CVE-2022-26923 Detection: Active Directory Domain Privilege Escalation Vulnerability


Privilege exploitation attacks in Microsoft’s Windows Active Directory (AD) Domain environments are expanding their scope and growing in scale to target millions of devices. The Microsoft Security Response Center (MSRC) has recently updated information on security flaws that affect the company’s products and services, highlighting the newly discovered Active Directory Domain Services elevation of privilege vulnerability tracked as CVE-2022-26923.

Detect CVE-2022-26923

To trace any manipulation of the DnsHostName attribute by a non-DC account that may be linked to CVE-2022-26923 exploitation attempts, use the Sigma rule below, provided by SOC Prime's team of dedicated developers:

Possible Domain Privilege Escalation [CVE-2022-26923] Exploitation (via audit)

The detection is available for 17 SIEM, EDR & XDR platforms and is aligned with the latest MITRE ATT&CK® framework v.10, addressing the Privilege Escalation and Defense Evasion tactics with Exploitation for Privilege Escalation (T1068) and Valid Accounts (T1078) as the main techniques.
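The kind of audit-based check described above can be sketched as follows. This is an added example, not SOC Prime's Sigma rule: it assumes Windows Security event 4742 ("A computer account was changed") as the audit source, which the article does not name, and the DC inventory, account names and events are constructed sample data.

```python
# Added example: triage of Windows Security event 4742 for DnsHostName changes.
# Every account, hostname and event below is constructed sample data.
DC_ACCOUNTS = {"DC01$"}             # assumption: inventory of DC machine accounts
DC_FQDNS = {"dc01.corp.example"}    # assumption: DNS names of those DCs

EVENTS = [
    # Non-DC computer account given a domain controller's DNS name by a user.
    {"EventID": 4742, "SubjectUserName": "jdoe",
     "TargetUserName": "WS07$", "DnsHostName": "DC01.corp.example"},
    # New DNS name does not match the computer account it belongs to.
    {"EventID": 4742, "SubjectUserName": "WS09$",
     "TargetUserName": "WS09$", "DnsHostName": "files.corp.example"},
    # 4742 records "-" for attributes that were not modified.
    {"EventID": 4742, "SubjectUserName": "helpdesk",
     "TargetUserName": "WS11$", "DnsHostName": "-"},
    # Change made by a DC account: outside the "non-DC account" scope.
    {"EventID": 4742, "SubjectUserName": "DC01$",
     "TargetUserName": "WS12$", "DnsHostName": "ws12.corp.example"},
    # Name consistent with the account: kept only as low-priority context.
    {"EventID": 4742, "SubjectUserName": "WS13$",
     "TargetUserName": "WS13$", "DnsHostName": "ws13.corp.example"},
]

def classify(event):
    """Return None (ignore) or a severity string for one parsed event."""
    if event.get("EventID") != 4742:
        return None
    new_name = event.get("DnsHostName", "-").strip().lower()
    if new_name in ("", "-"):
        return None                      # attribute untouched
    if event.get("SubjectUserName", "").upper() in DC_ACCOUNTS:
        return None                      # changed by a DC account
    target = event.get("TargetUserName", "").upper()
    if new_name in DC_FQDNS and target not in DC_ACCOUNTS:
        return "high"                    # non-DC account now carries a DC's name
    if new_name.split(".")[0] != target.rstrip("$").lower():
        return "medium"                  # host label and account name disagree
    return "low"

def triage(events):
    """Return (target account, severity) for every event worth reviewing."""
    scored = ((e["TargetUserName"], classify(e)) for e in events)
    return [(account, sev) for account, sev in scored if sev]
```

Running `triage(EVENTS)` keeps three of the five sample events, ranked so that a non-DC account taking on a domain controller's DNS name is reviewed first.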

Crafting your own content? Join forces with the world’s largest cyber defense community of 23,000+ SOC experts powered by the Threat Bounty Program, and generate income by sharing your detection content. Tap into the power of the world’s largest repository of SIEM and XDR algorithms to help you keep pace with the ever-evolving threat scenery. 


CVE-2022-26923 Description

The newly revealed Active Directory Domain privilege escalation flaw has not yet been exploited in the wild. Still, its high CVSS score of 8.8 points to the high risk it poses to compromised systems, enabling attackers to abuse certificate issuance. CVE-2022-26923 allows manipulating the DnsHostName attribute, which specifies the computer name as it is registered in DNS, and then enables an adversary to obtain a certificate from AD Certificate Services, potentially leading to elevation of privilege.

For CVE-2022-26923 mitigation and protective measures, Microsoft strongly recommends updating all servers that run AD Certificate Services and Windows domain controllers operating certificate-based authentication to the latest May 10 version.

The ever-growing attack volume requires cyber defenders to respond with ultra-fast speed, which can be achieved faster and more efficiently through the collaborative efforts of the global cybersecurity community. Join SOC Prime’s Detection as Code platform to see in action how the collective expertise of prominent cybersecurity minds builds up a monolithic body of knowledge, giving security teams an immense advantage over attackers.
