Threat Intel · HIGH

Ghost SPN Attack - Stealthy Kerberoasting Exposed

Cyber Security News
Tags: Kerberoasting, Active Directory, Ghost SPN, Trellix, Mimikatz

In short: attackers can steal credentials without being noticed, because they hide the traces of their actions.

Quick Summary

A new attack method called Ghost SPN allows hackers to extract Active Directory credentials without detection. This stealthy approach poses significant risks to organizations' security. Understanding this threat is crucial for effective defense.

The Threat

The Ghost SPN attack represents a significant evolution of Kerberoasting, a technique used to exploit Active Directory (AD) environments. This new method allows adversaries to extract credentials while erasing all traces of their activity. As revealed by Trellix researchers, the attack leverages delegated administrative permissions to create temporary exposure windows that traditional detection methods cannot catch. This stealthy approach directly undermines the assumption that Kerberoasting only targets pre-registered service accounts.

Who's Behind It

Attackers using the Ghost SPN technique exploit weaknesses in Active Directory's permission structure, specifically delegated write access to account attributes. By temporarily assigning an arbitrary Service Principal Name (SPN) to a standard user account, they can obtain a Ticket Granting Service (TGS) ticket for that account without raising alarms. The method is particularly dangerous because it lets them operate under the radar, making it extremely difficult for security teams to detect the malicious activity. The attack unfolds in three deliberate phases, each designed to maintain stealth and avoid detection.

Tactics & Techniques

The Ghost SPN attack follows a three-phase lifecycle:

  1. SPN Assignment: Attackers manually assign an arbitrary SPN to a target account using PowerShell cmdlets. The Kerberos Key Distribution Center (KDC) processes the subsequent ticket request without raising any flags, treating the SPN change like a legitimate administrative action.
  2. Extraction and Offline Cracking: The attackers dump the TGS ticket using tools like Mimikatz, allowing them to crack the credentials offline. This phase generates no authentication failures, further hiding the attack from monitoring systems.
  3. Cleanup and Anti-Forensics: After extracting the credentials, attackers clear the SPN attribute, restoring the account to its original state. This cleanup makes it nearly impossible for defenders to link the TGS request to any malicious behavior.

Defensive Measures

Organizations need to take immediate steps to mitigate the risk posed by the Ghost SPN attack. Here are some recommended actions:

  • Audit ACLs: Identify and revoke permissions like GenericAll or WriteSPN granted to non-administrative accounts.
  • Enable Granular AD Change Logging: This helps correlate changes in SPN attributes with Kerberos ticket requests.
  • Enforce AES-Only Kerberos Encryption: Transition away from weaker encryption methods like RC4-HMAC-MD5, which are more susceptible to offline cracking.
  • Reset Compromised Account Passwords: Prioritize accounts that have had historical write-access exposure to sensitive objects.
  • Deploy Behavioral NDR Tooling: Static signature matching is insufficient; organizations must monitor identity attribute changes continuously.
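The second and third measures above (granular AD change logging correlated with Kerberos ticket requests, and AES-only encryption) translate into a simple detection rule: an SPN added to an account, a TGS request for that account shortly afterwards, and the SPN removed again. The following Python is an added example, not code from the article or from Trellix; the event records are constructed and normalised from Windows Security log events 5136 (directory object modified) and 4769 (Kerberos service ticket requested), so the field names are assumptions about how a SIEM would present those events.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not from the article), normalised from Windows
# Security log events: 5136 = directory object modified (attribute, operation
# type, actor), 4769 = Kerberos service ticket requested (ticket encryption type).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:00", "id": 5136, "account": "svc_backup",
     "attr": "servicePrincipalName", "op": "Value Added", "actor": "helpdesk1"},
    {"ts": "2024-05-01T10:02:30", "id": 4769, "account": "svc_backup",
     "etype": "0x17", "requester": "helpdesk1"},            # 0x17 = RC4-HMAC
    {"ts": "2024-05-01T10:05:00", "id": 5136, "account": "svc_backup",
     "attr": "servicePrincipalName", "op": "Value Deleted", "actor": "helpdesk1"},
    # Benign: a long-standing SPN account gets an AES ticket with no attribute churn.
    {"ts": "2024-05-01T11:00:00", "id": 4769, "account": "svc_sql",
     "etype": "0x12", "requester": "app01$"},               # 0x12 = AES256
]

def _ts(e):
    return datetime.fromisoformat(e["ts"])

def _spn_change(e, op):
    return e["id"] == 5136 and e.get("attr") == "servicePrincipalName" and e.get("op") == op

def correlate_ghost_spn(events, window_minutes=60):
    """Flag accounts whose SPN is added and then used for a TGS request within
    the window; a later SPN removal in the same window marks the cleanup phase."""
    by_account = defaultdict(list)
    for e in sorted(events, key=_ts):
        by_account[e["account"]].append(e)
    findings = []
    for account, evs in by_account.items():
        for i, e in enumerate(evs):
            if not _spn_change(e, "Value Added"):
                continue
            deadline = _ts(e) + timedelta(minutes=window_minutes)
            later = [x for x in evs[i + 1:] if _ts(x) <= deadline]
            tickets = [x for x in later if x["id"] == 4769]
            if not tickets:
                continue  # an SPN change alone is an admin action, not an attack
            cleanup = any(_spn_change(x, "Value Deleted") for x in later)
            findings.append({
                "account": account,
                "actor": e["actor"],                      # who wrote the SPN
                "spn_added_at": e["ts"],
                "tgs_requests": len(tickets),
                "rc4_ticket": any(x.get("etype") == "0x17" for x in tickets),
                "cleanup_seen": cleanup,
                "severity": "high" if cleanup else "medium",
            })
    return findings

if __name__ == "__main__":
    for f in correlate_ghost_spn(SAMPLE_EVENTS):
        print(f)
```

The `rc4_ticket` flag is the signal the AES-only measure removes: once RC4 is disabled, a ticket with etype 0x17 should not appear at all, and any that does deserves its own alert.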

As cyber adversaries shift their focus from exploiting software vulnerabilities to abusing legitimate directory permissions, organizations must adapt their defenses. Continuous monitoring and proactive measures are essential to thwart the Ghost SPN attack and similar threats.

🔒 Pro insight: This attack highlights a critical gap in traditional detection models, necessitating a shift towards monitoring identity attribute changes continuously.

Original article from Cyber Security News · Guru Baran
