A more advanced form of Kerberoasting lets attackers obtain Active Directory credentials while leaving little persistent evidence behind. The technique, documented by Trellix security researchers, abuses delegated administrative permissions to create short-lived exposure windows. It undermines two false assumptions that many detection models rest on: that Kerberoasting targets are always pre-registered service accounts, and that malicious activity produces a conspicuous spike in ticket request anomalies.

Without persistent indicators, defenders who rely on static directory snapshots or low-fidelity audit logs cannot tie the TGS request back to malicious activity after the fact.

Trellix researchers note that as attackers move from exploiting software flaws to abusing legitimate directory permissions, a staple of Living-off-the-Land (LotL) tradecraft, defenders need to go beyond monitoring access attempts and continuously watch for changes to identity attributes, especially changes that are designed to disappear. The Ghost SPN attack unfolds in three planned steps:

1. SPN assignment (out-of-band): the attacker uses write access over a target account to register an arbitrary SPN (for example http/webapp) with a PowerShell cmdlet, then requests a TGS ticket for it. Tools such as Mimikatz can dump the ticket and save it as a .kirbi file.

2. Offline cracking: the ticket is cracked entirely outside the environment with tools such as Hashcat or tgsrepcrack.py, so the target infrastructure records no failed authentications and no unusual logon attempts.

3. Cleanup: the SPN attribute is removed shortly afterward, returning the account to its previous state.

Viewed in isolation, each step looks exactly like a routine administrative action, and SOC stacks that rely on fragmented log analysis are left with a significant visibility gap. Organizations should take the following steps right away. First, audit ACLs carefully.

Second, identify and remove GenericAll or WriteSPN permissions (any ACE that lets a principal write the servicePrincipalName attribute, including GenericWrite) that have been granted to non-administrative accounts.
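The ACL audit above can be scripted. The PowerShell below is an added example, not code from Trellix or from the write-up: it walks every user object in the domain, inspects each access control entry in its security descriptor, and reports grantees that can write servicePrincipalName either outright (GenericAll, GenericWrite, WriteProperty on all attributes) or specifically (WriteProperty or the Validated-SPN validated write scoped to the attribute's GUID). It assumes the ActiveDirectory module, that f3a64788-5306-11d1-a9c5-0000f80367c1 is the servicePrincipalName schemaIDGUID in your forest (verify against the schema partition if unsure), and an allow-list of principals that are expected to hold such rights; the allow-list is a placeholder to adjust for your tiering model.

```powershell
# Added example: find non-administrative principals that can write servicePrincipalName.
# Not code from the Trellix research; the allow-list and GUID are assumptions noted inline.
Import-Module ActiveDirectory

# schemaIDGUID of servicePrincipalName (also the rightsGUID of the Validated-SPN write).
# Assumption: standard schema; confirm with Get-ADObject on the schema partition if in doubt.
$SpnAttributeGuid = [guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'
$EmptyGuid        = [guid]::Empty

# Assumption: principals expected to hold write rights over user objects. Adjust to your
# Tier-0 model; anything else that can write an SPN is a Ghost SPN candidate.
$AllowedIdentities = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    "$env:USERDOMAIN\Domain Admins",
    "$env:USERDOMAIN\Enterprise Admins"
)

function Test-FullMask {
    # Generic rights are multi-bit masks; test for the whole mask, not any single bit
    # (GenericWrite includes ReadControl, so a plain -band would match read-only ACEs).
    param([System.DirectoryServices.ActiveDirectoryRights]$Rights,
          [System.DirectoryServices.ActiveDirectoryRights]$Mask)
    return (($Rights -band $Mask) -eq $Mask)
}

function Test-SpnWriteAce {
    # True when the ACE allows writing servicePrincipalName, directly or via a generic right.
    param([System.DirectoryServices.ActiveDirectoryAccessRule]$Ace)
    if ($Ace.AccessControlType -ne 'Allow') { return $false }
    $r = $Ace.ActiveDirectoryRights
    $ADR = [System.DirectoryServices.ActiveDirectoryRights]

    if (Test-FullMask $r ($ADR::GenericAll))   { return $true }
    if (Test-FullMask $r ($ADR::GenericWrite)) { return $true }
    # WriteDacl / WriteOwner let the grantee award themselves the right later.
    if (Test-FullMask $r ($ADR::WriteDacl))    { return $true }
    if (Test-FullMask $r ($ADR::WriteOwner))   { return $true }

    $scopedToSpn = ($Ace.ObjectType -eq $EmptyGuid -or $Ace.ObjectType -eq $SpnAttributeGuid)
    # WriteProperty on all attributes (empty ObjectType) or on servicePrincipalName alone
    if ((Test-FullMask $r ($ADR::WriteProperty)) -and $scopedToSpn) { return $true }
    # Self = validated writes; with the SPN GUID this is "Validated write to SPN"
    if ((Test-FullMask $r ($ADR::Self)) -and $scopedToSpn) { return $true }
    return $false
}

function Find-SpnWriteGrants {
    # Enumerate user objects under $SearchBase and return one row per suspicious ACE.
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    $users = Get-ADUser -Filter * -SearchBase $SearchBase -Properties nTSecurityDescriptor
    foreach ($u in $users) {
        foreach ($ace in $u.nTSecurityDescriptor.Access) {
            if (-not (Test-SpnWriteAce $ace)) { continue }
            $who = $ace.IdentityReference.Value
            if ($AllowedIdentities -contains $who) { continue }
            [pscustomobject]@{
                Account    = $u.SamAccountName
                Grantee    = $who
                Rights     = $ace.ActiveDirectoryRights
                ObjectType = $ace.ObjectType
                Inherited  = $ace.IsInherited
            }
        }
    }
}

Find-SpnWriteGrants | Sort-Object Grantee, Account | Format-Table -AutoSize
```

Inherited ACEs usually point at an OU-level delegation rather than a per-account grant, so fix them at the OU where they originate; review each finding before removing it (for example with dsacls or Set-Acl on the AD: drive), since help-desk delegations that include GenericWrite are common and are exactly the kind of permission this attack abuses.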
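The continuous monitoring the article calls for means correlating the transient attribute change with the ticket request, not looking at either alone. The PowerShell below is an added example, not Trellix's detection logic: it pairs a servicePrincipalName value added (Security event 5136, OperationType %%14674) with the same value deleted from the same object (OperationType %%14675) within a window, and only then looks for a TGS request (event 4769) for that account between the two. It runs on a constructed set of sample records so it can be tested offline; the commented Get-WinEvent line shows how to feed it live events. Assumptions: the "Audit Directory Service Changes" subcategory is enabled and user objects carry a SACL for Write Property (otherwise 5136 never fires), and the account's sAMAccountName equals the CN leaf of ObjectDN (resolve ObjectGUID with Get-ADObject if that does not hold in your directory).

```powershell
# Added example: detect a Ghost SPN window (SPN added, roasted, removed) from Security events.
# Not code from the Trellix research. Requires Directory Service Changes auditing plus a
# Write Property SACL on user objects; sample records below are constructed, not real logs.

function ConvertTo-EventRecord {
    # Flatten a Get-WinEvent record into a hashtable of its EventData fields.
    param($Event)
    $xml = [xml]$Event.ToXml()
    $h = @{ Id = $Event.Id; Time = $Event.TimeCreated }
    foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}

function Find-GhostSpn {
    param(
        [Parameter(Mandatory)][hashtable[]]$Records,
        [timespan]$MaxWindow = [timespan]::FromHours(24)   # how long a "temporary" SPN may live
    )
    $spnChanges = $Records | Where-Object { $_.Id -eq 5136 -and $_.AttributeLDAPDisplayName -eq 'servicePrincipalName' }
    $adds = $spnChanges | Where-Object { $_.OperationType -eq '%%14674' }   # Value Added
    $dels = $spnChanges | Where-Object { $_.OperationType -eq '%%14675' }   # Value Deleted
    $tgs  = $Records | Where-Object { $_.Id -eq 4769 }

    foreach ($add in $adds) {
        # Same value removed from the same object after it was added, within the window
        $del = $dels | Where-Object {
            $_.ObjectDN -eq $add.ObjectDN -and $_.AttributeValue -eq $add.AttributeValue -and
            $_.Time -gt $add.Time -and ($_.Time - $add.Time) -le $MaxWindow
        } | Sort-Object Time | Select-Object -First 1
        if (-not $del) { continue }   # SPN left in place: ordinary administration, not Ghost SPN

        # Assumption: sAMAccountName == CN leaf of the DN; 4769 ServiceName carries the sAMAccountName
        $account  = (($add.ObjectDN -split ',')[0] -replace '^CN=', '')
        $requests = $tgs | Where-Object {
            $_.ServiceName -eq $account -and $_.Time -ge $add.Time -and $_.Time -le $del.Time
        }
        if (-not $requests) { continue }   # SPN toggled but never requested: flag elsewhere if desired

        [pscustomobject]@{
            Account     = $account
            Spn         = $add.AttributeValue
            AddedBy     = $add.SubjectUserName
            AddedAt     = $add.Time
            RemovedAt   = $del.Time
            RequestedBy = (($requests | ForEach-Object { $_.TargetUserName }) -join ', ')
            RequestFrom = (($requests | ForEach-Object { $_.IpAddress }) -join ', ')
            Rc4Ticket   = [bool]($requests | Where-Object { $_.TicketEncryptionType -eq '0x17' })  # RC4 = crackable
        }
    }
}

# Constructed sample records (not real log data). The first three are the attack; the
# last two are a DBA registering a real SPN that stays in place and should not be flagged.
$T = Get-Date '2024-01-15T10:00:00'
$Dn = 'CN=svc_sql,OU=Service Accounts,DC=corp,DC=local'
$SampleRecords = @(
    @{ Id=5136; Time=$T;               SubjectUserName='helpdesk1'; ObjectDN=$Dn
       AttributeLDAPDisplayName='servicePrincipalName'; AttributeValue='http/webapp'; OperationType='%%14674' },
    @{ Id=4769; Time=$T.AddMinutes(2); TargetUserName='helpdesk1@CORP.LOCAL'; ServiceName='svc_sql'
       TicketEncryptionType='0x17'; IpAddress='::ffff:10.0.0.25' },
    @{ Id=5136; Time=$T.AddMinutes(6); SubjectUserName='helpdesk1'; ObjectDN=$Dn
       AttributeLDAPDisplayName='servicePrincipalName'; AttributeValue='http/webapp'; OperationType='%%14675' },
    @{ Id=5136; Time=$T.AddHours(1);   SubjectUserName='dbadmin'; ObjectDN='CN=svc_sql2,OU=Service Accounts,DC=corp,DC=local'
       AttributeLDAPDisplayName='servicePrincipalName'; AttributeValue='MSSQLSvc/db01.corp.local:1433'; OperationType='%%14674' },
    @{ Id=4769; Time=$T.AddHours(2);   TargetUserName='appsrv01$@CORP.LOCAL'; ServiceName='svc_sql2'
       TicketEncryptionType='0x12'; IpAddress='::ffff:10.0.0.40' }
)

# Live collection on a domain controller (uncomment to run against the last 24 hours):
# $SampleRecords = Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=5136,4769; StartTime=(Get-Date).AddHours(-24) } |
#                  ForEach-Object { ConvertTo-EventRecord $_ }

Find-GhostSpn -Records $SampleRecords | Format-List
```

On the sample data the function returns one finding: svc_sql, SPN http/webapp, added and removed by helpdesk1 six minutes apart, with an RC4 (0x17) ticket requested in between from 10.0.0.25. The 4769 for svc_sql2 is ignored because its SPN was never removed. Two practical notes: run the correlation against centralized logs from all domain controllers, since the 5136 and the 4769 can be served by different DCs, and treat a TGS request whose ServiceName is a user account rather than a computer account as suspicious on its own, because that is the signature the article says detection models wrongly assume cannot occur.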