{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/adcs/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-20929"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["kerberos","relay","adcs","cve-2026-20929","credential-access"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-20929, a vulnerability patched in January 2026, allows attackers to perform Kerberos authentication relay attacks by abusing DNS CNAME records. The attack involves manipulating DNS resolution to redirect a client\u0026rsquo;s Kerberos authentication request to an attacker-controlled server. This server then relays the authentication to Active Directory Certificate Services (AD CS) to enroll certificates on behalf of the victim user. This technique allows the attacker to gain persistent access to the domain. The vulnerability has a CVSS score of 7.5. This attack is a Kerberos-based variant of the ESC8 attack, which traditionally relies on NTLM relay. By exploiting Kerberos, the attack can bypass environments where NTLM has been disabled. The primary target is the AD CS web enrollment endpoint (/certsrv).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe victim attempts to access a web server (e.g., web01.test.local).\u003c/li\u003e\n\u003cli\u003eA DNS query is initiated to resolve the hostname of the target web server.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts the DNS query and responds with a crafted DNS response containing a CNAME record that redirects the original hostname (web01.test.local) to an attacker-controlled target (e.g., CA01.test.local), along with an A record pointing to the attacker\u0026rsquo;s IP address.\u003c/li\u003e\n\u003cli\u003eThe victim\u0026rsquo;s system accesses the attacker-controlled web server.\u003c/li\u003e\n\u003cli\u003eThe malicious web server sends a 401 HTTP response to initiate Kerberos authentication.\u003c/li\u003e\n\u003cli\u003eThe victim requests a Kerberos service ticket for HTTP/CA01.test.local from the domain controller.\u003c/li\u003e\n\u003cli\u003eThe domain controller issues a service ticket for the requested SPN.\u003c/li\u003e\n\u003cli\u003eThe attacker relays the Kerberos ticket to the AD CS web enrollment endpoint (/certsrv) to request a certificate for the victim user, thereby achieving persistent access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-20929 allows an attacker to enroll certificates on behalf of domain users, granting them persistent access to the network. Certificates are often valid for extended periods (1+ years) and are less frequently monitored than password-based authentication. This attack can bypass controls that disable NTLM authentication, and web enrollment over HTTP prevents Channel Binding Token (CBT) protection, making AD CS web enrollment an attractive relay target. The number of potential victims depends on the number of vulnerable AD CS deployments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor for anomalous certificate-based authentication events combined with unusual AD CS service access within a short time window, as highlighted in the \u0026ldquo;CrowdStrike has developed a correlation-based detection\u0026rdquo; statement in the overview.\u003c/li\u003e\n\u003cli\u003eDisable web enrollment over HTTP to enforce Channel Binding Token (CBT) protection, mitigating the risk of successful relay attacks, as mentioned in the \u0026ldquo;Why AD CS Web Enrollment Is an Attractive Relay Target\u0026rdquo; section.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eReview and harden AD CS configurations based on recommendations from \u0026ldquo;Certified Pre-Owned\u0026rdquo; research to reduce the attack surface.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-31T17:49:30Z","date_published":"2026-03-31T17:49:30Z","id":"/briefs/2026-04-kerberos-relay-cname/","summary":"An attacker exploits CVE-2026-20929 by manipulating DNS responses to redirect Kerberos authentication to attacker-controlled AD CS, enabling certificate enrollment for persistent access.","title":"Kerberos Authentication Relay via DNS CNAME Abuse (CVE-2026-20929)","url":"https://feed.craftedsignal.io/briefs/2026-04-kerberos-relay-cname/"}],"language":"en","title":"CraftedSignal Threat Feed — Adcs","version":"https://jsonfeed.org/version/1.1"}