD).
setspn -L <username>

# This command helps identify which services are associated with a particular service account, providing insights into the applications and their configurations within the domain.

# Retrieves all user accounts in the domain that have Service Principal Names associated with them and selects relevant attributes (SAM account name and SPN).
Get-NetUser -SPN | select samaccountname,serviceprincipalname
# This command allows for bulk enumeration of SPNs across the domain, making it easier to gather service account information, which may indicate potential targets for further investigation or exploitation.