setspn.exe

  • File Path: C:\Windows\system32\setspn.exe
  • Description: Query or reset the computer’s SPN attribute

Hashes

Type Hash
MD5 5C184D581524245DAD7A0A02B51FD2C2
SHA1 E1737531283F547AF57153D6D09BE54E023B2957
SHA256 909C2DDF06CFEB1F79004DBB5E9B9D36B693CFDFF3459E0A6A51616B2AD6D2D1
SHA384 BF81D5EAFAC0B9DE14D3C25D403D4B2746D7B6781C643E9F765FDB1E47196D2DCF0CE5BB6D88336107780921C3EAD9CD
SHA512 516AE7B3D0ABE7C0ACB9CF419826823CCE20B5C46BF1FC60AF7CC7887745A5F8CC2A37D27663B678BEBC177CF663E234BB427701D5D462BDB4240D311A9271F6
SSDEEP 768:sY+4keaRDMP3gJtmH+9IFrf0DkvwNMq7VEe:hcDMfwOwDkX8VEe

Runtime Data

Usage (stdout):

Usage: C:\Windows\system32\setspn.exe [modifiers switch] [accountname] 
  Where "accountname" can be the name or domain\name
  of the target computer or user account

  Edit Mode Switches:
   -R = reset HOST ServicePrincipalName
    Usage:   setspn -R accountname
   -S = add arbitrary SPN after verifying no duplicates exist
    Usage:   setspn -S SPN accountname
   -D = delete arbitrary SPN
    Usage:   setspn -D SPN accountname
   -L = list SPNs registered to target account
    Usage:   setspn [-L] accountname   

  Edit Mode Modifiers:
   -C = specify that accountname is a computer account
   -U = specify that accountname is a user account
   
    Note: -C and -U are exclusive.  If neither is specified, the tool
     will interpret accountname as a computer name if such a computer
     exists, and a user name if it does not.

  Query Mode Switches:
   -Q = query for existence of SPN
    Usage:   setspn -Q SPN 
   -X = search for duplicate SPNs
    Usage:   setspn -X 

    Note: searching for duplicates, especially forestwide, can take
     a long period of time and a large amount of memory.  -Q will execute
     on each target domain/forest.  -X will return duplicates that exist
     across all targets. SPNs are not required to be unique across forests,
     but duplicates can cause authentication issues when authenticating
     cross-forest.

  Query Mode Modifiers:
   -P = suppresses progress to the console and can be used when redirecting
    output to a file or when used in an unattended script.  There will be no
    output until the command is complete.
   -F = perform queries at the forest, rather than domain level
   -T = perform query on the speicified domain or forest (when -F is also used)
    Usage:   setspn -T domain (switches and other parameters)
     "" or * can be used to indicate the current domain or forest.

    Note: these modifiers can be used with the -S switch in order to specify
     where the check for duplicates should be performed before adding the SPN.
    Note: -T can be specified multiple times.

Examples: 
setspn -R daserver1 
   It will register SPN "HOST/daserver1" and "HOST/{DNS of daserver1}" 
setspn -S http/daserver daserver1 
   It will register SPN "http/daserver" for computer "daserver1" 
    if no such SPN exists in the domain
setspn -D http/daserver daserver1 
   It will delete SPN "http/daserver" for computer "daserver1" 
setspn -F -S http/daserver daserver1 
   It will register SPN "http/daserver" for computer "daserver1"
    if no such SPN exists in the forest
setspn -U -S http/daserver dauser 
   It will register SPN "http/daserver" for user account "dauser" 
    if no such SPN exists in the domain
setspn -T * -T bar -X
   It will report all duplicate registration of SPNs in this domain and bar
setspn -T bar -F -Q */daserver
   It will find all SPNs of the form */daserver registered in the forest to
    which bar belongs

Usage (stderr):

FindDomainForAccount: Call to DsGetDcNameWithAccountW failed with return value 0x0000054B
Could not find account help

Signature

  • Status: Signature verified.
  • Serial: 33000000BCE120FDD27CC8EE930000000000BC
  • Thumbprint: E85459B23C232DB3CB94C7A56D47678F58E8E51E
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: setspn.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.14393.0 (rs1_release.160715-1616)
  • Product Version: 10.0.14393.0
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of setspn.exe being misused. While setspn.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_spn_enum.yml Image\|endswith: '\setspn.exe' DRL 1.0
atomic-red-team index.md - Atomic Test #3: Extract all accounts in use as SPN using setspn [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #3: Extract all accounts in use as SPN using setspn [windows] MIT License. © 2018 Red Canary
atomic-red-team T1558.003.md Service principal names (SPNs) are used to uniquely identify each instance of a Windows service. To enable authentication, Kerberos requires that SPNs be associated with at least one service logon account (an account specifically tasked with running a service(Citation: Microsoft Detecting Kerberoasting Feb 2018)).(Citation: Microsoft SPN)(Citation: Microsoft SetSPN)(Citation: SANS Attacking Kerberos Nov 2014)(Citation: Harmj0y Kerberoast Nov 2016) MIT License. © 2018 Red Canary
atomic-red-team T1558.003.md - Atomic Test #3 - Extract all accounts in use as SPN using setspn MIT License. © 2018 Red Canary
atomic-red-team T1558.003.md ## Atomic Test #3 - Extract all accounts in use as SPN using setspn MIT License. © 2018 Red Canary
atomic-red-team T1558.003.md The following test will utilize setspn to extract the Service Principal Names. This behavior is typically used during a kerberos or silver ticket attack. MIT License. © 2018 Red Canary
atomic-red-team T1558.003.md setspn -T #{domain_name} -Q / MIT License. © 2018 Red Canary
atomic-red-team T1558.003.md setspn.exe -T #{domain_name} -Q / | Select-String ‘^CN’ -Context 0,1 | % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.Context.PostContext[0].Trim() } MIT License. © 2018 Red Canary

MIT License. Copyright (c) 2020-2021 Strontic.