Intermediate | T1558.003

SPN Scanning & Service Discovery

Service Principal Names let attackers discover every service running in your domain -- including SQL servers, web apps, and Exchange -- without sending a single network scan packet.

Every service that uses Kerberos authentication in Active Directory registers a Service Principal Name (SPN). Think of it as a label that says "I am a SQL server running on server01." When attackers query the directory for all SPNs, they get a complete inventory of every service in the domain -- without running any network scans that might trigger alerts. This is stealthier than port scanning because it is just a normal directory query. The attacker then knows exactly which services to target and, critically, which accounts run those services (important for Kerberoasting).

Think of a company phone directory: instead of walking around every floor to find out who does what, you simply look up the directory, which lists every employee along with their job title and department. SPN scanning works the same way. Rather than running noisy port scans across the network, attackers query Active Directory's service directory to discover every registered service -- SQL databases, web servers, mail servers, and more. The directory tells them not only what services exist, but exactly which server hosts them and which account runs them.

Key Takeaways

  1. SPN scanning discovers all Kerberos-authenticated services without network port scanning.
  2. Services running under user accounts with SPNs are vulnerable to Kerberoasting.
  3. The LDAP query is normal directory traffic, making detection difficult.
  4. Group Managed Service Accounts (gMSAs) eliminate the risk by using auto-rotated complex passwords.
  5. SPN scanning is the direct precursor to Kerberoasting attacks.
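Takeaway 3 is the reason the monitoring in the defense list below has to look at the LDAP queries themselves rather than at network noise. The following PowerShell is an added example, not code from the original page: it flags clients that run wildcard SPN enumeration against a domain controller, using the fields that the Directory Service log's event 1644 exposes (client address, LDAP filter, attributes requested). The event records, the admin-workstation prefix `10.0.5.` and the threshold of three wildcard queries per ten-minute window are all constructed assumptions for the demonstration.

```powershell
# Added example, not code from the original page. Flags clients that run wildcard SPN
# enumeration against a DC, using the fields that Directory Service event 1644 exposes
# (client address, LDAP filter, attributes requested). The records below are constructed;
# on a real DC they would come from
#   Get-WinEvent -LogName 'Directory Service' -FilterXPath '*[System[EventID=1644]]'
# with the Field Engineering diagnostics level raised so that all searches are logged.

function Find-SpnScanners {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [string[]] $AdminPrefixes = @(),   # assumption: admin workstation IP prefixes to exclude
        [int]      $Threshold     = 3,     # assumption: wildcard SPN queries per client per window
        [int]      $WindowMinutes = 10
    )
    # A wildcard-only value ("servicePrincipalName=*") enumerates every SPN. A filter
    # naming a specific SPN is the lookup any client does before authenticating to a
    # service and is ignored, which keeps normal Kerberos traffic out of the alert.
    $wide = $Events | Where-Object { $_.Filter -match 'servicePrincipalName=\*\)' }

    $wide | Group-Object { ($_.Client -split ':')[0] } | ForEach-Object {   # IPv4 "ip:port"
        $ip    = $_.Name
        $times = @($_.Group | Sort-Object Time | ForEach-Object { $_.Time })

        # Peak number of wildcard queries inside any sliding window of $WindowMinutes.
        $peak = 0
        for ($i = 0; $i -lt $times.Count; $i++) {
            $end = $times[$i].AddMinutes($WindowMinutes)
            $n   = @($times | Where-Object { $_ -ge $times[$i] -and $_ -lt $end }).Count
            if ($n -gt $peak) { $peak = $n }
        }

        $isAdminHost = [bool]($AdminPrefixes | Where-Object { $ip.StartsWith($_) })
        if ($peak -ge $Threshold -and -not $isAdminHost) {
            [pscustomobject]@{
                ClientIP        = $ip
                WildcardQueries = $times.Count
                PeakInWindow    = $peak
                FirstSeen       = $times[0]
                LastSeen        = $times[-1]
            }
        }
    }
}

# Constructed sample: one scanner, one admin host doing the same thing, one ordinary client.
$sample = @(
    [pscustomobject]@{ Time = [datetime]'2024-06-01T09:00:05'; Client = '10.0.7.22:49210'; Filter = '(servicePrincipalName=*)';                               Attributes = 'servicePrincipalName,sAMAccountName' }
    [pscustomobject]@{ Time = [datetime]'2024-06-01T09:00:07'; Client = '10.0.7.22:49211'; Filter = '(&(objectCategory=person)(servicePrincipalName=*))';      Attributes = 'servicePrincipalName,sAMAccountName' }
    [pscustomobject]@{ Time = [datetime]'2024-06-01T09:01:30'; Client = '10.0.7.22:49215'; Filter = '(&(objectClass=user)(servicePrincipalName=*))';           Attributes = 'servicePrincipalName' }
    [pscustomobject]@{ Time = [datetime]'2024-06-01T09:03:12'; Client = '10.0.5.10:50002'; Filter = '(servicePrincipalName=*)';                               Attributes = 'servicePrincipalName' }
    [pscustomobject]@{ Time = [datetime]'2024-06-01T09:03:40'; Client = '10.0.5.10:50003'; Filter = '(servicePrincipalName=*)';                               Attributes = 'servicePrincipalName' }
    [pscustomobject]@{ Time = [datetime]'2024-06-01T09:04:01'; Client = '10.0.5.10:50004'; Filter = '(servicePrincipalName=*)';                               Attributes = 'servicePrincipalName' }
    [pscustomobject]@{ Time = [datetime]'2024-06-01T09:05:00'; Client = '10.0.9.40:51000'; Filter = '(servicePrincipalName=MSSQLSvc/server01.corp.local:1433)'; Attributes = 'distinguishedName' }
    [pscustomobject]@{ Time = [datetime]'2024-06-01T09:06:00'; Client = '10.0.9.40:51001'; Filter = '(servicePrincipalName=*)';                               Attributes = 'servicePrincipalName' }
)

Find-SpnScanners -Events $sample -AdminPrefixes @('10.0.5.') | Format-Table -AutoSize
```

On the constructed sample only `10.0.7.22` is reported: it issues three wildcard SPN queries inside two minutes from a non-admin address. `10.0.5.10` does the same but sits on the excluded admin prefix, and `10.0.9.40` performs one specific-SPN lookup (ignored) and one wildcard query (below threshold). The regex deliberately matches only a bare `*` value, so the per-service lookups that precede every Kerberos authentication never count toward the threshold.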
Why Should I Care?

SPN scanning reveals the attack surface for Kerberoasting, one of the most common and effective AD attacks. Knowing your SPN landscape is essential for defense.

Defense Recommendations

Reduce the SPN attack surface and make cracking impractical with managed service accounts.

  1. Migrate service accounts to Group Managed Service Accounts (gMSAs) wherever possible.
  2. Audit all user accounts with SPNs: Get-ADUser -Filter {servicePrincipalName -like "*"} -Properties servicePrincipalName
  3. Remove unnecessary SPNs from user accounts.
  4. Ensure service account passwords are 25+ characters and randomly generated.
  5. Monitor for high-volume SPN queries from non-administrative workstations.
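Steps 1 to 4 above fit together into one audit: list the user accounts that carry SPNs, then rank each by how exposed it is to Kerberoasting so the gMSA migration, SPN clean-up and password rotation can be prioritised. The script below is an added example, not the page's own code; it extends the one-line Get-ADUser query from step 2 and assumes the ActiveDirectory RSAT module, read access to the domain, and a locally chosen 365-day password-age threshold (an assumption, not a value from the page).

```powershell
# Added example (not the page's own code): audit user accounts that carry SPNs and
# rank them by Kerberoasting exposure. Assumes the ActiveDirectory RSAT module and
# read access to the domain. Thresholds are assumptions; tune them to local policy.
Import-Module ActiveDirectory

$maxPasswordAgeDays = 365        # assumption: rotation policy for legacy service accounts
$props = 'servicePrincipalName', 'PasswordLastSet', 'Enabled', 'AdminCount', 'msDS-SupportedEncryptionTypes'

# User objects only: computer accounts and gMSAs have machine-generated passwords, and
# krbtgt carries a built-in SPN that cannot be removed, so none of them are findings here.
$spnUsers = Get-ADUser -LDAPFilter '(&(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))' -Properties $props

$report = foreach ($u in $spnUsers) {
    $ageDays = if ($u.PasswordLastSet) { [int](New-TimeSpan -Start $u.PasswordLastSet -End (Get-Date)).TotalDays } else { $null }

    # msDS-SupportedEncryptionTypes bits 0x08 (AES128) and 0x10 (AES256). Unset or RC4-only
    # means the KDC issues RC4 service tickets, which are far cheaper to crack offline.
    $encTypes   = $u.'msDS-SupportedEncryptionTypes'
    $aesEnabled = ($null -ne $encTypes) -and (($encTypes -band 0x18) -ne 0)
    $privileged = ($u.AdminCount -eq 1)
    $stale      = ($null -eq $ageDays) -or ($ageDays -gt $maxPasswordAgeDays)

    $finding = if ($privileged -and $stale) { 'CRITICAL: privileged account with stale password' }
               elseif ($privileged)        { 'HIGH: privileged account carries an SPN' }
               elseif ($stale)             { 'HIGH: stale password on roastable account' }
               elseif (-not $aesEnabled)   { 'MEDIUM: RC4-only service tickets' }
               else                        { 'REVIEW: candidate for gMSA migration' }

    [pscustomobject]@{
        Account         = $u.SamAccountName
        Enabled         = $u.Enabled
        Privileged      = $privileged
        PasswordAgeDays = $ageDays
        AesEnabled      = $aesEnabled
        SpnCount        = @($u.servicePrincipalName).Count
        Spns            = ($u.servicePrincipalName -join '; ')
        Finding         = $finding
    }
}

# Worst findings first, oldest passwords first within each severity.
$report |
    Sort-Object Finding, @{ Expression = 'PasswordAgeDays'; Descending = $true } |
    Format-Table Account, Enabled, Privileged, PasswordAgeDays, AesEnabled, SpnCount, Finding -AutoSize

# Full detail, including the SPN list needed for the step-3 clean-up, for tracking over time.
$report | Export-Csv -Path .\spn-audit.csv -NoTypeInformation
```

Every row in the report is an account an attacker could request a service ticket for; the Finding column orders the work. Privileged accounts with SPNs are the first to move to a gMSA or strip of their SPN, stale passwords are rotated to the 25+ character random values from step 4, and accounts without AES enabled are switched so the tickets handed out are not RC4. Re-running the audit after each change gives a measurable shrink of the Kerberoasting surface.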
Source

Content sourced from Microsoft Documentation, MITRE ATT&CK Framework, NIST SP 800-63/171, adsecurity.org (Sean Metcalf), SpecterOps research, and SANS Reading Room. For educational purposes only.