A new iteration of the Kerberoasting attack, known as the ‘Ghost SPN,’ has emerged, allowing cybercriminals to extract Active Directory credentials while evading detection. This novel method, identified by Trellix security experts, uses delegated administrative permissions to create temporary windows of vulnerability.
Understanding the Ghost SPN Technique
Kerberoasting is a well-known tactic targeting Active Directory accounts with Service Principal Names (SPNs). When attackers request a Ticket Granting Service (TGS) ticket for an SPN, the Kerberos Key Distribution Center (KDC) encrypts the ticket with a key derived from the service account's password (for RC4-HMAC tickets, the account's NTLM hash), so the ticket can be taken offline and cracked without further contact with the domain.
The Ghost SPN attack advances this technique by exploiting delegated directory permissions to assign a fake SPN to a user account, transforming it into a temporary Kerberoasting target. This method bypasses traditional alerts as it does not involve known service accounts.
The Three Phases of the Attack
The Ghost SPN attack progresses through three distinct phases. Initially, attackers use write access to assign an arbitrary SPN to a target account, prompting the KDC to issue a TGS ticket without triggering protocol-level anomalies. Next, the TGS ticket is extracted and cracked offline, avoiding detection within the target infrastructure.
The final phase involves removing the SPN attribute, returning the account to its original state. This cleanup ensures no persistent indicators are left behind, complicating detection for defenders relying on static directory snapshots or low-fidelity logs.
Defensive Strategies and Mitigations
To counteract the Ghost SPN attack, organizations should conduct thorough audits of Access Control Lists (ACLs) to identify and revoke unnecessary permissions. Enabling detailed Active Directory change logging can help correlate SPN modifications with Kerberos ticket requests.
Transitioning to AES-only Kerberos encryption and resetting passwords for potentially compromised accounts are crucial steps. Additionally, deploying behavioral Network Detection and Response (NDR) tools can enhance detection of identity manipulation tactics.
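The correlation described above, SPN changes matched against service ticket requests, can be scripted. The following is an added example, not code from the article or from Trellix, that runs over a few constructed, simplified log lines (the key=value layout and field names are assumptions, not the real Windows event text; 5136 stands for a directory object modification, 4769 for a Kerberos service ticket request). It flags a user account that gains a servicePrincipalName and then has a ticket issued for it within a short window, marks the alert high when the ticket used RC4 (encryption type 0x17, which AES-only Kerberos would prevent), and records whether the SPN was later removed again, which is the cleanup phase of the attack.

```python
import re
from datetime import datetime, timedelta

# Constructed, simplified log lines (not real Windows event text): ISO timestamp
# followed by key=value pairs. The third and fourth-to-last lines show a legitimate
# SPN added to a service account with an AES ticket requested much later.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z EventID=5136 ObjectClass=user ObjectDN="CN=jdoe,OU=Users,DC=corp,DC=example" Attribute=servicePrincipalName Operation=Add Value="HTTP/ghost.corp.example" Subject="CORP\\helpdesk1"
2024-05-01T10:00:42Z EventID=4769 Account="attacker@CORP.EXAMPLE" ServiceName=jdoe TicketEncryptionType=0x17 ClientAddress=10.0.0.55
2024-05-01T10:03:10Z EventID=5136 ObjectClass=user ObjectDN="CN=jdoe,OU=Users,DC=corp,DC=example" Attribute=servicePrincipalName Operation=Delete Value="HTTP/ghost.corp.example" Subject="CORP\\helpdesk1"
2024-05-01T11:15:00Z EventID=5136 ObjectClass=user ObjectDN="CN=svc-web,OU=Service,DC=corp,DC=example" Attribute=servicePrincipalName Operation=Add Value="HTTP/web01.corp.example" Subject="CORP\\admin"
2024-05-01T12:30:00Z EventID=4769 Account="alice@CORP.EXAMPLE" ServiceName=svc-web TicketEncryptionType=0x12 ClientAddress=10.0.0.12
"""

# Kerberos encryption type values: 0x17/0x18 are RC4-HMAC variants, 0x11/0x12 are AES.
RC4_TYPES = {"0x17", "0x18"}

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Split one constructed log line into a dict of fields plus a parsed timestamp."""
    ts_str, _, rest = line.partition(" ")
    fields = {key: (quoted or bare) for key, quoted, bare in KV_RE.findall(rest)}
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def cn_from_dn(dn):
    """Return the leading RDN value of a distinguished name (CN=jdoe,... -> jdoe)."""
    return dn.split(",")[0].split("=", 1)[1]


def detect_ghost_spn(lines, window=timedelta(hours=1)):
    """Correlate SPN additions on user objects with service ticket requests that follow.

    An alert is raised when a ticket for the newly registered account is requested
    within `window` of the SPN being written. The window size is an assumption;
    tune it to how quickly tickets are normally requested for new services.
    """
    events = [parse_line(l) for l in lines if l.strip()]
    spn_changes = [e for e in events
                   if e.get("EventID") == "5136"
                   and e.get("Attribute") == "servicePrincipalName"
                   and e.get("ObjectClass") == "user"]   # computer SPN churn is normal
    tickets = [e for e in events if e.get("EventID") == "4769"]

    alerts = []
    for add in (e for e in spn_changes if e.get("Operation") == "Add"):
        account = cn_from_dn(add["ObjectDN"]).lower()
        for tgs in tickets:
            in_window = add["ts"] <= tgs["ts"] <= add["ts"] + window
            if tgs.get("ServiceName", "").lower() != account or not in_window:
                continue
            # Cleanup phase: the same SPN value removed from the account after the request.
            spn_removed = any(
                d.get("Operation") == "Delete"
                and cn_from_dn(d["ObjectDN"]).lower() == account
                and d.get("Value") == add.get("Value")
                and d["ts"] > tgs["ts"]
                for d in spn_changes)
            rc4 = tgs.get("TicketEncryptionType") in RC4_TYPES
            alerts.append({
                "account": account,
                "spn": add.get("Value"),
                "spn_written_by": add.get("Subject"),
                "requestor": tgs.get("Account"),
                "client": tgs.get("ClientAddress"),
                "rc4_ticket": rc4,
                "spn_removed": spn_removed,
                "severity": "high" if rc4 else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_ghost_spn(SAMPLE_LOG.splitlines()):
        print(alert)
```

In the constructed sample only the jdoe sequence trips the rule: the SPN is written by a delegated helpdesk account, an RC4 ticket is requested 42 seconds later, and the SPN is deleted three minutes after that. The svc-web lines are not flagged because the ticket request falls outside the window and uses AES. In practice the write event only exists if directory service change auditing is enabled on the domain controllers, which is the logging the article recommends.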
As cyber attackers increasingly exploit legitimate directory permissions, defenders must pivot from monitoring access attempts to tracking identity attribute changes continuously. This shift is vital to counteract advanced tactics like the Ghost SPN attack, which blends seamlessly with legitimate administrative actions.
