Detecting CVE-2026-20929: Kerberos Authentication Relay via CNAME Abuse
ID: 654b84c2-4d47-5619-a765-7b7053a90977
STIX ID: report--654b84c2-4d47-5619-a765-7b7053a90977
Feed Name: Crowdstrike Blog
This report analyzes CVE-2026-20929 (CVSS 7.5), a vulnerability that enables Kerberos authentication relay through DNS CNAME/SPN manipulation against AD CS web enrollment (/certsrv), letting an attacker obtain long-lived certificates for victim accounts. It walks through the DNS/Kerberos attack flow, contrasts this Kerberos-based ESC8 variant with earlier NTLM relays, explains why AD CS is an attractive target (persistence, no channel binding tokens (CBT) on HTTP, limited monitoring), and summarizes CrowdStrike's detection guidance for anomalous certificate-based authentications and AD CS access patterns.
