
Now You See It, Now You Don't: Inside the Ghost SPN Attack Bypassing Your Security

In the world of cybersecurity, kerberoasting is a classic move. For years, it’s been a go-to method for hackers to steal corporate passwords. But recently, a far more evasive version has emerged: the Ghost SPN attack.

If that sounds like technobabble, don’t worry. Here is a plain-English breakdown of how this attack works, why it’s so hard to see, and how modern security tools are finally catching the "ghost."

The backdrop: What is kerberoasting?

To understand the "Ghost" version, we first have to understand the original.

Imagine a large office building. Instead of carrying around a heavy ring of keys, employees use a digital ticket system. When you want to use the printer or access the HR database, you ask a central ticket booth (called the domain controller) for a pass.

The ticket booth gives you an encrypted envelope. You hand that envelope to the printer. The printer unlocks it with its own secret password. You’re in.

The problem: The system is designed to be helpful. It lets almost any employee ask for an envelope for any service. However, a hacker can ask for an envelope, take it home, and use a powerful computer to try millions of passwords a second until the envelope opens. Once they have that password, they own that service.

Enter the "Ghost SPN" attack

In a standard attack, hackers target well-known services (like SQL databases). Because these are high-value targets, security teams watch them like hawks.

The Ghost SPN attack is different because it uses a "now you see it, now you don't" strategy. Here is the play-by-play:

  1. The disguise: The hacker finds a regular, boring user account (like a temporary intern).
  2. The label: They quickly add a service principal name (SPN) to that account. This is like putting a "V.I.P. Vault" sign on a cardboard box. For a split second, the system thinks that an intern account is a high-value asset.
  3. The grab: The hacker immediately requests a ticket (the encrypted envelope) for that fake service.
  4. The vanishing act: As soon as they have the envelope, they delete the "V.I.P." sign. The account goes back to looking like a boring intern account.

By the time a security officer walks by to check the logs, there’s no "service" to be found. The evidence has turned into a “ghost.”


Why traditional security misses it

Most security software works like a static camera—it looks for "broken windows" or "missing locks."

  • It’s too fast: The entire label-and-delete process can happen in seconds.
  • It’s too quiet: The hacker isn't "breaking in"; they are asking the system to do exactly what it was designed to do.
  • It’s "normal": Admin changes happen all the time in big companies. One small change to a user account often gets lost in the noise of thousands of other daily updates.

How we catch a ghost

So, how do you stop an attacker who leaves no footprints? You stop looking at the signs on the doors and start looking at the behavior of the crowd.

Advanced security tools, like Trellix NDR (Network Detection and Response), act more like a high-tech detective than a static camera. Instead of just looking for service accounts, it watches for three red flags:

  1. Weakened encryption: To make the "envelope" easier to crack later, hackers often force the system to use old, weak encryption. Trellix NDR notices this "downgrade."
  2. Strange timing: It notices the coincidence of a user account being modified exactly one second before a service ticket is requested.
  3. Impossible behavior: It recognizes that "intern account A" has no business requesting a high-level service ticket, especially for a service that didn't exist five minutes ago.
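The three red flags above, together with the play-by-play sequence from the earlier section, can be expressed as a correlation over directory-change and Kerberos ticket events. The following is an added example written for this post, not Trellix NDR's own detection logic; it assumes a simplified event format (Windows event IDs 5136 and 4769 are real, but the field names and the sample events are constructed, not real telemetry) and looks for: SPN added to an account, a service ticket requested for that account within seconds using a weak encryption type, then the SPN removed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events, not real telemetry. Field names are simplified
# stand-ins for Windows Security log fields: 5136 = directory service object
# modified (needs Directory Service Changes auditing), 4769 = Kerberos service
# ticket requested. Ticket etype 0x17 = RC4-HMAC (weak), 0x12 = AES256.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:00", "id": 5136, "account": "intern.a",
     "attr": "servicePrincipalName", "op": "add"},
    {"ts": "2024-05-01T10:00:01", "id": 4769, "requester": "intern.a",
     "service": "intern.a", "etype": "0x17"},
    {"ts": "2024-05-01T10:00:03", "id": 5136, "account": "intern.a",
     "attr": "servicePrincipalName", "op": "delete"},
    # Benign: AES ticket for a long-lived service account, no SPN churn.
    {"ts": "2024-05-01T10:05:00", "id": 4769, "requester": "alice",
     "service": "svc-sql", "etype": "0x12"},
]

WEAK_ETYPES = {"0x17", "0x18", "0x1", "0x3"}  # RC4-HMAC and DES ticket types

def _t(e):
    return datetime.fromisoformat(e["ts"])

def detect_ghost_spn(events, window_s=300):
    """Correlate per account: SPN added -> service ticket requested for that
    account within window_s -> SPN removed. One alert dict per sequence."""
    spn_adds = defaultdict(list)     # account -> times an SPN was added
    spn_deletes = defaultdict(list)  # account -> times an SPN was removed
    tickets = defaultdict(list)      # service account -> 4769 events
    for e in events:
        if e["id"] == 5136 and e.get("attr") == "servicePrincipalName":
            bucket = spn_adds if e["op"] == "add" else spn_deletes
            bucket[e["account"]].append(_t(e))
        elif e["id"] == 4769:
            tickets[e["service"]].append(e)
    alerts = []
    for account, adds in spn_adds.items():
        for t_add in adds:
            for tk in tickets.get(account, []):
                delta = (_t(tk) - t_add).total_seconds()
                if not 0 <= delta <= window_s:
                    continue  # ticket not tied to this SPN change
                flags = ["spn_added_then_ticket_requested"]
                if tk["etype"] in WEAK_ETYPES:
                    flags.append("weak_etype_downgrade")
                if any(t_del > _t(tk) for t_del in spn_deletes.get(account, [])):
                    flags.append("spn_removed_after_ticket")
                alerts.append({"account": account, "requester": tk["requester"],
                               "seconds_after_spn_add": delta, "flags": flags})
    return alerts
```

On the constructed sample, only the intern account trips all three flags; the AES ticket for the long-lived service account produces no alert because no SPN change precedes it.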

The bottom line

The Ghost SPN attack is a clever evolution of an old trick, designed to bypass the "eyes" of traditional security. However, by monitoring the underlying behavior of the network rather than just the names of the accounts, organizations can expose the ghost before credentials are cracked and weaponized.

To see how Trellix can help detect Ghost SPN and other malicious attacks, request a demo.
