<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Kerberos — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/kerberos/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 01 May 2026 17:31:25 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/kerberos/feed.xml" rel="self" type="application/rss+xml"/><item><title>Potential Kerberos SPN Spoofing via Suspicious DNS Query</title><link>https://feed.craftedsignal.io/briefs/2024-10-kerberos-spn-spoofing-dns/</link><pubDate>Fri, 01 May 2026 17:31:25 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-10-kerberos-spn-spoofing-dns/</guid><description>Detects suspicious DNS queries containing a base64-encoded blob, indicating potential Kerberos coercion attacks and SPN spoofing via DNS to coerce authentication to attacker-controlled hosts, enabling Kerberos or NTLM relay attacks.</description><content:encoded><![CDATA[<p>This detection identifies a specific pattern in DNS queries indicative of Kerberos SPN spoofing, a technique used to coerce systems into authenticating to attacker-controlled hosts. The pattern &ldquo;UWhRCA&hellip;BAAAA&rdquo; represents a marshaled CREDENTIAL_TARGET_INFORMATION structure. Attackers exploit this by crafting malicious DNS names to trick victim systems into requesting Kerberos tickets for legitimate services, often their own identity, but directed towards an attacker-controlled endpoint. This can lead to Kerberos relay or NTLM reflection/relay attacks, bypassing normal NTLM fallback mechanisms. 
The technique is associated with tools like RemoteKrbRelay and wspcoerce. This activity has been observed in various attacks targeting Windows environments where Kerberos authentication is prevalent. Defenders need to detect and mitigate this early stage of credential access.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a target Windows system within the network.</li>
<li>The attacker sets up a malicious server to receive coerced authentication requests.</li>
<li>The attacker crafts a malicious DNS query containing a base64-encoded blob &ldquo;UWhRCA&hellip;BAAAA&rdquo; representing a marshaled CREDENTIAL_TARGET_INFORMATION structure.</li>
<li>The victim system, triggered by an external factor (e.g., RPC call, scheduled task, or web request), attempts to resolve the crafted DNS name.</li>
<li>The malicious DNS query is sent to the DNS server, which resolves the crafted name to the attacker&rsquo;s server.</li>
<li>The victim system initiates a Kerberos authentication request to the attacker&rsquo;s server, believing it to be a legitimate service.</li>
<li>The attacker&rsquo;s server relays the Kerberos ticket or uses NTLM reflection/relay techniques to gain unauthorized access.</li>
<li>The attacker compromises the victim system or pivots to other systems within the network using the stolen credentials.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to credential compromise, lateral movement, and domain takeover. Victims in Active Directory environments are particularly vulnerable. The impact includes unauthorized access to sensitive data, disruption of services, and potential ransomware deployment. If the coerced service has high privileges, the attacker can gain complete control over the compromised system or even the entire domain. Organizations using Kerberos authentication are at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the &ldquo;Potential Kerberos SPN Spoofing via Suspicious DNS Query&rdquo; rule to your SIEM and tune for your environment to detect malicious DNS queries.</li>
<li>Enable Sysmon Event ID 22 - DNS Query logging to provide the necessary data for detection.</li>
<li>Investigate and block any DNS queries resolving to external IPs that contain the &ldquo;UWhRCA&hellip;BAAAA&rdquo; pattern.</li>
<li>Monitor process creation events for processes initiating DNS queries containing the suspicious pattern, specifically looking for known coercion tools.</li>
<li>Implement network segmentation to limit the impact of lateral movement if a system is compromised.</li>
<li>Review and harden Kerberos configurations to prevent SPN spoofing and relay attacks.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>credential-access</category><category>kerberos</category><category>spn-spoofing</category><category>dns</category><category>windows</category></item><item><title>Windows Kerberos Improper Authorization Privilege Escalation (CVE-2026-27912)</title><link>https://feed.craftedsignal.io/briefs/2026-04-kerberos-privesc/</link><pubDate>Wed, 15 Apr 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-kerberos-privesc/</guid><description>CVE-2026-27912 describes an improper authorization vulnerability in Windows Kerberos, enabling an attacker on an adjacent network with valid credentials to elevate privileges.</description><content:encoded><![CDATA[<p>CVE-2026-27912 exposes an improper authorization flaw within the Windows Kerberos authentication protocol. This vulnerability allows an attacker who has already gained authorized access to an adjacent network to escalate their privileges. Successful exploitation of this vulnerability could lead to a complete compromise of the affected system. The vulnerability was reported to Microsoft and assigned CVE-2026-27912. Details regarding the specific Kerberos implementation flaws are still emerging, but the impact of successful exploitation is significant, potentially affecting all systems utilizing the flawed Kerberos implementation for authentication and authorization. This vulnerability highlights the importance of maintaining updated systems and promptly applying security patches.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial access to an adjacent network, possibly through compromised credentials or other network vulnerabilities.</li>
<li>The attacker leverages valid credentials to authenticate to a Kerberos service within the Windows domain.</li>
<li>The attacker exploits the improper authorization vulnerability (CVE-2026-27912) in the Kerberos implementation.</li>
<li>The attacker requests a service ticket with modified or elevated privileges.</li>
<li>The Kerberos service improperly grants the ticket with elevated privileges due to the authorization flaw.</li>
<li>The attacker uses the forged Kerberos ticket to authenticate to other services or resources within the domain.</li>
<li>The attacker gains unauthorized access to sensitive data or performs administrative actions.</li>
<li>The attacker achieves privilege escalation and potentially compromises the entire domain.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-27912 could allow an attacker to escalate privileges and gain unauthorized access to sensitive information. Given the nature of Kerberos as a central authentication service, this vulnerability has the potential to impact numerous systems within a domain. This could lead to data breaches, system compromise, and ultimately a complete loss of confidentiality, integrity, and availability of critical resources. The vulnerability has a CVSS v3.1 score of 8.0 (High).</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the security patch released by Microsoft to address CVE-2026-27912 immediately on all Windows systems (reference: <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-27912">https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-27912</a>).</li>
<li>Monitor Kerberos authentication logs for suspicious ticket requests or anomalies following patch deployment (enable Kerberos auditing on domain controllers).</li>
<li>Deploy the Sigma rule provided below to detect potential exploitation attempts by monitoring for specific Kerberos events.</li>
<li>Implement network segmentation to limit the scope of potential damage from an adjacent network compromise.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>privilege-escalation</category><category>kerberos</category><category>windows</category><category>cve-2026-27912</category></item><item><title>Kerberos Authentication Relay via DNS CNAME Abuse (CVE-2026-20929)</title><link>https://feed.craftedsignal.io/briefs/2026-04-kerberos-relay-cname/</link><pubDate>Tue, 31 Mar 2026 17:49:30 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-kerberos-relay-cname/</guid><description>An attacker exploits CVE-2026-20929 by manipulating DNS responses to redirect Kerberos authentication to attacker-controlled AD CS, enabling certificate enrollment for persistent access.</description><content:encoded><![CDATA[<p>CVE-2026-20929, a vulnerability patched in January 2026, allows attackers to perform Kerberos authentication relay attacks by abusing DNS CNAME records. The attack involves manipulating DNS resolution to redirect a client&rsquo;s Kerberos authentication request to an attacker-controlled server. This server then relays the authentication to Active Directory Certificate Services (AD CS) to enroll certificates on behalf of the victim user. This technique allows the attacker to gain persistent access to the domain. The vulnerability has a CVSS score of 7.5. This attack is a Kerberos-based variant of the ESC8 attack, which traditionally relies on NTLM relay. By exploiting Kerberos, the attack can bypass environments where NTLM has been disabled. The primary target is the AD CS web enrollment endpoint (/certsrv).</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The victim attempts to access a web server (e.g., web01.test.local).</li>
<li>A DNS query is initiated to resolve the hostname of the target web server.</li>
<li>The attacker intercepts the DNS query and responds with a crafted DNS response containing a CNAME record that redirects the original hostname (web01.test.local) to an attacker-controlled target (e.g., CA01.test.local), along with an A record pointing to the attacker&rsquo;s IP address.</li>
<li>The victim&rsquo;s system accesses the attacker-controlled web server.</li>
<li>The malicious web server sends a 401 HTTP response to initiate Kerberos authentication.</li>
<li>The victim requests a Kerberos service ticket for HTTP/CA01.test.local from the domain controller.</li>
<li>The domain controller issues a service ticket for the requested SPN.</li>
<li>The attacker relays the Kerberos ticket to the AD CS web enrollment endpoint (/certsrv) to request a certificate for the victim user, thereby achieving persistent access.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-20929 allows an attacker to enroll certificates on behalf of domain users, granting them persistent access to the network. Certificates are often valid for extended periods (1+ years) and are less frequently monitored than password-based authentication. This attack can bypass controls that disable NTLM authentication, and web enrollment over HTTP prevents Channel Binding Token (CBT) protection, making AD CS web enrollment an attractive relay target. The number of potential victims depends on the number of vulnerable AD CS deployments.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor for anomalous certificate-based authentication events combined with unusual AD CS service access within a short time window, as highlighted in the &ldquo;CrowdStrike has developed a correlation-based detection&rdquo; statement in the overview.</li>
<li>Disable web enrollment over HTTP to enforce Channel Binding Token (CBT) protection, mitigating the risk of successful relay attacks, as mentioned in the &ldquo;Why AD CS Web Enrollment Is an Attractive Relay Target&rdquo; section.</li>
<li>Deploy the Sigma rules in this brief to your SIEM and tune for your environment to detect potential exploitation attempts.</li>
<li>Review and harden AD CS configurations based on recommendations from &ldquo;Certified Pre-Owned&rdquo; research to reduce the attack surface.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>kerberos</category><category>relay</category><category>adcs</category><category>cve-2026-20929</category><category>credential-access</category></item><item><title>MIT Kerberos Security Bypass Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2024-05-mit-kerberos-bypass/</link><pubDate>Tue, 24 Mar 2026 10:16:06 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-05-mit-kerberos-bypass/</guid><description>An anonymous, remote attacker can exploit a vulnerability in MIT Kerberos to bypass security measures.</description><content:encoded><![CDATA[<p>A vulnerability exists within MIT Kerberos that allows an unauthenticated, remote attacker to bypass security mechanisms. The specific nature of the vulnerability is not detailed in this advisory, but the potential impact is significant due to Kerberos&rsquo; central role in authentication and authorization. The advisory, published by the German BSI (Bundesamt für Sicherheit in der Informationstechnik), highlights the potential for attackers to gain unauthorized access or escalate privileges within a Kerberos-protected environment. Defenders should investigate available patches and mitigations to prevent exploitation.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a vulnerable MIT Kerberos implementation.</li>
<li>The attacker crafts a malicious request to exploit the Kerberos vulnerability, likely targeting a specific service or protocol weakness.</li>
<li>The malicious request bypasses authentication or authorization checks due to the vulnerability.</li>
<li>The attacker gains unauthorized access to a Kerberos-protected resource or service.</li>
<li>Depending on the exploited vulnerability, the attacker may impersonate a legitimate user or service.</li>
<li>The attacker performs unauthorized actions, such as accessing sensitive data or executing commands.</li>
<li>The attacker escalates privileges within the Kerberos realm, potentially compromising the entire authentication infrastructure.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability could lead to widespread unauthorized access and privilege escalation within Kerberos-dependent environments. The number of affected organizations is currently unknown, but the potential impact is significant due to the widespread use of Kerberos for authentication in enterprise networks. A successful attack could allow an attacker to compromise critical systems, steal sensitive data, and disrupt essential services.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor Kerberos authentication logs for anomalies indicative of exploitation attempts (see generic rule below).</li>
<li>Investigate and apply any available patches or workarounds released by MIT Kerberos to address the vulnerability.</li>
<li>Review and strengthen Kerberos configuration settings to minimize the attack surface.</li>
<li>Implement network segmentation to limit the impact of a potential Kerberos compromise.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>kerberos</category><category>authentication</category><category>security-bypass</category></item><item><title>Kerberos Pre-authentication Disabled for User Account</title><link>https://feed.craftedsignal.io/briefs/2024-01-28-kerberos-preauth-disabled/</link><pubDate>Sun, 28 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-28-kerberos-preauth-disabled/</guid><description>Detection of Kerberos pre-authentication being disabled for a user account, potentially leading to AS-REP roasting and offline password cracking by attackers with GenericWrite or GenericAll rights over the account.</description><content:encoded><![CDATA[<p>This detection identifies instances where the Kerberos pre-authentication requirement is disabled for a user account within an Active Directory environment. Attackers with <code>GenericWrite</code> or <code>GenericAll</code> permissions over a target account can modify the <code>UserAccountControl</code> attribute to disable pre-authentication. This configuration weakens the account&rsquo;s security posture, making it vulnerable to AS-REP roasting attacks, where attackers can request Kerberos tickets and crack the password offline. The activity is logged as Event ID 4738 in the Windows Security Event Logs, specifically when the <code>NewUACList</code> includes the <code>USER_DONT_REQUIRE_PREAUTH</code> flag. This poses a significant risk, especially if applied to privileged accounts, as it allows adversaries to potentially compromise credentials and escalate privileges within the domain. The detection is based on research and recommendations from Microsoft regarding Kerberos security best practices.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access:</strong> An attacker gains unauthorized access to an account with sufficient privileges (e.g., Domain Admin, or an account with delegated permissions) to modify user account attributes in Active Directory.</li>
<li><strong>Privilege Escalation:</strong> The attacker leverages their initial access to target a specific user account for which they intend to disable Kerberos pre-authentication.</li>
<li><strong>Account Modification:</strong> The attacker modifies the <code>UserAccountControl</code> attribute of the target user account, specifically enabling the &ldquo;Do not require pre-authentication&rdquo; setting (which sets the <code>USER_DONT_REQUIRE_PREAUTH</code> flag). This is often done using tools like <code>Active Directory Users and Computers</code> or PowerShell cmdlets.</li>
<li><strong>Event Logging:</strong> The modification triggers a Windows Security Event Log event (Event ID 4738) on the Domain Controller, indicating that the user account attribute has been changed. The <code>NewUACList</code> field in the event data contains <code>USER_DONT_REQUIRE_PREAUTH</code>.</li>
<li><strong>AS-REQ Request:</strong> The attacker crafts an AS-REQ (Authentication Service Request) to the Kerberos Key Distribution Center (KDC) for the targeted user account. Since pre-authentication is disabled, the KDC processes the request without requiring pre-authentication.</li>
<li><strong>AS-REP Response:</strong> The KDC issues an AS-REP (Authentication Service Response) to the attacker, containing an encrypted Ticket Granting Ticket (TGT) for the targeted user account.</li>
<li><strong>Offline Cracking:</strong> The attacker extracts the encrypted TGT from the AS-REP response and attempts to crack it offline using password cracking tools and techniques, such as hashcat or John the Ripper.</li>
<li><strong>Credential Access:</strong> Upon successfully cracking the TGT, the attacker obtains the plaintext password for the targeted user account. This password can then be used for lateral movement, privilege escalation, and further malicious activities within the domain.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Compromising user accounts through AS-REP roasting can have significant consequences. Attackers can gain unauthorized access to sensitive resources, escalate privileges, and move laterally within the network. Successful AS-REP roasting leads to credential compromise, which could result in data breaches, system compromise, and disruption of services. Organizations failing to monitor and prevent Kerberos pre-authentication disabling are at an increased risk of credential theft and subsequent exploitation, potentially affecting all systems within the compromised domain.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable &ldquo;Audit User Account Management&rdquo; and ensure Windows Security Event Logs (specifically Event ID 4738) are being collected and forwarded to your SIEM for analysis as described in the setup instructions linked in the rule source.</li>
<li>Deploy the provided Sigma rule to detect Event ID 4738 events where the <code>NewUACList</code> contains <code>USER_DONT_REQUIRE_PREAUTH</code> within your environment to identify potential AS-REP roasting vulnerabilities.</li>
<li>Investigate any instances of disabled pre-authentication, especially on privileged accounts, following the triage steps outlined in the rule documentation.</li>
<li>Enforce the principle of least privilege by reviewing and restricting the privileges assigned to users and groups to prevent unauthorized modification of Active Directory user account attributes.</li>
<li>Monitor for suspicious Kerberos authentication patterns and investigate any anomalies that might indicate AS-REP roasting attempts.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>kerberos</category><category>credential-access</category><category>as-rep-roasting</category><category>active-directory</category><category>windows</category></item><item><title>PowerShell Kerberos Ticket Dumping via LSA Authentication Package Access</title><link>https://feed.craftedsignal.io/briefs/2024-01-26-powershell-kerberos-dump/</link><pubDate>Fri, 26 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-26-powershell-kerberos-dump/</guid><description>Detection of PowerShell scripts attempting to dump Kerberos tickets from memory by accessing LSA authentication packages, potentially leading to credential access and lateral movement.</description><content:encoded><![CDATA[<p>This threat brief focuses on detecting PowerShell scripts designed to extract Kerberos tickets from memory. Attackers use these scripts to gain unauthorized access to credentials, which can then be leveraged for lateral movement within a network. The scripts achieve this by interacting with the Local Security Authority (LSA) and accessing Kerberos authentication packages. The observed PowerShell scripts utilize specific Kerberos ticket message types or dynamic Kerberos package lookup to enumerate and retrieve tickets. This behavior is often associated with post-exploitation activity, where attackers are attempting to escalate privileges or move laterally within a compromised environment. Defenders should monitor PowerShell activity for these patterns, as successful Kerberos ticket dumping can lead to significant security breaches. The scripts are not associated with any specific campaign or version.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to a Windows system (e.g., through phishing or exploiting a vulnerability).</li>
<li>The attacker executes a PowerShell script.</li>
<li>The PowerShell script uses <code>LsaCallAuthenticationPackage</code> to interact with the LSA.</li>
<li>The script attempts to retrieve Kerberos tickets by using functions like <code>KerbRetrieveEncodedTicketMessage</code>, <code>KerbQueryTicketCacheMessage</code>, <code>KerbQueryTicketCacheExMessage</code>, or <code>KerbRetrieveTicketMessage</code>.</li>
<li>Alternatively, the script uses <code>LsaLookupAuthenticationPackage</code> to dynamically locate the Kerberos package.</li>
<li>The script may then decrypt the ticket data using <code>KerbDecryptDataMessage</code>.</li>
<li>The script may attempt to serialize or export the extracted tickets to a file.</li>
<li>The attacker uses the dumped Kerberos tickets to impersonate users or services, gaining unauthorized access to resources and facilitating lateral movement.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows attackers to steal Kerberos tickets from memory. The attacker can then use these tickets to impersonate legitimate users or services, enabling them to move laterally within the network, access sensitive data, and potentially compromise critical systems. The impact includes unauthorized access to resources, data breaches, and potentially a complete compromise of the targeted Windows domain.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable PowerShell Script Block Logging to capture the malicious script content (as mentioned in the &ldquo;Setup&rdquo; section).</li>
<li>Deploy the Sigma rule &ldquo;PowerShell Kerberos Ticket Dump&rdquo; to detect scripts exhibiting Kerberos ticket dumping behavior.</li>
<li>Investigate any alerts triggered by the Sigma rule, focusing on the reconstructed script block content and process lineage as outlined in the &ldquo;Triage and analysis&rdquo; section.</li>
<li>Monitor for file creation events related to ticket material exports (e.g., &ldquo;.kirbi&rdquo; files) to identify potential ticket dumping activity.</li>
<li>Review authentication events (event codes 4624, 4625, 4648) to identify suspicious logins originating from compromised systems.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>credential-access</category><category>kerberos</category><category>powershell</category><category>windows</category></item><item><title>Potential Kerberos Coercion via DNS-Based SPN Spoofing</title><link>https://feed.craftedsignal.io/briefs/2024-01-kerberos-coercion-dns/</link><pubDate>Fri, 26 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-kerberos-coercion-dns/</guid><description>Adversaries may abuse MicrosoftDNS records containing a base64-encoded blob to coerce victim systems into authenticating to attacker-controlled hosts while requesting Kerberos tickets for legitimate services, detected via directory-service access events.</description><content:encoded><![CDATA[<p>This detection identifies potential Kerberos coercion attempts via DNS-based SPN spoofing on Windows systems. The technique abuses MicrosoftDNS records, specifically looking for directory-service access or creation events (event codes 4662 and 5137) involving a MicrosoftDNS record that contains a base64-encoded blob matching the pattern &ldquo;UWhRCA&hellip;BAAAA&rdquo;. This blob pattern corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure, a known indicator of DNS-based SPN spoofing used in Kerberos coercion tradecraft. The goal is to detect adversaries coercing victim systems into authenticating to attacker-controlled hosts while requesting Kerberos tickets for legitimate services. This activity is typically observed within Windows Security Event Logs.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The adversary gains initial access to a system with privileges to modify DNS records in Active Directory.</li>
<li>The attacker creates a new MicrosoftDNS record or modifies an existing one.</li>
<li>Within the DNS record, specifically in the <code>AdditionalInfo</code> or <code>ObjectDN</code> attributes, the attacker inserts a base64-encoded blob matching the pattern &ldquo;UWhRCA&hellip;BAAAA&rdquo;. This blob contains a marshaled CREDENTIAL_TARGET_INFORMATION structure.</li>
<li>The attacker configures the DNS record to point to an attacker-controlled host. This involves manipulating the record&rsquo;s name and associated IP address.</li>
<li>The attacker triggers a victim system to resolve the manipulated DNS record, causing the victim to attempt Kerberos authentication with the attacker-controlled host, believing it to be a legitimate service.</li>
<li>The attacker intercepts the Kerberos authentication request.</li>
<li>The attacker relays the Kerberos ticket to a legitimate service, impersonating the victim system.</li>
<li>The attacker gains unauthorized access to the legitimate service using the relayed Kerberos ticket.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful Kerberos coercion can grant attackers unauthorized access to critical systems and services within the Active Directory domain. This may lead to privilege escalation, lateral movement, data exfiltration, and other malicious activities. The scope of impact depends on the permissions and access rights of the coerced victim system and the targeted services.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable &ldquo;Audit Directory Service Access&rdquo; and &ldquo;Audit Directory Service Changes&rdquo; Windows audit policies to ensure relevant events are logged (Setup section).</li>
<li>Deploy the Sigma rules provided in this brief to your SIEM to detect potential Kerberos coercion attempts via DNS-based SPN spoofing. Tune the rules based on your environment and known legitimate activity.</li>
<li>Investigate any alerts generated by the Sigma rules, focusing on the associated user accounts, systems, and modified DNS records (rule titles).</li>
<li>Restrict access to modify DNS records in Active Directory to only authorized personnel and systems to prevent unauthorized manipulation (Overview section).</li>
<li>Monitor Windows Security authentication events for any suspicious Kerberos activity following the modification of DNS records (Attack Chain steps 5-8).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>kerberos</category><category>coercion</category><category>dns</category><category>spn</category><category>spoofing</category><category>credential-access</category></item><item><title>Potential Kerberos Relay Attack via Coerced Authentication against a Computer Account</title><link>https://feed.craftedsignal.io/briefs/2024-01-kerberos-relay-via-coerced-auth/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-kerberos-relay-via-coerced-auth/</guid><description>Detects potential Kerberos relay attacks by identifying coercion attempts followed by authentication events using a target server's computer account, originating from a different host, indicating an attacker has captured and relayed Kerberos authentication material to execute code on behalf of the compromised system.</description><content:encoded><![CDATA[<p>This detection identifies potential Kerberos relay attacks targeting Windows systems. The attack involves coercing a target server to authenticate to an attacker-controlled system, which then relays the authentication to another service. The initial coercion leverages commonly abused named pipes like Spoolss, netdfs, and lsarpc. By capturing and relaying the Kerberos authentication, attackers can impersonate the target server and potentially execute code with elevated privileges. This activity is often associated with lateral movement and privilege escalation within a Windows domain. The detection focuses on the sequence of events, specifically a file access event (5145) against a named pipe, followed by a Kerberos authentication event (4624/4625) originating from a different IP address. Defenders should be aware that successful exploitation may lead to full domain compromise.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker compromises a machine within the target network.</li>
<li>Attacker initiates a coerced authentication attempt against a target server by calling an RPC interface over a named pipe such as Spoolss, netdfs, lsarpc, lsass, netlogon, samr, efsrpc, FssagentRpc, eventlog, winreg, srvsvc, dnsserver, dhcpserver or WinsPipe. The pipe open is logged on the target as Event ID 5145 (network share object access) against the IPC$ share, with the pipe name in the RelativeTargetName field.</li>
<li>The target server attempts to authenticate to the attacker-controlled machine.</li>
<li>The attacker relays the Kerberos authentication attempt to a service on another server, impersonating the target server.</li>
<li>A logon event (Event ID 4624 on success, 4625 on failure) is generated on the server that receives the relayed authentication, with logon type 3 (network) and authentication package Kerberos. The account name ends with &lsquo;$&rsquo;, signifying the target server&rsquo;s computer account.</li>
<li>The source IP address of the authentication event is different from the target server&rsquo;s IP address, indicating the authentication attempt originated from a different host.</li>
<li>If successful (Event ID 4624), the attacker gains unauthorized access to the service on the second server, impersonating the target server&rsquo;s computer account.</li>
<li>The attacker executes commands or performs actions on the compromised service, potentially leading to data exfiltration, system compromise, or further lateral movement.</li>
</ol>
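<p>The correlation the detection relies on, as an added worked example in Python (it is not the brief&rsquo;s Sigma rule or any vendor code): it scans flattened Windows Security events, remembers coercion-style 5145 pipe opens, and alerts when the coerced host&rsquo;s computer account later logs on with Kerberos from an address other than the host&rsquo;s own. The sample events, the attacker address 10.0.0.50 and the hostname-to-IP inventory are constructed for illustration.</p>

```python
"""Correlate authentication coercion with a relayed computer-account logon.

Added example: flattened Windows Security events (EVTX field names) are
scanned for a coercion-style 5145 named-pipe open, then for a later Kerberos
network logon by that host's computer account from an address that is not
the host's own. Sample events and the host inventory are constructed.
"""
from datetime import datetime, timedelta

# Named pipes commonly abused for authentication coercion (per the brief).
COERCION_PIPES = {
    "spoolss", "netdfs", "lsarpc", "lsass", "netlogon", "samr", "efsrpc",
    "fssagentrpc", "eventlog", "winreg", "srvsvc", "dnsserver", "dhcpserver",
    "winspipe",
}

# Constructed asset inventory (assumption): hostname -> its own IP address.
HOST_IPS = {"SERVER01": "10.0.0.11", "SERVER02": "10.0.0.12"}

# Constructed sample events; 10.0.0.50 plays the attacker host.
SAMPLE_EVENTS = [
    {"EventID": 5145, "Computer": "SERVER01", "TimeCreated": "2024-01-03T12:00:00",
     "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "spoolss",
     "IpAddress": "10.0.0.50", "SubjectUserName": "jdoe"},
    # SERVER01$ appears on SERVER02 from the attacker's address: relay.
    {"EventID": 4624, "Computer": "SERVER02", "TimeCreated": "2024-01-03T12:00:02",
     "TargetUserName": "SERVER01$", "LogonType": "3",
     "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.0.50"},
    # Benign: SERVER01$ authenticating from SERVER01 itself.
    {"EventID": 4624, "Computer": "SERVER02", "TimeCreated": "2024-01-03T12:05:00",
     "TargetUserName": "SERVER01$", "LogonType": "3",
     "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.0.11"},
    # Benign: pipe open with no follow-on foreign logon.
    {"EventID": 5145, "Computer": "SERVER02", "TimeCreated": "2024-01-03T12:10:00",
     "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "srvsvc",
     "IpAddress": "10.0.0.11", "SubjectUserName": "SERVER01$"},
]


def is_coercion(evt):
    """5145 against IPC$ where the relative target is a coercion-prone pipe."""
    return (evt["EventID"] == 5145
            and evt.get("ShareName", "").upper().endswith("IPC$")
            and evt.get("RelativeTargetName", "").lower() in COERCION_PIPES)


def is_machine_kerberos_logon(evt):
    """4624/4625, network logon, Kerberos package, account ending in '$'."""
    return (evt["EventID"] in (4624, 4625)
            and evt.get("LogonType") == "3"
            and evt.get("AuthenticationPackageName") == "Kerberos"
            and evt.get("TargetUserName", "").endswith("$"))


def correlate(events, host_ips=HOST_IPS, window=timedelta(minutes=5)):
    """Return one alert per (coercion, foreign computer-account logon) pair."""
    coercions = []  # (timestamp, event) for 5145 hits seen so far
    alerts = []
    for evt in sorted(events, key=lambda e: e["TimeCreated"]):
        ts = datetime.fromisoformat(evt["TimeCreated"])
        if is_coercion(evt):
            coercions.append((ts, evt))
            continue
        if not is_machine_kerberos_logon(evt):
            continue
        host = evt["TargetUserName"][:-1].upper()
        if evt.get("IpAddress") == host_ips.get(host):
            continue  # the account is used from its own host: expected
        for cts, c in coercions:
            if c["Computer"].upper() == host and timedelta(0) <= ts - cts <= window:
                alerts.append({
                    "coerced_host": host,
                    "pipe": c["RelativeTargetName"],
                    "coercion_source": c["IpAddress"],
                    "relay_source": evt["IpAddress"],
                    "relay_target": evt["Computer"],
                    "outcome": "success" if evt["EventID"] == 4624 else "failure",
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

<p>The inventory lookup is what separates a relay from the target server simply using its own account: a computer account seen from its own address is routine, from anywhere else within the window after a pipe open it is the signal. In a SIEM the same logic would use the asset database rather than a dictionary, and the window should be tuned to the environment&rsquo;s logging latency.</p>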
<h2 id="impact">Impact</h2>
<p>A successful Kerberos relay attack can lead to a full compromise of the targeted server, potentially allowing the attacker to execute arbitrary code with SYSTEM privileges. This can result in data exfiltration, service disruption, and further lateral movement within the network. The scope of the impact depends on the privileges of the compromised computer account and the services accessible to it. Organizations that do not properly patch CVE-2025-33073 or implement SMB signing/sealing/channel binding are at higher risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &ldquo;Potential Kerberos Relay Attack against a Computer Account&rdquo; to your SIEM to detect this activity and tune for your environment.</li>
<li>Investigate any alerts generated by the Sigma rule, focusing on the sequence of events and the source IP address involved.</li>
<li>Patch CVE-2025-33073 on all affected Windows servers to prevent reflective Kerberos relay attacks.</li>
<li>Enable SMB signing or service-specific signing/sealing/channel binding on affected service tiers to mitigate relay attacks.</li>
<li>Monitor Windows Security Event Logs for Event ID 5145 (file access) and Event IDs 4624/4625 (authentication attempts) for suspicious activity.</li>
<li>Restrict coercion-prone RPC and named-pipe exposure to limit the attack surface.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>kerberos</category><category>relay</category><category>credential_access</category><category>windows</category></item><item><title>Detects Kirbi File Creation</title><link>https://feed.craftedsignal.io/briefs/2024-01-kirbi-file-creation/</link><pubDate>Wed, 03 Jan 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-kirbi-file-creation/</guid><description>Detects the creation of .kirbi files, a suspicious Kerberos ticket artifact often produced by ticket export or dumping tools such as Rubeus or Mimikatz, indicating preparation for Kerberos ticket theft or Pass-The-Ticket (PTT) attacks.</description><content:encoded><![CDATA[<p>The creation of <code>.kirbi</code> files on Windows systems is a strong indicator of potential Kerberos ticket theft. These files are Kerberos ticket artifacts often associated with credential dumping and Pass-The-Ticket (PTT) attacks. Tools like Mimikatz and Rubeus are commonly used to export or dump Kerberos tickets, which are then saved as <code>.kirbi</code> files. Defenders should monitor the creation of these files, especially in unusual locations, and investigate the associated processes to determine if malicious activity is occurring. The rule provided is designed to detect these events across multiple data sources, providing a comprehensive approach to identifying this threat.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to a Windows system through various means, such as phishing or exploiting a vulnerability.</li>
<li>The attacker executes a Kerberos ticket dumping tool, such as Mimikatz or Rubeus.</li>
<li>The tool extracts Kerberos tickets from memory.</li>
<li>The extracted tickets are saved to a <code>.kirbi</code> file on the filesystem. This file is often created in a temporary or easily accessible location.</li>
<li>The attacker may rename or move the <code>.kirbi</code> file to evade detection or prepare it for later use.</li>
<li>The attacker uses the stolen Kerberos ticket to authenticate to other systems on the network (Pass-The-Ticket).</li>
<li>The attacker gains unauthorized access to sensitive resources or data.</li>
</ol>
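<p>Detection logic for steps 4 and 5 of this chain, as an added example in Python (not the brief&rsquo;s Sigma rule or any vendor code): it classifies Sysmon FileCreate (Event ID 11) records by the <code>.kirbi</code> extension and, where the created file&rsquo;s bytes are available, recognises the DER-encoded KRB-CRED structure a <code>.kirbi</code> carries, which still identifies a ticket file after it has been renamed. The sample events, paths, process names and the minimal KRB-CRED byte string are constructed for illustration and are not a real ticket.</p>

```python
"""Flag Kerberos ticket files written to disk.

Added example: scans Sysmon FileCreate (Event ID 11) records for .kirbi
files and, where the file's contents are available, recognises the
KRB-CRED structure a .kirbi carries even after the file has been renamed.
Sample events and file contents are constructed for illustration.
"""
import os

# Constructed stand-in for a ticket file: [APPLICATION 22] { SEQUENCE { [0] INTEGER 5 } }.
# Real exports are kilobytes long; only the framing matters for the check below.
MINIMAL_KRB_CRED = bytes.fromhex("76073005a003020105")


def parse_der_tlv(data):
    """Return (tag, length, value_offset) of the first TLV, or None if malformed."""
    if len(data) < 2:
        return None
    tag, first = data[0], data[1]
    if first < 0x80:                      # short-form length
        return tag, first, 2
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return tag, int.from_bytes(data[2:2 + n], "big"), 2 + n


def looks_like_krb_cred(content):
    """A .kirbi is a DER KRB-CRED: [APPLICATION 22] (tag 0x76) wrapping a SEQUENCE (0x30)."""
    outer = parse_der_tlv(content)
    if outer is None:
        return False
    tag, length, off = outer
    if tag != 0x76 or off + length != len(content):
        return False
    inner = parse_der_tlv(content[off:])
    return inner is not None and inner[0] == 0x30


def classify_file_create(evt, content=None):
    """Return a finding for a suspicious Sysmon Event ID 11 record, else None.

    content: the created file's bytes if the sensor captured them, else None.
    """
    path = evt.get("TargetFilename", "")
    reasons = []
    if os.path.splitext(path)[1].lower() == ".kirbi":
        reasons.append("kirbi extension")
    if content is not None and looks_like_krb_cred(content):
        reasons.append("KRB-CRED content")   # catches renamed ticket files
    if not reasons:
        return None
    return {"host": evt.get("Computer"), "image": evt.get("Image"),
            "user": evt.get("User"), "path": path, "reasons": reasons}


def scan(records):
    """records: iterable of (event, content-or-None); returns findings in order."""
    return [f for f in (classify_file_create(e, c) for e, c in records) if f]


# Constructed sample Sysmon Event ID 11 records paired with file contents.
SAMPLE_RECORDS = [
    ({"EventID": 11, "Computer": "WS01", "Image": "C:\\Tools\\Rubeus.exe",
      "User": "CORP\\jdoe", "TargetFilename": "C:\\Users\\Public\\ticket.kirbi"},
     MINIMAL_KRB_CRED),
    # Renamed after export: the extension is innocuous, the content is not.
    ({"EventID": 11, "Computer": "WS01", "Image": "C:\\Windows\\System32\\cmd.exe",
      "User": "CORP\\jdoe", "TargetFilename": "C:\\Temp\\notes.txt"},
     MINIMAL_KRB_CRED),
    # Benign document (zip container header).
    ({"EventID": 11, "Computer": "WS01", "Image": "C:\\Program Files\\Office\\WINWORD.EXE",
      "User": "CORP\\jdoe", "TargetFilename": "C:\\Users\\jdoe\\report.docx"},
     b"PK\x03\x04"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(finding)
```

<p>The extension match is cheap and is what the Sigma rule keys on; the content check is the complement for step 5 of the chain, where the file is renamed before use. Sysmon itself only records the path and creating process, so the content check needs an EDR or file-integrity sensor that can read the new file, and a tag-only match on the first byte should be treated as a lead to inspect the creating process rather than as proof on its own.</p>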
<h2 id="impact">Impact</h2>
<p>A successful Kerberos ticket theft can lead to significant damage, including unauthorized access to sensitive data, lateral movement across the network, and privilege escalation. Depending on the compromised account, an attacker can potentially gain control of critical systems and data. If a domain administrator account is compromised, the entire domain could be at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Kirbi File Creation</code> to your SIEM to detect the creation of <code>.kirbi</code> files.</li>
<li>Enable Sysmon FileCreate events (Event ID 11) to provide the necessary data for the <code>Kirbi File Creation</code> rule to function effectively.</li>
<li>Investigate any alerts generated by the <code>Kirbi File Creation</code> rule, focusing on the process that created the file, the location of the file, and any follow-on activity.</li>
<li>Consider blocking the execution of known Kerberos ticket dumping tools, such as Mimikatz and Rubeus.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>credential-access</category><category>kerberos</category><category>pass-the-ticket</category><category>mimikatz</category><category>rubeus</category></item></channel></rss>