<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Relay — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/relay/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 31 Mar 2026 17:49:30 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/relay/feed.xml" rel="self" type="application/rss+xml"/><item><title>Kerberos Authentication Relay via DNS CNAME Abuse (CVE-2026-20929)</title><link>https://feed.craftedsignal.io/briefs/2026-04-kerberos-relay-cname/</link><pubDate>Tue, 31 Mar 2026 17:49:30 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-kerberos-relay-cname/</guid><description>An attacker exploits CVE-2026-20929 by manipulating DNS responses so that a client's Kerberos authentication lands on an attacker-controlled host, which relays it to AD CS web enrollment and obtains a certificate for the victim for persistent access.</description><content:encoded><![CDATA[<p>CVE-2026-20929, patched in January 2026, allows an attacker to relay Kerberos authentication by abusing DNS CNAME records. The attacker manipulates DNS resolution so that a client connecting to one hostname receives a CNAME aliasing it to the Active Directory Certificate Services (AD CS) host and an A record that points that name at the attacker&rsquo;s machine. The client then requests a Kerberos service ticket for the CA&rsquo;s HTTP SPN and presents it to the attacker, who relays it to the AD CS web enrollment endpoint (/certsrv) and enrolls a certificate as the victim user. That certificate gives the attacker persistent access to the domain. The vulnerability has a CVSS score of 7.5. The attack is a Kerberos-based variant of ESC8, which traditionally relies on NTLM relay; because it uses Kerberos, it works in environments where NTLM has been disabled.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The victim attempts to access a web server (e.g., web01.test.local).</li>
<li>A DNS query is initiated to resolve the hostname of the target web server.</li>
<li>The attacker intercepts the DNS query and answers with a crafted response: a CNAME record aliasing the requested name (web01.test.local) to the legitimate AD CS host&rsquo;s name (e.g., CA01.test.local), plus an A record that resolves CA01.test.local to the attacker&rsquo;s IP address. The client now believes CA01.test.local is the canonical name of the server it wanted.</li>
<li>The victim&rsquo;s system accesses the attacker-controlled web server.</li>
<li>The malicious web server answers with HTTP 401 and a <code>WWW-Authenticate: Negotiate</code> header, prompting the client to authenticate with Kerberos.</li>
<li>The victim requests a Kerberos service ticket for HTTP/CA01.test.local from the domain controller.</li>
<li>The domain controller issues a service ticket for the requested SPN.</li>
<li>The client sends its AP-REQ (service ticket plus authenticator) to the attacker&rsquo;s server, which forwards it unchanged to the AD CS web enrollment endpoint (/certsrv) and requests a certificate for the victim user, thereby achieving persistent access.</li>
</ol>
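<p>The DNS step is the pivot of the chain: the client asks the KDC for a ticket to whatever name the answer tells it is canonical. The script below is an added example, not code from the brief or from any vendor. It builds the crafted answer (CNAME web01.test.local to CA01.test.local, plus an A record for CA01.test.local pointing at an assumed attacker address, 10.0.0.66), parses it as a resolver would, follows the CNAME chain, and shows which SPN a client ends up requesting depending on whether it derives the SPN from the canonical name (the behaviour the attack relies on) or from the name it set out to reach. The <code>cname_mismatch</code> check and its inventory dictionary are likewise assumptions for illustration.</p>

```python
"""Model of the DNS half of the CVE-2026-20929 chain: a crafted answer
aliases the requested host to the CA's name and points that name at the
attacker, so a client that builds its SPN from the canonical name asks
the KDC for a ticket to the CA rather than to the server it wanted.
Added example; hostnames, addresses and the 'canonicalize' switch are
assumptions for illustration, not code from the brief."""
import struct

RTYPE_A, RTYPE_CNAME = 1, 5


def encode_name(name):
    """DNS wire format: length-prefixed labels, terminated by a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(msg, off):
    """Read a name at offset, following compression pointers (0xC0xx)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            if not jumped:
                end = off + 2          # caller resumes after the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def build_response(qname, answers, txid=0x1234):
    """Standard response to an A query; answers = [(owner, rtype, rdata)]."""
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    msg = hdr + encode_name(qname) + struct.pack("!HH", RTYPE_A, 1)
    for owner, rtype, rdata in answers:
        # Real servers compress repeated owner names; 0xC00C points at the question name.
        owner_bytes = b"\xc0\x0c" if owner.lower() == qname.lower() else encode_name(owner)
        msg += owner_bytes + struct.pack("!HHIH", rtype, 1, 60, len(rdata)) + rdata
    return msg


def parse_response(msg):
    """Return answer records as (owner, 'A'|'CNAME', value) tuples."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4                        # QTYPE + QCLASS
    records = []
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == RTYPE_CNAME:
            records.append((owner, "CNAME", decode_name(msg, off - rdlen)[0]))
        elif rtype == RTYPE_A:
            records.append((owner, "A", ".".join(str(b) for b in rdata)))
    return records


def resolve(records, qname, max_hops=8):
    """Follow the CNAME chain like a stub resolver; return (canonical name, IP)."""
    name = qname
    for _ in range(max_hops):
        target = next((v for o, t, v in records
                       if t == "CNAME" and o.lower() == name.lower()), None)
        if target is None:
            break
        name = target
    ip = next((v for o, t, v in records
               if t == "A" and o.lower() == name.lower()), None)
    return name, ip


def spn_for(requested, canonical, canonicalize):
    """SPN the client asks the KDC for: built from the canonical name (what the
    attack needs: a ticket the real CA accepts) or from the requested name."""
    return "HTTP/" + (canonical if canonicalize else requested)


def cname_mismatch(records, qname, inventory):
    """Defensive check (inventory is an assumed name->IP map): the answer
    aliases qname to a host we know, but serves a different address for it."""
    canonical, ip = resolve(records, qname)
    return (canonical.lower() != qname.lower()
            and inventory.get(canonical.lower()) not in (None, ip))


# Constructed attacker answer (assumed addresses): web01 -> CNAME CA01,
# and CA01 -> A 10.0.0.66, the attacker's relay host.
CRAFTED = build_response("web01.test.local", [
    ("web01.test.local", RTYPE_CNAME, encode_name("CA01.test.local")),
    ("CA01.test.local", RTYPE_A, bytes([10, 0, 0, 66])),
])

if __name__ == "__main__":
    recs = parse_response(CRAFTED)
    canonical, ip = resolve(recs, "web01.test.local")
    print("client connects to", ip, "believing it is", canonical)
    for mode in (True, False):
        print("canonicalize=%s -> ticket for %s" % (mode, spn_for("web01.test.local", canonical, mode)))
```

<p>Run stand-alone it prints the two SPNs side by side: with canonicalisation the client requests HTTP/CA01.test.local, a ticket the real CA will accept when relayed; without it the client requests HTTP/web01.test.local, which is useless at /certsrv. The <code>cname_mismatch</code> check is the kind of DNS-side signal a resolver log or passive DNS sensor can raise: an answer that aliases an ordinary name to a CA hostname while handing out an address the inventory does not associate with that CA.</p>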
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-20929 allows an attacker to enroll certificates on behalf of domain users, granting persistent access to the network. Certificates are often valid for extended periods (1+ years), survive password resets, and are monitored far less closely than password-based authentication. The attack bypasses controls that disable NTLM, and because a Channel Binding Token needs a TLS channel to bind to, web enrollment served over plain HTTP cannot be protected by CBT at all, which makes the AD CS web enrollment endpoint an attractive relay target. Exposure is bounded by the number of AD CS deployments that still accept authentication to /certsrv over HTTP.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the January 2026 update that addresses CVE-2026-20929 on domain-joined clients and servers.</li>
<li>Monitor for certificate-based authentication by a user shortly after an unusual AD CS web enrollment request for that same user, correlated within a short time window; a correlation-based detection of this kind is what CrowdStrike has published for this CVE.</li>
<li>Disable web enrollment over HTTP and require HTTPS so that Channel Binding Token (CBT) protection can apply; on the IIS site that hosts /certsrv, set Extended Protection for Authentication to Required, which is what makes CBT enforced rather than optional.</li>
<li>Deploy the Sigma rules that accompany this brief to your SIEM and tune them for your environment to detect exploitation attempts.</li>
<li>Review and harden AD CS configurations based on the recommendations in the &ldquo;Certified Pre-Owned&rdquo; research to reduce the attack surface, in particular the ESC8 guidance on web enrollment.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>kerberos</category><category>relay</category><category>adcs</category><category>cve-2026-20929</category><category>credential-access</category></item><item><title>Potential Kerberos Relay Attack via Coerced Authentication against a Computer Account</title><link>https://feed.craftedsignal.io/briefs/2024-01-kerberos-relay-via-coerced-auth/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-kerberos-relay-via-coerced-auth/</guid><description>Detects potential Kerberos relay attacks by identifying coercion attempts followed by authentication events using a target server's computer account, originating from a different host, indicating an attacker has captured and relayed Kerberos authentication material to execute code on behalf of the compromised system.</description><content:encoded><![CDATA[<p>This detection identifies potential Kerberos relay attacks targeting Windows systems. The attack involves coercing a target server to authenticate to an attacker-controlled system, which then relays the authentication to another service. The initial coercion leverages commonly abused named pipes like Spoolss, netdfs, and lsarpc. By capturing and relaying the Kerberos authentication, attackers can impersonate the target server and potentially execute code with elevated privileges. This activity is often associated with lateral movement and privilege escalation within a Windows domain. The detection focuses on the sequence of events, specifically a file access event (5145) against a named pipe, followed by a Kerberos authentication event (4624/4625) originating from a different IP address. Defenders should be aware that successful exploitation may lead to full domain compromise.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker compromises a machine within the target network.</li>
<li>Attacker initiates a coerced authentication attempt against a target server, triggering a file access event (Event ID 5145) on the target. This leverages a named pipe such as Spoolss, netdfs, lsarpc, lsass, netlogon, samr, efsrpc, FssagentRpc, eventlog, winreg, srvsvc, dnsserver, dhcpserver or WinsPipe.</li>
<li>The target server attempts to authenticate to the attacker-controlled machine.</li>
<li>The attacker relays the Kerberos authentication attempt to a service on another server, impersonating the target server.</li>
<li>A Kerberos authentication event (Event ID 4624 or 4625) is generated on the second server: a network logon (LogonType 3) with AuthenticationPackageName Kerberos. The account used ends with &lsquo;$&rsquo;, signifying a computer account.</li>
<li>The source IP address of the authentication event is different from the target server&rsquo;s IP address, indicating the authentication attempt originated from a different host.</li>
<li>If successful (Event ID 4624), the attacker gains unauthorized access to the service on the second server, impersonating the target server&rsquo;s computer account.</li>
<li>The attacker executes commands or performs actions on the compromised service, potentially leading to data exfiltration, system compromise, or further lateral movement.</li>
</ol>
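<p>The detection this brief describes is a two-event sequence, and the useful part is the join: a 5145 against a coercion-prone pipe on server T, then within a short window a Kerberos network logon as T$ from an address that is not T&rsquo;s own. The script below is an added example, not the brief&rsquo;s Sigma rule or any vendor&rsquo;s code. It runs that logic over constructed log lines (Security events flattened to <code>key=value</code> the way a SIEM export might look); the hostnames, addresses, the asset-inventory map and the ten-minute window are all assumptions.</p>

```python
"""Correlate a coercion trigger with a follow-on computer-account logon:
Event ID 5145 against a coercion-prone named pipe on server T, then within
a short window a Kerberos network logon (4624/4625) as T$ from an address
that is not T's own. Added example; the log lines, hosts and addresses are
constructed, not real telemetry."""
from datetime import datetime, timedelta

COERCION_PIPES = {
    "spoolss", "netdfs", "lsarpc", "lsass", "netlogon", "samr", "efsrpc",
    "fssagentrpc", "eventlog", "winreg", "srvsvc", "dnsserver", "dhcpserver",
    "winspipe",
}

# Assumption: asset inventory of each server's own address. A logon as
# FILE01$ is expected from 10.0.0.10; from anywhere else it was relayed.
HOST_IPS = {"FILE01": "10.0.0.10", "FILE02": "10.0.0.12"}

# Constructed sample lines (not real telemetry): Security events flattened
# to "timestamp key=value ..." the way a SIEM export might look.
SAMPLE_LOGS = r"""
2024-01-03T12:00:00Z EventID=5145 Computer=FILE01 IpAddress=10.0.0.50 ShareName=\\*\IPC$ RelativeTargetName=spoolss
2024-01-03T12:00:03Z EventID=4624 Computer=APP01 IpAddress=10.0.0.50 TargetUserName=FILE01$ LogonType=3 AuthenticationPackageName=Kerberos
2024-01-03T12:00:04Z EventID=4624 Computer=DC01 IpAddress=10.0.0.10 TargetUserName=FILE01$ LogonType=3 AuthenticationPackageName=Kerberos
2024-01-03T13:00:00Z EventID=4624 Computer=APP01 IpAddress=10.0.0.50 TargetUserName=FILE01$ LogonType=3 AuthenticationPackageName=Kerberos
2024-01-03T14:00:00Z EventID=5145 Computer=FILE02 IpAddress=10.0.0.99 ShareName=\\*\IPC$ RelativeTargetName=winreg
2024-01-03T14:00:05Z EventID=4624 Computer=DC01 IpAddress=10.0.0.12 TargetUserName=FILE02$ LogonType=3 AuthenticationPackageName=Kerberos
""".strip().splitlines()


def parse_line(line):
    """'2024-01-03T12:00:00Z k=v k=v' -> dict with a parsed 'ts' field."""
    ts, *fields = line.split()
    ev = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        ev[key] = value
    return ev


def is_coercion(ev):
    """5145 on the IPC$ share naming one of the coercion-prone pipes."""
    return (ev.get("EventID") == "5145"
            and ev.get("ShareName", "").upper().endswith("IPC$")
            and ev.get("RelativeTargetName", "").lower() in COERCION_PIPES)


def correlate(lines, window=timedelta(minutes=10)):
    """Return one finding per (coercion, relayed computer-account logon) pair."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e["ts"])
    logons = [e for e in events if e.get("EventID") in ("4624", "4625")
              and e.get("AuthenticationPackageName") == "Kerberos"
              and e.get("LogonType") == "3"
              and e.get("TargetUserName", "").endswith("$")]
    findings = []
    for c in filter(is_coercion, events):
        server = c["Computer"]
        for e in logons:
            if e["TargetUserName"].upper() != server.upper() + "$":
                continue
            if e["IpAddress"] == HOST_IPS.get(server):
                continue            # the server authenticating as itself
            delta = e["ts"] - c["ts"]
            if not timedelta(0) <= delta <= window:
                continue
            findings.append({
                "server": server, "pipe": c["RelativeTargetName"],
                "coercion_ip": c["IpAddress"],
                "logon_host": e["Computer"], "logon_ip": e["IpAddress"],
                "event_id": e["EventID"],
                "seconds_after_coercion": int(delta.total_seconds()),
                # strongest signal: the relaying host is the coercing host
                "same_source_as_coercion": e["IpAddress"] == c["IpAddress"],
            })
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_LOGS):
        print(finding)
```

<p>On the sample lines only the FILE01 pair fires: the 5145 from 10.0.0.50 against spoolss is followed three seconds later by a FILE01$ Kerberos logon on APP01 from that same 10.0.0.50. The FILE01$ logon from 10.0.0.10 is the server acting as itself, the one an hour later falls outside the window, and the FILE02 winreg access from an admin host is followed only by FILE02 authenticating from its own address. The <code>same_source_as_coercion</code> flag is worth surfacing in the alert: a coercing host that then shows up as the logon source is a much stronger indicator than a mere address mismatch, which load balancers and multi-homed servers can also produce.</p>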
<h2 id="impact">Impact</h2>
<p>A successful Kerberos relay attack can lead to a full compromise of the targeted server, potentially allowing the attacker to execute arbitrary code with SYSTEM privileges. This can result in data exfiltration, service disruption, and further lateral movement within the network. The scope of the impact depends on the privileges of the compromised computer account and the services accessible to it. Organizations that do not properly patch CVE-2025-33073 or implement SMB signing/sealing/channel binding are at higher risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &ldquo;Potential Kerberos Relay Attack against a Computer Account&rdquo; to your SIEM to detect this activity and tune for your environment.</li>
<li>Investigate any alerts generated by the Sigma rule, focusing on the sequence of events and the source IP address involved.</li>
<li>Patch CVE-2025-33073 on all affected Windows servers to prevent reflective Kerberos relay attacks.</li>
<li>Require SMB signing, and on other service tiers a relayed computer-account logon could reach, the equivalent protection (LDAP signing and channel binding, Extended Protection for Authentication on HTTP endpoints), so that a relayed authentication cannot be used against them.</li>
<li>Monitor Windows Security Event Logs for Event ID 5145 (file access) and Event IDs 4624/4625 (authentication attempts) for suspicious activity.</li>
<li>Restrict coercion-prone RPC and named-pipe exposure to limit the attack surface.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>kerberos</category><category>relay</category><category>credential_access</category><category>windows</category></item></channel></rss>