Ghost SPN Attack Exploits Kerberos, Exposing User Passwords

Jennifer sherman
March 26, 2026

Key Takeaways

  • A new Kerberoasting variant, “Ghost SPN,” lets attackers harvest crackable Active Directory credentials while leaving almost no persistent trace in the directory itself.
  • The attack abuses delegated write permissions to temporarily assign a Service Principal Name (SPN) to an ordinary user account.
  • Traditional detection methods are often blind to Ghost SPN because the SPN exists only briefly and each step, viewed alone, looks like routine administration or a normal ticket request.
  • Mitigation requires aggressive auditing of Active Directory ACLs, granular logging, and enforcing stronger Kerberos encryption.

Ghost SPN Attack Evades Detection to Steal Active Directory Credentials

A new attack technique, dubbed “Ghost SPN,” has emerged as a significant threat to Active Directory (AD) environments. This variant of Kerberoasting lets attackers obtain crackable user credentials and then remove the directory change that enabled the theft, leaving conventional security tooling with little to alert on.

Security researchers at Trellix documented the method, which leverages delegated administrative permissions to create fleeting windows of exposure within an organization’s directory services.

Understanding Kerberoasting and the Ghost SPN Evolution

Kerberoasting is a well-established post-exploitation technique that targets Active Directory accounts with Service Principal Names (SPNs) registered. Any authenticated domain user can request a Ticket Granting Service (TGS) service ticket for an SPN, and the Key Distribution Center (KDC) encrypts part of that ticket with the service account’s long-term key. For the RC4-HMAC encryption type that key is the account’s NT hash, an unsalted MD4 of the password. An attacker therefore extracts the encrypted ticket and brute-forces candidate passwords offline until one reproduces the ticket’s checksum, recovering the plaintext password without ever sending a failed logon to the domain.

The Ghost SPN variant changes the target selection. Rather than hunting for pre-existing service accounts, the adversary uses delegated directory permissions, such as GenericAll on a user object or a write right on its servicePrincipalName attribute, to temporarily assign an arbitrary SPN to a regular user account. For as long as that SPN exists the user is a Kerberoasting target like any service account, yet enumeration-based alerts keyed to known service accounts never fire, because no service account is touched.

The Three-Phase Attack Lifecycle

According to Trellix researchers, the Ghost SPN attack unfolds in three distinct stages:

  1. SPN Assignment (Out-of-Band): Using the delegated write access, the attacker assigns an arbitrary SPN, such as http/webapp, to the chosen target account via PowerShell cmdlets (the value only needs to be unique in the forest) and then requests a service ticket for it. The KDC treats the account as a legitimate service principal and issues a TGS ticket; where RC4 is still permitted, the attacker asks for RC4-HMAC-MD5 so the ticket is encrypted with the account’s NT hash. At the protocol level the exchange is indistinguishable from any other ticket request.
  2. Extraction and Offline Cracking: The issued TGS ticket is dumped from the attacker’s own session using tools like Mimikatz and exported as a .kirbi file. Cracking takes place entirely outside the compromised environment with tools such as Hashcat or tgsrepcrack.py, so no authentication failures or suspicious logon attempts are generated inside the target infrastructure, and a captured ticket can be attacked for as long as the password stays unchanged.
  3. Cleanup and Anti-Forensics: Immediately after extracting the ticket, the attacker clears the SPN value, returning the account to its original state. Nothing persistent remains on the object, so defenders relying on static directory snapshots or low-fidelity audit logs cannot retrospectively link the TGS request to the brief period in which the account carried an SPN.

This technique directly undermines established detection models that operate under two critical flawed assumptions: first, that Kerberoasting targets are always pre-registered service accounts, and second, that malicious activity will invariably generate a high volume of anomalous ticket requests. The target account may never have been a service account, and the SPN might exist for mere seconds. When viewed in isolation, this activity is virtually indistinguishable from a legitimate administrative action, creating a significant visibility gap for Security Operations Centers (SOCs) that depend on fragmented log analysis.
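The visibility gap described above closes once the SPN write and the ticket request are correlated rather than judged in isolation. The following detector is an added example for this article, not code from the article or from Trellix. Its field names follow the Windows Security log: event 5136 (Directory Service Changes, which requires the Audit Directory Service Changes subcategory and a SACL on the monitored objects) carries the object DN, attribute name, value and operation type, and event 4769 (Kerberos service ticket requested) carries the service account name and ticket encryption type. The DN-to-sAMAccountName snapshot and the events are constructed samples, and the 15-minute window is an assumed tuning value.

```python
"""Correlate an ephemeral servicePrincipalName write with the TGS request it enables."""
from datetime import datetime, timedelta

VALUE_ADDED, VALUE_DELETED = "%%14674", "%%14675"   # event 5136 OperationType codes
RC4_HMAC = "0x17"                                   # event 4769 TicketEncryptionType, etype 23

# Constructed directory snapshot: distinguishedName -> sAMAccountName (4769 logs the latter)
ALICE = "CN=Alice Smith,OU=Users,DC=corp,DC=local"
SQL = "CN=svc-sql,OU=Service,DC=corp,DC=local"
DN_TO_SAM = {ALICE: "asmith", SQL: "svc-sql"}


def _t(hms: str) -> datetime:
    return datetime.fromisoformat("2026-03-25T" + hms)


# Constructed sample events in log order
EVENTS = [
    # Ghost SPN: SPN added to a plain user, RC4 ticket pulled, SPN removed 5 s later
    {"time": _t("09:00:00"), "id": 5136, "dn": ALICE, "attr": "servicePrincipalName",
     "value": "http/webapp", "op": VALUE_ADDED, "subject": "helpdesk1"},
    {"time": _t("09:00:03"), "id": 4769, "service": "asmith", "etype": RC4_HMAC,
     "requester": "helpdesk1@CORP.LOCAL", "ip": "10.0.5.23"},
    {"time": _t("09:00:05"), "id": 5136, "dn": ALICE, "attr": "servicePrincipalName",
     "value": "http/webapp", "op": VALUE_DELETED, "subject": "helpdesk1"},
    # Benign: routine AES ticket for a real service account, no SPN change involved
    {"time": _t("09:10:00"), "id": 4769, "service": "svc-sql", "etype": "0x12",
     "requester": "bob@CORP.LOCAL", "ip": "10.0.7.40"},
    # Benign: an admin registers a new SPN on the service account; nobody requests a ticket
    {"time": _t("09:15:00"), "id": 5136, "dn": SQL, "attr": "servicePrincipalName",
     "value": "MSSQLSvc/db02.corp.local:1433", "op": VALUE_ADDED, "subject": "dbadmin"},
]


def detect_ghost_spn(events, window=timedelta(minutes=15), dn_to_sam=DN_TO_SAM):
    """One alert per SPN addition that is followed, inside `window`, by a TGS request
    for the same account. Cleanup is recorded but not required, so an attacker who
    forgets to remove the SPN is still caught."""
    events = sorted(events, key=lambda e: e["time"])
    alerts = []
    for i, add in enumerate(events):
        if not (add["id"] == 5136 and add["attr"].lower() == "serviceprincipalname"
                and add["op"] == VALUE_ADDED):
            continue
        sam = dn_to_sam.get(add["dn"])
        if sam is None:
            continue
        requests, removed_at = [], None
        for e in events[i + 1:]:
            if e["time"] - add["time"] > window:
                break
            if e["id"] == 4769 and e["service"].lower() == sam.lower():
                requests.append(e)
            elif (e["id"] == 5136 and e["dn"] == add["dn"] and e["op"] == VALUE_DELETED
                  and e["value"] == add["value"]):
                removed_at = e["time"]
                break                     # SPN lifetime ends here
        if not requests:
            continue
        alerts.append({
            "target": sam,
            "spn": add["value"],
            "writer": add["subject"],
            "requesters": sorted({r["requester"] for r in requests}),
            "rc4_requested": any(r["etype"] == RC4_HMAC for r in requests),
            "cleaned_up": removed_at is not None,
            "spn_lifetime_s": (removed_at - add["time"]).total_seconds() if removed_at else None,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_ghost_spn(EVENTS):
        print(alert)
```

The alert carries the three facts a SOC needs to triage quickly: who wrote the SPN, who requested the ticket (in a Ghost SPN they are usually the same principal, which is itself suspicious), and whether RC4 was requested. The SPN-deletion event is what distinguishes anti-forensic cleanup from a legitimately provisioned service, so it is recorded as a severity boost rather than a prerequisite.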

What You Should Do

Organizations must adopt proactive measures to defend against Ghost SPN and similar attacks:

  • Aggressively Audit ACLs: Regularly enumerate and revoke GenericAll, GenericWrite and WriteProperty rights on the servicePrincipalName attribute (including the Validated-SPN write) granted to non-administrative principals, and treat any such grant on a user object as a Kerberoasting exposure.
  • Enable Granular AD Change Logging: Audit Directory Service Changes (event 5136, which also requires a SACL on the monitored objects) and correlate servicePrincipalName additions and deletions with the Kerberos service ticket requests (event 4769, including its TicketEncryptionType field) that follow them.
  • Enforce AES-Only Kerberos Encryption: Remove RC4-HMAC-MD5 from the allowed types (via msDS-SupportedEncryptionTypes on accounts and the “Network security: Configure encryption types allowed for Kerberos” policy) so that tickets are issued under AES keys. AES tickets can still be cracked offline, but each guess costs a salted 4096-iteration PBKDF2 derivation instead of a single unsalted MD4, which raises the attacker’s cost by orders of magnitude.
  • Reset Exposed Account Passwords: Prioritize password resets for accounts that principals with historical write access could have targeted; a ticket captured before cleanup remains crackable for as long as the password is unchanged, and only a reset invalidates it.
  • Deploy Behavioral NDR Tooling: Augment security stacks with behavioral Network Detection and Response (NDR) solutions, as static signature matching and SIEM-only approaches are insufficient for detecting ephemeral identity manipulation without comprehensive, cross-domain telemetry.
