Making Diamonds from Coal: Expanding Kerberoasting Targets with GenericWrite

Jose Campo
3 min read · Nov 17, 2024

The GenericWrite privilege over an account can open up new AD pentesting possibilities by letting you create Kerberoasting targets from accounts that otherwise wouldn’t be vulnerable.

Kerberoasting is a popular attack technique that leverages Kerberos service tickets to extract password hashes from accounts with configured Service Principal Names (SPNs). Typically, Kerberoasting targets service accounts, such as those used by MSSQL servers or web applications, which have SPNs set in Active Directory (AD) by default. But what if we don’t have an account with an SPN set? Not all is lost. If we’ve compromised a user account with GenericWrite privileges over a target account, we can abuse this privilege to add an SPN, allowing us to obtain a Kerberos ticket hash for the target account.
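From the defender's side, the sequence described above leaves a recognizable trail: a servicePrincipalName value added to a user object (Security event 5136), followed shortly by a service ticket request for that same account (event 4769). The following is an added example, not code from the original article; it assumes Directory Service Changes and Kerberos Service Ticket Operations auditing are enabled, and the sample events, account names and the DN-to-sAMAccountName mapping are constructed for illustration.

```python
from datetime import datetime, timedelta

VALUE_ADDED = "%%14674"  # OperationType of event 5136 when a value is added
RC4_HMAC = "0x17"        # TicketEncryptionType of event 4769 for RC4-HMAC

# Constructed sample events (not from the article), pre-parsed into dicts.
EVENTS = [
    {"id": 5136, "time": "2024-11-17T10:00:05", "SubjectUserName": "j.doe",
     "ObjectDN": "CN=Alice Admin,OU=Staff,DC=corp,DC=example", "ObjectClass": "user",
     "AttributeLDAPDisplayName": "servicePrincipalName",
     "AttributeValue": "http/constructed-host", "OperationType": VALUE_ADDED},
    {"id": 4769, "time": "2024-11-17T10:00:40", "TargetUserName": "j.doe@CORP.EXAMPLE",
     "ServiceName": "a.admin", "TicketEncryptionType": RC4_HMAC},
    # SPN registered on a service account, no ticket request follows.
    {"id": 5136, "time": "2024-11-17T11:00:00", "SubjectUserName": "it.ops",
     "ObjectDN": "CN=svc_sql,OU=Service,DC=corp,DC=example", "ObjectClass": "user",
     "AttributeLDAPDisplayName": "servicePrincipalName",
     "AttributeValue": "MSSQLSvc/constructed-db:1433", "OperationType": VALUE_ADDED},
    # Ticket for a service whose SPN was not recently changed.
    {"id": 4769, "time": "2024-11-17T11:05:00", "TargetUserName": "b.lee@CORP.EXAMPLE",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x12"},
]
# Hypothetical directory inventory: distinguished name -> sAMAccountName.
DN_TO_SAM = {"cn=alice admin,ou=staff,dc=corp,dc=example": "a.admin",
             "cn=svc_sql,ou=service,dc=corp,dc=example": "svc_sql"}

def find_spn_then_ticket(events, dn_to_sam, window=timedelta(minutes=30)):
    """Flag a 4769 for an account whose SPN was added (5136) within `window`."""
    recent_adds, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        if ev["id"] == 5136:
            sam = dn_to_sam.get(ev["ObjectDN"].lower())
            if (sam and ev["ObjectClass"] == "user"
                    and ev["AttributeLDAPDisplayName"].lower() == "serviceprincipalname"
                    and ev["OperationType"] == VALUE_ADDED):
                recent_adds[sam.lower()] = (when, ev["SubjectUserName"].lower())
        elif ev["id"] == 4769:
            added = recent_adds.get(ev["ServiceName"].lower())
            if added and when - added[0] <= window:
                requester = ev["TargetUserName"].split("@")[0].lower()
                alerts.append({"account": ev["ServiceName"], "requester": requester,
                               "same_actor": requester == added[1],
                               "rc4": ev["TicketEncryptionType"].lower() == RC4_HMAC})
    return alerts

if __name__ == "__main__":
    for alert in find_spn_then_ticket(EVENTS, DN_TO_SAM):
        print(alert)
```

An alert where `same_actor` is true deserves the highest priority, since the principal that wrote the SPN is also the one requesting the ticket; the `rc4` flag is supporting context only.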

What is the GenericWrite Privilege?

In Active Directory, the GenericWrite privilege provides the ability to modify certain attributes of a specific user account. With GenericWrite access to an account, you can add or alter attributes, including the Service Principal Name (SPN) attribute. This privilege enables creative attacks by expanding the scope of accounts that can be targeted for Kerberoasting, even if they don’t serve a typical “service” role. Here’s how this…
