Enumerate through Service Principal Names
# Lists all Service Principal Names registered to a specific user account in Active Directory (AD).
setspn -L <username>
# This command helps identify which services are associated with a particular service account, providing insights into the applications and their configurations within the domain.
# Retrieves all user accounts in the domain that have Service Principal Names and selects the relevant attributes (SAM account name and SPN). Get-NetUser is a PowerView function, so PowerView must be loaded first.
Get-NetUser -SPN | select samaccountname,serviceprincipalname
# This command allows for bulk enumeration of SPNs across the domain, making it easier to gather service account information, which may indicate potential targets for further investigation or exploitation.
The SPNs collected here are useful later when creating Silver Tickets.
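An added example, not part of the original page: parsing `setspn -L` output into structured rows so the services tied to each account can be inventoried and reviewed. The sample output, account name and host names are constructed placeholders, and `ConvertFrom-SetSpnOutput` is a hypothetical helper name.

```powershell
# Constructed sample of `setspn -L <username>` output (placeholder names).
$sample = @'
Registered ServicePrincipalNames for CN=svc_sql,CN=Users,DC=corp,DC=example:
    MSSQLSvc/sql01.corp.example:1433
    MSSQLSvc/sql01.corp.example:REPORTING
    HTTP/reports.corp.example
'@

function ConvertFrom-SetSpnOutput {
    # Hypothetical helper: turns setspn -L text into one object per SPN.
    param([string[]]$Line)

    $account = $null
    foreach ($l in $Line) {
        # Header line names the account that owns the SPNs that follow.
        if ($l -match '^Registered ServicePrincipalNames for (?<dn>.+):\s*$') {
            $account = $Matches['dn']
            continue
        }
        $spn = $l.Trim()
        if (-not $spn -or -not $account) { continue }   # skip blanks and stray lines

        # SPN syntax: serviceclass/host[:port-or-instance][/servicename]
        if ($spn -match '^(?<class>[^/]+)/(?<hostname>[^/:]+)(:(?<port>[^/]+))?(/(?<name>.+))?$') {
            [pscustomobject]@{
                Account        = $account
                ServiceClass   = $Matches['class']
                HostName       = $Matches['hostname']
                PortOrInstance = $Matches['port']   # $null when the SPN has no port part
                ServiceName    = $Matches['name']   # $null when the SPN has no service name
                Spn            = $spn
            }
        }
    }
}

$rows = ConvertFrom-SetSpnOutput -Line ($sample -split '\r?\n')

# One row per SPN, sorted so every service bound to a host sits together.
$rows | Sort-Object HostName, ServiceClass |
    Format-Table ServiceClass, HostName, PortOrInstance, Account -AutoSize

# Per-account summary: which service classes run under this identity.
$rows | Group-Object Account | ForEach-Object {
    [pscustomobject]@{
        Account        = $_.Name
        SpnCount       = $_.Count
        ServiceClasses = ($_.Group.ServiceClass | Sort-Object -Unique) -join ', '
    }
}
```

To use it on live output, pass the lines directly, for example `ConvertFrom-SetSpnOutput -Line (setspn -L <username>)`.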