
Ghost SPNs and Kerberos reflection: are your SMB controls enough?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8151

TL;DR: Ghost SPNs can let a low-privilege domain user reflect Kerberos authentication back to a target host and reach SYSTEM-level access when SMB signing is not enforced, according to Semperis. The issue shows that SPN hygiene, DNS write permissions, and protocol hardening still determine whether relay-style attacks remain viable.

NHIMG editorial — based on content published by Semperis: Ghost SPNs, Kerberos reflection, and SMB elevation of privilege

By the numbers:

Questions worth separating out

Q: How should security teams handle Ghost SPNs in Active Directory?

A: Treat Ghost SPNs as stale identity objects with attack potential, not as harmless cleanup items.

Q: Why do unresolved SPNs increase relay risk in Windows environments?

A: Unresolved SPNs create a mismatch between directory trust and actual service reachability.

Q: What breaks when SMB signing is not enforced on domain-joined systems?

A: Without SMB signing, the server has a weaker guarantee that the authentication exchange it receives is authentic and untampered.

Practitioner guidance

  • Audit unresolved SPNs across the domain: inventory HOST and CIFS SPNs that point to names no longer resolvable in DNS, then remove or correct them before they can be registered by an attacker.
  • Restrict arbitrary DNS record creation: remove the default ability for standard users to register DNS records where business requirements do not justify it.
  • Enforce SMB signing on every domain-joined system: verify that SMB signing is required on servers and clients, not only on domain controllers.
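The three checks above can be scripted from any domain-joined admin workstation. The following read-only audit is an added example for this post, not code from Semperis or NHIMG: it lists HOST/CIFS SPNs whose target no longer resolves in DNS, reports whether the zone's directory ACL still grants Authenticated Users the right to create records, and confirms that both the SMB server and client side require signing on the hosts you name. The zone name, domain DN and computer names are placeholder assumptions; it expects the ActiveDirectory, DnsClient and SmbShare modules, and assumes the zone is stored in the DomainDnsZones partition (zones kept in the domain partition live under CN=System instead).

```powershell
# Added defensive audit example (not the page's or Semperis's code). Read-only.
Import-Module ActiveDirectory

function Get-UnresolvedHostSpns {
    # Enumerate every object carrying HOST or CIFS SPNs and return those whose target
    # name no longer resolves in DNS: the stale "ghost" SPNs the post describes.
    $objects = Get-ADObject -LDAPFilter '(servicePrincipalName=*)' `
                            -Properties servicePrincipalName, sAMAccountName
    foreach ($obj in $objects) {
        foreach ($spn in $obj.servicePrincipalName) {
            # Capture the host part of HOST/name, HOST/name:port or CIFS/name.
            if ($spn -match '^(HOST|CIFS)/([^:/]+)') {
                $target = $Matches[2]
                try {
                    # -DnsOnly avoids LLMNR/NetBIOS fallback masking a dead DNS name.
                    Resolve-DnsName -Name $target -Type A -DnsOnly -ErrorAction Stop | Out-Null
                } catch {
                    [pscustomobject]@{
                        Account = $obj.sAMAccountName
                        SPN     = $spn
                        Target  = $target
                        DN      = $obj.DistinguishedName
                    }
                }
            }
        }
    }
}

function Test-DnsZoneAllowsAuthUserCreate {
    param(
        [string]$ZoneName = 'corp.example',        # placeholder assumption
        [string]$DomainDn = 'DC=corp,DC=example'   # placeholder assumption
    )
    # Authenticated Users holding CreateChild on the zone object is what lets any
    # domain user register a record for a name a ghost SPN still points at.
    $zoneDn = "DC=$ZoneName,CN=MicrosoftDNS,DC=DomainDnsZones,$DomainDn"
    $acl = Get-Acl -Path "AD:\$zoneDn"
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq 'NT AUTHORITY\Authenticated Users' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::CreateChild)
    } | ForEach-Object {
        [pscustomobject]@{
            Zone     = $ZoneName
            Identity = $_.IdentityReference.Value
            Rights   = $_.ActiveDirectoryRights
        }
    }
}

function Test-SmbSigningRequired {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))
    # Check server and client side on each host; the post stresses that signing must
    # be required everywhere, not only on domain controllers.
    foreach ($c in $ComputerName) {
        $session = New-CimSession -ComputerName $c
        try {
            $srv = Get-SmbServerConfiguration -CimSession $session
            $cli = Get-SmbClientConfiguration -CimSession $session
        } finally {
            Remove-CimSession $session
        }
        [pscustomobject]@{
            Computer              = $c
            ServerRequiresSigning = $srv.RequireSecuritySignature
            ClientRequiresSigning = $cli.RequireSecuritySignature
            Compliant             = ($srv.RequireSecuritySignature -and $cli.RequireSecuritySignature)
        }
    }
}

# Usage (placeholder names): review each finding before removing an SPN, since a
# target may legitimately resolve only in another DNS namespace.
Get-UnresolvedHostSpns | Format-Table Account, SPN, Target
Test-DnsZoneAllowsAuthUserCreate -ZoneName 'corp.example' -DomainDn 'DC=corp,DC=example'
Test-SmbSigningRequired -ComputerName 'FILE01', 'APP02' | Format-Table
```

An empty result from the zone check means Authenticated Users no longer hold CreateChild on that zone; any row from the SMB check with Compliant set to False is a host where a relayed exchange would still be accepted unsigned.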

What's in the full article

Semperis's full article covers the implementation detail this post intentionally leaves for the source:

  • Packet-level walkthrough of the Kerberos reflection sequence and how the AP-REQ is replayed to SMB.
  • Patch-level analysis of the SRV2.SYS changes that block non-local connections in the vulnerable session setup path.
  • Hands-on mitigation notes for auditing SPNs, constraining DNS writes, and validating SMB signing coverage.
  • Disclosure timeline and Microsoft response details for CVE-2025-58726.
