Just creating this one as well, I hope that's no problem for you.
The existing WriteSPN(user) chain correctly models targeted Kerberoasting:
WriteSPN(user) -> ::WriteSPN -> ::Kerberoasting -> apply_with_cracked_passwd
There is no equivalent chain for computer objects. If an attacker has WriteSPN, GenericWrite, or WriteDacl on a computer account, they can set an arbitrary SPN and request a roastable TGS - the same primitive as the user case, no KCD or second controlled machine required.
Note: this is distinct from SPN-Jacking (implemented in #7) - it is the simpler baseline WriteSPN abuse case mentioned at the end of that PR thread.
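From the defender's side, the primitive described above leaves a distinctive trace: a `servicePrincipalName` write on a computer object (Security event 5136) followed shortly by a service ticket request for that account with RC4 encryption (event 4769, encryption type 0x17). The following is an added detection example, not code from the issue or from the project being discussed; it assumes the two event types have already been parsed into dicts with the field names used below, and the event records, hosts and account names are constructed samples.

```python
"""Correlate SPN writes on computer objects with later RC4 TGS requests.

Added example (not the project's code). Assumes Security events 5136 and
4769 have been pre-parsed into dicts with the keys used below; all records
here are constructed samples for illustration.
"""
from datetime import datetime, timedelta

# Constructed sample events (hypothetical names and timestamps).
SAMPLE_EVENTS = [
    # Benign: a deployment account adds a matching SPN, later an AES ticket.
    {"id": 5136, "time": "2024-05-01T09:00:00", "subject": "CORP\\svc-deploy",
     "object_dn": "CN=WEB01,OU=Servers,DC=corp,DC=local", "object_class": "computer",
     "attribute": "servicePrincipalName", "value": "HTTP/web01.corp.local", "op": "add"},
    {"id": 4769, "time": "2024-05-01T09:05:00", "account": "alice@CORP.LOCAL",
     "service": "WEB01$", "enc_type": "0x12"},
    # Suspicious: a user writes an SPN naming a different host, then requests RC4.
    {"id": 5136, "time": "2024-05-01T10:00:00", "subject": "CORP\\jdoe",
     "object_dn": "CN=FILESRV01,OU=Servers,DC=corp,DC=local", "object_class": "computer",
     "attribute": "servicePrincipalName", "value": "MSSQLSvc/roast.corp.local:1433", "op": "add"},
    {"id": 4769, "time": "2024-05-01T10:00:30", "account": "jdoe@CORP.LOCAL",
     "service": "FILESRV01$", "enc_type": "0x17"},
    # SPN change on a user object: covered by the existing user chain, not this rule.
    {"id": 5136, "time": "2024-05-01T11:00:00", "subject": "CORP\\jdoe",
     "object_dn": "CN=svc-sql,OU=Users,DC=corp,DC=local", "object_class": "user",
     "attribute": "servicePrincipalName", "value": "MSSQLSvc/db.corp.local", "op": "add"},
]

RC4_HMAC = "0x17"  # 4769 "Ticket Encryption Type" value for RC4-HMAC


def computer_name(dn):
    """Return the CN of a computer DN, e.g. 'CN=WEB01,OU=...' -> 'WEB01'."""
    first_rdn = dn.split(",", 1)[0]
    return first_rdn.split("=", 1)[1].upper()


def spn_host(spn):
    """Return the short host of an SPN: 'HTTP/web01.corp.local:8080' -> 'WEB01'."""
    host = spn.split("/", 1)[1].split(":", 1)[0]
    return host.split(".", 1)[0].upper()


def find_computer_spn_roasting(events, window=timedelta(minutes=10)):
    """Flag SPN additions on computer objects that name a foreign host and/or
    are followed within `window` by an RC4 service ticket request for that
    computer account. Returns one finding dict per suspicious SPN write."""
    ts = lambda e: datetime.fromisoformat(e["time"])
    spn_writes = [e for e in events
                  if e["id"] == 5136 and e["object_class"] == "computer"
                  and e["attribute"] == "servicePrincipalName" and e["op"] == "add"]
    tgs_requests = [e for e in events if e["id"] == 4769]
    findings = []
    for w in spn_writes:
        target = computer_name(w["object_dn"])
        # An SPN whose host is not the computer itself is the classic sign of
        # an SPN planted purely to make the account roastable.
        foreign_spn = spn_host(w["value"]) != target
        rc4_after = [t for t in tgs_requests
                     if t["service"].rstrip("$").upper() == target
                     and t["enc_type"] == RC4_HMAC
                     and 0 <= (ts(t) - ts(w)).total_seconds() <= window.total_seconds()]
        if not (foreign_spn or rc4_after):
            continue
        findings.append({
            "computer": target,
            "writer": w["subject"],
            "spn": w["value"],
            "foreign_spn": foreign_spn,
            "rc4_requesters": sorted({t["account"] for t in rc4_after}),
            "severity": "high" if (foreign_spn and rc4_after) else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in find_computer_spn_roasting(SAMPLE_EVENTS):
        print(f)
```

The foreign-host check alone is a useful low-noise signal for the "planted SPN" step, and the 4769 correlation raises severity when the ticket is actually pulled with RC4; a real deployment would also want to join the writer's rights against the object (WriteSPN, GenericWrite, WriteDacl) from the same graph the issue describes, which this sample does not model.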