{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/relay/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-20929"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["kerberos","relay","adcs","cve-2026-20929","credential-access"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-20929, a vulnerability patched in January 2026, allows attackers to perform Kerberos authentication relay attacks by abusing DNS CNAME records. The attack involves manipulating DNS resolution to redirect a client\u0026rsquo;s Kerberos authentication request to an attacker-controlled server. This server then relays the authentication to Active Directory Certificate Services (AD CS) to enroll certificates on behalf of the victim user. This technique allows the attacker to gain persistent access to the domain. The vulnerability has a CVSS score of 7.5. This attack is a Kerberos-based variant of the ESC8 attack, which traditionally relies on NTLM relay. By exploiting Kerberos, the attack can bypass environments where NTLM has been disabled. The primary target is the AD CS web enrollment endpoint (/certsrv).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe victim attempts to access a web server (e.g., web01.test.local).\u003c/li\u003e\n\u003cli\u003eA DNS query is initiated to resolve the hostname of the target web server.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts the DNS query and responds with a crafted DNS response containing a CNAME record that redirects the original hostname (web01.test.local) to an attacker-controlled target (e.g., CA01.test.local), along with an A record pointing to the attacker\u0026rsquo;s IP address.\u003c/li\u003e\n\u003cli\u003eThe victim\u0026rsquo;s system accesses the attacker-controlled web server.\u003c/li\u003e\n\u003cli\u003eThe malicious web server sends a 401 HTTP response to initiate Kerberos authentication.\u003c/li\u003e\n\u003cli\u003eThe victim requests a Kerberos service ticket for HTTP/CA01.test.local from the domain controller.\u003c/li\u003e\n\u003cli\u003eThe domain controller issues a service ticket for the requested SPN.\u003c/li\u003e\n\u003cli\u003eThe attacker relays the Kerberos ticket to the AD CS web enrollment endpoint (/certsrv) to request a certificate for the victim user, thereby achieving persistent access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-20929 allows an attacker to enroll certificates on behalf of domain users, granting them persistent access to the network. Certificates are often valid for extended periods (1+ years) and are less frequently monitored than password-based authentication. This attack can bypass controls that disable NTLM authentication, and web enrollment over HTTP prevents Channel Binding Token (CBT) protection, making AD CS web enrollment an attractive relay target. The number of potential victims depends on the number of vulnerable AD CS deployments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor for anomalous certificate-based authentication events combined with unusual AD CS service access within a short time window, as highlighted in the \u0026ldquo;CrowdStrike has developed a correlation-based detection\u0026rdquo; statement in the overview.\u003c/li\u003e\n\u003cli\u003eDisable web enrollment over HTTP to enforce Channel Binding Token (CBT) protection, mitigating the risk of successful relay attacks, as mentioned in the \u0026ldquo;Why AD CS Web Enrollment Is an Attractive Relay Target\u0026rdquo; section.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eReview and harden AD CS configurations based on recommendations from \u0026ldquo;Certified Pre-Owned\u0026rdquo; research to reduce the attack surface.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-31T17:49:30Z","date_published":"2026-03-31T17:49:30Z","id":"/briefs/2026-04-kerberos-relay-cname/","summary":"An attacker exploits CVE-2026-20929 by manipulating DNS responses to redirect Kerberos authentication to attacker-controlled AD CS, enabling certificate enrollment for persistent access.","title":"Kerberos Authentication Relay via DNS CNAME Abuse (CVE-2026-20929)","url":"https://feed.craftedsignal.io/briefs/2026-04-kerberos-relay-cname/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2025-33073"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["kerberos","relay","credential_access","windows"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis detection identifies potential Kerberos relay attacks targeting Windows systems. The attack involves coercing a target server to authenticate to an attacker-controlled system, which then relays the authentication to another service. The initial coercion leverages commonly abused named pipes like Spoolss, netdfs, and lsarpc. By capturing and relaying the Kerberos authentication, attackers can impersonate the target server and potentially execute code with elevated privileges. This activity is often associated with lateral movement and privilege escalation within a Windows domain. The detection focuses on the sequence of events, specifically a file access event (5145) against a named pipe, followed by a Kerberos authentication event (4624/4625) originating from a different IP address. Defenders should be aware that successful exploitation may lead to full domain compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker compromises a machine within the target network.\u003c/li\u003e\n\u003cli\u003eAttacker initiates a coerced authentication attempt against a target server, triggering a file access event (Event ID 5145) on the target. This leverages a named pipe such as Spoolss, netdfs, lsarpc, lsass, netlogon, samr, efsrpc, FssagentRpc, eventlog, winreg, srvsvc, dnsserver, dhcpserver or WinsPipe.\u003c/li\u003e\n\u003cli\u003eThe target server attempts to authenticate to the attacker-controlled machine.\u003c/li\u003e\n\u003cli\u003eThe attacker relays the Kerberos authentication attempt to a service on another server, impersonating the target server.\u003c/li\u003e\n\u003cli\u003eA Kerberos authentication event (Event ID 4624 or 4625) is generated, indicating a network logon attempt using Kerberos. The account used ends with \u0026lsquo;$\u0026rsquo;, signifying a computer account.\u003c/li\u003e\n\u003cli\u003eThe source IP address of the authentication event is different from the target server\u0026rsquo;s IP address, indicating the authentication attempt originated from a different host.\u003c/li\u003e\n\u003cli\u003eIf successful (Event ID 4624), the attacker gains unauthorized access to the service on the second server, impersonating the target server\u0026rsquo;s computer account.\u003c/li\u003e\n\u003cli\u003eThe attacker executes commands or performs actions on the compromised service, potentially leading to data exfiltration, system compromise, or further lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful Kerberos relay attack can lead to a full compromise of the targeted server, potentially allowing the attacker to execute arbitrary code with SYSTEM privileges. This can result in data exfiltration, service disruption, and further lateral movement within the network. The scope of the impact depends on the privileges of the compromised computer account and the services accessible to it. Organizations that do not properly patch CVE-2025-33073 or implement SMB signing/sealing/channel binding are at higher risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential Kerberos Relay Attack against a Computer Account\u0026rdquo; to your SIEM to detect this activity and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the sequence of events and the source IP address involved.\u003c/li\u003e\n\u003cli\u003ePatch CVE-2025-33073 on all affected Windows servers to prevent reflective Kerberos relay attacks.\u003c/li\u003e\n\u003cli\u003eEnable SMB signing or service-specific signing/sealing/channel binding on affected service tiers to mitigate relay attacks.\u003c/li\u003e\n\u003cli\u003eMonitor Windows Security Event Logs for Event ID 5145 (file access) and Event IDs 4624/4625 (authentication attempts) for suspicious activity.\u003c/li\u003e\n\u003cli\u003eRestrict coercion-prone RPC and named-pipe exposure to limit the attack surface.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-kerberos-relay-via-coerced-auth/","summary":"Detects potential Kerberos relay attacks by identifying coercion attempts followed by authentication events using a target server's computer account, originating from a different host, indicating an attacker has captured and relayed Kerberos authentication material to execute code on behalf of the compromised system.","title":"Potential Kerberos Relay Attack via Coerced Authentication against a Computer Account","url":"https://feed.craftedsignal.io/briefs/2024-01-kerberos-relay-via-coerced-auth/"}],"language":"en","title":"CraftedSignal Threat Feed — Relay","version":"https://jsonfeed.org/version/1.1"}