RULE 25 AD Certifried DNS Hostname Manipulation
Query
// =========================================================
// RULE-25 | AD-Certifried-DNSHostname-Manipulation
// Description : Certifried (CVE-2022-26923) attack detection
// — Event 4742 (Computer Account Changed)
// where the dNSHostName attribute of a machine
// account is changed to match the DNS name of
// an existing Domain Controller.
// Machine accounts use their dNSHostName for
// certificate authentication. By setting a
// machine account's dNSHostName to
// DC01.corp.local and requesting a Machine
// certificate, the CA issues a cert identifying
// as the real DC. PKINIT with that cert → DC
// TGT → DCSync → domain compromise.
// Severity : Critical (any DC FQDN match)
// High (any dNSHostName change to unusual value)
// Frequency : Every 15 minutes, look-back 15 minutes
// MITRE : T1098.001 — Account Manipulation: Additional
// Cloud Credentials
// T1649 — Steal or Forge Auth Certs
// Tables : SecurityEvent
// =========================================================
let LookBack = 15m;
// Known DC FQDNs (derived from Kerberos history)
let KnownDCFQDNs = SecurityEvent
| where TimeGenerated > ago(3d)
| where EventID == 4768
| summarize by DCFQDNLower = tolower(Computer);
// Computer account changes that touch dNSHostName
SecurityEvent
| where TimeGenerated > ago(LookBack)
| where EventID == 4742
| where EventData has "dNSHostName"
| extend
ActorAccount = strcat(SubjectDomainName, "\\", SubjectUserName),
TargetMachine = strcat(TargetDomainName, "\\", TargetUserName),
NewDNSHostName = extract(@"(?i)dnsHostName\s*=\s*([^\s;,]+)", 1, EventData)
| extend
NewDNSNorm = tolower(NewDNSHostName),
IsDCNameMatch = tolower(NewDNSHostName) in~ (KnownDCFQDNs)
| where isnotempty(NewDNSHostName)
| extend
Severity = case(
IsDCNameMatch, "Critical",
"High"
),
WhySuspicious = strcat(
"dNSHostName_Changed; ",
iff(IsDCNameMatch, "New_FQDN_Matches_DC_Certifried_CVE-2022-26923; ", ""),
"NewDNSHostName: ", NewDNSHostName, "; ",
"TargetMachine: ", TargetMachine, "; ",
"Actor: ", ActorAccount
)
| project
TimeGenerated,
Severity,
WhySuspicious,
ActorAccount,
TargetMachine,
NewDNSHostName,
IsDCNameMatch,
Computer,
SubjectUserName,
SubjectDomainName
| order by Severity asc, TimeGenerated descExplanation
This query is designed to detect a specific type of attack known as "Certifried" (CVE-2022-26923), which involves manipulating the DNS hostname of a machine account to impersonate a Domain Controller (DC) in a network. Here's a simplified breakdown of what the query does:
-
Purpose: The query aims to identify suspicious changes to the
dNSHostNameattribute of machine accounts, specifically when it is altered to match the DNS name of an existing Domain Controller. This can lead to unauthorized certificate issuance and potential domain compromise. -
Severity Levels:
- Critical: If the new DNS hostname matches a known Domain Controller's Fully Qualified Domain Name (FQDN).
- High: If there is any unusual change to the
dNSHostName.
-
Frequency: The query runs every 15 minutes and looks back at the last 15 minutes of data.
-
Data Source: It analyzes events from the
SecurityEventtable, focusing on Event ID 4742, which indicates a computer account change. -
Known Domain Controllers: The query first identifies known Domain Controller FQDNs by examining past Kerberos authentication events (Event ID 4768) over the last three days.
-
Detection Logic:
- It filters for recent computer account changes involving the
dNSHostName. - It extracts the new DNS hostname and checks if it matches any known Domain Controller FQDNs.
- It assigns a severity level based on whether the new hostname matches a Domain Controller.
- It constructs a descriptive message explaining why the change is suspicious.
- It filters for recent computer account changes involving the
-
Output: The query outputs a list of suspicious events, including details such as the time of the event, severity, reason for suspicion, the actor making the change, the target machine, and the new DNS hostname.
In summary, this query helps detect potential security breaches by monitoring for unauthorized changes to machine account DNS hostnames that could indicate an attempt to impersonate a Domain Controller.
Details

David Alonso
Released: March 24, 2026
Tables
Keywords
Operators