Tag

Relay

3 briefs RSS

Service Creation via Local Kerberos Authentication Leading to Privilege Escalation

The rule detects a local successful logon event with Kerberos authentication from localhost, followed by service creation from the same LogonId, indicating a potential Kerberos relay attack for local privilege escalation to LocalSystem.

kerberos relay privilege-escalation windows service-creation

3r 1t May 12, 2026

critical advisory

Kerberos Authentication Relay via DNS CNAME Abuse (CVE-2026-20929)

2 rules 1 TTP 1 CVE

An attacker exploits CVE-2026-20929 by manipulating DNS responses to redirect Kerberos authentication to attacker-controlled AD CS, enabling certificate enrollment for persistent access.

kerberos relay adcs cve-2026-20929 credential-access

2r 1t 1c Mar 31, 2026

high advisory

Potential Kerberos Relay Attack via Coerced Authentication against a Computer Account

3 rules 1 TTP 1 CVE

Detects potential Kerberos relay attacks by identifying coercion attempts followed by authentication events using a target server's computer account, originating from a different host, indicating an attacker has captured and relayed Kerberos authentication material to execute code on behalf of the compromised system.

kerberos relay credential_access windows

3r 1t 1c Jan 3, 2024