Kerberos Authentication Relay via DNS CNAME Abuse

A new technique abuses Kerberos TGS requests and DNS CNAME resolution to allow attackers to impersonate users by relaying authentication tickets. This method, detailed in research by Cymulate, enables lateral movement and privilege escalation, and while Microsoft has patched HTTP-related vulnerabilities (CVE-2026-20929), the core DNS CNAME abuse remains a threat.

Edward Kiledjian @ekiledjian