setspn.exe

  • File Path: C:\windows\SysWOW64\setspn.exe
  • Description: Query or reset the computer’s SPN attribute

Hashes

Type Hash
MD5 F49B7307D15DC63A4F4848C17383E655
SHA1 B951E525098F8032E0AA26291D1D10E6CF7BDCF9
SHA256 84B7B28DB52AE454CABA76B134895EB3244295CB3A45EC40ACB9B5D653C96553
SHA384 DB450537480A83240A3505DF833BEBD3C72D9397BBE5FF6496BFDCBD508322CB1027B1E87AC3501B5E13A10E2629B396
SHA512 5DEDF00A5C320DE1496BB2D2C9165242F6460AB4472895D4299F620C0D04BEB7DCA50E7621004344B9977FEC746852C3FBB289148EDA136506E726242D4AF5EB
SSDEEP 384:Klb7NApubbjTyH7Mc3NQELSj0TXc3D23U531edYWxaWPlUI:gb7NApQ3TyH7zy+wT31SnW

Signature

  • Status: The file C:\windows\SysWOW64\setspn.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
  • Serial: ``
  • Thumbprint: ``
  • Issuer:
  • Subject:

File Metadata

  • Original Filename: setspn.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
  • Product Version: 6.3.9600.16384
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of setspn.exe being misused. While setspn.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_spn_enum.yml Image\|endswith: '\setspn.exe' DRL 1.0
atomic-red-team index.md - Atomic Test #3: Extract all accounts in use as SPN using setspn [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #3: Extract all accounts in use as SPN using setspn [windows] MIT License. © 2018 Red Canary
atomic-red-team T1558.003.md Service principal names (SPNs) are used to uniquely identify each instance of a Windows service. To enable authentication, Kerberos requires that SPNs be associated with at least one service logon account (an account specifically tasked with running a service(Citation: Microsoft Detecting Kerberoasting Feb 2018)).(Citation: Microsoft SPN)(Citation: Microsoft SetSPN)(Citation: SANS Attacking Kerberos Nov 2014)(Citation: Harmj0y Kerberoast Nov 2016) MIT License. © 2018 Red Canary
atomic-red-team T1558.003.md - Atomic Test #3 - Extract all accounts in use as SPN using setspn MIT License. © 2018 Red Canary
atomic-red-team T1558.003.md ## Atomic Test #3 - Extract all accounts in use as SPN using setspn MIT License. © 2018 Red Canary
atomic-red-team T1558.003.md The following test will utilize setspn to extract the Service Principal Names. This behavior is typically used during a kerberos or silver ticket attack. MIT License. © 2018 Red Canary
atomic-red-team T1558.003.md setspn -T #{domain_name} -Q / MIT License. © 2018 Red Canary
atomic-red-team T1558.003.md setspn.exe -T #{domain_name} -Q / | Select-String ‘^CN’ -Context 0,1 | % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.Context.PostContext[0].Trim() } MIT License. © 2018 Red Canary

MIT License. Copyright (c) 2020-2021 Strontic.