setspn.exe

  • File Path: C:\WINDOWS\system32\setspn.exe
  • Description: Query or reset the computer’s SPN attribute

Hashes

Type Hash
MD5 89F885676C077F7183604C2F218DC550
SHA1 889849318650EDDBDB5E81F977E018070EF56B35
SHA256 2E9AE04638485213D23B9E3A69B2663038B2B75D06DF62BA21328CFEA3F21093
SHA384 3D2A362950F639619BAEE3098DAEAFD5C12C7E120E5F3C596E7DD83E1D0C2F90874CDBC5DDC2B086B14E20CD59ACCA82
SHA512 7FEA29FC5577217AA3675AD667037B2159CCD42B8D45640AC0ABD95CF6884A84AB606EEC2558183974FB01675DE3C4743758ABA28C183A31576FE86CE32D23E2
SSDEEP 768:k0LmdkDwhuJh7yUVhjCnbtL5ed8i/JYSG2:k0LmdkpHym+NglJYSG2
IMP E6B8038038B9ABF6ACB11E0A8BE9BB84
PESHA1 5B8168E575589059442DDE059511DDF4E9CAC7B8
PE256 BE03A2EF04A7C6BAE5BF5DEFBB96A87C62902E5BEB1C963127266DE7BFC82B2E

Runtime Data

Usage (stdout):

Usage: C:\WINDOWS\system32\setspn.exe [modifiers switch] [accountname] 
  Where "accountname" can be the name or domain\name
  of the target computer or user account

  Edit Mode Switches:
   -R = reset HOST ServicePrincipalName
    Usage:   setspn -R accountname
   -S = add arbitrary SPN after verifying no duplicates exist
    Usage:   setspn -S SPN accountname
   -D = delete arbitrary SPN
    Usage:   setspn -D SPN accountname
   -L = list SPNs registered to target account
    Usage:   setspn [-L] accountname   

  Edit Mode Modifiers:
   -C = specify that accountname is a computer account
   -U = specify that accountname is a user account
   
    Note: -C and -U are exclusive.  If neither is specified, the tool
     will interpret accountname as a computer name if such a computer
     exists, and a user name if it does not.

  Query Mode Switches:
   -Q = query for existence of SPN
    Usage:   setspn -Q SPN 
   -X = search for duplicate SPNs
    Usage:   setspn -X 

    Note: searching for duplicates, especially forestwide, can take
     a long period of time and a large amount of memory.  -Q will execute
     on each target domain/forest.  -X will return duplicates that exist
     across all targets. SPNs are not required to be unique across forests,
     but duplicates can cause authentication issues when authenticating
     cross-forest.

  Query Mode Modifiers:
   -P = suppresses progress to the console and can be used when redirecting
    output to a file or when used in an unattended script.  There will be no
    output until the command is complete.
   -F = perform queries at the forest, rather than domain level
   -T = perform query on the speicified domain or forest (when -F is also used)
    Usage:   setspn -T domain (switches and other parameters)
     "" or * can be used to indicate the current domain or forest.

    Note: these modifiers can be used with the -S switch in order to specify
     where the check for duplicates should be performed before adding the SPN.
    Note: -T can be specified multiple times.

Examples: 
setspn -R daserver1 
   It will register SPN "HOST/daserver1" and "HOST/{DNS of daserver1}" 
setspn -S http/daserver daserver1 
   It will register SPN "http/daserver" for computer "daserver1" 
    if no such SPN exists in the domain
setspn -D http/daserver daserver1 
   It will delete SPN "http/daserver" for computer "daserver1" 
setspn -F -S http/daserver daserver1 
   It will register SPN "http/daserver" for computer "daserver1"
    if no such SPN exists in the forest
setspn -U -S http/daserver dauser 
   It will register SPN "http/daserver" for user account "dauser" 
    if no such SPN exists in the domain
setspn -T * -T bar -X
   It will report all duplicate registration of SPNs in this domain and bar
setspn -T bar -F -Q */daserver
   It will find all SPNs of the form */daserver registered in the forest to
    which bar belongs
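
The query output produced by the -Q examples above is plain text: "Checking domain ..." for each target, then one unindented distinguished name per matching object with one indented line per SPN registered on it, and a closing status line. The following PowerShell is an added example, not part of the original page or of setspn.exe. It parses a constructed sample of that output (the DNs and SPNs are fictitious) into objects and applies a heuristic to separate probable user accounts from machine accounts, since only user accounts, with human-chosen passwords, are practical Kerberoasting targets. The list of machine-default SPN classes and the helper names are editorial assumptions.

```powershell
# Added example, not part of the original page or of setspn.exe. The sample
# below is constructed to mirror the stdout of "setspn -T corp.example -Q */*";
# real output indents SPN lines with a tab, which the regex below also accepts.
$sampleOutput = @'
Checking domain DC=corp,DC=example
CN=svc-sql,OU=Service Accounts,DC=corp,DC=example
    MSSQLSvc/sql01.corp.example:1433
    MSSQLSvc/sql01.corp.example
CN=SQL01,OU=Servers,DC=corp,DC=example
    HOST/SQL01
    HOST/sql01.corp.example
    RestrictedKrbHost/SQL01
    RestrictedKrbHost/sql01.corp.example
CN=svc-web,OU=Service Accounts,DC=corp,DC=example
    HTTP/intranet.corp.example

Existing SPN found!
'@

function ConvertFrom-SetspnQuery {
    # Turn setspn -Q output lines into objects: one per DN, with its SPN list.
    param([Parameter(Mandatory)][string[]]$Lines)
    $entries = [System.Collections.Generic.List[object]]::new()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^CN=') {
            # Unindented DN: start of a new object.
            $current = [pscustomobject]@{ DistinguishedName = $line.Trim(); SPNs = @() }
            $entries.Add($current)
        }
        elseif ($null -ne $current -and $line -match '^\s+(\S+)\s*$') {
            # Indented line: one SPN registered on the current object.
            $current.SPNs += $Matches[1]
        }
        else {
            # "Checking domain ...", blank lines and the final status line.
            $current = $null
        }
    }
    return $entries
}

# SPN classes that domain-joined computers register for themselves (an
# assumption; domain controllers also carry ldap/, GC/ and others). An object
# whose SPNs are all of these kinds is treated as a machine account: its
# password is random and rotated, so it is not a practical Kerberoasting target.
$machineSpnClasses = @('HOST', 'RestrictedKrbHost', 'TERMSRV', 'WSMAN')

function Test-LikelyUserAccount {
    # Heuristic only: setspn -Q prints the DN, not the object class.
    param([Parameter(Mandatory)]$Entry)
    foreach ($spn in $Entry.SPNs) {
        $class = ($spn -split '/', 2)[0]
        if ($machineSpnClasses -notcontains $class) { return $true }
    }
    return $false
}

# Lists svc-sql and svc-web; SQL01 is dropped as a machine account.
ConvertFrom-SetspnQuery -Lines ($sampleOutput -split '\r?\n') |
    Where-Object { Test-LikelyUserAccount -Entry $_ } |
    Select-Object DistinguishedName, @{ Name = 'SPNs'; Expression = { $_.SPNs -join ' ' } }
```

Against a live directory, feed the function the output of setspn -T domain -Q */* (with -P, per the usage text, when redirecting to a file), repeat -T for every domain in scope because -Q runs per target, and confirm the object class of each DN with the ActiveDirectory module (Get-ADObject) rather than trusting the SPN-class heuristic.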

Usage (stderr):

FindDomainForAccount: Call to DsGetDcNameWithAccountW failed with return value 0x0000054B
Could not find account help

Loaded Modules:

Path
C:\WINDOWS\System32\KERNEL32.DLL
C:\WINDOWS\System32\KERNELBASE.dll
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\system32\setspn.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: setspn.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/2e9ae04638485213d23b9e3a69b2663038b2b75d06df62ba21328cfea3f21093/detection

Possible Misuse

The following table contains possible examples of setspn.exe being misused. While setspn.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source: sigma
  • Source File: proc_creation_win_spn_enum.yml
  • Example: Image|endswith: '\setspn.exe'
  • License: DRL 1.0

Source: atomic-red-team
  • Source File: index.md
  • Example: - Atomic Test #3: Extract all accounts in use as SPN using setspn [windows]
  • License: MIT License. © 2018 Red Canary

Source: atomic-red-team
  • Source File: windows-index.md
  • Example: - Atomic Test #3: Extract all accounts in use as SPN using setspn [windows]
  • License: MIT License. © 2018 Red Canary

Source: atomic-red-team
  • Source File: T1558.003.md
  • Example: Service principal names (SPNs) are used to uniquely identify each instance of a Windows service. To enable authentication, Kerberos requires that SPNs be associated with at least one service logon account (an account specifically tasked with running a service(Citation: Microsoft Detecting Kerberoasting Feb 2018)).(Citation: Microsoft SPN)(Citation: Microsoft SetSPN)(Citation: SANS Attacking Kerberos Nov 2014)(Citation: Harmj0y Kerberoast Nov 2016)
  • License: MIT License. © 2018 Red Canary

Source: atomic-red-team
  • Source File: T1558.003.md
  • Example: - Atomic Test #3 - Extract all accounts in use as SPN using setspn
  • License: MIT License. © 2018 Red Canary

Source: atomic-red-team
  • Source File: T1558.003.md
  • Example: ## Atomic Test #3 - Extract all accounts in use as SPN using setspn
  • License: MIT License. © 2018 Red Canary

Source: atomic-red-team
  • Source File: T1558.003.md
  • Example: The following test will utilize setspn to extract the Service Principal Names. This behavior is typically used during a kerberos or silver ticket attack.
  • License: MIT License. © 2018 Red Canary

Source: atomic-red-team
  • Source File: T1558.003.md
  • Example: setspn -T #{domain_name} -Q */*
  • License: MIT License. © 2018 Red Canary

Source: atomic-red-team
  • Source File: T1558.003.md
  • Example: setspn.exe -T #{domain_name} -Q */* | Select-String '^CN' -Context 0,1 | % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.Context.PostContext[0].Trim() }
  • License: MIT License. © 2018 Red Canary
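
The sigma rule cited above matches process creation on the image name alone, and the Atomic Red Team test drives the tool with -Q. The following PowerShell is an added example, not from the original page, the sigma project or Atomic Red Team. It applies the image match together with the -Q query switch from the usage text to a few constructed process-creation events, and additionally keys on the binary's Description string (shown at the top of this page), which survives a renamed copy of setspn.exe that the image match would miss. The event shape, hosts, user names and command lines are assumptions.

```powershell
# Added example (not part of the original page, the cited sigma rule, or Atomic
# Red Team). Constructed process-creation events in the shape of Sysmon event 1
# fields; a real feed would come from Get-WinEvent against the Sysmon or
# Security (4688, with command-line auditing enabled) log.
$events = @(
    [pscustomobject]@{ User = 'CORP\svc-deploy'; Image = 'C:\Windows\System32\setspn.exe'
                       Description = 'Query or reset the computer''s SPN attribute'
                       CommandLine = 'setspn -S http/intranet svc-web' }
    [pscustomobject]@{ User = 'CORP\jdoe'; Image = 'C:\Windows\System32\setspn.exe'
                       Description = 'Query or reset the computer''s SPN attribute'
                       CommandLine = 'setspn -T corp.example -Q */*' }
    [pscustomobject]@{ User = 'CORP\dba'; Image = 'C:\Windows\System32\setspn.exe'
                       Description = 'Query or reset the computer''s SPN attribute'
                       CommandLine = 'setspn -L SQL01' }
    # Renamed copy of the binary: the image name no longer matches.
    [pscustomobject]@{ User = 'CORP\jdoe'; Image = 'C:\Users\jdoe\AppData\Local\Temp\sp.exe'
                       Description = 'Query or reset the computer''s SPN attribute'
                       CommandLine = 'sp.exe -T * -F -Q */*' }
)

function Test-SpnEnumeration {
    param([Parameter(Mandatory)]$Event)
    # The cited sigma rule keys on the image name; the Description field is
    # carried by the PE version resource and survives renaming, so accept either.
    # Matching on the prefix sidesteps the typographic apostrophe in the string.
    $toolMatch = (($Event.Image -like '*\setspn.exe') -or ($Event.Description -like 'Query or reset the computer*'))
    # Only the query switch is enumeration. -S, -D and -R are the tool's normal
    # administrative use, and -L lists a single account.
    $queryMatch = $Event.CommandLine -match '(^|\s)-Q(\s|$)'
    return ($toolMatch -and $queryMatch)
}

# Emits the -Q events (jdoe, twice); the -S and -L events are not reported.
# Scope and wildcard use come from the switches described in the usage text.
$events |
    Where-Object { Test-SpnEnumeration -Event $_ } |
    Select-Object User, Image, CommandLine,
        @{ Name = 'Scope';    Expression = { if ($_.CommandLine -match '(^|\s)-F(\s|$)') { 'forest' } else { 'domain' } } },
        @{ Name = 'Wildcard'; Expression = { $_.CommandLine -match '\*' } }
```

Tune on who runs it and from where: -S and -D from provisioning hosts under service-install accounts are the tool's legitimate use, while -Q with a wildcard from a user workstation is exactly what the Atomic Red Team command above produces. Command-line matching does not see the same LDAP queries issued by other tooling, so pair it with Kerberos service-ticket request auditing (event 4769), which observes the ticket requests that the Kerberoasting step itself generates.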

MIT License. Copyright (c) 2020-2021 Strontic.