
Ghost SPN Attack Lets Hackers Conduct Stealthy Kerberoasting Under the Radar

Cybersecurity News, Mar 26, 2026



Trellix security researchers have described a variant of Kerberoasting, dubbed the “Ghost SPN” attack, that lets adversaries extract Active Directory credentials while erasing the traces of their activity, leaving traditional detection models effectively blind to the intrusion. The attack abuses delegated administrative permissions to create short-lived exposure windows.

Kerberoasting is a well-documented post-exploitation technique that targets Active Directory (AD) accounts registered with Service Principal Names (SPNs). When a Ticket Granting Service (TGS) ticket is requested for an SPN, the Kerberos Key Distribution Center (KDC) encrypts it with the target account’s NTLM hash, which attackers can extract and crack offline to recover the plaintext password.

The Ghost SPN variant takes this a step further. Rather than enumerating pre-existing service accounts, adversaries use delegated directory permissions, such as GenericAll object-level write access, to temporarily assign a fake SPN to an ordinary user account. This turns a standard user into an ephemeral Kerberoasting target without touching any known service account, so enumeration-based alerts never fire.

The Three-Phase Attack Lifecycle

According to Trellix researchers, the attack unfolds in three deliberate phases:

1. SPN Assignment (Out-of-Band): The attacker uses write access to assign an arbitrary SPN (e.g., http/webapp) to the target account with PowerShell cmdlets. The KDC, seeing a valid service principal, issues a TGS ticket encrypted with RC4-HMAC-MD5, which is standard Kerberos behaviour with no anomaly visible at the protocol level.

2. Extraction and Offline Cracking: The TGS ticket is dumped with tools such as Mimikatz and exported as a .kirbi file. Cracking takes place entirely outside the environment, using tools such as Hashcat or tgsrepcrack.py, so no authentication failures or suspicious logon attempts appear in the target infrastructure.

3. Cleanup and Anti-Forensics: The SPN attribute is cleared immediately, returning the account to its original state. Without persistent indicators, defenders who rely on static directory snapshots or low-fidelity audit logs cannot retroactively link the TGS request to malicious behaviour.

[Figure: Attack chain (Source: Trellix)]

The technique directly undermines detection models built on two flawed assumptions: that Kerberoasting targets are always pre-registered service accounts, and that malicious activity produces high-volume ticket request anomalies. The targeted account may never have held a service role, and the SPN may exist for only seconds. Evaluated in isolation, the activity is indistinguishable from a legitimate administrative action, leaving a critical visibility gap in SOC stacks that rely on fragmented log analysis.

Mitigations

Organizations should take the following immediate steps:

- Audit ACLs aggressively — identify and revoke GenericAll or WriteSPN permissions granted to non-administrative accounts.
- Enable granular AD change logging — correlate msDS-ServicePrincipalName attribute modifications with downstream Kerberos ticket requests.
- Enforce AES-only Kerberos encryption — eliminate RC4-HMAC-MD5, which is significantly more vulnerable to offline cracking.
- Reset compromised account passwords — prioritize accounts with historical write-access exposure to privileged objects.
- Deploy behavioral NDR tooling — static signature matching and SIEM-only approaches cannot detect ephemeral identity manipulation without cross-domain telemetry.

As adversaries increasingly pivot from exploiting software vulnerabilities to abusing legitimate directory permissions, a hallmark of Living-off-the-Land (LotL) tradecraft, defenders must shift focus from monitoring access attempts to continuous surveillance of identity attribute changes, especially those engineered to disappear.
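The correlation the second mitigation calls for, as an added example that is not part of the article or of Trellix’s research: it joins Windows Security event 5136 (directory object modified, here the servicePrincipalName attribute, which is the LDAP display name of the attribute) with event 4769 (Kerberos service ticket requested) for the same account, and reports the SPN add, any TGS request issued while the SPN existed, whether RC4 (0x17) was negotiated, and whether the SPN was removed again. The event field names and the sample events are constructed to resemble the real log fields; the account, SPN and IP values are hypothetical.

```python
from datetime import datetime, timedelta

RC4_HMAC = "0x17"                                # TicketEncryptionType in event 4769
SPN_ADDED, SPN_REMOVED = "%%14674", "%%14675"    # OperationType codes in event 5136

def _cn(dn):
    """Account name from a DN such as CN=bob,CN=Users,DC=corp,DC=example."""
    return dn.split(",", 1)[0].split("=", 1)[1].lower()

def detect_ghost_spn(events, window=timedelta(minutes=15)):
    """One finding per servicePrincipalName add that is followed, within
    `window`, by a TGS request (4769) for that same account.  Records whether
    RC4 was negotiated and whether the SPN was removed again (cleanup phase)."""
    events = sorted(events, key=lambda e: e["t"])
    spn_changes = [e for e in events
                   if e["id"] == 5136 and e["attr"].lower() == "serviceprincipalname"]
    tgs = [e for e in events if e["id"] == 4769]
    findings = []
    for add in (e for e in spn_changes if e["op"] == SPN_ADDED):
        acct, t0 = _cn(add["object"]), datetime.fromisoformat(add["t"])
        removal = next((r for r in spn_changes if r["op"] == SPN_REMOVED
                        and _cn(r["object"]) == acct and r["value"] == add["value"]
                        and t0 <= datetime.fromisoformat(r["t"]) <= t0 + window), None)
        end = datetime.fromisoformat(removal["t"]) if removal else t0 + window
        hits = [r for r in tgs if r["service"].rstrip("$").lower() == acct
                and t0 <= datetime.fromisoformat(r["t"]) <= end]
        if hits:
            findings.append({
                "account": acct, "spn": add["value"], "changed_by": add["subject"],
                "requesters": sorted({h["ip"] for h in hits}),
                "rc4": any(h["etype"] == RC4_HMAC for h in hits),
                "spn_removed": removal is not None,
                "lifetime_s": int((end - t0).total_seconds()) if removal else None})
    return findings

# Constructed sample events (not from the article); 5136 requires the
# "Directory Service Changes" audit subcategory plus a SACL on user objects.
SAMPLE = [
    {"id": 5136, "t": "2026-03-26T10:00:00", "subject": "helpdesk1", "attr": "servicePrincipalName",
     "object": "CN=bob,CN=Users,DC=corp,DC=example", "value": "http/webapp", "op": SPN_ADDED},
    {"id": 4769, "t": "2026-03-26T10:00:04", "service": "bob", "etype": RC4_HMAC, "ip": "10.0.0.55"},
    {"id": 5136, "t": "2026-03-26T10:00:09", "subject": "helpdesk1", "attr": "servicePrincipalName",
     "object": "CN=bob,CN=Users,DC=corp,DC=example", "value": "http/webapp", "op": SPN_REMOVED},
    # Routine AES ticket for a long-standing service account: no SPN change, so not flagged.
    {"id": 4769, "t": "2026-03-26T10:01:00", "service": "svc_sql", "etype": "0x12", "ip": "10.0.0.20"},
]

if __name__ == "__main__":
    for f in detect_ghost_spn(SAMPLE):
        print(f)
```

A finding with `rc4` and `spn_removed` both true and a lifetime of seconds is the full three-phase sequence the article describes; an add with no matching 4769 is ordinary administration and is not reported.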