Query Details
// =========================================================
// RULE-25 | AD-Certifried-DNSHostname-Manipulation
// Description : Certifried (CVE-2022-26923) attack detection
// — Event 4742 (Computer Account Changed)
// where the dNSHostName attribute of a machine
// account is changed to match the DNS name of
// an existing Domain Controller.
// The Machine template builds the certificate's SAN
// from the account's dNSHostName, and the DC maps a
// PKINIT client certificate back to an account by
// that SAN. Setting a machine account's dNSHostName
// to DC01.corp.local and enrolling a Machine
// certificate therefore yields a cert that maps to
// the real DC. PKINIT with that cert → DC TGT →
// DCSync → domain compromise.
// Severity : Critical (any DC FQDN match)
// High (any dNSHostName change to unusual value)
// Frequency : Every 15 minutes, look-back 15 minutes
// MITRE : T1098 — Account Manipulation
// T1649 — Steal or Forge Auth Certs
// Tables : SecurityEvent
// =========================================================
let LookBack = 15m;
// Known DC FQDNs: only domain controllers log 4768 (Kerberos TGT
// requested), so the reporting Computer of each 4768 in the last 3 days
// is a DC. Collected into a dynamic set so it can be used inside extend().
let KnownDCFQDNs = toscalar(
    SecurityEvent
    | where TimeGenerated > ago(3d)
    | where EventID == 4768
    | summarize make_set(tolower(Computer), 1000));
// Computer account changes (4742) that carry a new DnsHostName. In
// SecurityEvent the 4742 attributes sit in the EventData XML as
// <Data Name="DnsHostName">value</Data>; an unchanged attribute shows "-".
SecurityEvent
| where TimeGenerated > ago(LookBack)
| where EventID == 4742
| where EventData has "DnsHostName"
| extend
    ActorAccount   = strcat(SubjectDomainName, "\\", SubjectUserName),
    TargetMachine  = strcat(TargetDomainName, "\\", TargetUserName),
    // Accept both the XML form (Name="DnsHostName">value<) and a flattened
    // DnsHostName=value form; stop at whitespace, quotes, tags or separators.
    NewDNSHostName = extract(@'(?i)DnsHostName[">=\s]*([^\s;,<"]+)', 1, EventData)
| where isnotempty(NewDNSHostName) and NewDNSHostName != "-"
| extend
    NewDNSNorm    = tolower(NewDNSHostName),
    // Host label of the new FQDN vs. the account's own name
    // (sAMAccountName without the trailing $).
    NewHostLabel  = tolower(tostring(split(NewDNSHostName, ".")[0])),
    ExpectedLabel = tolower(trim_end(@"\$", TargetUserName))
| extend
    IsDCNameMatch     = set_has_element(KnownDCFQDNs, NewDNSNorm),
    HostLabelMismatch = NewHostLabel != ExpectedLabel
// A normal domain join or rename sets dNSHostName to the account's own
// name. Certifried needs a name that belongs to another host (a DC), so
// keep only changes that point elsewhere; drop this filter when hunting.
| where IsDCNameMatch or HostLabelMismatch
| extend
    Severity = case(
        IsDCNameMatch, "Critical",
        "High"
    ),
    WhySuspicious = strcat(
        "dNSHostName_Changed; ",
        iff(IsDCNameMatch, "New_FQDN_Matches_DC_Certifried_CVE-2022-26923; ", ""),
        "NewDNSHostName: ", NewDNSHostName, "; ",
        "TargetMachine: ", TargetMachine, "; ",
        "Actor: ", ActorAccount
    )
| project
    TimeGenerated,
    Severity,
    WhySuspicious,
    ActorAccount,
    TargetMachine,
    NewDNSHostName,
    IsDCNameMatch,
    HostLabelMismatch,
    Computer,
    SubjectUserName,
    SubjectDomainName
// "Critical" sorts before "High" alphabetically, so asc lists DC matches first.
| order by Severity asc, TimeGenerated desc
This query is designed to detect a specific type of security threat known as the "Certifried" attack (CVE-2022-26923). Here's a simple breakdown of what the query does:
Purpose: The query identifies suspicious changes to the dNSHostName attribute of computer accounts in an Active Directory environment. This matters because the attack rewrites a machine account's dNSHostName so that a certificate enrolled for that account maps to a Domain Controller (DC). Domain controllers patched for this CVE (May 2022 updates) no longer let a machine account's owner set dNSHostName to an arbitrary value through the validated write, so a hit on patched infrastructure points to a principal with broader write rights on the object and still warrants investigation.
Frequency: The query is scheduled every 15 minutes with a 15-minute look-back. Because the two windows are the same size, an event that is ingested late can fall between two runs; a look-back a few minutes longer than the interval (with deduplication downstream) closes that gap.
Data Source: It examines the SecurityEvent table, specifically looking for event ID 4742, which indicates that a computer account has been changed.
Known Domain Controllers: It first identifies known Domain Controller Fully Qualified Domain Names (FQDNs) from recent Kerberos events (event ID 4768) over the past three days.
Detection Logic:
- Filters 4742 events whose event data carries the dNSHostName attribute.
- Extracts the new dNSHostName value and normalizes it to lowercase for comparison.
- Checks whether the normalized dNSHostName matches any known Domain Controller FQDN.
Severity Levels:
- If the new dNSHostName matches a known Domain Controller, the severity is "Critical."
- Any other dNSHostName change to an unusual value is "High."
Output: The query returns the details of each suspicious change, including the time, severity, a WhySuspicious summary string, the actor account that made the change, the target machine account, the new dNSHostName, whether it matched a DC, and the DC that logged the event.
Sorting: Results are sorted by severity (ascending, so "Critical" precedes "High") and then by the time of the event (descending).
Overall, this query helps security teams quickly identify and respond to potential domain compromise attempts by monitoring for unauthorized changes to machine account DNS hostnames.
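As an added illustration (not code from the original rule page or its author), the following Python re-implements the rule's logic over a handful of constructed SecurityEvent-style records, so the behaviour can be checked offline: the DC list is derived from 4768 rows, the new DnsHostName is pulled out of the 4742 EventData XML, the "-" (unchanged) value is ignored, names are compared case-insensitively, and the routine domain-join case where the new name's host label equals the account's own name is suppressed. All hostnames, account names and timestamps (DC01.corp.local, WS-ATTACK$, jdoe, and so on) are invented sample values.

```python
import re

# Regex mirroring the rule's extract(): matches the EventData XML form
# <Data Name="DnsHostName">value</Data> as well as a flattened DnsHostName=value form.
DNSHOSTNAME_RE = re.compile(r'(?i)DnsHostName[">=\s]*([^\s;,<"]+)')


def event_data_xml(**fields):
    """Build a minimal 4742-style EventData XML string (constructed test input)."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return f"<EventData>{body}</EventData>"


def known_dc_fqdns(events):
    """DC FQDNs: only domain controllers log 4768 (TGT requested), so the
    reporting Computer of each 4768 is a DC. Lower-cased like the rule does."""
    return {e["Computer"].lower() for e in events if e["EventID"] == 4768}


def extract_dnshostname(event_data):
    """New DnsHostName from a 4742 record, or None if absent or unchanged ('-')."""
    m = DNSHOSTNAME_RE.search(event_data)
    if not m or m.group(1) == "-":
        return None
    return m.group(1)


def evaluate(events):
    """Apply the rule to SecurityEvent-style dicts: a 4742 DnsHostName change
    that names a DC is Critical, one that names some other host is High, and
    the routine domain-join case (host label == sAMAccountName) is dropped."""
    dcs = known_dc_fqdns(events)
    findings = []
    for e in events:
        if e["EventID"] != 4742:
            continue
        new_name = extract_dnshostname(e["EventData"])
        if new_name is None:
            continue
        sam = e["TargetUserName"]
        expected_label = (sam[:-1] if sam.endswith("$") else sam).lower()
        host_label = new_name.split(".")[0].lower()
        is_dc_match = new_name.lower() in dcs
        if not (is_dc_match or host_label != expected_label):
            continue
        actor = f"{e['SubjectDomainName']}\\{e['SubjectUserName']}"
        target = f"{e['TargetDomainName']}\\{sam}"
        why = "dNSHostName_Changed; "
        if is_dc_match:
            why += "New_FQDN_Matches_DC_Certifried_CVE-2022-26923; "
        why += f"NewDNSHostName: {new_name}; TargetMachine: {target}; Actor: {actor}"
        findings.append({
            "TimeGenerated": e["TimeGenerated"],
            "Severity": "Critical" if is_dc_match else "High",
            "WhySuspicious": why,
            "ActorAccount": actor,
            "TargetMachine": target,
            "NewDNSHostName": new_name,
            "IsDCNameMatch": is_dc_match,
            "Computer": e["Computer"],
        })
    # Severity ascending ("Critical" sorts before "High"), then newest first.
    findings.sort(key=lambda f: f["TimeGenerated"], reverse=True)
    findings.sort(key=lambda f: f["Severity"])
    return findings


def change(ts, actor, target, **attrs):
    """Constructed 4742 row as logged by DC01; attrs become EventData fields."""
    return {"EventID": 4742, "TimeGenerated": ts, "Computer": "DC01.corp.local",
            "SubjectDomainName": "CORP", "SubjectUserName": actor,
            "TargetDomainName": "CORP", "TargetUserName": target,
            "EventData": event_data_xml(TargetUserName=target, **attrs)}


# Constructed sample records shaped like SecurityEvent rows (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4768, "Computer": "DC01.corp.local"},
    {"EventID": 4768, "Computer": "dc02.corp.local"},
    # Certifried pattern: a low-privilege user points a fresh machine account at DC01.
    change("2026-03-24T10:01:00Z", "jdoe", "WS-ATTACK$", DnsHostName="DC01.CORP.LOCAL"),
    # Routine domain join: DnsHostName matches the account's own name -> suppressed.
    change("2026-03-24T10:02:00Z", "svc-join", "WS042$", DnsHostName="ws042.corp.local"),
    # Attribute change that leaves DnsHostName untouched ("-") -> ignored.
    change("2026-03-24T10:03:00Z", "admin1", "WS042$", DnsHostName="-", Description="Finance laptop"),
    # Not a DC, but the new name belongs to a different host -> High.
    change("2026-03-24T10:04:00Z", "jdoe", "SRV-APP$", DnsHostName="backup.corp.local"),
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f["Severity"], f["WhySuspicious"])
```

Running the module prints two findings: the Critical one for WS-ATTACK$ pointing at DC01, then the High one for SRV-APP$; the domain join of WS042$ and the description-only change are not reported.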

David Alonso
Released: March 24, 2026