Detecting DnsHostName Spoofing with Microsoft Defender for Identity - Microsoft Tech Community

On May 10th 2022, Microsoft disclosed a severe vulnerability affecting Active Directory environments in all versions of Windows Server. The vulnerability was found by the security researcher Oliver lyak and has been assigned as CVE-2022-26923, which was fixed by Microsoft in the updates described on that page (different KB articles for different operating systems).

The vulnerability can be exploited by attackers impersonating another machine account and issuing a certificate on behalf of that account in AD environments where Active Directory Certificate Services (AD CS) is also installed, resulting in computer account take-over and even domain controller take-over, which effectively grants an attacker a clear path for full domain credentials compromise.

This vulnerability consists of a logical flaw and affects all non-patched Windows versions from the date of this publication. In this blog we will give the required background for understanding the vulnerability and the detection logic that Microsoft Defender for Identity uses to alert security teams when a potential attacker may be attempting to use this exploitation. Let's start with explaining the vulnerability.