Detecting CVE-2026-20929: Kerberos Authentication Relay via CNAME Abuse
CrowdStrike
March 31, 2026
Yan Linkov | Next-Gen Identity Security, Next-Gen SIEM & Log Management
CVE-2026-20929, a vulnerability with a CVSS of 7.5 that was patched in the January 2026 Patch Tuesday update, enables attackers to exploit Kerberos authentication relay through DNS CNAME record abuse. This blog focuses on detecting one particularly impactful attack vector: relaying authentication to Active Directory Certificate Services (AD CS) to enroll certificates for user accounts, as detailed in recent research.
CrowdStrike has developed a correlation-based detection that identifies this specific attack pattern by monitoring for anomalous certificate-based authentication combined with unusual AD CS service access within a short time window.
Related Research and Context
CVE-2026-20929 represents a sophisticated attack vector that exploits the interaction between DNS CNAME records and Kerberos Service Principal Name (SPN) resolution. While this vulnerability can be exploited against various services, this blog focuses on one particularly dangerous attack vector: relaying Kerberos authentication to AD CS servers to enroll certificates for user accounts, providing persistent access that can last months or years.
Understanding CVE-2026-20929 requires context from prior Kerberos relay research:
Kerberos Relay Fundamentals: In 2021, a security researcher demonstrated that Kerberos authentication can be relayed if an attacker can control the SPN used by a client. This research explored multiple techniques for influencing SPN selection across various protocols, challenging the assumption that Kerberos was inherently relay-proof.
DNS-Based Kerberos Relay: In 2022, a security researcher demonstrated practical Kerberos relay techniques using mitm6 to relay DNS authentication to AD CS endpoints. His work showed how DHCPv6 spoofing combined with DNS manipulation could enable Kerberos relay attacks and resulted in the krbrelayx tool.
AD CS Attack Vectors: The SpecterOps research team's "Certified Pre-Owned" work documented AD CS exploitation techniques, including ESC8 (relay to AD CS HTTP endpoints), establishing the foundation for understanding certificate-based attacks in Active Directory.
Understanding ESC8: NTLM Relay to AD CS HTTP Endpoints
Before diving into the Kerberos variant, it's important to understand the foundational attack: ESC8, documented in the SpecterOps "Certified Pre-Owned" research.
ESC8 Attack Overview
AD CS provides a web-based enrollment interface (accessible via the /certsrv endpoint) that allows users and computers to request certificates through a browser. This "Certification Authority Web Enrollment" component accepts both NTLM and Kerberos authentication. The ESC8 attack exploits this interface through NTLM relay:
1. The attacker coerces a victim (often a machine account or privileged user) to authenticate to an attacker-controlled server
2. The attacker relays the NTLM authentication to the AD CS web enrollment endpoint (/certsrv)
3. AD CS accepts the relayed authentication and issues a certificate in the victim's name
4. The attacker uses the certificate for persistent authentication as the victim
CVE-2026-20929 (Kerberos-Based ESC8)
Uses Kerberos relay instead of NTLM
Exploits CNAME-based SPN manipulation to control which service ticket the client requests
Enables relay even in environments that have disabled NTLM
Targets the same AD CS web enrollment endpoint (/certsrv)
How Channel Binding Token (CBT) Protection Works
A channel binding token is derived from the server's TLS certificate
This token is cryptographically bound to the authentication
The server verifies the authentication came through its specific TLS channel
If an attacker relays authentication to a different server (with a different certificate), the channel binding won't match and authentication fails
Why AD CS Web Enrollment Is an Attractive Relay Target
AD CS web enrollment represents a particularly attractive target for Kerberos relay attacks for several reasons:
Many organizations still deploy web enrollment over plain HTTP for internal use; without a TLS channel there is no server certificate to derive a channel binding token from, so CBT protection cannot apply
Certificates provide persistent authentication (typically valid for 1+ years)
Certificates are often less monitored than password-based authentication
Vulnerability Technical Analysis
CVE-2026-20929 exploits how Kerberos handles Service Principal Names during the DNS resolution process that precedes authentication.
DNS Manipulation Mechanism
Before a client can authenticate to a service, it must resolve the service hostname to an IP address via DNS. Attackers can manipulate this resolution step by crafting DNS responses that contain both:
A CNAME record redirecting the requested hostname to a different target
An A record in the same response providing the IP address for that target
Attack Flow
1. The victim tries to access a web server (web01.test.local)
2. A DNS query is sent to resolve web01.test.local
3. The attacker intercepts the request and responds with a CNAME pointing to CA01.test.local and an A record for that name that points to the attacker-controlled IP address
4. The victim connects to the attacker-controlled web server
5. The malicious web server replies with a 401 and requests Kerberos authentication
6. The victim requests a service ticket for HTTP/CA01.test.local from the DC
7. The DC responds with the service ticket
8. The victim sends the HTTP/CA01.test.local service ticket to the malicious server
9. The attacker uses the TGS to authenticate to the AD CS server and enroll a certificate for the victim
Figure 1. Flow of the CVE-2026-20929 vulnerability
Impact Details
This combined DNS response causes the client to automatically request a Kerberos service ticket for the attacker-specified hostname while connecting to the attacker-controlled IP address. The client is unaware that the SPN in its Kerberos ticket doesn't match the actual service it's connecting to.
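The CNAME + A pattern above can be checked on the defender's side from parsed DNS responses. The following is an added example, not code from the CrowdStrike post: it derives the SPN a client would end up requesting after following the CNAME chain and flags a response whose bundled A record does not match the address the organization knows for that canonical host. The DnsRecord type, the EXPECTED_ADDRESSES inventory and the sample response are all constructed for illustration.

```python
# Added example (not from the CrowdStrike post): checks a parsed DNS response
# for the CNAME + A pattern behind CVE-2026-20929 against an asset inventory.
from dataclasses import dataclass

@dataclass(frozen=True)
class DnsRecord:
    name: str    # owner name, as seen in the response
    rtype: str   # "CNAME" or "A"
    value: str   # CNAME target or IPv4 address

# Constructed inventory: canonical hostname -> address it is expected to have.
EXPECTED_ADDRESSES = {
    "ca01.test.local": "10.0.0.10",
    "web01.test.local": "10.0.0.20",
}

def kerberos_spn_for(queried_host: str, records: list, service: str = "HTTP") -> str:
    """Return the SPN a client would request after following CNAMEs in the response."""
    name = queried_host.lower().rstrip(".")
    cnames = {r.name.lower().rstrip("."): r.value.lower().rstrip(".")
              for r in records if r.rtype == "CNAME"}
    seen = set()
    while name in cnames and name not in seen:   # follow the chain, guard against loops
        seen.add(name)
        name = cnames[name]
    return f"{service}/{name}"

def check_response(queried_host: str, records: list) -> list:
    """Flag a response that redirects via CNAME to an address not known for the target."""
    findings = []
    spn = kerberos_spn_for(queried_host, records)
    canonical = spn.split("/", 1)[1]
    if canonical == queried_host.lower().rstrip("."):
        return findings   # no CNAME redirection in this response; nothing to flag
    answers = [r.value for r in records
               if r.rtype == "A" and r.name.lower().rstrip(".") == canonical]
    expected = EXPECTED_ADDRESSES.get(canonical)
    for ip in answers:
        if expected is None:
            findings.append(f"{queried_host} -> {canonical} (SPN {spn}) at unknown host {ip}")
        elif ip != expected:
            findings.append(f"{queried_host} -> {canonical} (SPN {spn}) at {ip}, expected {expected}")
    return findings

# Constructed response mirroring the post's attack flow: web01 is redirected to
# CA01 and the bundled A record points at an address CA01 does not own.
SUSPICIOUS_RESPONSE = [
    DnsRecord("web01.test.local", "CNAME", "CA01.test.local"),
    DnsRecord("CA01.test.local", "A", "10.0.0.66"),
]
```

Running check_response("web01.test.local", SUSPICIOUS_RESPONSE) yields one finding naming SPN HTTP/ca01.test.local at 10.0.0.66 instead of the inventoried 10.0.0.10; a response whose A record matches the inventory, or one with no CNAME at all, yields none.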
CrowdStrike Detection Approach
Detection Strategy Overview
CrowdStrike's detection leverages the CrowdStrike Falcon® platform's unique identity protection capabilities, which provide deep visibility into authentication traffic across the enterprise. Unlike traditional security solutions that rely on endpoint or network logs alone, CrowdStrike Falcon® Next-Gen Identity Security performs real-time inspection of authentication protocols including Kerberos, NTLM, and LDAP traffic.
Falcon Next-Gen Identity Security provides comprehensive authentication traffic visibility through:
Real-time protocol inspection: Deep inspection of Kerberos, NTLM, and LDAP authentication flows as they occur
Built-in behavioral detections: Pre-configured detections that identify anomalous authentication patterns, including the two informational detections used in this correlation
Raw traffic forwarding to Falcon Next-Gen SIEM (powered by Falcon LogScale): All authentication traffic is sent to Falcon Next-Gen SIEM, enabling security teams to create custom hunting queries and detection logic tailored to their environment
This multi-layered approach enables both automated detection through correlation logic and proactive threat hunting through raw authentication data analysis.
This detection uses behavioral correlation to identify the complete attack chain rather than relying on individual indicators. This approach provides high-confidence detection while minimizing false positives by focusing on the temporal relationship between authentication relay and certificate usage.
Individual Detection Components
Detection 1: Anomalous Certificate-Based Authentication
This detection identifies unusual patterns in certificate authentication like:
A user authenticates with a certificate from an endpoint or IP address they haven't used for certificate authentication before.
Figure 2. Detection fired for “Anomalous certificate-based authentication”
Detection 2: Unusual Service Access to an Endpoint
This detection monitors for abnormal service access patterns like:
A user unexpectedly requests a Kerberos service ticket to a target.
Figure 3. Detection fired for “Unusual service access to an endpoint”
Correlation Logic
The alert triggers when both detections occur within a short time window and the service access targets an AD CS service:
Alert conditions:
Anomalous certificate-based authentication detected
Unusual service access to AD CS endpoint detected
Both events involve the same user account
Events occur within a short time window
To implement this detection capability, customers must manually enable the CRT (correlation rule template) through the Falcon Next-Gen SIEM platform by navigating to NGS → Monitor and investigate → Rules → Templates and searching for the relevant CRT: “CrowdStrike - Identity - Abnormal Certificate Authentication (CVE-2026-20929).”
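The four alert conditions above can be expressed as a small correlation over the two informational detections. The following is an added example, not the CrowdStrike correlation rule template itself: the Event type, the ADCS_SPNS list, the 30-minute window (the post does not state its window) and the sample events are all constructed for illustration.

```python
# Added example (not CrowdStrike's rule): correlates the two informational
# detections for one user inside a short window when the target is AD CS.
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Event:
    kind: str          # "cert_auth" (anomalous certificate-based authentication)
                       # or "service_access" (unusual service access to an endpoint)
    user: str
    ts: datetime
    target: str = ""   # SPN requested, for service_access events
    source: str = ""   # endpoint/IP the certificate auth came from

# Constructed: SPNs of AD CS web enrollment hosts in this lab.
ADCS_SPNS = {"HTTP/ca01.test.local"}
WINDOW = timedelta(minutes=30)   # assumed window; the post does not state one

def is_adcs_access(e: Event) -> bool:
    return e.kind == "service_access" and e.target.lower() in {s.lower() for s in ADCS_SPNS}

def correlate(events: list, window: timedelta = WINDOW) -> list:
    """Return one alert per (AD CS access, certificate auth) pair for the same user inside the window."""
    alerts = []
    cert_auths = [e for e in events if e.kind == "cert_auth"]
    for access in filter(is_adcs_access, events):
        for auth in cert_auths:
            if auth.user.lower() != access.user.lower():
                continue           # condition: same account in both events
            if abs(auth.ts - access.ts) > window:
                continue           # condition: close in time
            alerts.append({"user": auth.user, "adcs_target": access.target,
                           "cert_auth_source": auth.source,
                           "gap_seconds": abs((auth.ts - access.ts).total_seconds())})
    return alerts

# Constructed sample: alice's AD CS ticket request is followed minutes later by
# certificate authentication from a never-seen source; bob and carol each show
# only one of the two signals and must not alert.
SAMPLE = [
    Event("service_access", "alice", datetime(2026, 1, 20, 9, 0), target="HTTP/CA01.test.local"),
    Event("cert_auth", "alice", datetime(2026, 1, 20, 9, 7), source="10.0.0.66"),
    Event("service_access", "bob", datetime(2026, 1, 20, 9, 2), target="HTTP/CA01.test.local"),
    Event("cert_auth", "carol", datetime(2026, 1, 20, 9, 3), source="10.0.0.77"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE):
        print(alert)
```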
Mitigation and Protection Strategies
The Falcon platform provides comprehensive protection capabilities that directly address these mitigation strategies.
CrowdStrike Falcon® Exposure Management delivers critical visibility for patch management initiatives, enabling organizations to rapidly identify vulnerable systems and prioritize remediation efforts based on actual risk exposure. This capability is essential for implementing the first mitigation strategy effectively, allowing critical patches like the CVE-2026-20929 fix to be deployed systematically across the enterprise.
Falcon Next-Gen Identity Security provides insights into Active Directory environment configurations, surfacing critical security risks that could enable Kerberos relay attacks. It continuously monitors and assesses AD security posture.
Beyond configuration assessment, Falcon Next-Gen Identity Security delivers account activity monitoring, including detailed Kerberos authentication tracking and behavioral analysis.
It provides multiple detections that can identify suspicious authentication patterns and potential relay attack attempts in real time.
Conclusion
CVE-2026-20929 represents a significant threat to organizations by enabling attackers to relay Kerberos authentication through DNS CNAME abuse. While this vulnerability can be exploited against multiple services, the AD CS relay vector is particularly dangerous as it enables attackers to obtain persistent access through certificate-based authentication, bypassing traditional password-based security controls. Understanding and detecting these attack patterns is crucial to maintaining security integrity in Active Directory environments.
The comprehensive Falcon platform provides multiple layers of protection:
Real-time alerting when suspicious AD CS access patterns are detected
Behavioral correlation detection through advanced analytics that identify the complete attack chain via Falcon Next-Gen SIEM
Proactive threat hunting through CrowdStrike Falcon® Adversary OverWatch™