setspn.exe
- File Path: C:\Windows\system32\setspn.exe
- Description: Query or reset the computer’s SPN attribute
Hashes
Type | Hash |
---|---|
MD5 | 5C184D581524245DAD7A0A02B51FD2C2 |
SHA1 | E1737531283F547AF57153D6D09BE54E023B2957 |
SHA256 | 909C2DDF06CFEB1F79004DBB5E9B9D36B693CFDFF3459E0A6A51616B2AD6D2D1 |
SHA384 | BF81D5EAFAC0B9DE14D3C25D403D4B2746D7B6781C643E9F765FDB1E47196D2DCF0CE5BB6D88336107780921C3EAD9CD |
SHA512 | 516AE7B3D0ABE7C0ACB9CF419826823CCE20B5C46BF1FC60AF7CC7887745A5F8CC2A37D27663B678BEBC177CF663E234BB427701D5D462BDB4240D311A9271F6 |
SSDEEP | 768:sY+4keaRDMP3gJtmH+9IFrf0DkvwNMq7VEe:hcDMfwOwDkX8VEe |
Runtime Data
Usage (stdout):
Usage: C:\Windows\system32\setspn.exe [modifiers switch] [accountname]
Where "accountname" can be the name or domain\name
of the target computer or user account
Edit Mode Switches:
-R = reset HOST ServicePrincipalName
Usage: setspn -R accountname
-S = add arbitrary SPN after verifying no duplicates exist
Usage: setspn -S SPN accountname
-D = delete arbitrary SPN
Usage: setspn -D SPN accountname
-L = list SPNs registered to target account
Usage: setspn [-L] accountname
Edit Mode Modifiers:
-C = specify that accountname is a computer account
-U = specify that accountname is a user account
Note: -C and -U are exclusive. If neither is specified, the tool
will interpret accountname as a computer name if such a computer
exists, and a user name if it does not.
Query Mode Switches:
-Q = query for existence of SPN
Usage: setspn -Q SPN
-X = search for duplicate SPNs
Usage: setspn -X
Note: searching for duplicates, especially forestwide, can take
a long period of time and a large amount of memory. -Q will execute
on each target domain/forest. -X will return duplicates that exist
across all targets. SPNs are not required to be unique across forests,
but duplicates can cause authentication issues when authenticating
cross-forest.
Query Mode Modifiers:
-P = suppresses progress to the console and can be used when redirecting
output to a file or when used in an unattended script. There will be no
output until the command is complete.
-F = perform queries at the forest, rather than domain level
-T = perform query on the speicified domain or forest (when -F is also used)
Usage: setspn -T domain (switches and other parameters)
"" or * can be used to indicate the current domain or forest.
Note: these modifiers can be used with the -S switch in order to specify
where the check for duplicates should be performed before adding the SPN.
Note: -T can be specified multiple times.
Examples:
setspn -R daserver1
It will register SPN "HOST/daserver1" and "HOST/{DNS of daserver1}"
setspn -S http/daserver daserver1
It will register SPN "http/daserver" for computer "daserver1"
if no such SPN exists in the domain
setspn -D http/daserver daserver1
It will delete SPN "http/daserver" for computer "daserver1"
setspn -F -S http/daserver daserver1
It will register SPN "http/daserver" for computer "daserver1"
if no such SPN exists in the forest
setspn -U -S http/daserver dauser
It will register SPN "http/daserver" for user account "dauser"
if no such SPN exists in the domain
setspn -T * -T bar -X
It will report all duplicate registration of SPNs in this domain and bar
setspn -T bar -F -Q */daserver
It will find all SPNs of the form */daserver registered in the forest to
which bar belongs
Usage (stderr):
FindDomainForAccount: Call to DsGetDcNameWithAccountW failed with return value 0x0000054B
Could not find account help
Signature
- Status: Signature verified.
- Serial: 33000000BCE120FDD27CC8EE930000000000BC
- Thumbprint: E85459B23C232DB3CB94C7A56D47678F58E8E51E
- Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: setspn.exe.mui
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.14393.0 (rs1_release.160715-1616)
- Product Version: 10.0.14393.0
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
Possible Misuse
The following table contains possible examples of setspn.exe being misused. While setspn.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
Source | Source File | Example | License |
---|---|---|---|
sigma | proc_creation_win_spn_enum.yml | Image\|endswith: '\setspn.exe' | DRL 1.0 |
atomic-red-team | index.md | - Atomic Test #3: Extract all accounts in use as SPN using setspn [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #3: Extract all accounts in use as SPN using setspn [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | T1558.003.md | Service principal names (SPNs) are used to uniquely identify each instance of a Windows service. To enable authentication, Kerberos requires that SPNs be associated with at least one service logon account (an account specifically tasked with running a service(Citation: Microsoft Detecting Kerberoasting Feb 2018)).(Citation: Microsoft SPN)(Citation: Microsoft SetSPN)(Citation: SANS Attacking Kerberos Nov 2014)(Citation: Harmj0y Kerberoast Nov 2016) | MIT License. © 2018 Red Canary |
atomic-red-team | T1558.003.md | - Atomic Test #3 - Extract all accounts in use as SPN using setspn | MIT License. © 2018 Red Canary |
atomic-red-team | T1558.003.md | ## Atomic Test #3 - Extract all accounts in use as SPN using setspn | MIT License. © 2018 Red Canary |
atomic-red-team | T1558.003.md | The following test will utilize setspn to extract the Service Principal Names. This behavior is typically used during a kerberos or silver ticket attack. | MIT License. © 2018 Red Canary |
atomic-red-team | T1558.003.md | setspn -T #{domain_name} -Q */* | MIT License. © 2018 Red Canary |
atomic-red-team | T1558.003.md | setspn.exe -T #{domain_name} -Q */* \| Select-String '^CN' -Context 0,1 \| % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.Context.PostContext[0].Trim() } | MIT License. © 2018 Red Canary |
MIT License. Copyright (c) 2020-2021 Strontic.