Threat Upgrade
Important
High
85% Confidence
CrowdStrike Uncovers Kerberos Relay Attack via DNS CNAME Abuse
Summary
CrowdStrike identified a novel Kerberos relay technique where attackers forge DNS CNAME records to bypass authentication. By exploiting domain resolution vulnerabilities, this method redirects Kerberos traffic to malicious servers, requiring correlation of DNS and authentication logs for detection.
Key Takeaways
Attackers manipulate DNS CNAME records to redirect legitimate service domains to malicious servers, triggering Kerberos ticket forwarding. Traditional SPN-based detection may fail as CNAME alterations fall outside standard monitoring.
CrowdStrike proposes a tri-layered detection model: monitoring anomalous CNAME timestamp changes, identifying mismatched client IP and resolved IP addresses, and correlating temporal patterns between Kerberos requests and DNS resolutions.
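The three detection layers above, as an added illustration that is not CrowdStrike's code: it runs over constructed DNS CNAME-change, resolver and Kerberos TGS events and flags a TGS request whose preceding DNS answer disagrees with an asset inventory or follows a fresh CNAME edit. The log field names, the one-minute correlation window, the one-hour CNAME recency window and the inventory mapping are all assumptions.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)       # max gap between DNS answer and TGS request
CNAME_RECENCY = timedelta(hours=1)   # CNAME edits this recent are suspicious
# Constructed sample events (UTC, ISO 8601); not taken from the page.
CNAME_CHANGES = [
    {"time": "2024-05-01T10:00:05", "name": "files.corp.example", "cname": "rogue.corp.example"},
]
RESOLUTIONS = [
    {"time": "2024-05-01T10:00:30", "client_ip": "10.1.1.25", "name": "files.corp.example", "resolved_ip": "10.9.9.9"},
    {"time": "2024-05-01T09:30:00", "client_ip": "10.1.1.40", "name": "files.corp.example", "resolved_ip": "10.1.2.5"},
]
TGS_REQUESTS = [
    {"time": "2024-05-01T10:00:31", "client_ip": "10.1.1.25", "spn": "cifs/files.corp.example"},
    {"time": "2024-05-01T09:30:01", "client_ip": "10.1.1.40", "spn": "cifs/files.corp.example"},
]
KNOWN_HOSTS = {"files.corp.example": "10.1.2.5"}  # assumed asset inventory

def _t(s):
    return datetime.fromisoformat(s)

def correlate(tgs_requests, resolutions, cname_changes, known_hosts):
    """One finding per TGS request whose preceding DNS answer looks wrong (layer 1:
    recent CNAME edit; layer 2: IP differs from inventory; layer 3: DNS answer just before)."""
    findings = []
    for req in tgs_requests:
        host = req["spn"].split("/", 1)[1].lower()
        req_time = _t(req["time"])
        # Layer 3: newest answer for this host, same client, inside WINDOW
        answers = [r for r in resolutions
                   if r["client_ip"] == req["client_ip"] and r["name"].lower() == host
                   and timedelta(0) <= req_time - _t(r["time"]) <= WINDOW]
        if not answers:
            continue
        ans = max(answers, key=lambda r: r["time"])
        reasons = []
        # Layer 2: answer disagrees with the inventory address for the service host
        expected = known_hosts.get(host)
        if expected and ans["resolved_ip"] != expected:
            reasons.append(f"resolved {ans['resolved_ip']}, inventory says {expected}")
        # Layer 1: CNAME on the host edited shortly before that answer
        for chg in cname_changes:
            if chg["name"].lower() == host and \
               timedelta(0) <= _t(ans["time"]) - _t(chg["time"]) <= CNAME_RECENCY:
                reasons.append(f"CNAME changed to {chg['cname']} at {chg['time']}")
        if reasons:
            findings.append({"client_ip": req["client_ip"], "spn": req["spn"], "reasons": reasons})
    return findings
```

Calling `correlate(TGS_REQUESTS, RESOLUTIONS, CNAME_CHANGES, KNOWN_HOSTS)` on the sample data yields one finding for client 10.1.1.25 with both a mismatch and a CNAME-edit reason, while the earlier request from 10.1.1.40 is clean.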
Why It Matters
The attack surface expands from authentication protocols to DNS infrastructure, requiring enterprises to update detection rules within 48 hours. This technique reveals defensive gaps between identity systems and domain resolution, potentially enabling new ransomware infiltration vectors....