Service Discovery without Network Scanning

SPN Scanning

SPN Scanning asks the Domain Controller for all Service Principal Names (SPNs) of a specific type. This enables an attacker to discover all SQL servers, Exchange servers, etc. Here is a list of common Active Directory SPNs:

SPNsActive Directory & Azure AD/Entra ID Security

SPN scanning can also discover what Windows computers have RDP enabled (TERMSERV) and WinRM enabled (WSMAN).

Discover Enterprise Services

Get-ADComputer -filter {ServicePrincipalName -like "*TERMSRV*"} -Properties OperatingSystem,OperatingSystemVersion,OperatingSystemServicePack,PasswordLastSet,LastLogonDate,ServicePrincipalName,TrustedForDelegation,TrustedtoAuthForDelegation

PreviousDomain and Forest Information NextService Account Discovery

Last updated 9 months ago