Service Principal Name Scanning Active Directory

Dropping these notes here as a reminder for myself; they might be useful for you too:

Scanning for services within Active Directory is best done using existing functionality to avoid detection, and the best way to do that is through Service Principal Names (SPNs).

Sean created a resource page of useful SPNs:

His Active Directory recon code is here.

And this is a talk given by Sean earlier this year entitled: Red vs. Blue: Modern Active Directory Attacks & Defense