A sophisticated evolution of Kerberoasting dubbed the \u201cGhost SPN\u201d attack that allows adversaries to extract Active Directory credentials while erasing all traces of their activity, rendering traditional detection models effectively blind to the intrusion.<\/p>\n
The attack revealed by Trellix security researchers utilizes delegated administrative permissions, creating temporary exposure windows.<\/p>\n
Kerberoasting is a well-documented post-exploitation technique targeting Active Directory (AD) accounts<\/a> registered with Service Principal Names (SPNs).<\/p>\n When a Ticket Granting Service (TGS) ticket is requested for an SPN, the Kerberos Key Distribution Center (KDC) encrypts it with the target account\u2019s NTLM hash, which attackers can extract and crack offline to recover plaintext credentials.<\/p>\n The Ghost SPN variant takes this a step further. Rather than enumerating pre-existing service accounts, adversaries exploit delegated directory permissions, such as GenericAll object-level write access, to temporarily assign a fake SPN to an ordinary user account.<\/p>\n This converts a standard user into an ephemeral Kerberoasting target without touching any known service account, generating zero enumeration-based alerts in the process.<\/p>\n According to Trelix researchers<\/a>, the attack unfolds across three deliberate phases:<\/p>\n This technique directly undermines detection models built around two flawed assumptions: that Kerberoasting targets<\/a> are always pre-registered service accounts, and that malicious activity produces high-volume ticket request anomalies.<\/p>\n The targeted account may have never held a service role. The SPN may exist for only seconds. When evaluated in isolation, the activity is indistinguishable from a legitimate administrative action, with a critical visibility gap in SOC stacks relying on fragmented log analysis.<\/p>\n Organizations should take the following immediate steps:<\/p>\n As adversaries increasingly pivot from exploiting software vulnerabilities to abusing legitimate directory permissions, a hallmark of Living-off-the-Land (LotL) tradecraft, defenders must shift focus from access attempt monitoring to continuous surveillance of identity attribute changes, especially those engineered to disappear.<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post Ghost SPN Attack Lets Hackers Conduct Stealthy Kerberoasting Under the Radar<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nThe Three-Phase Attack Lifecycle<\/strong><\/h2>\n
\n
http\/webapp<\/code>) to a target account via PowerShell commandlets. The KDC, seeing a valid service principal, issues a TGS ticket encrypted with RC4-HMAC-MD5 \u2014 standard Kerberos behavior with no anomaly visible at the protocol level.<\/li>\n.kirbi<\/code> file. Cracking occurs entirely outside the environment using tools such as Hashcat or tgsrepcrack.py<\/code>, generating no authentication failures or suspicious login attempts within the target infrastructure.<\/li>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjwy-JMkczsng5Zu98uotbiP9IPhxhEsnbKjq9PJNlJV3s7mB1ZblVyplLZ6qqaKZYQa8E-TPl2nu51AHr3IUowmaoQneQ9JNowtg0RmOEWXC2UlzhseibS0m9tEfTGqTdDJZBokHeddv-NokFz32MwNLGKlcbdjFWWacHavXJBclYzONaQo91pd3CRTEfP\/s16000\/Ghost%2520VPN%2520Attack.webp?ssl=1\")
Mitigations<\/strong><\/h2>\n
\n
GenericAll<\/code> or WriteSPN<\/code> permissions granted to non-administrative accounts<\/li>\nmsDS-ServicePrincipalName<\/code> attribute modifications with downstream Kerberos ticket requests<\/li>\n