CVE-2026-20929, a vulnerability with a CVSS score of 7.5 that was patched in the January 2026 Patch Tuesday update, enables Kerberos authentication relay through abuse of DNS CNAME records. This blog focuses on detecting one particularly impactful attack vector: relaying the authentication to Active Directory Certificate Services (AD CS) to enroll certificates for user accounts, as detailed in recent research.
CrowdStrike has developed a correlation-based detection that identifies this specific attack pattern by monitoring for anomalous certificate-based authentication combined with unusual AD CS service access within a short time window.
Related Research and Context
CVE-2026-20929 exploits the interaction between DNS CNAME records and the way a Kerberos client builds the Service Principal Name (SPN) it requests a ticket for. While the flaw can be exploited against various services, this blog focuses on one particularly dangerous attack vector: relaying Kerberos authentication to AD CS servers to enroll certificates for user accounts. Because a certificate stays valid for its full lifetime even if the account's password changes, this provides persistent access that can last months or years.
Understanding CVE-2026-20929 requires context from prior Kerberos relay research:
Kerberos Relay Fundamentals: In 2021, a security researcher demonstrated that Kerberos authentication can be relayed if an attacker can control the SPN the client requests a ticket for. The research explored multiple techniques for influencing SPN selection across various protocols and challenged the assumption that Kerberos was inherently relay-proof.
DNS-Based Kerberos Relay: In 2022, a security researcher demonstrated a practical Kerberos relay using mitm6: clients were handed an attacker-controlled DNS server via DHCPv6, and the Kerberos authentication they performed for secure DNS dynamic updates was relayed to AD CS endpoints. That work extended his krbrelayx tool with Kerberos relay support.
AD CS Attack Vectors: The SpecterOps research team's "Certified Pre-Owned" work documented AD CS exploitation techniques, including ESC8 (relay to AD CS HTTP endpoints), establishing the foundation for understanding certificate-based attacks in Active Directory.
Understanding ESC8: NTLM Relay to AD CS HTTP Endpoints
Before diving into the Kerberos variant, it's important to understand the foundational attack: ESC8, documented in the SpecterOps "Certified Pre-Owned" research.
ESC8 Attack Overview
AD CS provides a web-based enrollment interface (accessible via the /certsrv endpoint) that allows users and computers to request certificates through a browser. This "Certification Authority Web Enrollment" component accepts both NTLM and Kerberos authentication. The ESC8 attack exploits this interface through NTLM relay:
- The attacker coerces a victim (often a machine account or privileged user) to authenticate to an attacker-controlled server
- The attacker relays the NTLM authentication to the AD CS web enrollment endpoint (/certsrv)
- AD CS accepts the relayed authentication and issues a certificate in the victim's name
- The attacker uses the certificate for persistent authentication as the victim
CVE-2026-20929 (Kerberos-Based ESC8)
- Uses Kerberos relay instead of NTLM
- Exploits CNAME-based SPN manipulation to control which service ticket the client requests
- Enables relay even in environments that have disabled NTLM
- Targets the same AD CS web enrollment endpoint (/certsrv)
How Channel Binding Token (CBT) Protection Works
- The channel binding token (CBT) is derived from the server's TLS certificate (the tls-server-end-point binding, a hash of the certificate)
- The client includes this token in the Kerberos or NTLM authentication it sends, so the authentication is cryptographically bound to that TLS session
- The server recomputes the binding from its own certificate and checks that the authentication arrived over its own TLS channel
- If an attacker relays the authentication to a different server (one with a different certificate), the bindings do not match and authentication fails
Why AD CS Web Enrollment Is an Attractive Relay Target
AD CS web enrollment represents a particularly attractive target for Kerberos relay attacks for several reasons:
- Many organizations still serve web enrollment over plain HTTP for internal use; without a TLS channel there is nothing to bind to, so CBT offers no protection (Microsoft's ESC8 hardening guidance is to require HTTPS on the CertSrv site and set Extended Protection for Authentication to Required)
- Certificates provide persistent authentication (typically valid for 1+ years)
- Certificates are often less monitored than password-based authentication
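Worked example of the channel binding check described above, and of why plain HTTP defeats it. This is an added illustration written for this post, not CrowdStrike's, Microsoft's or any tool's code. It models the RFC 5929 tls-server-end-point binding with constructed byte strings standing in for DER-encoded certificates, and the 'off', 'allow' and 'required' policy names mirror the IIS Extended Protection settings; the hostnames are assumptions.

```python
"""
Model of channel binding token (CBT) verification for a relay scenario.
The tls-server-end-point binding (RFC 5929) is a hash of the server's
certificate, chosen from the certificate's signature algorithm, carried
inside the client's authentication. Certificate bytes below are constructed
stand-ins for DER certificates; no real PKI is involved.
"""
import hashlib
import hmac

CBT_PREFIX = b"tls-server-end-point:"


def tls_server_end_point(cert_der, signature_hash):
    """RFC 5929 s4.1: hash the certificate with its signatureAlgorithm hash,
    except that MD5 and SHA-1 are replaced by SHA-256."""
    algo = signature_hash.lower().replace("-", "")
    if algo in ("md5", "sha1"):
        algo = "sha256"
    return CBT_PREFIX + hashlib.new(algo, cert_der).digest()


def client_binding(server_cert_der, signature_hash, over_tls):
    """Binding the client attaches to its Kerberos (or NTLM) authentication.
    Over plain HTTP there is no TLS channel, so there is nothing to bind to."""
    if not over_tls:
        return None
    return tls_server_end_point(server_cert_der, signature_hash)


def server_accepts(own_cert_der, signature_hash, presented_binding, policy):
    """Server-side Extended Protection decision.
    'off'      : never check the binding
    'allow'    : check a binding if one is present, accept if absent
    'required' : reject absent bindings and mismatched bindings"""
    if policy == "off":
        return True
    if presented_binding is None:
        return policy == "allow"
    expected = tls_server_end_point(own_cert_der, signature_hash)
    return hmac.compare_digest(presented_binding, expected)


# Constructed stand-ins for the DER certificates of the relay host and the CA.
ATTACKER_CERT = b"constructed-der:attacker-relay-host"
CA_CERT = b"constructed-der:CA01.test.local"


def relay_outcome(client_over_tls, ca_policy):
    """Client authenticates to the attacker's web server; the attacker forwards the
    authentication blob, binding included, to the CA's web enrollment endpoint."""
    presented = client_binding(ATTACKER_CERT, "sha256", client_over_tls)
    return server_accepts(CA_CERT, "sha256", presented, ca_policy)


def direct_outcome(ca_policy):
    """Legitimate client talking to the CA over TLS: binding computed over the CA's own certificate."""
    presented = client_binding(CA_CERT, "sha256", True)
    return server_accepts(CA_CERT, "sha256", presented, ca_policy)


if __name__ == "__main__":
    for over_tls in (True, False):
        for policy in ("off", "allow", "required"):
            accepted = relay_outcome(over_tls, policy)
            print(f"client_tls={over_tls!s:5} ca_policy={policy:8} relay accepted: {accepted}")
    print("legitimate client, ca_policy=required:", direct_outcome("required"))
```

The table the script prints makes the point of the two bullet lists above concrete: a binding computed over the attacker's certificate never matches the CA's, so a relay from an HTTPS victim session fails under 'allow' or 'required'. A victim that reached the attacker over plain HTTP presents no binding at all, and only 'required' rejects that, which is why both HTTPS and EPA set to Required are needed.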
Vulnerability Technical Analysis
CVE-2026-20929 exploits how the Kerberos client constructs the Service Principal Name from the result of the DNS resolution that precedes authentication.
DNS Manipulation Mechanism
Before a client can authenticate to a service, it must resolve the service hostname to an IP address via DNS. An attacker who can answer that query can manipulate the resolution step with a single response that contains both:
- A CNAME record redirecting the requested hostname to a different target
- An A record in the same response providing the IP address for that target
When the client builds its SPN from the canonical name (the CNAME target) rather than the name it set out to reach, the attacker decides which service ticket the client will request, while the A record decides where the client connects.
Attack Flow
- The victim tries to access a web server (web01.test.local)
- A DNS query is sent to resolve web01.test.local
- The attacker intercepts the query and answers with a CNAME record pointing web01.test.local at CA01.test.local and an A record for CA01.test.local that points to an attacker-controlled IP address
- The victim connects to the attacker-controlled web server at that address
- The malicious web server replies with an HTTP 401 and a WWW-Authenticate: Negotiate header, requesting Kerberos authentication
- Because the SPN is built from the CNAME target, the victim requests a service ticket for HTTP/CA01.test.local from the DC
- The DC responds with the service ticket
- The victim sends the HTTP/CA01.test.local service ticket (in an AP-REQ) to the malicious server
- The attacker forwards that AP-REQ to the AD CS web enrollment endpoint on CA01.test.local and enrolls a certificate for the victim
The ticket is encrypted with the key of the account that owns the HTTP/CA01.test.local SPN, so it can only be relayed to a service running under that account, and it must be forwarded before the authenticator timestamp falls outside the service's allowed clock skew (five minutes by default).
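The spoofed DNS response and the SPN derivation from the mechanism and flow above, as an added example that is not part of the original post and not taken from any of the tools mentioned. It builds the DNS message with the standard library, parses it back following the CNAME chain, and contrasts the SPN a client that canonicalises through the CNAME would request with the SPN a client that keeps the original name would request. The names web01.test.local and CA01.test.local and the address 10.0.0.50 are constructed values; nothing is sent on a network.

```python
"""
Build and parse the spoofed DNS answer from the attack flow: a response to a
query for web01.test.local that carries CNAME -> CA01.test.local plus an A
record for CA01.test.local pointing at the attacker's address, then derive
the SPN a canonicalising client would request. All values are constructed.
"""
import struct

QTYPE_A, QTYPE_CNAME = 1, 5


def encode_name(name):
    """RFC 1035 label encoding without compression."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, offset):
    """Decode a name at offset, following compression pointers. Returns (name, end_offset)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), end


def resource_record(name, rtype, rdata, ttl=60):
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def build_spoofed_response(txid, qname, cname_target, target_ip):
    """Answer a query for qname with CNAME -> cname_target and an A record for the target."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 2, 0, 0)  # QR|RD|RA, NOERROR, 2 answers
    question = encode_name(qname) + struct.pack("!HH", QTYPE_A, 1)
    ip = bytes(int(octet) for octet in target_ip.split("."))
    answers = (resource_record(qname, QTYPE_CNAME, encode_name(cname_target))
               + resource_record(cname_target, QTYPE_A, ip))
    return header + question + answers


def parse_answers(msg):
    """Return [(owner, rtype, value)] for the answer section of a DNS message."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        _, off = decode_name(msg, off)
        off += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        owner, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_CNAME:
            value, _ = decode_name(msg, off)
        elif rtype == QTYPE_A:
            value = ".".join(str(b) for b in msg[off:off + rdlen])
        else:
            value = msg[off:off + rdlen].hex()
        off += rdlen
        answers.append((owner, rtype, value))
    return answers


def canonicalize(msg, qname):
    """Follow the CNAME chain the way a canonicalising client does. Returns (canonical_name, ip)."""
    answers = parse_answers(msg)
    name, seen = qname, set()
    while name.lower() not in seen:  # stop on loops
        seen.add(name.lower())
        target = next((v for o, t, v in answers if t == QTYPE_CNAME and o.lower() == name.lower()), None)
        if target is None:
            break
        name = target
    ip = next((v for o, t, v in answers if t == QTYPE_A and o.lower() == name.lower()), None)
    return name, ip


def requested_spn(msg, qname, service="HTTP", canonicalize_name=True):
    """SPN the client asks the KDC for: the CNAME target when it canonicalises, else the typed name."""
    name = canonicalize(msg, qname)[0] if canonicalize_name else qname
    return f"{service}/{name}"


if __name__ == "__main__":
    msg = build_spoofed_response(0x1234, "web01.test.local", "CA01.test.local", "10.0.0.50")
    print(canonicalize(msg, "web01.test.local"))
    print(requested_spn(msg, "web01.test.local"))
    print(requested_spn(msg, "web01.test.local", canonicalize_name=False))
```

Run as a script it shows the victim connecting to 10.0.0.50 while requesting HTTP/CA01.test.local, which is exactly the mismatch the relay depends on; a client that keeps the queried name would request HTTP/web01.test.local, and a ticket for that SPN is useless against CA01.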