Ghost SPN Attack - Stealthy Kerberoasting Exposed

A new attack method called Ghost SPN allows hackers to extract Active Directory credentials without detection. This stealthy approach poses significant risks to organizations' security. Understanding this threat is crucial for effective defense.


Original Reporting

Cyber Security News · Guru Baran

AI Summary

CyberPings AI · Reviewed by Rohit Rana

🎯 Basically, hackers can steal passwords without being noticed by hiding their actions.

The Threat

The Ghost SPN attack represents a significant evolution in Kerberoasting, a technique used to exploit Active Directory (AD) environments. This new method allows adversaries to extract credentials while erasing the traces of their activity. As revealed by Trellix researchers, the attack leverages delegated administrative permissions to create temporary exposure windows that traditional detection methods cannot catch. This stealthy approach directly undermines the assumption that Kerberoasting only targets pre-registered service accounts.

Who's Behind It

Hackers utilizing the Ghost SPN attack exploit weaknesses in Active Directory's permission structure. By temporarily assigning a fake Service Principal Name (SPN) to a standard user account, attackers can generate a Ticket Granting Service (TGS) ticket without raising alarms. This method is particularly dangerous because it allows them to operate under the radar, making it extremely difficult for security teams to detect malicious activities. The attack unfolds in three deliberate phases, each designed to maintain stealth and avoid detection.

Tactics & Techniques

The Ghost SPN attack follows a three-phase lifecycle:

  1. SPN Assignment: Attackers manually assign an arbitrary SPN to a target account using PowerShell cmdlets. The Kerberos Key Distribution Center (KDC) processes this change without raising any flags, treating it like a legitimate administrative action.
  2. Extraction and Offline Cracking: The attackers dump the TGS ticket using tools like Mimikatz, allowing them to crack the credentials offline. This phase generates no authentication failures, further hiding the attack from monitoring systems.
  3. Cleanup and Anti-Forensics: After extracting the credentials, attackers clear the SPN attribute, restoring the account to its original state. This cleanup makes it nearly impossible for defenders to link the TGS request to any malicious behavior after the fact.

Defensive Measures

As cyber adversaries shift their focus from exploiting software vulnerabilities to abusing legitimate directory permissions, organizations must adapt their defenses. Continuous monitoring and proactive measures are essential to thwart the Ghost SPN attack and similar threats. Organizations need to take immediate steps to mitigate the risk; the recommended actions are listed below.

Do Now

  1. Audit ACLs: Identify and revoke permissions like GenericAll or WriteSPN granted to non-administrative accounts.
  2. Enable Granular AD Change Logging: This helps correlate changes in SPN attributes with Kerberos ticket requests.
  3. Enforce AES-Only Kerberos Encryption: Transition away from weaker encryption methods like RC4-HMAC-MD5, which are more susceptible to offline cracking.
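The three-phase lifecycle described under Tactics & Techniques leaves two directory events (an SPN added, then the same SPN removed) with a service-ticket request in between, which is exactly what the change-logging recommendation above is meant to surface. The following detector is an added illustration and is not code from the original report or from Trellix. It assumes events have already been parsed from the Windows Security log into dicts using the field names of Event ID 5136 (Directory Service Changes) and Event ID 4769 (Kerberos service ticket requested), that the object's CN equals the sAMAccountName reported as ServiceName, and that OperationType is the rendered "Value Added"/"Value Deleted" text; the sample events are constructed.

```python
"""Correlate AD change-audit events with Kerberos TGS requests to surface the
Ghost SPN pattern: SPN added -> service ticket issued -> SPN removed again.

Assumptions (added example, not from the article): events are dicts carrying
the field names of Event ID 5136 and 4769; CN of ObjectDN matches the
sAMAccountName that 4769 logs as ServiceName (production code should resolve
through ObjectGUID instead); OperationType holds the rendered text.
"""
from datetime import datetime, timedelta

# Ticket encryption types as logged in the 4769 TicketEncryptionType field.
WEAK_ETYPES = {0x01: "DES-CBC-CRC", 0x03: "DES-CBC-MD5",
               0x17: "RC4-HMAC", 0x18: "RC4-HMAC-EXP"}
STRONG_ETYPES = {0x11: "AES128-CTS-HMAC-SHA1-96", 0x12: "AES256-CTS-HMAC-SHA1-96"}

# Constructed sample events: a legitimate SPN registration on a service
# account, then an add -> TGS -> remove sequence on an ordinary user account.
SAMPLE_EVENTS = [
    {"EventID": 5136, "TimeCreated": "2024-05-01T09:00:00", "SubjectUserName": "svcadmin",
     "ObjectDN": "CN=sql01svc,OU=Service,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "servicePrincipalName",
     "AttributeValue": "MSSQLSvc/sql01.corp.example:1433", "OperationType": "Value Added"},
    {"EventID": 4769, "TimeCreated": "2024-05-01T09:05:00", "TargetUserName": "alice",
     "ServiceName": "sql01svc", "TicketEncryptionType": 0x12, "IpAddress": "10.0.0.25"},
    {"EventID": 5136, "TimeCreated": "2024-05-01T13:10:00", "SubjectUserName": "helpdesk2",
     "ObjectDN": "CN=jdoe,OU=Staff,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "servicePrincipalName",
     "AttributeValue": "HTTP/ghost.corp.example", "OperationType": "Value Added"},
    {"EventID": 4769, "TimeCreated": "2024-05-01T13:12:00", "TargetUserName": "helpdesk2",
     "ServiceName": "jdoe", "TicketEncryptionType": 0x17, "IpAddress": "10.0.0.77"},
    {"EventID": 5136, "TimeCreated": "2024-05-01T13:20:00", "SubjectUserName": "helpdesk2",
     "ObjectDN": "CN=jdoe,OU=Staff,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "servicePrincipalName",
     "AttributeValue": "HTTP/ghost.corp.example", "OperationType": "Value Deleted"},
]


def is_weak_etype(code):
    """True for RC4/DES ticket encryption, the types worth crackable offline."""
    return code in WEAK_ETYPES


def etype_name(code):
    return WEAK_ETYPES.get(code) or STRONG_ETYPES.get(code) or hex(code)


def _cn(dn):
    """'CN=jdoe,OU=Staff,...' -> 'jdoe' (assumed equal to sAMAccountName)."""
    return dn.split(",", 1)[0].split("=", 1)[1].strip().lower()


def _ts(s):
    return datetime.fromisoformat(s)


def find_ghost_spn(events, window=timedelta(hours=24)):
    """Return one finding per SPN that was added, used for a TGS, and removed
    within `window`. Permanent SPN registrations produce no finding."""
    evs = sorted(events, key=lambda e: _ts(e["TimeCreated"]))
    spn_changes = [e for e in evs if e["EventID"] == 5136
                   and e.get("AttributeLDAPDisplayName") == "servicePrincipalName"]
    tgs = [e for e in evs if e["EventID"] == 4769]
    findings = []
    for add in spn_changes:
        if add["OperationType"] != "Value Added":
            continue
        account, t0 = _cn(add["ObjectDN"]), _ts(add["TimeCreated"])
        # Same SPN value removed from the same object inside the window.
        removal = next((d for d in spn_changes
                        if d["OperationType"] == "Value Deleted"
                        and _cn(d["ObjectDN"]) == account
                        and d["AttributeValue"] == add["AttributeValue"]
                        and t0 < _ts(d["TimeCreated"]) <= t0 + window), None)
        if removal is None:
            continue
        t1 = _ts(removal["TimeCreated"])
        # Service tickets issued for the account while the temporary SPN existed.
        tickets = [t for t in tgs if t["ServiceName"].lower() == account
                   and t0 <= _ts(t["TimeCreated"]) <= t1]
        if not tickets:
            continue
        weak = any(is_weak_etype(t["TicketEncryptionType"]) for t in tickets)
        findings.append({
            "account": account,
            "spn": add["AttributeValue"],
            "added_by": add["SubjectUserName"],
            "removed_by": removal["SubjectUserName"],
            "exposure_minutes": int((t1 - t0).total_seconds() // 60),
            "requesters": sorted({t["TargetUserName"] for t in tickets}),
            "source_ips": sorted({t["IpAddress"] for t in tickets}),
            "encryption": sorted({etype_name(t["TicketEncryptionType"]) for t in tickets}),
            # RC4/DES tickets are the ones an offline cracker can realistically attack.
            "severity": "high" if weak else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in find_ghost_spn(SAMPLE_EVENTS):
        print(f)
```

The benign `sql01svc` registration is never removed, so it produces no finding; the `jdoe` sequence does, and the RC4 (0x17) ticket lifts it to high severity, which is the case the AES-only recommendation removes. In a SIEM the same join is usually written as a query over 5136 and 4769 with the window as a time bucket; the point is that the SPN removal, not the TGS request on its own, is the discriminating signal.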

Do Next

  4. Reset Compromised Account Passwords: Prioritize accounts that have had historical write-access exposure to sensitive objects.
  5. Deploy Behavioral NDR Tooling: Static signature matching is insufficient; organizations must monitor identity attribute changes continuously.

🔒 Pro Insight

This attack highlights a critical gap in traditional detection models, necessitating a shift towards monitoring identity attribute changes continuously.
