Detecting CVE-2026-20929: Kerberos Authentication Relay via CNAME Abuse

CrowdStrike Blog
March 31, 2026
Yan Linkov
Next-Gen Identity Security

CVE-2026-20929, a vulnerability with a CVSS of 7.5 that was patched in the January 2026 Patch Tuesday update, enables attackers to exploit Kerberos authentication relay through DNS CNAME record abuse.


This blog focuses on detecting one particularly impactful attack vector: relaying authentication to Active Directory Certificate Services (AD CS) to enroll certificates for user accounts, as detailed in recent research. CrowdStrike has developed a correlation-based detection that identifies this specific attack pattern by monitoring for anomalous certificate-based authentication combined with unusual AD CS service access within a short time window.

Related Research and Context

CVE-2026-20929 represents a sophisticated attack vector that exploits the interaction between DNS CNAME records and Kerberos Service Principal Name (SPN) resolution. While this vulnerability can be exploited against various services, this blog focuses on one particularly dangerous attack vector: relaying Kerberos authentication to AD CS servers to enroll certificates for user accounts, providing persistent access that can last months or years.

Understanding CVE-2026-20929 requires context from prior Kerberos relay research:

Kerberos Relay Fundamentals: In 2021, a security researcher demonstrated that Kerberos authentication can be relayed if an attacker can control the SPN used by a client. This research explored multiple techniques for influencing SPN selection across various protocols, challenging the assumption that Kerberos was inherently relay-proof.

DNS-Based Kerberos Relay: In 2022, a security researcher demonstrated practical Kerberos relay techniques using mitm6 to relay DNS authentication to AD CS endpoints. His work showed how DHCPv6 spoofing combined with DNS manipulation could enable Kerberos relay attacks and resulted in the krbrelayx tool.

AD CS Attack Vectors: The SpecterOps research team's "Certified Pre-Owned" work documented AD CS exploitation techniques, including ESC8 (relay to AD CS HTTP endpoints), establishing the foundation for understanding certificate-based attacks in Active Directory.

Understanding ESC8: NTLM Relay to AD CS HTTP Endpoints

Before diving into the Kerberos variant, it's important to understand the foundational attack: ESC8, documented in the SpecterOps "Certified Pre-Owned" research.

ESC8 Attack Overview

AD CS provides a web-based enrollment interface (accessible via the /certsrv endpoint) that allows users and computers to request certificates through a browser. This "Certification Authority Web Enrollment" component accepts both NTLM and Kerberos authentication.

The ESC8 attack exploits this interface through NTLM relay:

1. The attacker coerces a victim (often a machine account or privileged user) to authenticate to an attacker-controlled server.
2. The attacker relays the NTLM authentication to the AD CS web enrollment endpoint (/certsrv).
3. AD CS accepts the relayed authentication and issues a certificate in the victim's name.
4. The attacker uses the certificate for persistent authentication as the victim.

CVE-2026-20929 (Kerberos-Based ESC8)

- Uses Kerberos relay instead of NTLM
- Exploits CNAME-based SPN manipulation to control which service ticket the client requests
- Enables relay even in environments that have disabled NTLM
- Targets the same AD CS web enrollment endpoint (/certsrv)

How Channel Binding Token (CBT) Protection Works

- A channel binding token is derived from the server's TLS certificate
- This token is cryptographically bound to the authentication
- The server verifies the authentication came through its specific TLS channel
- If an attacker relays authentication to a different server (with a different certificate), the channel binding won't match and authentication fails

Why AD CS Web Enrollment Is an Attractive Relay Target

AD CS web enrollment represents a particularly attractive target for Kerberos relay attacks for several reasons:

- Many organizations still deploy web enrollment over HTTP for internal use; this prevents CBT protection
- Certificates provide persistent authentication (typically valid for 1+ years)
- Certificates are often less monitored than password-based authentication

Vulnerability Technical Analysis

CVE-2026-20929 exploits how Kerberos handles Service Principal Names during the DNS resolution process that precedes authentication.

DNS Manipulation Mechanism

Before a client can authenticate to a service, it must resolve the service hostname to an IP address via DNS. Attackers can manipulate this resolution step by crafting DNS responses that contain both:

- A CNAME record redirecting the requested hostname to a different target
- An A record in the same response providing the IP address for that target

Attack Flow

1. The victim tries to access a web server (web01.test.local).
2. A DNS query is sent to resolve web01.test.local.
3. The attacker intercepts the request and responds with the CNAME CA01.test.local and an A record that points to the attacker-controlled IP address.
4. The victim accesses the attacker-controlled web server.
5. The malicious web server replies with a 401 and requests Kerberos authentication.
6. The victim requests a service ticket for HTTP/CA1.test.local from the DC.
7. The DC responds with the service ticket.
8. The victim sends the HTTP/CA1.test.local service ticket to the malicious server.
9. The attacker uses the TGS to authenticate to the AD CS server and enroll a certificate for the victim.

Figure 1. Flow of the CVE-2026-20929 vulnerability

Impact Details

This combined DNS response causes the client to automatically request a Kerberos service ticket for the attacker-specified hostname while connecting to the attacker-controlled IP address. The client is unaware that the SPN in its Kerberos ticket doesn't match the actual service it's connecting to.

CrowdStrike Detection Approach

Detection Strategy Overview

CrowdStrike's detection leverages the CrowdStrike Falcon® platform's unique identity protection capabilities, which provide deep visibility into authentication traffic across the enterprise.
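The CNAME-plus-A response described under "DNS Manipulation Mechanism" above can also be checked from the network side, for example over a packet capture or at a resolver tap, independently of the identity-layer correlation CrowdStrike describes. The following Python is an added example, not code from CrowdStrike or the Falcon platform: it parses a DNS response from the wire (including name compression), follows the CNAME chain from the queried name, and raises a finding when the chain lands on a known AD CS host whose in-response A record disagrees with the address inventory. The inventory, hostnames, addresses and the fixture builder used to produce sample packets are constructed assumptions.

```python
"""Flag DNS responses that rewrite a queried name via CNAME to an AD CS host
while supplying a different address for that host.  Added example, not
CrowdStrike's detection logic; inventory and sample data are constructed."""
import struct

# Hypothetical inventory: the address(es) a trusted resolver returns for each
# AD CS web-enrollment host.  Constructed values.
KNOWN_ADCS_HOSTS = {"ca01.test.local": {"10.0.0.50"}}

def _read_name(msg, off):
    """Decode a possibly compressed DNS name at `off`; return (name, end_offset)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + length].decode("ascii").lower())
        off += length
    return ".".join(labels), end

def parse_response(msg):
    """Return (first question name, answers); answers are (owner, type, rdata)
    with CNAME rdata as a name and A rdata as a dotted-quad string."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off, qname = 12, None
    for _ in range(qdcount):
        name, off = _read_name(msg, off)
        qname = qname or name
        off += 4                                         # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        owner, off = _read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 5:                                   # CNAME
            rdata, _ = _read_name(msg, off)
        elif rtype == 1:                                 # A
            rdata = ".".join(str(b) for b in msg[off:off + 4])
        else:
            rdata = msg[off:off + rdlen]
        off += rdlen
        answers.append((owner, rtype, rdata))
    return qname, answers

def assess(msg):
    """Return a finding string when the queried name is redirected to a known
    AD CS host but the response carries an address not in the inventory."""
    qname, answers = parse_response(msg)
    cname = {o: r for o, t, r in answers if t == 5}
    a_recs = {}
    for o, t, r in answers:
        if t == 1:
            a_recs.setdefault(o, set()).add(r)
    name, seen = qname, set()
    while name in cname and name not in seen:            # follow the CNAME chain
        seen.add(name)
        name = cname[name]
    if name == qname or name not in KNOWN_ADCS_HOSTS:
        return None
    unexpected = a_recs.get(name, set()) - KNOWN_ADCS_HOSTS[name]
    if unexpected:
        return (f"{qname} redirected to AD CS host {name} "
                f"with unexpected address(es) {sorted(unexpected)}")
    return None

def _encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_response(qname, cname_target, a_ip):
    """Constructed test fixture: one question, a CNAME answer for it and an A
    answer for the CNAME target, with compressed owner names as real resolvers emit."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
    q = _encode_name(qname) + struct.pack("!HH", 1, 1)
    cname_rd = _encode_name(cname_target)
    rr1 = struct.pack("!H", 0xC000 | 12)                 # owner -> pointer to QNAME
    rr1 += struct.pack("!HHIH", 5, 1, 60, len(cname_rd)) + cname_rd
    target_off = len(hdr) + len(q) + 2 + 10              # where cname_rd starts
    rr2 = struct.pack("!H", 0xC000 | target_off)         # owner -> pointer to target
    rr2 += struct.pack("!HHIH", 1, 1, 60, 4) + bytes(int(x) for x in a_ip.split("."))
    return hdr + q + rr1 + rr2

if __name__ == "__main__":
    print(assess(build_response("web01.test.local", "ca01.test.local", "10.0.0.99")))
```

The check only fires when the response both points at an inventoried AD CS name and hands out a foreign address, so it depends on an accurate inventory and on actually seeing the response; it complements the authentication-side correlation rather than replacing it.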

Unlike traditional security solutions that rely on endpoint or network logs alone, CrowdStrike Falcon® Next-Gen Identity Security performs real-time inspection of authentication protocols including Kerberos, NTLM, and LDAP traffic. Falcon Next-Gen Identity Security provides comprehensive authentication traffic visibility through:

- Real-time protocol inspection: Deep inspection of Kerberos, NTLM, and LDAP authentication flows as they occur
- Built-in behavioral detections: Pre-configured detections that identify anomalous authentication patterns, including the two informational detections used in this correlation
- Raw traffic forwarding to Falcon Next-Gen SIEM (powered by Falcon LogScale): All authentication traffic is sent to Falcon Next-Gen SIEM, enabling security teams to create custom hunting queries and detection logic tailored to their environment

This multi-layered approach enables both automated detection through correlation logic and proactive threat hunting through raw authentication data analysis.

This detection uses behavioral correlation to identify the complete attack chain rather than relying on individual indicators. This approach provides high-confidence detection while minimizing false positives by focusing on the temporal relationship between authentication relay and certificate usage.

Individual Detection Components

Detection 1: Anomalous Certificate-Based Authentication

This detection identifies unusual patterns in certificate authentication like:

- A user authenticates with a certificate from an endpoint or IP address they haven't used for certificate authentication before.

Figure 2. Detection fired for “Anomalous certificate-based authentication”

Detection 2: Unusual Service Access to an Endpoint

This detection monitors for abnormal service access patterns like:

- A user unexpectedly requests a Kerberos service ticket to a target.

Figure 3. Detection fired for “Unusual service access to an endpoint”

Correlation Logic

The alert triggers when both detections occur within a close time and target an AD CS service. Alert conditions:

- Anomalous certificate-based authentication detected
- Unusual service access to AD CS endpoint detected
- Both events involve the same user account
- Events occur within a short time window

To implement this detection capability, customers must manually enable the CRT through the Falcon Next-Gen SIEM platform by navigating to NGS → Monitor and investigate → Rules → Templates and searching for the relevant CRT: “CrowdStrike - Identity - Abnormal Certificate Authentication (CVE-2026-20929).”

Mitigation and Protection Strategies

The Falcon platform provides comprehensive protection capabilities that directly address these mitigation strategies.
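The correlation logic described above (same user, unusual service access to an AD CS host, anomalous certificate-based authentication, all inside a short window) can be reproduced over any event stream that carries those two informational detections. The following Python is an added example; it is not CrowdStrike's correlation rule template or Falcon Next-Gen SIEM query. The event schema, the AD CS host inventory, the 10-minute window and the sample detections are constructed assumptions.

```python
"""Correlate two informational identity detections into one alert for the
AD CS relay pattern.  Added example, not CrowdStrike's CRT; schema, inventory,
window and sample events are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

ADCS_HOSTS = {"ca01.test.local"}     # constructed inventory of AD CS web-enrollment hosts
WINDOW = timedelta(minutes=10)       # assumed "short time window"

# Constructed sample detections as an identity sensor might emit them.
SAMPLE_EVENTS = [
    {"detection": "unusual_service_access", "user": "alice", "timestamp": "2026-03-31T10:00:00",
     "target": "CA01.test.local", "service": "HTTP"},
    {"detection": "anomalous_cert_auth", "user": "alice", "timestamp": "2026-03-31T10:04:00",
     "source_ip": "10.0.0.99"},
    {"detection": "anomalous_cert_auth", "user": "alice", "timestamp": "2026-03-31T11:30:00",
     "source_ip": "10.0.0.99"},                            # outside the window
    {"detection": "unusual_service_access", "user": "bob", "timestamp": "2026-03-31T10:01:00",
     "target": "fs01.test.local", "service": "CIFS"},      # not an AD CS host
    {"detection": "anomalous_cert_auth", "user": "bob", "timestamp": "2026-03-31T10:03:00",
     "source_ip": "10.0.0.77"},
]

def correlate(events, adcs_hosts=ADCS_HOSTS, window=WINDOW):
    """Return one alert per (user, AD CS access, certificate auth) pair whose
    timestamps lie within `window` of each other, in either order."""
    access = defaultdict(list)
    cert_auth = defaultdict(list)
    for ev in events:                                      # bucket by normalized user
        user = ev["user"].lower()
        if ev["detection"] == "unusual_service_access" and ev["target"].lower() in adcs_hosts:
            access[user].append(ev)
        elif ev["detection"] == "anomalous_cert_auth":
            cert_auth[user].append(ev)

    alerts = []
    for user, accesses in access.items():
        for acc in accesses:
            t_access = datetime.fromisoformat(acc["timestamp"])
            for ca in cert_auth.get(user, ()):
                t_cert = datetime.fromisoformat(ca["timestamp"])
                if abs(t_cert - t_access) <= window:       # all four conditions now hold
                    alerts.append({
                        "rule": "Abnormal Certificate Authentication (CVE-2026-20929 pattern)",
                        "user": user,
                        "adcs_target": acc["target"],
                        "access_time": acc["timestamp"],
                        "cert_auth_time": ca["timestamp"],
                        "cert_auth_source_ip": ca.get("source_ip"),
                    })
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

On the constructed events only the alice pair at 10:00/10:04 alerts: her 11:30 certificate authentication falls outside the window, and bob's service access targets a file server rather than an AD CS host. Tuning the window and the host inventory to the environment is what keeps the false-positive rate low.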

CrowdStrike Falcon® Exposure Management delivers critical visibility for patch management initiatives, enabling organizations to rapidly identify vulnerable systems and prioritize remediation efforts based on actual risk exposure. This capability is essential for implementing the first mitigation strategy effectively, allowing critical patches like the CVE-2026-20929 fix to be deployed systematically across the enterprise.

Falcon Next-Gen Identity Security provides insights into Active Directory environment configurations, surfacing critical security risks that could enable Kerberos relay attacks. It continuously monitors and assesses AD security posture. Beyond configuration assessment, Falcon Next-Gen Identity Security delivers account activity monitoring, including detailed Kerberos authentication tracking and behavioral analysis.

It provides multiple detections that can identify suspicious authentication patterns and potential relay attack attempts in real time.

Conclusion

CVE-2026-20929 represents a significant threat to organizations by enabling attackers to relay Kerberos authentication through DNS CNAME abuse. While this vulnerability can be exploited against multiple services, the AD CS relay vector is particularly dangerous as it enables attackers to obtain persistent access through certificate-based authentication, bypassing traditional password-based security controls.

Understanding and detecting these attack patterns is crucial to maintaining security integrity in Active Directory environments. The comprehensive Falcon platform provides multiple layers of protection:

- Real-time alerting when suspicious AD CS access patterns are detected
- Behavioral correlation detection through advanced analytics that identify the complete attack chain via Falcon Next-Gen SIEM
- Proactive threat hunting through CrowdStrike Falcon® Adversary OverWatch™

Additional Resources

Be part of Fal.Con 2026 and connect with 10,000+ cybersecurity professionals shaping the future of the industry.

Learn more about Falcon Next-Gen Identity Security and Falcon Next-Gen SIEM.
