{"id":27413,"date":"2026-06-16T08:28:20","date_gmt":"2026-06-16T06:28:20","guid":{"rendered":"https:\/\/cirosec.de\/?p=27413"},"modified":"2026-06-17T09:57:43","modified_gmt":"2026-06-17T07:57:43","slug":"microsoft-defender-for-identity-evasions-in-2026-part-i","status":"publish","type":"post","link":"https:\/\/cirosec.de\/en\/news\/microsoft-defender-for-identity-evasions-in-2026-part-i\/","title":{"rendered":"Microsoft Defender for Identity evasions in 2026 \u2013 Part I"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"27413\" class=\"elementor elementor-27413\" data-elementor-post-type=\"post\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-64413c6f elementor-section-full_width elementor-section-content-middle elementor-section-height-default elementor-section-height-default\" data-id=\"64413c6f\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-83b6c92\" data-id=\"83b6c92\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-789c77e6 elementor-widget elementor-widget-template\" data-id=\"789c77e6\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"template.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-template\">\n\t\t\t\t\t<header data-elementor-type=\"header\" data-elementor-id=\"6422\" class=\"elementor elementor-6422 elementor-941 elementor-941\" data-elementor-post-type=\"elementor_library\">\n\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-3c20b09 elementor-section-full_width 
elementor-section-content-middle elementor-section-height-default elementor-section-height-default\" data-id=\"3c20b09\" data-element_type=\"section\" data-e-type=\"section\" id=\"header--sticky\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;,&quot;sticky&quot;:&quot;top&quot;,&quot;sticky_on&quot;:[&quot;desktop&quot;,&quot;tablet_extra&quot;],&quot;sticky_offset&quot;:0,&quot;sticky_effects_offset&quot;:0,&quot;sticky_anchor_link_offset&quot;:0}\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-25 elementor-top-column elementor-element elementor-element-2c6b6ea\" data-id=\"2c6b6ea\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-920f2b0 elementor-widget elementor-widget-theme-site-logo elementor-widget-image\" data-id=\"920f2b0\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"theme-site-logo.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t<a href=\"https:\/\/cirosec.de\/en\/\">\n\t\t\t<img fetchpriority=\"high\" decoding=\"async\" width=\"626\" height=\"188\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" class=\"attachment-full size-full wp-image-5868 lazyload\" alt=\"\" sizes=\"(max-width: 626px) 100vw, 626px\" data-src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2023\/08\/Logo_Cirosec_rgb_53x16mm-transparent.png\" data-srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2023\/08\/Logo_Cirosec_rgb_53x16mm-transparent.png 626w, https:\/\/cirosec.de\/wp-content\/uploads\/2023\/08\/Logo_Cirosec_rgb_53x16mm-transparent-300x90.png 300w\">\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-25 elementor-top-column 
elementor-element elementor-element-b85d260\" data-id=\"b85d260\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-db0098d elementor-widget__width-auto elementor-hidden-desktop elementor-widget elementor-widget-shortcode\" data-id=\"db0098d\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"shortcode.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-shortcode\">\n<div role=\"navigation\" aria-label=\"Language Switcher\" class=\"wpml-ls-statics-shortcode_actions wpml-ls wpml-ls-legacy-dropdown-click js-wpml-ls-legacy-dropdown-click\">\n\t<ul>\n\n\t\t<li class=\" wpml-ls-item-legacy-dropdown-click\">\n\n\t\t\t\t\t\t\t\t\t<a href=\"#\" hreflang=\"\" lang=\"\" class=\"js-wpml-ls-item-toggle wpml-ls-item-toggle\" aria-current=\"page\" aria-expanded=\"false\" aria-controls=\"wpml-ls-submenu-click-default\" aria-haspopup=\"true\" aria-label=\"Language switcher, click to open then tab to navigate\" tabindex=\"0\" role=\"button\" title=\"\">\n\t\t\t\t<\/a>\n\n\t\t\t<ul id=\"wpml-ls-submenu-click-default\" class=\"js-wpml-ls-sub-menu wpml-ls-sub-menu\">\n\t\t\t\t\n\t\t\t\t\t<li class=\"wpml-ls-slot-shortcode_actions wpml-ls-item wpml-ls-item-de wpml-ls-first-item wpml-ls-last-item\">\n\t\t\t\t\t\t<a href=\"https:\/\/cirosec.de\/\" hreflang=\"de\" lang=\"de\" class=\"wpml-ls-link\" aria-label=\"Switch to German\" title=\"Switch to German\">\n\t\t\t\t\t\t\t                                    <img decoding=\"async\" class=\"wpml-ls-flag lazyload\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" alt=\"German\" loading=\"lazy\" width=\"15\" height=\"9\" 
data-src=\"https:\/\/cirosec.de\/wp-content\/plugins\/sitepress-multilingual-cms\/res\/flags\/de.svg\"><\/a>\n\t\t\t\t\t<\/li>\n\n\t\t\t\t\t\t\t<\/ul>\n\n\t\t<\/li>\n\n\t<\/ul>\n<\/div>\n<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-65a0be9 elementor-widget__width-initial elementor-widget-tablet__width-initial elementor-nav-menu--dropdown-mobile elementor-nav-menu--stretch elementor-nav-menu__align-start elementor-widget-mobile__width-auto elementor-hidden-tablet elementor-hidden-mobile elementor-hidden-tablet_extra elementor-hidden-mobile_extra elementor-widget-mobile_extra__width-initial elementor-nav-menu__text-align-aside elementor-nav-menu--toggle elementor-nav-menu--burger elementor-widget elementor-widget-nav-menu\" data-id=\"65a0be9\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;full_width&quot;:&quot;stretch&quot;,&quot;layout&quot;:&quot;horizontal&quot;,&quot;submenu_icon&quot;:{&quot;value&quot;:&quot;&lt;i class=\\&quot;fas fa-caret-down\\&quot; aria-hidden=\\&quot;true\\&quot;&gt;&lt;\\\/i&gt;&quot;,&quot;library&quot;:&quot;fa-solid&quot;},&quot;toggle&quot;:&quot;burger&quot;}\" data-widget_type=\"nav-menu.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t<nav aria-label=\"Menu\" class=\"elementor-nav-menu--main elementor-nav-menu__container elementor-nav-menu--layout-horizontal e--pointer-none\">\n\t\t\t\t<ul id=\"menu-1-65a0be9\" class=\"elementor-nav-menu\"><li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-home menu-item-7077\"><a href=\"https:\/\/cirosec.de\/en\/\" class=\"elementor-item\">cirosec<\/a><\/li>\n<li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-has-children menu-item-16136\"><a href=\"#\" class=\"elementor-item elementor-item-anchor\">Services<\/a>\n<ul class=\"sub-menu elementor-nav-menu--dropdown\">\n\t<li class=\"menu-item menu-item-type-post_type 
menu-item-object-page menu-item-15941\"><a href=\"https:\/\/cirosec.de\/en\/services\/\" class=\"elementor-sub-item\">Overview<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9131\"><a href=\"https:\/\/cirosec.de\/en\/services\/consulting-concepts-reviews-and-analyses\/\" class=\"elementor-sub-item\">Consulting, Concepts, Reviews and Analyses<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9073\"><a href=\"https:\/\/cirosec.de\/en\/services\/penetration-tests\/\" class=\"elementor-sub-item\">Penetration Tests<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9077\"><a href=\"https:\/\/cirosec.de\/en\/services\/red-team-assessments\/\" class=\"elementor-sub-item\">Red Team Assessments<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9076\"><a href=\"https:\/\/cirosec.de\/en\/services\/incident-response-and-forensics\/\" class=\"elementor-sub-item\">Incident Response and Forensics<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-26842\"><a href=\"https:\/\/cirosec.de\/en\/services\/security-management-and-compliance\/\" class=\"elementor-sub-item\">Sec\u00adurity Manag\u00adement and Comp\u00adliance<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9075\"><a href=\"https:\/\/cirosec.de\/en\/services\/selection-implementation-of-products-and-solutions\/\" class=\"elementor-sub-item\">Implementation of Products and Solutions<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9078\"><a href=\"https:\/\/cirosec.de\/en\/services\/it-security-training-and-awareness\/\" class=\"elementor-sub-item\">Trainings and Awareness<\/a><\/li>\n<\/ul>\n<\/li>\n<li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-has-children menu-item-16137\"><a href=\"#\" 
class=\"elementor-item elementor-item-anchor\">Trainings<\/a>\n<ul class=\"sub-menu elementor-nav-menu--dropdown\">\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-15940\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/\" class=\"elementor-sub-item\">Overview<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9092\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/malware-and-ransomware-background-detection-protection-and-response\/\" class=\"elementor-sub-item\">Malware and Ransomware \u2013 Background, Detection, Protection and Response<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9095\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/security-in-microsoft-office-365\/\" class=\"elementor-sub-item\">Security in Microsoft Office 365<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9083\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/hacking-and-hardening-of-windows-operating-systems\/\" class=\"elementor-sub-item\">Hacking and Hardening of Windows Operating Systems<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9082\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/hacking-and-hardening-of-windows-infrastructures\/\" class=\"elementor-sub-item\">Hacking and Hardening of Windows Infrastructures<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9084\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/hacking-extreme\/\" class=\"elementor-sub-item\">Hacking Extreme<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9086\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/hacking-extreme-web-applications\/\" class=\"elementor-sub-item\">Hacking Extreme Web Applications<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9080\"><a 
href=\"https:\/\/cirosec.de\/en\/trainings\/crash-course-it-and-information-security\/\" class=\"elementor-sub-item\">Crash Course IT and Information Security<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-13051\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/nis2-information-security-for-chief-executive-officers\/\" class=\"elementor-sub-item\">NIS 2 Training for Management<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9087\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/incident-handling-response\/\" class=\"elementor-sub-item\">Incident Handling &amp; Response<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-26257\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/training-in-immediate-measures\/\" class=\"elementor-sub-item\">Training in Imm\u00adediate Mea\u00adsures<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9094\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/security-in-azure-cloud-environments\/\" class=\"elementor-sub-item\">Security in Azure Cloud Environments<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9089\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/iso-27001-lead-implementer\/\" class=\"elementor-sub-item\">ISO 27001 Lead Implementer<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9088\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/iso-27001-lead-auditor\/\" class=\"elementor-sub-item\">ISO 27001 Lead Auditor<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9081\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/forensics-extreme\/\" class=\"elementor-sub-item\">Forensics Extreme<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9093\"><a 
href=\"https:\/\/cirosec.de\/en\/trainings\/security-in-aws-cloud-environments\/\" class=\"elementor-sub-item\">Security in AWS Cloud Environments<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9091\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/it-security-for-strategists-and-managers\/\" class=\"elementor-sub-item\">IT Security for Strategists and Managers<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9090\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/it-security-for-developers\/\" class=\"elementor-sub-item\">IT Security for Developers<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9085\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/hacking-extreme-buffer-overflows\/\" class=\"elementor-sub-item\">Hacking Extreme Buffer Overflows<\/a><\/li>\n<\/ul>\n<\/li>\n<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9064\"><a href=\"https:\/\/cirosec.de\/en\/about-us\/\" class=\"elementor-item\">About us<\/a><\/li>\n<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9160\"><a href=\"https:\/\/cirosec.de\/en\/blog\/\" class=\"elementor-item\">Blog<\/a><\/li>\n<\/ul>\t\t\t<\/nav>\n\t\t\t\t\t<div class=\"elementor-menu-toggle\" role=\"button\" tabindex=\"0\" aria-label=\"Menu Toggle\" aria-expanded=\"false\">\n\t\t\t<i aria-hidden=\"true\" role=\"presentation\" class=\"elementor-menu-toggle__icon--open eicon-menu-bar\"><\/i><i aria-hidden=\"true\" role=\"presentation\" class=\"elementor-menu-toggle__icon--close eicon-close\"><\/i>\t\t<\/div>\n\t\t\t\t\t<nav class=\"elementor-nav-menu--dropdown elementor-nav-menu__container\" aria-hidden=\"true\">\n\t\t\t\t<ul id=\"menu-2-65a0be9\" class=\"elementor-nav-menu\"><li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-home menu-item-7077\"><a href=\"https:\/\/cirosec.de\/en\/\" class=\"elementor-item\" 
tabindex=\"-1\">cirosec<\/a><\/li>\n<li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-has-children menu-item-16136\"><a href=\"#\" class=\"elementor-item elementor-item-anchor\" tabindex=\"-1\">Services<\/a>\n<ul class=\"sub-menu elementor-nav-menu--dropdown\">\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-15941\"><a href=\"https:\/\/cirosec.de\/en\/services\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Overview<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9131\"><a href=\"https:\/\/cirosec.de\/en\/services\/consulting-concepts-reviews-and-analyses\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Consulting, Concepts, Reviews and Analyses<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9073\"><a href=\"https:\/\/cirosec.de\/en\/services\/penetration-tests\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Penetration Tests<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9077\"><a href=\"https:\/\/cirosec.de\/en\/services\/red-team-assessments\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Red Team Assessments<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9076\"><a href=\"https:\/\/cirosec.de\/en\/services\/incident-response-and-forensics\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Incident Response and Forensics<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-26842\"><a href=\"https:\/\/cirosec.de\/en\/services\/security-management-and-compliance\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Sec\u00adurity Manag\u00adement and Comp\u00adliance<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9075\"><a href=\"https:\/\/cirosec.de\/en\/services\/selection-implementation-of-products-and-solutions\/\" 
class=\"elementor-sub-item\" tabindex=\"-1\">Implementation of Products and Solutions<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9078\"><a href=\"https:\/\/cirosec.de\/en\/services\/it-security-training-and-awareness\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Trainings and Awareness<\/a><\/li>\n<\/ul>\n<\/li>\n<li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-has-children menu-item-16137\"><a href=\"#\" class=\"elementor-item elementor-item-anchor\" tabindex=\"-1\">Trainings<\/a>\n<ul class=\"sub-menu elementor-nav-menu--dropdown\">\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-15940\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Overview<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9092\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/malware-and-ransomware-background-detection-protection-and-response\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Malware and Ransomware \u2013 Background, Detection, Protection and Response<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9095\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/security-in-microsoft-office-365\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Security in Microsoft Office 365<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9083\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/hacking-and-hardening-of-windows-operating-systems\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Hacking and Hardening of Windows Operating Systems<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9082\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/hacking-and-hardening-of-windows-infrastructures\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Hacking and Hardening of Windows 
Infrastructures<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9084\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/hacking-extreme\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Hacking Extreme<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9086\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/hacking-extreme-web-applications\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Hacking Extreme Web Applications<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9080\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/crash-course-it-and-information-security\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Crash Course IT and Information Security<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-13051\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/nis2-information-security-for-chief-executive-officers\/\" class=\"elementor-sub-item\" tabindex=\"-1\">NIS 2 Training for Management<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9087\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/incident-handling-response\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Incident Handling &amp; Response<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-26257\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/training-in-immediate-measures\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Training in Imm\u00adediate Mea\u00adsures<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9094\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/security-in-azure-cloud-environments\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Security in Azure Cloud Environments<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9089\"><a 
href=\"https:\/\/cirosec.de\/en\/trainings\/iso-27001-lead-implementer\/\" class=\"elementor-sub-item\" tabindex=\"-1\">ISO 27001 Lead Implementer<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9088\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/iso-27001-lead-auditor\/\" class=\"elementor-sub-item\" tabindex=\"-1\">ISO 27001 Lead Auditor<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9081\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/forensics-extreme\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Forensics Extreme<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9093\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/security-in-aws-cloud-environments\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Security in AWS Cloud Environments<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9091\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/it-security-for-strategists-and-managers\/\" class=\"elementor-sub-item\" tabindex=\"-1\">IT Security for Strategists and Managers<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9090\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/it-security-for-developers\/\" class=\"elementor-sub-item\" tabindex=\"-1\">IT Security for Developers<\/a><\/li>\n\t<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9085\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/hacking-extreme-buffer-overflows\/\" class=\"elementor-sub-item\" tabindex=\"-1\">Hacking Extreme Buffer Overflows<\/a><\/li>\n<\/ul>\n<\/li>\n<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9064\"><a href=\"https:\/\/cirosec.de\/en\/about-us\/\" class=\"elementor-item\" tabindex=\"-1\">About us<\/a><\/li>\n<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9160\"><a 
href=\"https:\/\/cirosec.de\/en\/blog\/\" class=\"elementor-item\" tabindex=\"-1\">Blog<\/a><\/li>\n<\/ul>\t\t\t<\/nav>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-9ee7d03 elementor-widget-mobile__width-auto elementor-hidden-desktop elementor-widget-tablet_extra__width-auto elementor-widget-tablet__width-auto elementor-widget-mobile_extra__width-auto elementor-view-default elementor-widget elementor-widget-icon\" data-id=\"9ee7d03\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"icon.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-icon-wrapper\">\n\t\t\t<a class=\"elementor-icon\" href=\"#elementor-action%3Aaction%3Dpopup%3Aopen%26settings%3DeyJpZCI6MTI1MDcsInRvZ2dsZSI6ZmFsc2V9\">\n\t\t\t<i aria-hidden=\"true\" class=\"fas fa-bars\"><\/i>\t\t\t<\/a>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-25 elementor-top-column elementor-element elementor-element-9aaaa68 elementor-hidden-tablet elementor-hidden-mobile elementor-hidden-tablet_extra elementor-hidden-mobile_extra\" data-id=\"9aaaa68\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-eb812f4 elementor-widget__width-auto elementor-hidden-tablet elementor-hidden-mobile elementor-widget elementor-widget-shortcode\" data-id=\"eb812f4\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"shortcode.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-shortcode\">\n<div role=\"navigation\" aria-label=\"Language Switcher\" class=\"wpml-ls-statics-shortcode_actions wpml-ls wpml-ls-legacy-dropdown-click js-wpml-ls-legacy-dropdown-click\">\n\t<ul>\n\n\t\t<li class=\" 
wpml-ls-item-legacy-dropdown-click\">\n\n\t\t\t\t\t\t\t\t\t<a href=\"#\" hreflang=\"\" lang=\"\" class=\"js-wpml-ls-item-toggle wpml-ls-item-toggle\" aria-current=\"page\" aria-expanded=\"false\" aria-controls=\"wpml-ls-submenu-click-default\" aria-haspopup=\"true\" aria-label=\"Language switcher, click to open then tab to navigate\" tabindex=\"0\" role=\"button\" title=\"\">\n\t\t\t\t<\/a>\n\n\t\t\t<ul id=\"wpml-ls-submenu-click-default\" class=\"js-wpml-ls-sub-menu wpml-ls-sub-menu\">\n\t\t\t\t\n\t\t\t\t\t<li class=\"wpml-ls-slot-shortcode_actions wpml-ls-item wpml-ls-item-de wpml-ls-first-item wpml-ls-last-item\">\n\t\t\t\t\t\t<a href=\"https:\/\/cirosec.de\/\" hreflang=\"de\" lang=\"de\" class=\"wpml-ls-link\" aria-label=\"Switch to German\" title=\"Switch to German\">\n\t\t\t\t\t\t\t                                    <img decoding=\"async\" class=\"wpml-ls-flag lazyload\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" alt=\"German\" loading=\"lazy\" width=\"15\" height=\"9\" data-src=\"https:\/\/cirosec.de\/wp-content\/plugins\/sitepress-multilingual-cms\/res\/flags\/de.svg\"><\/a>\n\t\t\t\t\t<\/li>\n\n\t\t\t\t\t\t\t<\/ul>\n\n\t\t<\/li>\n\n\t<\/ul>\n<\/div>\n<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-d5c65bb elementor-search-form--skin-minimal elementor-widget__width-auto elementor-hidden-tablet elementor-hidden-mobile elementor-widget elementor-widget-search-form\" data-id=\"d5c65bb\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;skin&quot;:&quot;minimal&quot;}\" data-widget_type=\"search-form.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<search role=\"search\">\n\t\t\t<form class=\"elementor-search-form\" action=\"https:\/\/cirosec.de\/en\/\" method=\"get\">\n\t\t\t\t\t\t\t\t\t\t\t\t<div class=\"elementor-search-form__container\">\n\t\t\t\t\t<label class=\"elementor-screen-only\" 
for=\"elementor-search-form-d5c65bb\">Search<\/label>\n\n\t\t\t\t\t\t\t\t\t\t\t<div class=\"elementor-search-form__icon\">\n\t\t\t\t\t\t\t<i aria-hidden=\"true\" class=\"fas fa-search\"><\/i>\t\t\t\t\t\t\t<span class=\"elementor-screen-only\">Search<\/span>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\n\t\t\t\t\t<input id=\"elementor-search-form-d5c65bb\" placeholder=\"Search...\" class=\"elementor-search-form__input\" type=\"search\" name=\"s\" value=\"\">\n\t\t\t\t\t<input type='hidden' name='lang' value='en' \/>\n\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t<\/form>\n\t\t<\/search>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-25 elementor-top-column elementor-element elementor-element-071bdb7 elementor-hidden-tablet elementor-hidden-mobile elementor-hidden-tablet_extra elementor-hidden-mobile_extra\" data-id=\"071bdb7\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-4d21fed elementor-widget elementor-widget-button\" data-id=\"4d21fed\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"button.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-button-wrapper\">\n\t\t\t\t\t<a class=\"elementor-button elementor-button-link elementor-size-sm\" href=\"https:\/\/cirosec.de\/en\/inquiry\/\">\n\t\t\t\t\t\t<span class=\"elementor-button-content-wrapper\">\n\t\t\t\t\t\t\t\t\t<span class=\"elementor-button-text\">Send enquiry<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/a>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t<div class=\"elementor-element elementor-element-9865c47 e-flex e-con-boxed e-con e-parent\" data-id=\"9865c47\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div 
class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-4efe62d elementor-widget elementor-widget-html\" data-id=\"4efe62d\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"html.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<script>\n\ndocument.addEventListener('DOMContentLoaded', function() {\njQuery(function($) {\nvar mywindow = $(window);\nvar mypos = mywindow.scrollTop();\nlet scrolling = false;\nwindow.addEventListener('scroll', function() {\nscrolling = true;\n});\nsetInterval(() => {\nif (scrolling) {\nscrolling = false;\nif (mypos > 40) {\nif (mywindow.scrollTop() > mypos) {\n$('#header--sticky').addClass('headerup');\n} else {\n$('#header--sticky').removeClass('headerup');\n}\n}\nmypos = mywindow.scrollTop();\n}\n}, 300);\n});\n});\n\n<\/script>\n<style>\n#header--sticky{\ntransition : transform 0.34s ease;\n}\n.headerup{\ntransform: translateY(-110px); \/*adjust this value to the height of your header*\/\n}\n<\/style>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/header>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-632f7504 elementor-reverse-mobile elementor-section-height-min-height elementor-section-items-stretch elementor-section-boxed elementor-section-height-default\" data-id=\"632f7504\" data-element_type=\"section\" data-e-type=\"section\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t\t\t\t\t\t<div class=\"elementor-background-overlay\"><\/div>\n\t\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-no\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-50 elementor-top-column elementor-element elementor-element-74adefaa\" data-id=\"74adefaa\" data-element_type=\"column\" data-e-type=\"column\" 
data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-5966c7dd elementor-widget elementor-widget-post-info\" data-id=\"5966c7dd\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"post-info.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<ul class=\"elementor-inline-items elementor-icon-list-items elementor-post-info\">\n\t\t\t\t\t\t\t\t<li class=\"elementor-icon-list-item elementor-repeater-item-59da575 elementor-inline-item\" itemprop=\"about\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text elementor-post-info__item elementor-post-info__item--type-terms\">\n\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-post-info__terms-list\">\n\t\t\t\t<span class=\"elementor-post-info__terms-list-item\">Red Teaming<\/span>, <span class=\"elementor-post-info__terms-list-item\">Windows<\/span>\t\t\t\t<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t<\/li>\n\t\t\t\t<\/ul>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-5b6f9193 elementor-widget elementor-widget-heading\" data-id=\"5b6f9193\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h1 class=\"elementor-heading-title elementor-size-default\">Microsoft Defender for Identity evasions in 2026 \u2013 Part I<\/h1>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-addb6e7 elementor-widget elementor-widget-spacer\" data-id=\"addb6e7\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"spacer.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-spacer\">\n\t\t\t<div 
class=\"elementor-spacer-inner\"><\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-171325 elementor-widget elementor-widget-text-editor\" data-id=\"171325\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>June 16, 2026<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-50 elementor-top-column elementor-element elementor-element-640e8e3d elementor-hidden-mobile_extra elementor-hidden-mobile\" data-id=\"640e8e3d\" data-element_type=\"column\" data-e-type=\"column\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-2f30bcfd elementor-widget elementor-widget-spacer\" data-id=\"2f30bcfd\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"spacer.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-spacer\">\n\t\t\t<div class=\"elementor-spacer-inner\"><\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-2f3797cf elementor-reverse-mobile elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"2f3797cf\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-50 elementor-top-column elementor-element elementor-element-2c8da89a\" data-id=\"2c8da89a\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div 
class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-28bbabfe elementor-widget elementor-widget-menu-anchor\" data-id=\"28bbabfe\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"menu-anchor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-menu-anchor\" id=\"section1\"><\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-6c0f9f57 elementor-widget elementor-widget-heading\" data-id=\"6c0f9f57\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-heading-title elementor-size-default\">Microsoft Defender for Identity evasions in 2026 \u2013 Part I<\/div>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-3ed6f6aa elementor-widget elementor-widget-text-editor\" data-id=\"3ed6f6aa\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h2>Introduction<\/h2><p>When it comes to working with Microsoft Defender for Identity (DfI) from an offensive perspective, for instance during a red team assessment, research has already been conducted that highlights detection and evasion possibilities for different alerts. 
Research was previously done by Synacktiv, for example, for one of the pass-the-cert alerts (\u201cSuspicious certificate usage over Kerberos protocol (PKINIT)\u201d), multiple reconnaissance alerts, alerts for kerberoasting, AS-REP roasting and golden-ticket attacks.<\/p><p>The first part of this blogpost will summarize the research conducted at cirosec during the last few weeks related to DfI\u2019s detection capabilities for high-impact attacks on Active Directory like shadow-credentials, pass-the-cert, ESC8 and DCSync and its respective evasion possibilities. Also, one of DfI\u2019s main components called \u201cNetwork Name Resolution\u201d will be introduced, which is vulnerable to spoofing and relaying in DfI version 2.2, allowing multiple alerts to be evaded. Differentiation will be made and demonstrated between the DfI versions 2.2 and 3.0.\u00a0<\/p><p>The second part of the blogpost will show options for the blue teamer\u2019s perspective and offer alternative possibilities to detect some of the attacks that were performed while using DfI evasion. If you are interested in this, the blogpost can be found here: <a href=\"https:\/\/cirosec.de\/en\/news\/microsoft-defender-for-identity-evasions-in-2026-part-ii\/\" target=\"_blank\" rel=\"noopener\">Microsoft Defender for Identity evasions in 2026 \u2013 Part II<\/a>.\u00a0<\/p><p>When talking about \u201cevasion\u201d in this blogpost, the term is defined in two ways. The first is when the detection logic for a part of an attack does not exist, which can be used to evade alerting DfI in general. The other definition of evasion is when performing an attack and actively misleading existing detection logics to evade the alert.<strong>\u00a0<\/strong><\/p><h2>Defender for Identity &#8211; architecture and overview<\/h2><p>Microsoft DfI is one of the main components of the Microsoft Defender XDR solution besides other security products like Microsoft Defender for Endpoint and Defender for Office 365. 
DfI aims to help organizations to detect identity-related attacks across on-premises Active Directory. To accomplish that task, DfI collects different signals from the network through its agents, which are placed at the most critical Windows servers. The identity signals gathered by these agents are transferred into the Microsoft Defender XDR portal, where a correlation of these signals with data from other products like Defender for Endpoint happens, which can highlight ongoing attacks, starting from one endpoint, going across the domain against sensitive targets like domain controllers.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-42747652 elementor-widget elementor-widget-image\" data-id=\"42747652\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t\t<a href=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure1.png\" data-elementor-open-lightbox=\"yes\" data-elementor-lightbox-title=\"Figure1\" data-e-action-hash=\"#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6Mjc0MjQsInVybCI6Imh0dHBzOlwvXC9jaXJvc2VjLmRlXC93cC1jb250ZW50XC91cGxvYWRzXC8yMDI2XC8wNlwvRmlndXJlMS5wbmcifQ%3D%3D\">\n\t\t\t\t\t\t\t<img decoding=\"async\" width=\"640\" height=\"382\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" class=\"attachment-medium_large size-medium_large wp-image-27424 lazyload\" alt=\"\" sizes=\"(max-width: 640px) 100vw, 640px\" data-src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure1-768x458.png\" data-srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure1-768x458.png 768w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure1-300x179.png 300w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure1.png 
801w\">\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Figure 1: Microsoft Defender XDR (https:\/\/learn.microsoft.com\/en-us\/defender-xdr\/pilot-deploy-overview)<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-6840f930 elementor-widget elementor-widget-text-editor\" data-id=\"6840f930\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>The following Windows server roles for DfI deployment are currently supported:<\/p><ul><li>Active Directory &#8211; Domain Services (AD DS)<\/li><li>Active Directory &#8211; Certificate Services (AD CS)<\/li><li>Active Directory &#8211; Federation Services (AD FS)<\/li><li>Entra Connect server<\/li><\/ul><h2>Laboratory setup<\/h2>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-4d60bd7 elementor-widget elementor-widget-image\" data-id=\"4d60bd7\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t\t<a href=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure2.png\" data-elementor-open-lightbox=\"yes\" data-elementor-lightbox-title=\"Figure2\" data-e-action-hash=\"#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6Mjc0MjYsInVybCI6Imh0dHBzOlwvXC9jaXJvc2VjLmRlXC93cC1jb250ZW50XC91cGxvYWRzXC8yMDI2XC8wNlwvRmlndXJlMi5wbmcifQ%3D%3D\">\n\t\t\t\t\t\t\t<img decoding=\"async\" width=\"640\" height=\"598\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" class=\"attachment-medium_large size-medium_large wp-image-27426 lazyload\" alt=\"\" sizes=\"(max-width: 640px) 100vw, 640px\" 
data-src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure2-768x717.png\" data-srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure2-768x717.png 768w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure2-300x280.png 300w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure2.png 967w\">\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Figure 2: Lab setup<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-50 elementor-top-column elementor-element elementor-element-3ba7ab0\" data-id=\"3ba7ab0\" data-element_type=\"column\" data-e-type=\"column\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-32562b7 elementor-widget elementor-widget-image-box\" data-id=\"32562b7\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image-box.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-image-box-wrapper\"><div class=\"elementor-image-box-content\"><div class=\"elementor-image-box-title\">Jakob Scholz<\/div><p class=\"elementor-image-box-description\">Consultant<\/p><\/div><\/div>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-45dfe742 elementor-widget elementor-widget-heading\" data-id=\"45dfe742\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-heading-title elementor-size-default\">Category<\/div>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-69409034 elementor-widget elementor-widget-post-info\" data-id=\"69409034\" 
data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"post-info.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<ul class=\"elementor-icon-list-items elementor-post-info\">\n\t\t\t\t\t\t\t\t<li class=\"elementor-icon-list-item elementor-repeater-item-59da575\" itemprop=\"about\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text elementor-post-info__item elementor-post-info__item--type-terms\">\n\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-post-info__terms-list\">\n\t\t\t\t<span class=\"elementor-post-info__terms-list-item\">Red Teaming<\/span>, <span class=\"elementor-post-info__terms-list-item\">Windows<\/span>\t\t\t\t<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t<\/li>\n\t\t\t\t<\/ul>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-1bbd1225 elementor-widget elementor-widget-heading\" data-id=\"1bbd1225\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-heading-title elementor-size-default\">Date<\/div>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-3ef38b48 elementor-widget elementor-widget-post-info\" data-id=\"3ef38b48\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"post-info.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<ul class=\"elementor-icon-list-items elementor-post-info\">\n\t\t\t\t\t\t\t\t<li class=\"elementor-icon-list-item elementor-repeater-item-59da575\" itemprop=\"datePublished\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-icon-list-text elementor-post-info__item elementor-post-info__item--type-date\">\n\t\t\t\t\t\t\t\t\t\t<time>2026-06-16<\/time>\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t<\/li>\n\t\t\t\t<\/ul>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-7ead91d0 
elementor-widget elementor-widget-heading\" data-id=\"7ead91d0\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-heading-title elementor-size-default\">Navigation<\/div>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-5bbc863 elementor-widget elementor-widget-table-of-contents\" data-id=\"5bbc863\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;headings_by_tags&quot;:[&quot;h2&quot;,&quot;h3&quot;,&quot;h4&quot;],&quot;exclude_headings_by_selector&quot;:[],&quot;marker_view&quot;:&quot;bullets&quot;,&quot;icon&quot;:{&quot;value&quot;:&quot;fas fa-chevron-right&quot;,&quot;library&quot;:&quot;fa-solid&quot;},&quot;no_headings_message&quot;:&quot;No headings were found on this page.&quot;,&quot;hierarchical_view&quot;:&quot;yes&quot;,&quot;min_height&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]},&quot;min_height_tablet_extra&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]},&quot;min_height_tablet&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]},&quot;min_height_mobile_extra&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]},&quot;min_height_mobile&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]}}\" data-widget_type=\"table-of-contents.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<div id=\"elementor-toc__5bbc863\" class=\"elementor-toc__body\">\n\t\t\t<div class=\"elementor-toc__spinner-container\">\n\t\t\t\t<i class=\"elementor-toc__spinner eicon-animation-spin eicon-loading\" 
aria-hidden=\"true\"><\/i>\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-616081d3 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"616081d3\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-50 elementor-top-column elementor-element elementor-element-27d8cdaf\" data-id=\"27d8cdaf\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-52caa2c2 elementor-widget elementor-widget-menu-anchor\" data-id=\"52caa2c2\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"menu-anchor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-menu-anchor\" id=\"info-event\"><\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-1069f8aa elementor-widget elementor-widget-menu-anchor\" data-id=\"1069f8aa\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"menu-anchor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-menu-anchor\" id=\"section2\"><\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-7ad317f4 elementor-widget elementor-widget-menu-anchor\" data-id=\"7ad317f4\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"menu-anchor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-menu-anchor\" id=\"section3\"><\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div 
class=\"elementor-element elementor-element-881fc18 elementor-widget elementor-widget-text-editor\" data-id=\"881fc18\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Looking at the initial lab setup, there are two domain controllers (DC) in the DfI versions 2.2 and 3.0, and a certificate authority (CA) is provided, too. Besides that, there are two clients: a domain-joined Windows workstation called PC02 and a Kali client that is not domain joined. Both clients represent an attacker on the network. The domain controllers with the two different versions of DfI allow testing against both of them.<\/p><p>The alerts covered in this blogpost don\u2019t have a learning period, meaning there is no baseline that must be learned over a given time about what normal or abnormal network activities are. They operate on \u201cstatic\u201d conditions, making the alert work from the beginning of the setup. The information on whether an alert has a learning period is shown in the DfI documentation <a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-for-identity\/alerts-mdi-classic\" target=\"_blank\" rel=\"noopener\">here<\/a>, at least for alerts classified as \u201cDfI classic alerts\u201d. Microsoft is moving the DfI classic alerts during an ongoing transition to \u201cDfI XDR Alerts\u201d, where less information is provided.<\/p><p>Another aspect to consider is the endpoint where attacks are carried out. Since Defender XDR correlates information between its different security products, it can even detect attacks that are evaded \u201cDfI-wise\u201d, for instance when the corresponding tool to perform an attack is recognized at an endpoint that is monitored through Defender for Endpoint. 
Since the focus was on DfI only, in the lab, PC02 is set up without Defender for Endpoint.<\/p><p>All of the results shown in this blogpost were generated between November 1, 2025 and February 1, 2026 and are based on the laboratory setup, which does not represent an enterprise environment. Therefore, DfI and the results may behave differently in a productive environment.<\/p><h2>Shadow credentials<\/h2><h3>Attack overview<\/h3><p>The shadow-credentials attack makes use of the <em>msDS-KeyCredentialLink <\/em>(KCL) attribute. This attribute can be used to store public keys and link them to the corresponding user or computer object, allowing for Kerberos authentication. When an attacker gets into a position where he can write the KCL attribute for another user or computer, he can essentially store his own public key there, making it possible to authenticate with the certificate as these entities. The authentication is done over the Kerberos extension for \u201cPublic Key Cryptography for initial authentication\u201d (PKINIT) by presenting the certificate. The following weaknesses and evasion options occur in DfI versions 2.2 and 3.0.<\/p><h3>General detection requirements<\/h3><p>Talking about the alerting possibilities, there are two different alerts, and it must be distinguished between three different scenarios when looking at DfI\u2019s detection capabilities. These scenarios differ regarding which entity is setting a shadow credential to which entity. The relevant difference in the entities is the target type, i.e. whether it\u2019s a user object or a computer object.<\/p><p>A general requirement for DfI to identify a shadow-credentials attack is the correct auditing on the domain controllers. 
The event 5136 \u201cA directory service object was modified\u201d is required in order to make DfI capable of knowing that the KCL attribute, where the public key (shadow credential) is stored, was modified.<\/p><h3>User to user<\/h3><p>In the first scenario, a user is able to set a shadow credential for another user. There seems to be nearly no detection logic for this. A user can set a shadow credential for another user, except for the AD built-in administrator (S-1-5-&lt;domain&gt;-500), without raising the alert.<\/p><p>When setting a shadow credential (in this case for the built-in administrator (S-1-5-&lt;domain&gt;-500)), the first thing to happen is the event that occurs and is evaluated by DfI:\u00a0<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-7c4692a elementor-widget elementor-widget-image\" data-id=\"7c4692a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t\t<a href=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure3.png\" data-elementor-open-lightbox=\"yes\" data-elementor-lightbox-title=\"Figure3\" data-e-action-hash=\"#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6Mjc0MjgsInVybCI6Imh0dHBzOlwvXC9jaXJvc2VjLmRlXC93cC1jb250ZW50XC91cGxvYWRzXC8yMDI2XC8wNlwvRmlndXJlMy5wbmcifQ%3D%3D\">\n\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"447\" height=\"472\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" class=\"attachment-medium_large size-medium_large wp-image-27428 lazyload\" alt=\"\" sizes=\"(max-width: 447px) 100vw, 447px\" data-src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure3.png\" data-srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure3.png 447w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure3-284x300.png 
284w\">\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Figure 3: Shadow credential \u2013 event 5136<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-4e6f3714 elementor-widget elementor-widget-text-editor\" data-id=\"4e6f3714\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>If done for the built-in administrator, the alert for setting a shadow credential is raised:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-5d91711f elementor-widget elementor-widget-image\" data-id=\"5d91711f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t\t<a href=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure4.png\" data-elementor-open-lightbox=\"yes\" data-elementor-lightbox-title=\"Figure4\" data-e-action-hash=\"#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6Mjc0MzAsInVybCI6Imh0dHBzOlwvXC9jaXJvc2VjLmRlXC93cC1jb250ZW50XC91cGxvYWRzXC8yMDI2XC8wNlwvRmlndXJlNC5wbmcifQ%3D%3D\">\n\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"640\" height=\"360\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" class=\"attachment-medium_large size-medium_large wp-image-27430 lazyload\" alt=\"\" sizes=\"(max-width: 640px) 100vw, 640px\" data-src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure4-768x432.png\" data-srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure4-768x432.png 768w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure4-300x169.png 300w, 
https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure4-1024x576.png 1024w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure4.png 1420w\">\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Figure 4: Shadow credential alert: Suspected account takeover using shadow credentials<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-e0a3dbb elementor-widget elementor-widget-text-editor\" data-id=\"e0a3dbb\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>For all other kinds of user objects &#8211; even when highly privileged through group membership \u2013 shadow credentials can be set without alerting DfI. In the tests, the users for which a shadow credential has been set were members of the following groups:<\/p><ul><li>Administrators<\/li><li>Domain Admins<\/li><li>Enterprise Administrators<\/li><li>Group Policy Creator Owners<\/li><li>Schema Admins<\/li><\/ul><h3>User to computer<\/h3><p>The second scenario to consider is writing a shadow credential from the user context to a computer object. Here, a distinction between sensitive and non-sensitive computer objects can be made. Computer objects seen as sensitive and instantly alerted when a shadow credential is set for them are Windows servers with the following roles:<\/p><ul><li>Active Directory &#8211; Domain Services (AD DS)<\/li><li>Active Directory \u2013 Certificate Services (AD CS)<\/li><li>Active Directory \u2013 Federation Services (AD FS)<\/li><li>Entra Connect server<\/li><\/ul><p>This list is not exhaustive, and more server roles could be affected. 
But regular workstations that don\u2019t hold a Windows server role seem to be classified as non-sensitive by Microsoft, and shadow credentials can be set without any alerting.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-026a0c5 elementor-widget elementor-widget-menu-anchor\" data-id=\"026a0c5\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"menu-anchor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-menu-anchor\" id=\"computertocomputer\"><\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-25c395f elementor-widget elementor-widget-menu-anchor\" data-id=\"25c395f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"menu-anchor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-menu-anchor\" id=\"computertocomputer\"><\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-cdaa0f5 elementor-widget elementor-widget-text-editor\" data-id=\"cdaa0f5\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h3>Computer to computer<\/h3><p>Authentication coercion combined with NTLM relaying can be used by an attacker to authenticate as a foreign computer, allowing them to write shadow credentials for the impersonated computer. This is because computer objects have the legitimate right to self-edit their KCL attribute.<\/p><p>In a coercion attack, a third-party machine account can be forced to authenticate via NTLM to a target of the attacker&#8217;s choosing. The attacker can forward this authentication information to another target via NTLM relaying and can thus impersonate the relayed machine account. 
Extensive information about these two attack techniques can be found in the following two blogposts: <a href=\"https:\/\/en.hackndo.com\/ntlm-relay\/#preliminary\" target=\"_blank\" rel=\"noopener\">NTLM Relay<\/a> and <a href=\"https:\/\/blog.redteam-pentesting.de\/2025\/windows-coercion\/\">The Ultimate Guide to Windows Coercion Techniques in 2025<\/a>.<\/p><p>The context here is different when compared to writing a shadow credential from a user identity to a computer: A machine account is writing the shadow credentials for itself, and there also exists a legitimate mechanism making use of it, which may be the reason why no shadow-credentials alert is raised when setting one for a sensitive computer object like a DC or a CA through NTLM relaying. Windows enables the possibility of \u201c<a href=\"https:\/\/learn.microsoft.com\/en-us\/windows-server\/security\/kerberos\/domain-joined-device-public-key-authentication\" target=\"_blank\" rel=\"noopener\">domain-joined device public key authentication<\/a>\u201d, which allows a computer to perform Kerberos authentication using key trust. When certain requirements are met, such as the device running Credential Guard or having a TPM, the device can create a key pair and store the public key in its KCL attribute.<\/p><p>When performing the attack, it must be kept in mind that there are alerts in DfI targeting NTLM-relaying and authentication-coercion attacks. 
But as described, there is no detection for the shadow-credentials attack itself, when talking about the NTLM relay scenario, where the identity of the computer object is used to write the shadow credential to that computer.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-dfa9ea9 elementor-widget elementor-widget-menu-anchor\" data-id=\"dfa9ea9\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"menu-anchor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-menu-anchor\" id=\"shadow-credentials\"><\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-4245747 elementor-widget elementor-widget-text-editor\" data-id=\"4245747\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h3>Shadow-credentials alert through PKINIT<\/h3><p>The second alert that can be triggered in the context of a shadow-credentials attack is called \u201cShadow Credential Added to Account and used for Authentication\u201d. This alert depends on another alert, namely the alert: \u201cSuspicious certificate usage over Kerberos protocol (PKINIT)\u201d. This alert is triggered when DfI detects that the usage of a certificate over the PKINIT extension is done by an attacker, namely as a pass-the-cert attack, which is explained in the next section. When redeeming the set shadow credential to retrieve a Ticket Granting Ticket (TGT), which is done over the PKINIT extension of the Kerberos protocol, the set shadow credential can be detected retroactively by detecting the pass-the-cert attack. This extends the possibilities to detect shadow credentials set to user objects, which, as said previously, was nearly impossible. But the problem with this alert is that it depends on another alert, which makes it less robust. 
In summary, someone who can evade the alert for \u201cSuspicious certificate usage over Kerberos protocol (PKINIT)\u201d will automatically evade the alert for \u201cShadow Credential Added to Account and used for Authentication\u201d.<\/p><h2>Pass-the-cert attack<\/h2><h3>Attack overview<\/h3><p>When having obtained a certificate through a shadow-credentials attack or an ADCS-ESC vulnerability, an attacker can use this certificate to request a TGT, authenticating him as the victim in whose context the certificate was created. The ADCS-ESC vulnerabilities refer to a range of misconfigurations possible for the Active Directory Certificate Services. See the whitepaper from Specter Ops <a href=\"https:\/\/specterops.io\/wp-content\/uploads\/sites\/3\/2022\/06\/Certified_Pre-Owned.pdf\" target=\"_blank\" rel=\"noopener\">Certified Pre-Owned<\/a> for more information.<\/p><h3>Reviewing existing evasion possibility<\/h3><p>DfI comes with a detection logic for this attack, in which it tries to determine if an offensive tool like Rubeus was used to build the Authentication Service request (AS-REQ). The AS-REQ is the initial Kerberos message sent by a client to the Key Distribution Center (KDC) to request a TGT and initiate the authentication process. The detection is done by looking at the way how the ticket was requested. Synacktiv has done the research for the respective alert \u201cSuspicious certificate usage over Kerberos protocol (PKINIT)\u201d and found out that the indicators used by DfI to tell if an AS-REQ is built in a legitimate way or by an attacking tool are the eTypes. The eTypes are supported encryption types suggested by the client to encrypt the Kerberos tickets. 
Those suggested by Rubeus when building an AS-REQ are unique, making it easy for DfI to fingerprint that Rubeus was used.<\/p><p>The eTypes that are common in legitimate applications and can be used to bypass this alert are listed in Synacktiv\u2019s blogpost <a href=\"https:\/\/www.synacktiv.com\/en\/publications\/understanding-and-evading-microsoft-defender-for-identity-pkinit-detection\" target=\"_blank\" rel=\"noopener\">here<\/a>. The evasion was still working at the time of writing this article in March 2026 for DfI versions 2.2 and 3.0. The following Wireshark dump shows the AS-REQ when built with an adjusted version of Rubeus, using legitimate eTypes:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-6bd70073 elementor-widget elementor-widget-image\" data-id=\"6bd70073\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t\t<a href=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure5.png\" data-elementor-open-lightbox=\"yes\" data-elementor-lightbox-title=\"Figure5\" data-e-action-hash=\"#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6Mjc0MzIsInVybCI6Imh0dHBzOlwvXC9jaXJvc2VjLmRlXC93cC1jb250ZW50XC91cGxvYWRzXC8yMDI2XC8wNlwvRmlndXJlNS5wbmcifQ%3D%3D\">\n\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"640\" height=\"520\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" class=\"attachment-medium_large size-medium_large wp-image-27432 lazyload\" alt=\"\" sizes=\"(max-width: 640px) 100vw, 640px\" data-src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure5-768x624.png\" data-srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure5-768x624.png 768w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure5-300x244.png 300w, 
https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure5.png 871w\">\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Figure 5: AS-REQ with legitimate eTypes<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-19f7841e elementor-widget elementor-widget-text-editor\" data-id=\"19f7841e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h3>Taking a deeper look at the detection logic<\/h3><p>Interestingly, this tool-based detection, where DfI tries to figure out if an AS-REQ is suspicious by inspecting the eTypes, is the second part of the detection chain for this alert. Before DfI investigates the suggested eTypes, it checks whether the creation time of the certificate is bigger or lower than two hours. This is done using the value <em>NotBefore<\/em> inside the certificate, which indicates the date on which the certificate becomes valid. The tool-based detection is only applied for certificates created during the last two hours. If the <em>NotBefore<\/em> value indicates that the certificate\u2019s creation time is bigger than two hours, no further investigation is done by DfI, even if an unmodified version of Rubeus using the standard eTypes is used, which could be fingerprinted.<\/p><h3>Shadow credentials and PKINIT<\/h3><p>The awareness of that behaviour opens up another attack vector. If someone could modify the <em>NotBefore<\/em> value of a certificate that is used for Kerberos client authentication, they could bypass the whole detection chain. Certificates gained through ADCS-ESC-related attacks, e.g. ESC1, will be signed by the CA and cannot be modified without breaking the signature, which would result in the certificate getting rejected by the KDC when requesting the TGT. 
But for a self-signed certificate, as used when setting a shadow credential, the <em>NotBefore<\/em> value can simply be set to a point in the past, making the certificate look older than it is. The KDC accepts such a certificate because it is trusted via the key material stored in the account\u2019s <em>msDS-KeyCredentialLink<\/em> attribute rather than via a CA signature, so the backdated validity period is not questioned.
credential:<\/p><pre>$ngcKey = Get-ADKeyCredential -Certificate $certificate -DeviceId $deviceID -OwnerDN $ownerDN -CreationTime (Get-Date)<br \/><br \/>Set-ADObject -Identity $ngcKey.Owner -Add @{'msDS-KeyCredentialLink' = $ngcKey.ToDNWithBinary()}<\/pre><p>As discussed in the section about shadow credentials, in part \u201c<a href=\"#shadow-credentials\" data-wplink-edit=\"true\">Shadow-credentials alert through PKINIT<\/a>\u201d, the creation of a shadow credential can be detected through the subsequent authentication against the KDC when DfI classifies the authentication as malicious, which then also results in the alert for shadow credentials. As shown in this section, the pass-the-cert alert can also be bypassed by waiting two hours or making the certificate look like it\u2019s older than two hours, but this only applies to self-signed certificates. Eventually, this makes it possible to evade the pass-the-cert alert when creating shadow credentials, which also results in evading the alert for setting the shadow credential.<\/p><h2>Network Name Resolution (NNR)<\/h2><p>Network Name Resolution (NNR) is a core component for several alerts to work, but is vulnerable to spoofing and relaying, making it possible to evade multiple alerts.<\/p><p>The DfI <a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-for-identity\/nnr-policy\" target=\"_blank\" rel=\"noopener\">documentation<\/a> describes NNR as follows:<br \/>\u201c<em>Using NNR, Defender for Identity can correlate between raw activities (containing IP addresses), and the relevant computers involved in each activity. 
Based on the raw activities, Defender for Identity profiles entities, including computers, and generates security alerts for suspicious activities<\/em>\u201d.<\/p><p>NNR works by requesting the NetBIOS host and domain name as well as the DNS name from the IP address, from where a potential attack occurred, using three different primary methods:<\/p><ul><li>NTLM over RPC (TCP port 135)<\/li><li>NetBIOS (UDP port 137)<\/li><li>Remote desktop protocol (TCP port 3389)<\/li><\/ul><p>There also exists a secondary method, which is used if there is no response from any of the primary methods or if there\u2019s a conflict in the responses received from two or more primary methods. The secondary option makes use of DNS. The DfI agent will make a reverse DNS lookup of the IP address to get the hostname of the machine.<\/p><p>By using these methods, DfI can tell the origin of the suspicious traffic and map it to a computer hostname, making it possible to distinguish between an attack or legitimate behavior. How knowing the hostname of the suspicious computer helps DfI determine if an attack occurred is explained in the next section using one alert whose detection logic is based on NNR.<\/p><h3>NNR in action: Suspected suspicious Kerberos ticket request<\/h3><p>Using an example to see the inner working of NNR and its weakness, it can be continued to obtain TGTs by using certificates. While having already discussed the alert \u201cSuspicious certificate usage over Kerberos protocol (PKINIT)\u201d, there is another alert when trying to request a TGT by offering a certificate via PKINIT. This alert is called \u201cSuspected suspicious Kerberos ticket request\u201d and has an interesting scope. 
The research has shown that it is only applied when trying to authenticate as a domain controller machine account using a certificate.<\/p><p>For this example, it is assumed that the adversary is on PC02.jsc.lab (172.16.94.11) and has managed to get a certificate valid for DC02 allowing Kerberos client authentication, for instance through shadow credentials or an ADCS-ESC vulnerability. When the attacker from PC02 uses the certificate to authenticate as DC02$ against DC01.jsc.lab, the DfI agent at DC01 will send NNR requests to the source IP address from which the AS-REQ for DC02 request originated, which is 172.16.94.11. This is done to determine if DC02 is actually at this IP address. The described flow is illustrated in the following image:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-c2d5680 elementor-widget elementor-widget-image\" data-id=\"c2d5680\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t\t<a href=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure6.png\" data-elementor-open-lightbox=\"yes\" data-elementor-lightbox-title=\"Figure6\" data-e-action-hash=\"#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6Mjc0MzQsInVybCI6Imh0dHBzOlwvXC9jaXJvc2VjLmRlXC93cC1jb250ZW50XC91cGxvYWRzXC8yMDI2XC8wNlwvRmlndXJlNi5wbmcifQ%3D%3D\">\n\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"640\" height=\"357\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" class=\"attachment-medium_large size-medium_large wp-image-27434 lazyload\" alt=\"\" sizes=\"(max-width: 640px) 100vw, 640px\" data-src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure6.png\" data-srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure6.png 701w, 
https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure6-300x167.png 300w\">\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Figure 6: NNR flow<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-412d2084 elementor-widget elementor-widget-text-editor\" data-id=\"412d2084\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>The only information the DfI agent has before starting the investigation using NNR is an AS-REQ requesting a TGT for DC02 and the source IP address of the suspicious machine. The AS-REQ provides a valid certificate with the subject DC02$, indicating that the certificate belongs to DC02$. The requester has also sent the signed timestamp, giving proof of possession of the private key.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-b3c03ff elementor-widget elementor-widget-image\" data-id=\"b3c03ff\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t\t<a href=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure7.png\" data-elementor-open-lightbox=\"yes\" data-elementor-lightbox-title=\"Figure7\" data-e-action-hash=\"#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6Mjc0MzYsInVybCI6Imh0dHBzOlwvXC9jaXJvc2VjLmRlXC93cC1jb250ZW50XC91cGxvYWRzXC8yMDI2XC8wNlwvRmlndXJlNy5wbmcifQ%3D%3D\">\n\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"640\" height=\"721\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" class=\"attachment-medium_large size-medium_large wp-image-27436 lazyload\" alt=\"\" sizes=\"(max-width: 
640px) 100vw, 640px\" data-src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure7-768x865.png\" data-srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure7-768x865.png 768w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure7-266x300.png 266w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure7-909x1024.png 909w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure7.png 917w\">\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Figure 7: AS-REQ DC02$<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-74d9a05 elementor-widget elementor-widget-text-editor\" data-id=\"74d9a05\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Therefore, it makes sense to have a detection logic for that kind of request. An AS-REQ for a domain controller machine account must originate from the source IP address of the respective domain controller, in the case of Kerberos authentication. If a TGT for a domain controller machine account is requested from a machine that is not the domain controller itself, as indicated by network attributes such as IP address and hostname, this strongly indicates that an adversary has obtained a valid certificate, which would be explainable through attacks like shadow-credentials or ADCS-ESC-related attacks.<\/p><h3>Inspection of NNR primary methods<\/h3><p>Continuing with the example from above, specific actions are happening on DC01 and PC02 when the attacker performs an AS-REQ for DC02 against the KDC on DC01 starting from PC02. 
The DfI agent\u2019s reaction on DC01 (172.16.94.1) to the incoming AS-REQ is inspected using Procmon:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-5b94dcad elementor-widget elementor-widget-image\" data-id=\"5b94dcad\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t\t<a href=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure8.png\" data-elementor-open-lightbox=\"yes\" data-elementor-lightbox-title=\"Figure8\" data-e-action-hash=\"#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6Mjc0MzgsInVybCI6Imh0dHBzOlwvXC9jaXJvc2VjLmRlXC93cC1jb250ZW50XC91cGxvYWRzXC8yMDI2XC8wNlwvRmlndXJlOC5wbmcifQ%3D%3D\">\n\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"640\" height=\"88\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" class=\"attachment-medium_large size-medium_large wp-image-27438 lazyload\" alt=\"\" sizes=\"(max-width: 640px) 100vw, 640px\" data-src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure8.png\" data-srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure8.png 752w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure8-300x41.png 300w\">\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Figure 8: DfI sensor process performing NNR<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-44d6be32 elementor-widget elementor-widget-text-editor\" data-id=\"44d6be32\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>\u201cMicrosoft.Tri.Sensor.exe\u201d is the relevant process of DfI, 
which performs the NNR. The first two entries 1.) and 2.) are requests and responses to PC02 using NetBIOS &#8211; UDP port 137. Entries 3.), 4.), 5.) and 6.) are responsible for the NNR method using the endpoint mapper &#8211; TCP port 135. Entry 7.) uses RDP &#8211; TCP port 3389. \u00a0<\/p><p>When monitoring PC02, the incoming NNR requests can be noticed, where each source port can be mapped to the source ports in figure 8:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-24b08189 elementor-widget elementor-widget-image\" data-id=\"24b08189\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t\t<a href=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure9.png\" data-elementor-open-lightbox=\"yes\" data-elementor-lightbox-title=\"Figure9\" data-e-action-hash=\"#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6Mjc0NDAsInVybCI6Imh0dHBzOlwvXC9jaXJvc2VjLmRlXC93cC1jb250ZW50XC91cGxvYWRzXC8yMDI2XC8wNlwvRmlndXJlOS5wbmcifQ%3D%3D\">\n\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"640\" height=\"164\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" class=\"attachment-medium_large size-medium_large wp-image-27440 lazyload\" alt=\"\" sizes=\"(max-width: 640px) 100vw, 640px\" data-src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure9.png\" data-srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure9.png 751w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure9-300x77.png 300w\">\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Figure 9: NBNS node status request<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element 
elementor-element-840e604 elementor-widget elementor-widget-text-editor\" data-id=\"840e604\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>The NetBIOS request from the DfI agent to port 137 on PC02 can be noticed in figure 9. Furthermore, we can see the request at the DCE\/RPC endpoint mapper on TCP port 135:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-52561f0f elementor-widget elementor-widget-image\" data-id=\"52561f0f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t\t<a href=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure10.png\" data-elementor-open-lightbox=\"yes\" data-elementor-lightbox-title=\"Figure10\" data-e-action-hash=\"#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6Mjc0NDIsInVybCI6Imh0dHBzOlwvXC9jaXJvc2VjLmRlXC93cC1jb250ZW50XC91cGxvYWRzXC8yMDI2XC8wNlwvRmlndXJlMTAucG5nIn0%3D\">\n\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"640\" height=\"125\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" class=\"attachment-medium_large size-medium_large wp-image-27442 lazyload\" alt=\"\" sizes=\"(max-width: 640px) 100vw, 640px\" data-src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure10-768x150.png\" data-srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure10-768x150.png 768w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure10-300x58.png 300w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure10.png 873w\">\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Figure 10: NTLM over 
RPC<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-8753232 elementor-widget elementor-widget-text-editor\" data-id=\"8753232\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Eventually, there is the connection to RDP on TCP port 3389:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-7971918 elementor-widget elementor-widget-image\" data-id=\"7971918\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t\t<a href=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure11.png\" data-elementor-open-lightbox=\"yes\" data-elementor-lightbox-title=\"Figure11\" data-e-action-hash=\"#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6Mjc0NDQsInVybCI6Imh0dHBzOlwvXC9jaXJvc2VjLmRlXC93cC1jb250ZW50XC91cGxvYWRzXC8yMDI2XC8wNlwvRmlndXJlMTEucG5nIn0%3D\">\n\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"640\" height=\"165\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" class=\"attachment-medium_large size-medium_large wp-image-27444 lazyload\" alt=\"\" sizes=\"(max-width: 640px) 100vw, 640px\" data-src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure11.png\" data-srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure11.png 703w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure11-300x77.png 300w\">\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Figure 11: RDP<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element 
elementor-element-257bda9f elementor-widget elementor-widget-text-editor\" data-id=\"257bda9f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h3>NNR method: NetBIOS node status request<\/h3><p>The NetBIOS request done by DfI is a so-called NetBIOS node status request, which is a unicast request to retrieve NetBIOS-related information about an endpoint. The NetBIOS node status response from PC02 contains information about its NetBIOS hostname, the NetBIOS domain name and the NetBIOS service type. The hostname and domain name are the relevant information which is used by the DfI agent to answer the previous question of whether the computer with IP address 172.16.91.11 (PC02) is in fact DC02. Since PC02 is not DC02, the NetBIOS-related information from PC02 will lead DfI to alert this attack.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-fc77cce elementor-widget elementor-widget-image\" data-id=\"fc77cce\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t\t<a href=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure12.png\" data-elementor-open-lightbox=\"yes\" data-elementor-lightbox-title=\"Figure12\" data-e-action-hash=\"#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6Mjc0NDYsInVybCI6Imh0dHBzOlwvXC9jaXJvc2VjLmRlXC93cC1jb250ZW50XC91cGxvYWRzXC8yMDI2XC8wNlwvRmlndXJlMTIucG5nIn0%3D\">\n\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"640\" height=\"473\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" class=\"attachment-medium_large size-medium_large wp-image-27446 lazyload\" alt=\"\" sizes=\"(max-width: 640px) 100vw, 640px\" 
data-src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure12-768x567.png\" data-srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure12-768x567.png 768w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure12-300x222.png 300w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure12.png 826w\">\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Figure 12: NetBIOS node status response (PC02)<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-1c209d32 elementor-widget elementor-widget-text-editor\" data-id=\"1c209d32\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>The three highlighted areas in figure 12 contain the discussed information that is essential for the detection logic. Each entry corresponds to a registered name, which are three in total. The first name \u201cJSC&lt;00&gt; (Workstation\/Redirector)\u201d states that the NetBIOS domain name is \u201cJSC\u201d, and the service type is 0x00, which represents a workstation. The two other names just differ in the service types, while 0x20 indicates a file service. \u201cPC02&lt;00&gt; (Workstation\/Redirector)\u201d indicates the NetBIOS hostname is \u201cPC02\u201d.<\/p><p>The NetBIOS request generated by DfI can also be triggered by using the native Windows tool nbtstat by using nbtstat -A &lt;ip&gt;. 
The result can be seen in the following image, containing the same information as when inspecting the NetBIOS request through Wireshark:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-cfe4d7a elementor-widget elementor-widget-image\" data-id=\"cfe4d7a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t\t<a href=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure13.png\" data-elementor-open-lightbox=\"yes\" data-elementor-lightbox-title=\"Figure13\" data-e-action-hash=\"#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6Mjc0NDgsInVybCI6Imh0dHBzOlwvXC9jaXJvc2VjLmRlXC93cC1jb250ZW50XC91cGxvYWRzXC8yMDI2XC8wNlwvRmlndXJlMTMucG5nIn0%3D\">\n\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"401\" height=\"234\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" class=\"attachment-medium_large size-medium_large wp-image-27448 lazyload\" alt=\"\" sizes=\"(max-width: 401px) 100vw, 401px\" data-src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure13.png\" data-srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure13.png 401w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure13-300x175.png 300w\">\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Figure 13: NetBIOS node status request using nbtstat<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-ec6f7b9 elementor-widget elementor-widget-text-editor\" data-id=\"ec6f7b9\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>The alert can even be 
inspected before appearing in the Defender XDR portal, by looking into the local logging files. These are stored at \u201cC:\\Program Files\\Azure Advanced Threat Protection Sensor\\2.255.XXXXX.XXXXX\\Logs\\Microsoft.Tri.Sensor.log\u201d at the DC. The collected information can be found in the log file:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-42fbb06 elementor-widget elementor-widget-image\" data-id=\"42fbb06\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t\t<a href=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure14.png\" data-elementor-open-lightbox=\"yes\" data-elementor-lightbox-title=\"Figure14\" data-e-action-hash=\"#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6Mjc0NTAsInVybCI6Imh0dHBzOlwvXC9jaXJvc2VjLmRlXC93cC1jb250ZW50XC91cGxvYWRzXC8yMDI2XC8wNlwvRmlndXJlMTQucG5nIn0%3D\">\n\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"640\" height=\"133\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" class=\"attachment-medium_large size-medium_large wp-image-27450 lazyload\" alt=\"\" sizes=\"(max-width: 640px) 100vw, 640px\" data-src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure14-768x160.png\" data-srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure14-768x160.png 768w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure14-300x62.png 300w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure14.png 908w\">\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Figure 14: Alert: \u201cSuspected suspicious Kerberos ticket request\u201d in logs<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element 
elementor-element-21828dd elementor-widget elementor-widget-text-editor\" data-id=\"21828dd\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>The log file indicates an alert triggered by the use of a certificate for one machine account on another computer. The highlighted items \u201cCertificateSubject=DC02$\u201d and \u201cSourceAccountName=jsc.lab\\DC02$\u201d is the information extracted from the AS-REQ and the provided certificate. \u201cSourceComputerName=DomainName=JSC Name=PC02\u201d is obtained from the NetBIOS node status response<em>.<\/em> These are the key values for the detection logic. If the NetBIOS hostname and NetBIOS domain name don\u2019t match to the certificate subject and account name, like in this case, the alert is raised. If the values match, no alert will be raised.<\/p><h2>Evasion using NetBIOS<\/h2><p>Since the detection logic for the alert \u201cSuspected suspicious Kerberos ticket request\u201d was uncovered, evasion possibilities can be considered.<\/p><p>There are two possibilities to evade the alert or more generally, to manipulate NNR. The first is to spoof a NetBIOS response to the DfI agent directly by specifying the needed NetBIOS information and answering the NetBIOS node status request. 
The other option is to take the incoming NetBIOS request from the DfI agent, relay it to the desired target and relay the response back to the DfI agent.<\/p><h3>Relaying the NetBIOS node status request<\/h3><p>To understand the relaying of the NetBIOS request, refer to the following two diagrams:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-6730f0c elementor-widget elementor-widget-image\" data-id=\"6730f0c\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t\t<a href=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure15.png\" data-elementor-open-lightbox=\"yes\" data-elementor-lightbox-title=\"Figure15\" data-e-action-hash=\"#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6Mjc0NTIsInVybCI6Imh0dHBzOlwvXC9jaXJvc2VjLmRlXC93cC1jb250ZW50XC91cGxvYWRzXC8yMDI2XC8wNlwvRmlndXJlMTUucG5nIn0%3D\">\n\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"605\" height=\"636\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" class=\"attachment-medium_large size-medium_large wp-image-27452 lazyload\" alt=\"\" sizes=\"(max-width: 605px) 100vw, 605px\" data-src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure15.png\" data-srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure15.png 605w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure15-285x300.png 285w\">\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Figure 15: AS-REQ<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-d92d31d elementor-widget elementor-widget-image\" data-id=\"d92d31d\" data-element_type=\"widget\" data-e-type=\"widget\" 
data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t\t<a href=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure16.png\" data-elementor-open-lightbox=\"yes\" data-elementor-lightbox-title=\"Figure16\" data-e-action-hash=\"#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6Mjc0NTQsInVybCI6Imh0dHBzOlwvXC9jaXJvc2VjLmRlXC93cC1jb250ZW50XC91cGxvYWRzXC8yMDI2XC8wNlwvRmlndXJlMTYucG5nIn0%3D\">\n\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"640\" height=\"472\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" class=\"attachment-medium_large size-medium_large wp-image-27454 lazyload\" alt=\"\" sizes=\"(max-width: 640px) 100vw, 640px\" data-src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure16-768x566.png\" data-srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure16-768x566.png 768w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure16-300x221.png 300w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure16.png 891w\">\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Figure 16: Relaying of NetBIOS node status request\/response<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-bf50723 elementor-widget elementor-widget-text-editor\" data-id=\"bf50723\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>After the request of the TGT (1 &amp; 2), DfI will start using NNR and asking the sender for its NetBIOS node status (3). A malicious actor can relay the NetBIOS request to the target to which that TGT would belong, which is DC02 (4) in the example. 
The response from DC02 can be relayed back over PC02 to DC01 (6). This will result in evading the detection since the AS-REQ and certificate indicate DC02$ as the subject and the NetBIOS information from the machine that performed the AS-REQ seems to match DC02, from the perspective of the DfI agent on DC01.<\/p><p>The NetBIOS relaying method can be demonstrated in a PoC using the Python library Scapy.<\/p><pre>def relay_nbns_node_status_request(pkt):<br \/> \u00a0\u00a0 dc01_ip = \"172.16.94.1\"<br \/> \u00a0\u00a0 dc02_ip = \"172.16.94.4\"<br \/> \u00a0\u00a0 udp_src_port = pkt[UDP].sport<br \/> \u00a0\u00a0 dc01_nbns_node_status_request = pkt[NBNSHeader]<br \/><br \/>\u00a0\u00a0\u00a0 dc02_nbns_node_status_response =<br \/> \u00a0\u00a0 sr1(IP(dst=dc02_ip)\/UDP()\/dc01_nbns_node_status_request)<br \/><br \/> \u00a0\u00a0 dc02_nbns_node_status_response = dc02_nbns_node_status_response[NBNSHeader]<br \/> \u00a0\u00a0 send(IP(dst=dc01_ip)\/UDP(dport=udp_src_port)\/dc02_nbns_node_status_response)<\/pre><p>The function takes a network packet as argument (pkt), which must be sniffed beforehand; this can be done with Scapy. In the first block, the relevant IP addresses and the UDP source port from which the packet originated are saved, and the NetBIOS node status request from DC01 is extracted.<\/p><p>The second block builds the NetBIOS node status request for DC02, sends it to DC02 and receives the response \u2013 the NetBIOS node status response. The last block builds the response to DC01 and sends it.<\/p><p>When using nbtstat on DC01 again to retrieve the NetBIOS information from PC02, it can be seen that it was possible to successfully tamper with the NetBIOS node status request. 
PC02 (172.16.94.11) is now appearing to be DC02.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-43d2547 elementor-widget elementor-widget-image\" data-id=\"43d2547\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t\t<a href=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure17.png\" data-elementor-open-lightbox=\"yes\" data-elementor-lightbox-title=\"Figure17\" data-e-action-hash=\"#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6Mjc0NTYsInVybCI6Imh0dHBzOlwvXC9jaXJvc2VjLmRlXC93cC1jb250ZW50XC91cGxvYWRzXC8yMDI2XC8wNlwvRmlndXJlMTcucG5nIn0%3D\">\n\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"401\" height=\"249\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" class=\"attachment-medium_large size-medium_large wp-image-27456 lazyload\" alt=\"\" sizes=\"(max-width: 401px) 100vw, 401px\" data-src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure17.png\" data-srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure17.png 401w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure17-300x186.png 300w\">\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Figure 17: Tampered NetBIOS node status response PC02 (relayed)<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-186169b elementor-widget elementor-widget-text-editor\" data-id=\"186169b\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>This way to perform the evasion using relaying has some advantages, but also certain disadvantages when 
compared with the second method, which will be presented next.<\/p><p>First of all, doing the evasion this way is fast and straightforward, because it\u2019s not necessary to handle the individual values such as NetBIOS hostname and NetBIOS domain name, since the NetBIOS node request is directly answered by the correct target. This also comes with the advantage that the NetBIOS node response is 100 % accurate, compared to manually spoofing a NetBIOS node response, where values that are not important to the evasion may be ignored or overlooked, potentially generating indicators of compromise (IOCs). One example, visible in the image above, is the MAC address. While the MAC address is not critical to DfI\u2019s detection logic and can be ignored when manually crafting a NetBIOS node status response, it theoretically leaves an IOC of malicious activity.<\/p><p>The biggest disadvantage of this approach is the fact that it depends on the availability of another target\u2019s (in this case another DC\u2019s) port, here UDP 137, to retrieve its NetBIOS information. When it\u2019s not possible to reach the target on UDP port 137, for instance due to firewalling or network issues, no NetBIOS information can be relayed back to the initial requester, and the evasion fails. Therefore, the manual crafting of NetBIOS node status responses is discussed, too.<\/p><h3>Spoofing the NetBIOS node status response<\/h3><p>While relaying a request to receive a correct response and building the correct response oneself are technically different, the result is essentially the same: a spoofed response is sent. In this case, it\u2019s discussed how to build a spoofed NetBIOS node response to DfI with the relevant information. 
This can also be done by using Scapy:<\/p><pre>def send_spoofed_nbns_node_status_response(pkt):<br \/>sample_nbns_node_status_response = (rdpcap(r\"PC02_nbns_node_status_response.pcap\"))[0]<br \/> \u00a0\u00a0 udp_src_port = pkt[UDP].sport<br \/> \u00a0\u00a0 transaction_id = pkt[UDP][NBNSHeader].NAME_TRN_ID<br \/><br \/>spoofed_nbns_node_status_response = sample_nbns_node_status_response[NBNSHeader]<br \/>spoofed_nbns_node_status_response.NAME_TRN_ID = transaction_id<br \/>  \u00a0\u00a0spoofed_netbios_host_name = 'DC02'.ljust(15, \" \")<br \/> \u00a0\u00a0 spoofed_nebtios_domain_name = 'JSC'.ljust(15, \" \")<br \/><br \/>for index, nbns_entry in enumerate(spoofed_nbns_node_status_response.NODE_NAME):<br \/> \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 if nbns_entry.NAME_FLAGS == 0x04: # UNIQUE<br \/>spoofed_nbns_node_status_response.NODE_NAME[index].NETBIOS_NAME = spoofed_netbios_host_name<br \/> \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 elif nbns_entry.NAME_FLAGS == 0x84: # GROUP<br \/>spoofed_nbns_node_status_response.NODE_NAME[index].NETBIOS_NAME = spoofed_nebtios_domain_name<br \/><br \/>\u00a0\u00a0\u00a0 send(IP(dst=dfi_agent_ip)\/UDP(dport=udp_src_port)\/<br \/> \u00a0\u00a0 spoofed_nbns_node_status_response)<\/pre><p>As a basis, a sample of a NetBIOS node status response from PC02 was captured and saved as PCAP file. This file can be loaded and used for further processing. Besides, the UDP source port and the transaction ID of the incoming request are saved.<\/p><p>In the second block, the node status response is adjusted with the correct transaction ID, and the spoofed NetBIOS names are prepared. The NetBIOS names are specified as 16 bytes fixed length, padded with spaces, while the last byte is the suffix for the service type that is already set in the sample. 
The last block adjusts the NetBIOS node status response to use the spoofed NetBIOS names.<\/p><p>The result can be seen in the comparison displayed below, while the left image equals the original NetBIOS node status from PC02 and the right image shows the spoofed response that was generated with the script. The NetBIOS domain name stays \u201cJSC\u201d since it was already set.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-b719ab8 elementor-widget elementor-widget-image\" data-id=\"b719ab8\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t\t<a href=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure18.png\" data-elementor-open-lightbox=\"yes\" data-elementor-lightbox-title=\"Figure18\" data-e-action-hash=\"#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6Mjc0NTgsInVybCI6Imh0dHBzOlwvXC9jaXJvc2VjLmRlXC93cC1jb250ZW50XC91cGxvYWRzXC8yMDI2XC8wNlwvRmlndXJlMTgucG5nIn0%3D\">\n\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"402\" height=\"232\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" class=\"attachment-medium_large size-medium_large wp-image-27458 lazyload\" alt=\"\" sizes=\"(max-width: 402px) 100vw, 402px\" data-src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure18.png\" data-srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure18.png 402w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure18-300x173.png 300w\">\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Figure 18: Original node status PC02 <\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-0fb2256 elementor-widget 
elementor-widget-image\" data-id=\"0fb2256\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t\t<a href=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure19.png\" data-elementor-open-lightbox=\"yes\" data-elementor-lightbox-title=\"Figure19\" data-e-action-hash=\"#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6Mjc0NjAsInVybCI6Imh0dHBzOlwvXC9jaXJvc2VjLmRlXC93cC1jb250ZW50XC91cGxvYWRzXC8yMDI2XC8wNlwvRmlndXJlMTkucG5nIn0%3D\">\n\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"406\" height=\"236\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" class=\"attachment-medium_large size-medium_large wp-image-27460 lazyload\" alt=\"\" sizes=\"(max-width: 406px) 100vw, 406px\" data-src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure19.png\" data-srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure19.png 406w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure19-300x174.png 300w\">\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Figure 19: Spoofed node status PC02<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-f4e1110 elementor-widget elementor-widget-text-editor\" data-id=\"f4e1110\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>When inspecting the result of the spoofed response, differences can be noticed between the spoofed and the relayed attempt. When the relaying attempt is used, there is one more registered NetBIOS name. 
The entry \u201cJSC &lt;1C&gt; GROUP Registered\u201d is missing when spoofing the DC02 node status response, as was done with the previous script. The missing entry with the service type 1C indicates that this node is a domain controller inside the domain (JSC). While this might seem to be a relevant criterion for DfI when determining whether a request originates from a domain controller, as is the case for the alert \u201cSuspected suspicious Kerberos ticket request\u201d, it is not. The alert is limited in scope to identifying a suspicious TGT request for a domain controller machine account that did not originate from the DC itself. It is not relevant whether the node is registered as a domain controller inside the domain; the evasion works by spoofing only the correct NetBIOS hostname and domain name. This may be explained by the fact that the two other NNR methods cannot indicate whether an endpoint is registered as a domain controller by a single raw value, as is the case for the NetBIOS node status. 
Additionally, the detection logic is designed to work with just one NNR method active in the environment, which means that every method must be able to detect all threats independently of the other NNR methods, but with the same reliability.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-93475ac elementor-widget elementor-widget-image\" data-id=\"93475ac\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t\t<a href=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure20.png\" data-elementor-open-lightbox=\"yes\" data-elementor-lightbox-title=\"Figure20\" data-e-action-hash=\"#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6Mjc0NjIsInVybCI6Imh0dHBzOlwvXC9jaXJvc2VjLmRlXC93cC1jb250ZW50XC91cGxvYWRzXC8yMDI2XC8wNlwvRmlndXJlMjAucG5nIn0%3D\">\n\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"400\" height=\"246\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" class=\"attachment-medium_large size-medium_large wp-image-27462 lazyload\" alt=\"\" sizes=\"(max-width: 400px) 100vw, 400px\" data-src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure20.png\" data-srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure20.png 400w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure20-300x185.png 300w\">\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Figure 20: Tampered NetBIOS node status response PC02 (relayed)<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-d7723d1 elementor-widget elementor-widget-text-editor\" data-id=\"d7723d1\" data-element_type=\"widget\" data-e-type=\"widget\" 
data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h2>Additional considerations when evading NNR<\/h2><h3>Windows endpoint considerations<\/h3><p>To perform an evasion when working with NNR, there are two more things to consider than just spoofing the NetBIOS node status response. DfI mustn\u2019t receive any NNR responses from the actual operating system (OS) of the machine used by the attacker for the attack and the evasion. When performing the evasion technique with the provided scripts, there would be a race condition between the script-generated, spoofed response and the OS-generated legitimate response. To avoid the race condition, it\u2019s possible to block incoming traffic to the destination ports used for NNR on the attacker machine. The Windows firewall allows creating rules for incoming traffic, but it must be noted that local administrator privileges are required to modify the Windows firewall. Scapy uses Npcap, which allows sniffing and injecting traffic on the network interface independently of the Windows OS and therefore of the firewall, too. Using that approach, it\u2019s possible to send spoofed NNR responses to the DfI agent while preventing the Windows OS from answering the NNR requests.<\/p><p>The other thing to consider is the two other NNR methods. When inspecting the NNR <a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-for-identity\/nnr-policy\" target=\"_blank\" rel=\"noopener\">documentation<\/a>, it can be seen that it\u2019s recommended when configuring DfI to open up at least one of the related ports on all devices in the environment to allow for at least one primary method to work. This means DfI can perform detection when only one of the NNR methods is answered, which makes it possible to respond only to the NetBIOS method while ignoring the other two. This can also be done by blocking the required ports on the attacker machine. 
\u00a0<\/p><h3>Cached NNR responses by Defender for Identity<\/h3><p>Another thing to consider when attempting to evade NNR-based detection is the caching of NNR responses. DfI agents in sensor version 2.2 frequently ask domain-joined devices for their hostnames with the described NNR requests and cache this information, regardless of whether suspicious traffic was received from the devices. If the DfI agent holds recently cached NNR information about a machine and a suspected attack from this machine happens, the cached information can be used instead of asking the machine directly. This poses a problem when trying to evade an alert that uses NNR. If the DfI agent collected the machine\u2019s hostname right before the attack is performed, the attacker machine may not be asked for its hostname, making the spoofing of the responses impossible, and the evasion would fail. Therefore, the script for spoofing the NNR responses must be running on the machine, and one must wait until the DfI agent automatically asks for NNR information. Spoofed responses will be sent, effectively poisoning the DfI cache with spoofed information. Now the attack with the respective NNR detection logic can be performed, and two scenarios can happen: the DfI agent uses the spoofed, cached information, or the attacker machine is asked for its NNR information and spoofed responses can be sent. Both will result in successfully evading the alert.<\/p><h2>Indicators of Defender for Identity 2.2 usage in the environment<\/h2><p>DfI version 2.2 can potentially be fingerprinted when having control over a domain-joined machine. As described above, DfI frequently queries domain-joined devices in the domain for their hostnames using NNR requests. 
Having the access required to sniff the network interface on a compromised host, one can look for the three primary NNR methods: NetBIOS node status request, RDP and NTLM over RPC originating from a Windows server that could run DfI. Specific characteristics of the RDP and NTLM over RPC messages, which help to identify DfI 2.2, are described in the section \u201c<a href=\"#ReviewingNNRmethods\">Reviewing the remaining NNR methods<\/a>\u201d. The certainty with which it can be said that a Windows server is running DfI v.2.2 depends on the number of related ports that are open on the attacker machine and on the network. The three NNR requests are sent together as a bundle. If all three ports are open, essentially all three messages arrive as a \u201cbundle\u201d, indicating a high likelihood that they originate from DfI. If we assume that two ports are closed and just UDP port 137 is open, it\u2019s not possible to say with high certainty that this request is from DfI when receiving only a single NetBIOS node status request.<\/p><h2>ADCS-ESC8<\/h2><p>DfI also comes with an alert for the ADCS-ESC8 attack. To detect this attack, DfI must be installed on the CA in question.<\/p><h3>Attack overview<\/h3><p>This attack technique targets the Active Directory Certificate Services (AD CS), allowing an attacker who is capable of performing an NTLM-relaying attack against a machine account to obtain a certificate valid for Kerberos authentication in the name of the impersonated machine account. Additionally, some requirements must be met to make the CA\u2019s web enrolment endpoint vulnerable to this attack. 
For further information check out the white paper from Specter Ops: <a href=\"https:\/\/www.specterops.io\/assets\/resources\/Certified_Pre-Owned.pdf\" target=\"_blank\" rel=\"noopener\"><em>Certified Pre-Owned: Abusing Active Directory Certificate Services<\/em><\/a>.<\/p><p>This time, the actor is on kali.jsc.lab (172.16.94.13) performing the attack. The attack scenario looks like this:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-4292776 elementor-widget elementor-widget-image\" data-id=\"4292776\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t\t<a href=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure21.png\" data-elementor-open-lightbox=\"yes\" data-elementor-lightbox-title=\"Figure21\" data-e-action-hash=\"#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6Mjc0NjQsInVybCI6Imh0dHBzOlwvXC9jaXJvc2VjLmRlXC93cC1jb250ZW50XC91cGxvYWRzXC8yMDI2XC8wNlwvRmlndXJlMjEucG5nIn0%3D\">\n\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"640\" height=\"473\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" class=\"attachment-medium_large size-medium_large wp-image-27464 lazyload\" alt=\"\" sizes=\"(max-width: 640px) 100vw, 640px\" data-src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure21-768x567.png\" data-srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure21-768x567.png 768w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure21-300x221.png 300w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure21.png 890w\">\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Figure 21: ADCS-ESC8 simplified 
overview<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-018304f elementor-widget elementor-widget-text-editor\" data-id=\"018304f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Note that the ESC8 attack consists of using an authentication-coercion attack and NTLM relay, which is only represented in a simplified way in this image. What happens effectively is the following:<\/p><ul><li>The Kali machine forces the DC01 machine account to authenticate at the Kali machine using NTLM (1)<\/li><li>In step (2) and (3), Kali performs the authentication via NTLM as DC01 against the CA<\/li><li>In step (4), the attacker obtains a certificate in the name of DC01, which allows for later Kerberos authentication<\/li><\/ul><h3>Evading ESC8 using NNR<\/h3><p>The detection logic for the alert also depends on the NNR feature. This time, the DfI agent installed on the CA02 is responsible for performing the detection. The question to be answered is whether the requestor of the certificate for DC01 is indeed DC01. The issuing of the certificate for DC01$ happened between the Kali machine and the CA. 
Therefore, DfI will investigate if the IP address 172.16.94.13 belongs to DC01, using NNR.<\/p><p>Assuming no evasion technique is used and the Kali machine responds to the NNR requests, the flow would look as follows:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-fb3f3ab elementor-widget elementor-widget-image\" data-id=\"fb3f3ab\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t\t<a href=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure22.png\" data-elementor-open-lightbox=\"yes\" data-elementor-lightbox-title=\"Figure22\" data-e-action-hash=\"#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6Mjc0NjYsInVybCI6Imh0dHBzOlwvXC9jaXJvc2VjLmRlXC93cC1jb250ZW50XC91cGxvYWRzXC8yMDI2XC8wNlwvRmlndXJlMjIucG5nIn0%3D\">\n\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"580\" height=\"622\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" class=\"attachment-medium_large size-medium_large wp-image-27466 lazyload\" alt=\"\" sizes=\"(max-width: 580px) 100vw, 580px\" data-src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure22.png\" data-srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure22.png 580w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure22-280x300.png 280w\">\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Figure 22: NNR flow after ESC8<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-c7d12c6 elementor-widget elementor-widget-text-editor\" data-id=\"c7d12c6\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div 
class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Using the previously described evasion technique for NNR, the ESC8 alert \u201cSuspicious Domain Controller certificate request (ESC8)\u201d can be evaded by pretending to be the machine account in whose context the certificate was requested. In this example, that machine account is DC01. While using the ESC8 attack, the detection capabilities for different coercion attacks and NTLM relay must be considered, too.<\/p><h3>Comparing NNR usage for ESC8 to NTLM-relayed shadow credentials<\/h3><p>An interesting inconsistent usage of the NNR feature by DfI can be observed when comparing ESC8 with relayed shadow credentials. In the shadow credentials section, in part \u201c<a href=\"#computertocomputer\">Computer to computer<\/a>\u201d, it was said that shadow credentials can be set for machine accounts without triggering an alert when this is done over a NTLM-relayed connection. The question arising in the shadow-credentials scenario is the same as in the ESC8: \u201cIs the request performed by the actual machine associated with the machine account, or by a different machine that successfully authenticated as that machine account via NTLM\u201d. But for relayed shadow credentials, no NNR requests are sent to the machine from which the traffic for setting the shadow credential originated.<\/p><h2>DCSync<\/h2><h3>Attack overview<\/h3><p>DCSync attack refer to an attacker who has control over an entity that has the high privileges in the domain necessary to replicate parts of the domain. When having access to such an entity, which could be a domain controller machine account or a high privileged service account with the replication rights or a domain administrator, an attacker can obtain sensitive data. 
For example, the attacker could obtain the AES key of the krbtgt account, which is used to encrypt and sign TGTs inside the domain, allowing the creation of golden tickets and long-term persistence.<\/p><p>The alert for DCSync is also vulnerable to spoofing NNR responses since its detection logic builds on NNR. But the evasion possibilities must be distinguished by the identity that performs the DCSync. While domain controllers always have the replication right, user and service accounts can also be granted it.<\/p><h3>Evading DCSync alert using domain controller machine account<\/h3><p>When performing DCSync attacks using the identity of a domain controller machine account, the detection is the same as for the alert \u201cSuspected suspicious Kerberos ticket request\u201d and the ESC8 alert, and the evasion works in the same way, too. If the attacker has obtained a TGT for DC02, the DCSync attack can be performed against DC01, answering the incoming NNR requests while pretending to be DC02, and vice versa.<\/p><h3>Considerations for evading DCSync alert using service and user accounts<\/h3><p>While detection and evasion of a DCSync attack using a domain controller machine account is reliable, it cannot be tested conclusively for service and user accounts, as the detection by DfI is unreliable for those types of accounts.<\/p><p>However, there is a hypothesis about one detection criterion that is used for these accounts. When successfully triggering DfI for a DCSync alert using a self-created, non-default service or user account, the alert appears in the portal with the following information: \u201cPC02 is not a recognized domain controller\u201d (see figure 23). The attacks in the tests were performed with the identities of a self-created service account and a user account holding the replication rights and were done from PC02 against DC01. 
Adding the information that NNR requests are also made to machines from which DCSync attacks originate when using service or user accounts, it can be suspected that originating from any domain controller may be considered legitimate when performing a DCSync attack. Unfortunately, the detection of DCSync attacks with these accounts is unreliable, making it hard to tell if an evasion is successfully performed.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-b03c604 elementor-widget elementor-widget-image\" data-id=\"b03c604\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t\t<a href=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure23.png\" data-elementor-open-lightbox=\"yes\" data-elementor-lightbox-title=\"Figure23\" data-e-action-hash=\"#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6Mjc0NjgsInVybCI6Imh0dHBzOlwvXC9jaXJvc2VjLmRlXC93cC1jb250ZW50XC91cGxvYWRzXC8yMDI2XC8wNlwvRmlndXJlMjMucG5nIn0%3D\">\n\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"640\" height=\"558\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" class=\"attachment-medium_large size-medium_large wp-image-27468 lazyload\" alt=\"\" sizes=\"(max-width: 640px) 100vw, 640px\" data-src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure23-768x669.png\" data-srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure23-768x669.png 768w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure23-300x261.png 300w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure23-1024x892.png 1024w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure23.png 1173w\">\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">  Figure 23: DCSync alert 
with service account<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-00e09d9 elementor-widget elementor-widget-menu-anchor\" data-id=\"00e09d9\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"menu-anchor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-menu-anchor\" id=\"ReviewingNNRmethods\"><\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-c37b739 elementor-widget elementor-widget-text-editor\" data-id=\"c37b739\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h2>Reviewing the remaining NNR methods<\/h2><p>The focus in this blogpost is on the NNR method using NetBIOS. However, if UDP port 137 is not configured to be open on the network, NetBIOS cannot be used to evade the respective alerts, since the NetBIOS node request will never be received by the attacker and therefore, cannot be answered with a spoofed response. Consequently, the other two methods must also be inspected.<\/p><h3>Remote desktop protocol (RDP)<\/h3><p>Another primary method is the usage of RDP. According to documentation, \u201cRDP (TCP port 3389) &#8211; only the first packet of Client hello\u201d is used to perform the name resolution. No RDP connection is established; the DfI agent initiates a TLS handshake based on port 3389, acting as a client to the suspected attacker machine and sending the \u201cClient Hello\u201d message. If the machine is configured to listen on TCP port 3389, it will respond with the \u201cServer Hello\u201d message. Part of that message is the machine\u2019s RDP certificate with extended key usage for server authentication, allowing to authenticate against the client. 
The RDP certificate used for this purpose can be found in the local machine\u2019s certificate store under \u201ccert:\\LocalMachine\\Remote Desktop\u201d. By default, this is an auto-generated self-signed certificate that uses the FQDN of the machine as subject and issuer. To obtain the domain and host name of a machine in order to compare them with the information provided in the discussed attacks like pass-the-cert for domain controller, ESC8 or DCSync, the same technique is used as with NetBIOS. This time, DNS-related information is obtained using that NNR technique. In this case, the subject of the provided certificate is used to resolve the IP address of a potential attacker\u2019s machine to domain and host names.<\/p><p>DfI accepts the certificate as the source of the machine\u2019s FQDN even if it is self-signed, which makes it possible to answer the NNR request with a spoofed, self-signed certificate. This request could also be relayed to the desired target by the attacker, but this requires the RDP port to be open. 
\u00a0<\/p><p>In the following image the flow can be seen using a spoofed certificate indicating that PC02\u2019s (172.16.94.11) FQDN is DC02.jsc.lab:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-6b15a07 elementor-widget elementor-widget-image\" data-id=\"6b15a07\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t\t<a href=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure24.png\" data-elementor-open-lightbox=\"yes\" data-elementor-lightbox-title=\"Figure24\" data-e-action-hash=\"#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6Mjc0NzAsInVybCI6Imh0dHBzOlwvXC9jaXJvc2VjLmRlXC93cC1jb250ZW50XC91cGxvYWRzXC8yMDI2XC8wNlwvRmlndXJlMjQucG5nIn0%3D\">\n\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"640\" height=\"101\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" class=\"attachment-medium_large size-medium_large wp-image-27470 lazyload\" alt=\"\" sizes=\"(max-width: 640px) 100vw, 640px\" data-src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure24.png\" data-srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure24.png 762w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure24-300x47.png 300w\">\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">  Figure 24: Connection to port 3389 on PC02 by DfI<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-a033cad elementor-widget elementor-widget-image\" data-id=\"a033cad\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure 
class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t\t<a href=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure25.png\" data-elementor-open-lightbox=\"yes\" data-elementor-lightbox-title=\"Figure25\" data-e-action-hash=\"#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6Mjc0NzIsInVybCI6Imh0dHBzOlwvXC9jaXJvc2VjLmRlXC93cC1jb250ZW50XC91cGxvYWRzXC8yMDI2XC8wNlwvRmlndXJlMjUucG5nIn0%3D\">\n\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"640\" height=\"531\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" class=\"attachment-medium_large size-medium_large wp-image-27472 lazyload\" alt=\"\" sizes=\"(max-width: 640px) 100vw, 640px\" data-src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure25-768x637.png\" data-srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure25-768x637.png 768w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure25-300x249.png 300w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure25.png 937w\">\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">  Figure 25: Spoofed certificate in RDP NNR method<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-ab130db elementor-widget elementor-widget-text-editor\" data-id=\"ab130db\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h3>NTLM over RPC<\/h3><p>The last primary method uses the endpoint mapper on TCP port 135. When a client needs to call a Windows service, for example WMI, it first contacts the endpoint mapper on port\u202f135 to discover on which dynamic port the requested service is actually listening. The mapper then returns that high port, and the client connects to it to complete the RPC exchange. 
In the case of DfI, a bind request is sent to the suspected malicious machine asking to bind on the RPC interface to the name service provider (NSPI) while using the NTLM security provider to authenticate. The response sent from the suspected machine contains the information relevant to DfI, while information related to the RPC interface and the binds is irrelevant, since DfI cares only about the information required to resolve host and domain names. This information is included in the part where the NTLM negotiation happens. Besides the NTLM server challenge, the machine gives information about its NetBIOS and DNS names to DfI. At this point, no authentication has taken place between DfI and the machine, and no tamper protection is included in these messages. This allows these messages to be manipulated and spoofed to evade NNR-based detection. The two messages exchanged can be seen below: <\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-cfb97f0 elementor-widget elementor-widget-image\" data-id=\"cfb97f0\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t\t<a href=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure26.png\" data-elementor-open-lightbox=\"yes\" data-elementor-lightbox-title=\"Figure26\" data-e-action-hash=\"#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6Mjc0NzQsInVybCI6Imh0dHBzOlwvXC9jaXJvc2VjLmRlXC93cC1jb250ZW50XC91cGxvYWRzXC8yMDI2XC8wNlwvRmlndXJlMjYucG5nIn0%3D\">\n\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"640\" height=\"471\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" class=\"attachment-medium_large size-medium_large wp-image-27474 lazyload\" alt=\"\" sizes=\"(max-width: 640px) 100vw, 640px\" 
data-src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure26-768x565.png\" data-srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure26-768x565.png 768w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure26-300x221.png 300w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure26.png 1017w\">\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">  Figure 26: NTLM over RPC NNR method<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-9b3d740 elementor-widget elementor-widget-text-editor\" data-id=\"9b3d740\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h3>Secondary method: DNS lookup<\/h3><p>When the primary methods (NetBIOS, RDP, NTLM over RPC) fail, a DNS lookup is used. This is the case if there is no response from any of the primary methods or if there is a conflict between the responses received from two or more primary methods. 
Inspecting the DfI agent using Procmon, the described behavior is as follows:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-11a9455 elementor-widget elementor-widget-image\" data-id=\"11a9455\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t\t<a href=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure27.png\" data-elementor-open-lightbox=\"yes\" data-elementor-lightbox-title=\"Figure27\" data-e-action-hash=\"#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6Mjc0NzYsInVybCI6Imh0dHBzOlwvXC9jaXJvc2VjLmRlXC93cC1jb250ZW50XC91cGxvYWRzXC8yMDI2XC8wNlwvRmlndXJlMjcucG5nIn0%3D\">\n\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"640\" height=\"129\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" class=\"attachment-medium_large size-medium_large wp-image-27476 lazyload\" alt=\"\" sizes=\"(max-width: 640px) 100vw, 640px\" data-src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure27-768x155.png\" data-srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure27-768x155.png 768w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure27-300x60.png 300w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure27.png 785w\">\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">  Figure 27: Secondary method: DNS lookup<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-59db856 elementor-widget elementor-widget-text-editor\" data-id=\"59db856\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>In the 
upper highlighted area, the three primary methods can be seen, while no connection to \u201cPC02\u201d could be established using these protocols and no NNR response will be received. The second area shows that two DNS requests are made by the DfI agent. The exact request made can be seen in Wireshark, when monitoring the loopback interface on DC01:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-abb9e6f elementor-widget elementor-widget-image\" data-id=\"abb9e6f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t\t<a href=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure28.png\" data-elementor-open-lightbox=\"yes\" data-elementor-lightbox-title=\"Figure28\" data-e-action-hash=\"#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6Mjc0NzgsInVybCI6Imh0dHBzOlwvXC9jaXJvc2VjLmRlXC93cC1jb250ZW50XC91cGxvYWRzXC8yMDI2XC8wNlwvRmlndXJlMjgucG5nIn0%3D\">\n\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"640\" height=\"54\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" class=\"attachment-medium_large size-medium_large wp-image-27478 lazyload\" alt=\"\" sizes=\"(max-width: 640px) 100vw, 640px\" data-src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure28-768x65.png\" data-srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure28-768x65.png 768w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure28-300x25.png 300w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure28-1024x86.png 1024w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure28.png 1104w\">\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">  Figure 28: DNS lookup by DfI 
agent<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-a7f372e elementor-widget elementor-widget-text-editor\" data-id=\"a7f372e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>The first request is a reverse DNS lookup, using the IP address from which the suspected attack originated to obtain the hostname of the machine. The second request is a forward DNS lookup using the received hostname, serving as a secondary verification step to check whether the initial IP address is returned again.<\/p><h2>Reviewing the impact of the NNR vulnerability<\/h2><p>It was discussed how the flaw in NNR could be exploited, leading to an evasion of alerts that rely on NNR. The impact of that vulnerability can also be rated by the number of alerts that are affected by it. Microsoft writes: \u201cNNR data is crucial for detecting the following threats:\u201d<\/p><ul><li>Suspected identity theft (pass the ticket)<\/li><li>Suspected DCSync attack (replication of directory services)<\/li><li>Network-mapping reconnaissance (DNS)<\/li><\/ul><p>This means that at least three alerts depend on NNR in order to be triggered. While the DCSync alert appears here, there are two additional alerts not shown in this list that rely on NNR, as previously discussed. These two are the ADCS-ESC8 alert \u201cSuspicious Domain Controller certificate request (ESC8)\u201d and the pass-the-cert alert for domain controller machine account \u201cSuspected suspicious Kerberos ticket request\u201d. This makes at least five alerts in total, and there may be more alerts using NNR as a detection technique.<\/p><p>It should be noted that NNR working in this way only applies to DfI version 2.X. DfI in version 3.0 uses NNR but does not include the attacker machine in its detection logic. 
For performing the name resolution, the Defender device inventory is used, which is outside of the attacker\u2019s control. The device inventory is a centralized overview of all discovered devices in the organization. The device information is collected by several of Microsoft\u2019s security products, such as DfI and Defender for Endpoint.<\/p><h3>Defender for Identity deployment overview<\/h3><p>Furthermore, it is worth inspecting which Windows servers can run DfI sensors in version 3.0 and which remain on version 2.2, to get a better idea of the risk posed by NNR.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-e661eca elementor-widget elementor-widget-image\" data-id=\"e661eca\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t\t<a href=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure29.png\" data-elementor-open-lightbox=\"yes\" data-elementor-lightbox-title=\"Figure29\" data-e-action-hash=\"#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6Mjc0ODAsInVybCI6Imh0dHBzOlwvXC9jaXJvc2VjLmRlXC93cC1jb250ZW50XC91cGxvYWRzXC8yMDI2XC8wNlwvRmlndXJlMjkucG5nIn0%3D\">\n\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"640\" height=\"483\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" class=\"attachment-medium_large size-medium_large wp-image-27480 lazyload\" alt=\"\" sizes=\"(max-width: 640px) 100vw, 640px\" data-src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure29-768x579.png\" data-srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure29-768x579.png 768w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure29-300x226.png 300w, https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure29-1024x771.png 1024w, 
https:\/\/cirosec.de\/wp-content\/uploads\/2026\/06\/Figure29.png 1058w\">\t\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">  Figure 29: DfI sensor deployment overview (https:\/\/learn.microsoft.com\/en-us\/defender-for-identity\/deploy\/deploy-defender-identity)<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-44c5770 elementor-widget elementor-widget-text-editor\" data-id=\"44c5770\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>First, only domain controllers can use the sensor in version 3.0. The CA, the federation server and the Entra Connect server remain on sensor version 2.2. This means that NNR-dependent alerts generated by DfI agents running on these servers remain vulnerable to evasion.<\/p><p>For domain controllers, version 3.0 can only be used on Windows Server 2019 or later, and only when Microsoft Defender for Endpoint is enabled on that server.<\/p><h2>Disclosure to Microsoft MSRC<\/h2><p>A security advisory about the flaw in the core feature NNR affecting DfI version 2.2 was disclosed to Microsoft via the MSRC portal on February 22, 2026. The vulnerability was not recognized by Microsoft and was assessed as being below the bar for immediate servicing. As far as the answer from MSRC can be interpreted, no fix will be issued.<\/p><h2>Conclusion<\/h2><p>While this blog post focused on the alerts that could be evaded, this summary focuses on the results of these investigations. The biggest problem DfI faces is that the assumed attacker is involved in the detection logic: decisions are made based on indicators that are under the attacker\u2019s control. 
This problem can be observed when looking at the pass-the-cert alert, where DfI attempts to detect the attack through attacker-controlled indicators. The problem also becomes evident through the reliance on information provided by self-signed certificates under the attacker\u2019s control, like the age of a certificate, which is used to determine whether further detection logic needs to be applied. Also, the NNR method using RDP relies on information from self-signed certificates and bases decisions on it.<\/p><p>The general problem with the NNR feature in DfI version 2.2 is that it involves the suspected attacker machine while using techniques that do not provide authentication or tamper protection, thereby giving malicious actors the possibility to evade NNR-based detection logic.<\/p><p>Using a trusted database, such as the Defender device inventory, to resolve raw IP addresses to hostnames is a good approach, since it cannot be interfered with by a malicious actor, but it should be available in all DfI versions, not only version 3.0.<\/p><p>Despite various technical issues and the fact that Microsoft does not consider these to be vulnerabilities and has no plans to make any changes, security professionals can still take steps to improve security and detectability. 
This will be described in the second blogpost: <a href=\"https:\/\/cirosec.de\/en\/news\/microsoft-defender-for-identity-evasions-in-2026-part-ii\/\" target=\"_blank\" rel=\"noopener\">Microsoft Defender for Identity evasions in 2026 \u2013 Part II<\/a>.<\/p><h2>References<\/h2><ol><li><a href=\"https:\/\/www.synacktiv.com\/publications\/a-dive-into-microsoft-defender-for-identity\" target=\"_blank\" rel=\"noopener\">https:\/\/www.synacktiv.com\/publications\/a-dive-into-microsoft-defender-for-identity<\/a><\/li><li><a href=\"https:\/\/www.synacktiv.com\/publications\/understanding-and-evading-microsoft-defender-for-identity-pkinit-detection\" target=\"_blank\" rel=\"noopener\">https:\/\/www.synacktiv.com\/publications\/understanding-and-evading-microsoft-defender-for-identity-pkinit-detection<\/a><\/li><li><a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-for-identity\/nnr-policy\" target=\"_blank\" rel=\"noopener\">https:\/\/learn.microsoft.com\/en-us\/defender-for-identity\/nnr-policy<\/a><\/li><li><a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-xdr\/pilot-deploy-overview\" target=\"_blank\" rel=\"noopener\">https:\/\/learn.microsoft.com\/en-us\/defender-xdr\/pilot-deploy-overview<\/a><\/li><li><a href=\"https:\/\/specterops.io\/wp-content\/uploads\/sites\/3\/2022\/06\/Certified_Pre-Owned.pdf\" target=\"_blank\" rel=\"noopener\">https:\/\/specterops.io\/wp-content\/uploads\/sites\/3\/2022\/06\/Certified_Pre-Owned.pdf<\/a><\/li><li><a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-for-identity\/deploy\/deploy-defender-identity\" target=\"_blank\" rel=\"noopener\">https:\/\/learn.microsoft.com\/en-us\/defender-for-identity\/deploy\/deploy-defender-identity<\/a><\/li><li><a href=\"https:\/\/blog.redteam-pentesting.de\/2025\/windows-coercion\/\" target=\"_blank\" rel=\"noopener\">https:\/\/blog.redteam-pentesting.de\/2025\/windows-coercion\/<\/a><\/li><li><a href=\"https:\/\/en.hackndo.com\/ntlm-relay\/#preliminary\" target=\"_blank\" 
rel=\"noopener\">https:\/\/en.hackndo.com\/ntlm-relay\/#preliminary<\/a><\/li><\/ol>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-b8dda6f elementor-widget elementor-widget-menu-anchor\" data-id=\"b8dda6f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"menu-anchor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-menu-anchor\" id=\"ReviewingNNRmethods\"><\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-347f9b6 elementor-widget elementor-widget-menu-anchor\" data-id=\"347f9b6\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"menu-anchor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-menu-anchor\" id=\"computertocomputer\"><\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-50 elementor-top-column elementor-element elementor-element-4797d269\" data-id=\"4797d269\" data-element_type=\"column\" data-e-type=\"column\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t\t<div class=\"elementor-widget-wrap\">\n\t\t\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-3d4d2855 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"3d4d2855\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-393e689d\" data-id=\"393e689d\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap 
elementor-element-3920b242 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"3920b242\" data-element_type=\"section\" data-e-type=\"section\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t\t\t\t\t\t<div class=\"elementor-background-overlay\"><\/div>\n\t\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-61cde52c\" data-id=\"61cde52c\" data-element_type=\"column\" data-e-type=\"column\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-7eba007 elementor-widget elementor-widget-spacer\" data-id=\"7eba007\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"spacer.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-spacer\">\n\t\t\t<div class=\"elementor-spacer-inner\"><\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-7346d88 elementor-widget elementor-widget-heading\" data-id=\"7346d88\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-heading-title elementor-size-default\">Do you want to protect your systems? 
Feel free to get in touch with us.<\/div>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-1b0432b elementor-widget elementor-widget-spacer\" data-id=\"1b0432b\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"spacer.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-spacer\">\n\t\t\t<div class=\"elementor-spacer-inner\"><\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<section class=\"elementor-section elementor-inner-section elementor-element elementor-element-5cdf3c58 elementor-section-content-middle elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"5cdf3c58\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-50 elementor-inner-column elementor-element elementor-element-40c99187\" data-id=\"40c99187\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-4a1d7b6a elementor-align-right elementor-widget elementor-widget-button\" data-id=\"4a1d7b6a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"button.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-button-wrapper\">\n\t\t\t\t\t<a class=\"elementor-button elementor-button-link elementor-size-sm\" href=\"https:\/\/cirosec.de\/en\/inquiry\/\">\n\t\t\t\t\t\t<span class=\"elementor-button-content-wrapper\">\n\t\t\t\t\t\t\t\t\t<span class=\"elementor-button-text\">Send Enquiry<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/a>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-50 elementor-inner-column 
elementor-element elementor-element-3b9d9ea6\" data-id=\"3b9d9ea6\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-7e7c4d9b elementor-widget elementor-widget-button\" data-id=\"7e7c4d9b\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"button.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-button-wrapper\">\n\t\t\t\t\t<a class=\"elementor-button elementor-button-link elementor-size-sm\" href=\"https:\/\/cirosec.de\/en\/contact-us\/\">\n\t\t\t\t\t\t<span class=\"elementor-button-content-wrapper\">\n\t\t\t\t\t\t\t\t\t<span class=\"elementor-button-text\">Contact Details<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/a>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-46645088 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"46645088\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-50c057b4\" data-id=\"50c057b4\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-4c07ca0d elementor-widget elementor-widget-template\" data-id=\"4c07ca0d\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"template.default\">\n\t\t\t\t<div 
class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-template\">\n\t\t\t\t\t<footer data-elementor-type=\"footer\" data-elementor-id=\"6025\" class=\"elementor elementor-6025 elementor-945 elementor-945\" data-elementor-post-type=\"elementor_library\">\n\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-1e44cc2 elementor-section-full_width elementor-section-height-default elementor-section-height-default\" data-id=\"1e44cc2\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-e9b41ce\" data-id=\"e9b41ce\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-inner-section elementor-element elementor-element-51c0c74 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"51c0c74\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-25 elementor-inner-column elementor-element elementor-element-8ac5cc6\" data-id=\"8ac5cc6\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-af371ae elementor-widget elementor-widget-theme-site-logo elementor-widget-image\" data-id=\"af371ae\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"theme-site-logo.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t<a href=\"https:\/\/cirosec.de\/en\/\">\n\t\t\t<img fetchpriority=\"high\" decoding=\"async\" width=\"626\" 
height=\"188\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" class=\"attachment-full size-full wp-image-5868 lazyload\" alt=\"\" sizes=\"(max-width: 626px) 100vw, 626px\" data-src=\"https:\/\/cirosec.de\/wp-content\/uploads\/2023\/08\/Logo_Cirosec_rgb_53x16mm-transparent.png\" data-srcset=\"https:\/\/cirosec.de\/wp-content\/uploads\/2023\/08\/Logo_Cirosec_rgb_53x16mm-transparent.png 626w, https:\/\/cirosec.de\/wp-content\/uploads\/2023\/08\/Logo_Cirosec_rgb_53x16mm-transparent-300x90.png 300w\">\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-85f2a11 elementor-widget__width-initial elementor-widget elementor-widget-text-editor\" data-id=\"85f2a11\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Competent IT security consulting, pentests, incident response and training<\/p>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-5731ee0 elementor-widget__width-initial elementor-widget elementor-widget-text-editor\" data-id=\"5731ee0\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>cirosec GmbH<br \/>Ferdinand-Braun-Stra\u00dfe 4<br \/>74074 Heilbronn, Germany<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-25 elementor-inner-column elementor-element elementor-element-c7c447f\" data-id=\"c7c447f\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-4826023 elementor-widget elementor-widget-heading\" data-id=\"4826023\" data-element_type=\"widget\" 
data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h6 class=\"elementor-heading-title elementor-size-default\">Quicklinks<\/h6>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-f26d479 elementor-nav-menu__align-start elementor-nav-menu--dropdown-none elementor-widget elementor-widget-nav-menu\" data-id=\"f26d479\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;layout&quot;:&quot;vertical&quot;,&quot;submenu_icon&quot;:{&quot;value&quot;:&quot;&lt;i class=\\&quot;fas fa-caret-down\\&quot; aria-hidden=\\&quot;true\\&quot;&gt;&lt;\\\/i&gt;&quot;,&quot;library&quot;:&quot;fa-solid&quot;}}\" data-widget_type=\"nav-menu.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t<nav aria-label=\"Menu\" class=\"elementor-nav-menu--main elementor-nav-menu__container elementor-nav-menu--layout-vertical e--pointer-none\">\n\t\t\t\t<ul id=\"menu-1-f26d479\" class=\"elementor-nav-menu sm-vertical\"><li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9132\"><a href=\"https:\/\/cirosec.de\/en\/about-us\/\" class=\"elementor-item\">About us<\/a><\/li>\n<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9133\"><a href=\"https:\/\/cirosec.de\/en\/services\/\" class=\"elementor-item\">Services<\/a><\/li>\n<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9134\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/\" class=\"elementor-item\">Trainings<\/a><\/li>\n<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9139\"><a href=\"https:\/\/cirosec.de\/en\/secure-email-communication-with-cirosec\/\" class=\"elementor-item\">Secure Email Communication with cirosec<\/a><\/li>\n<\/ul>\t\t\t<\/nav>\n\t\t\t\t\t\t<nav class=\"elementor-nav-menu--dropdown elementor-nav-menu__container\" aria-hidden=\"true\">\n\t\t\t\t<ul 
id=\"menu-2-f26d479\" class=\"elementor-nav-menu sm-vertical\"><li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9132\"><a href=\"https:\/\/cirosec.de\/en\/about-us\/\" class=\"elementor-item\" tabindex=\"-1\">About us<\/a><\/li>\n<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9133\"><a href=\"https:\/\/cirosec.de\/en\/services\/\" class=\"elementor-item\" tabindex=\"-1\">Services<\/a><\/li>\n<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9134\"><a href=\"https:\/\/cirosec.de\/en\/trainings\/\" class=\"elementor-item\" tabindex=\"-1\">Trainings<\/a><\/li>\n<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9139\"><a href=\"https:\/\/cirosec.de\/en\/secure-email-communication-with-cirosec\/\" class=\"elementor-item\" tabindex=\"-1\">Secure Email Communication with cirosec<\/a><\/li>\n<\/ul>\t\t\t<\/nav>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-25 elementor-inner-column elementor-element elementor-element-29e8304\" data-id=\"29e8304\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-14232af elementor-widget elementor-widget-heading\" data-id=\"14232af\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h6 class=\"elementor-heading-title elementor-size-default\">Social Media<\/h6>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-c23ea92 elementor-nav-menu__align-start elementor-nav-menu--dropdown-none elementor-widget elementor-widget-nav-menu\" data-id=\"c23ea92\" data-element_type=\"widget\" data-e-type=\"widget\" 
data-settings=\"{&quot;layout&quot;:&quot;vertical&quot;,&quot;submenu_icon&quot;:{&quot;value&quot;:&quot;&lt;i class=\\&quot;fas fa-caret-down\\&quot; aria-hidden=\\&quot;true\\&quot;&gt;&lt;\\\/i&gt;&quot;,&quot;library&quot;:&quot;fa-solid&quot;}}\" data-widget_type=\"nav-menu.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t<nav aria-label=\"Menu\" class=\"elementor-nav-menu--main elementor-nav-menu__container elementor-nav-menu--layout-vertical e--pointer-none\">\n\t\t\t\t<ul id=\"menu-1-c23ea92\" class=\"elementor-nav-menu sm-vertical\"><li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-13039\"><a target=\"_blank\" href=\"https:\/\/www.instagram.com\/cirosecgmbh\" class=\"elementor-item\">Instagram<\/a><\/li>\n<li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-9136\"><a target=\"_blank\" href=\"https:\/\/www.xing.com\/pages\/cirosecgmbh\" class=\"elementor-item\">Xing<\/a><\/li>\n<li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-9137\"><a target=\"_blank\" href=\"https:\/\/www.linkedin.com\/company\/cirosec-gmbh\/\" class=\"elementor-item\">LinkedIn<\/a><\/li>\n<li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-9138\"><a target=\"_blank\" href=\"https:\/\/twitter.com\/cirosec\" class=\"elementor-item\">X (Twitter)<\/a><\/li>\n<li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-21563\"><a href=\"https:\/\/infosec.exchange\/@cirosec\" class=\"elementor-item\">Mastodon<\/a><\/li>\n<\/ul>\t\t\t<\/nav>\n\t\t\t\t\t\t<nav class=\"elementor-nav-menu--dropdown elementor-nav-menu__container\" aria-hidden=\"true\">\n\t\t\t\t<ul id=\"menu-2-c23ea92\" class=\"elementor-nav-menu sm-vertical\"><li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-13039\"><a target=\"_blank\" href=\"https:\/\/www.instagram.com\/cirosecgmbh\" class=\"elementor-item\" 
tabindex=\"-1\">Instagram<\/a><\/li>\n<li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-9136\"><a target=\"_blank\" href=\"https:\/\/www.xing.com\/pages\/cirosecgmbh\" class=\"elementor-item\" tabindex=\"-1\">Xing<\/a><\/li>\n<li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-9137\"><a target=\"_blank\" href=\"https:\/\/www.linkedin.com\/company\/cirosec-gmbh\/\" class=\"elementor-item\" tabindex=\"-1\">LinkedIn<\/a><\/li>\n<li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-9138\"><a target=\"_blank\" href=\"https:\/\/twitter.com\/cirosec\" class=\"elementor-item\" tabindex=\"-1\">X (Twitter)<\/a><\/li>\n<li class=\"menu-item menu-item-type-custom menu-item-object-custom menu-item-21563\"><a href=\"https:\/\/infosec.exchange\/@cirosec\" class=\"elementor-item\" tabindex=\"-1\">Mastodon<\/a><\/li>\n<\/ul>\t\t\t<\/nav>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t<div class=\"elementor-column elementor-col-25 elementor-inner-column elementor-element elementor-element-871a164\" data-id=\"871a164\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-a46aa52 elementor-widget elementor-widget-heading\" data-id=\"a46aa52\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h6 class=\"elementor-heading-title elementor-size-default\">Legal<\/h6>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-50e6031 elementor-nav-menu__align-start elementor-nav-menu--dropdown-none elementor-widget elementor-widget-nav-menu\" data-id=\"50e6031\" data-element_type=\"widget\" data-e-type=\"widget\" 
data-settings=\"{&quot;layout&quot;:&quot;vertical&quot;,&quot;submenu_icon&quot;:{&quot;value&quot;:&quot;&lt;i class=\\&quot;fas fa-caret-down\\&quot; aria-hidden=\\&quot;true\\&quot;&gt;&lt;\\\/i&gt;&quot;,&quot;library&quot;:&quot;fa-solid&quot;}}\" data-widget_type=\"nav-menu.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t<nav aria-label=\"Menu\" class=\"elementor-nav-menu--main elementor-nav-menu__container elementor-nav-menu--layout-vertical e--pointer-none\">\n\t\t\t\t<ul id=\"menu-1-50e6031\" class=\"elementor-nav-menu sm-vertical\"><li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9146\"><a href=\"https:\/\/cirosec.de\/en\/imprint\/\" class=\"elementor-item\">Imprint<\/a><\/li>\n<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9147\"><a href=\"https:\/\/cirosec.de\/en\/privacy-policy\/\" class=\"elementor-item\">Privacy Policy<\/a><\/li>\n<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9148\"><a href=\"https:\/\/cirosec.de\/en\/cirosec-responsible-disclosure-policy\/\" class=\"elementor-item\">cirosec Responsible Disclosure Policy<\/a><\/li>\n<\/ul>\t\t\t<\/nav>\n\t\t\t\t\t\t<nav class=\"elementor-nav-menu--dropdown elementor-nav-menu__container\" aria-hidden=\"true\">\n\t\t\t\t<ul id=\"menu-2-50e6031\" class=\"elementor-nav-menu sm-vertical\"><li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9146\"><a href=\"https:\/\/cirosec.de\/en\/imprint\/\" class=\"elementor-item\" tabindex=\"-1\">Imprint<\/a><\/li>\n<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9147\"><a href=\"https:\/\/cirosec.de\/en\/privacy-policy\/\" class=\"elementor-item\" tabindex=\"-1\">Privacy Policy<\/a><\/li>\n<li class=\"menu-item menu-item-type-post_type menu-item-object-page menu-item-9148\"><a href=\"https:\/\/cirosec.de\/en\/cirosec-responsible-disclosure-policy\/\" class=\"elementor-item\" 
tabindex=\"-1\">cirosec Responsible Disclosure Policy<\/a><\/li>\n<\/ul>\t\t\t<\/nav>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/footer>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>June 16, 2026 \u2013 Microsoft Defender for Identity (DfI) is one of Microsoft\u2019s key solutions for detecting identity-based attacks in Active Directory environments &#8211; but how well does it hold up against a skilled attacker? This two-part blog post dives into DfI\u2019s detection capabilities for high-impact attacks such as shadow credentials, pass-the-cert, ESC8, and DCSync. Additionally, it uncovers a spoofing and relaying vulnerability in DfI\u2019s Network Name Resolution component that can be used to evade multiple alerts, and offers blue team perspectives on closing these gaps.<br \/>\n<br \/> <br \/>\nAuthor: Jakob Scholz<\/p>\n","protected":false},"author":52,"featured_media":18538,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"elementor_canvas","format":"standard","meta":{"footnotes":""},"categories":[36,56],"tags":[68],"class_list":["post-27413","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-red-teaming-en","category-windows","tag-redteaming"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.8 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Microsoft Defender for Identity evasions in 2026 \u2013 Part I - cirosec<\/title>\n<meta name=\"description\" content=\"Analysis of MDI detections and evasions for Shadow Credentials, Pass-the-Cert, ESC8, and DCSync, through Network Name Resolution bypass vulnerability.\" \/>\n<meta name=\"robots\" content=\"index, follow, 
max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/cirosec.de\/en\/news\/microsoft-defender-for-identity-evasions-in-2026-part-i\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Microsoft Defender for Identity evasions in 2026 \u2013 Part I - cirosec\" \/>\n<meta property=\"og:description\" content=\"Analysis of MDI detections and evasions for Shadow Credentials, Pass-the-Cert, ESC8, and DCSync, through Network Name Resolution bypass vulnerability.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/cirosec.de\/en\/news\/microsoft-defender-for-identity-evasions-in-2026-part-i\/\" \/>\n<meta property=\"og:site_name\" content=\"cirosec\" \/>\n<meta property=\"article:published_time\" content=\"2026-06-16T06:28:20+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-06-17T07:57:43+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/shubham-dhage-v0VjjYYFjOg-unsplash-scaled.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"2560\" \/>\n\t<meta property=\"og:image:height\" content=\"1440\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Cirosec.Website@cirosec.de\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Cirosec.Website@cirosec.de\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"49 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/microsoft-defender-for-identity-evasions-in-2026-part-i\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/microsoft-defender-for-identity-evasions-in-2026-part-i\\\/\"},\"author\":{\"name\":\"Cirosec.Website@cirosec.de\",\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/#\\\/schema\\\/person\\\/eee79b87f8dca8fb8cde312ca2abb4f0\"},\"headline\":\"Microsoft Defender for Identity evasions in 2026 \u2013 Part I\",\"datePublished\":\"2026-06-16T06:28:20+00:00\",\"dateModified\":\"2026-06-17T07:57:43+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/microsoft-defender-for-identity-evasions-in-2026-part-i\\\/\"},\"wordCount\":7883,\"publisher\":{\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/microsoft-defender-for-identity-evasions-in-2026-part-i\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/cirosec.de\\\/wp-content\\\/uploads\\\/2024\\\/07\\\/shubham-dhage-v0VjjYYFjOg-unsplash-scaled.jpg\",\"keywords\":[\"redteaming\"],\"articleSection\":[\"Red Teaming\",\"Windows\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/microsoft-defender-for-identity-evasions-in-2026-part-i\\\/\",\"url\":\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/microsoft-defender-for-identity-evasions-in-2026-part-i\\\/\",\"name\":\"Microsoft Defender for Identity evasions in 2026 \u2013 Part I - 
cirosec\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/microsoft-defender-for-identity-evasions-in-2026-part-i\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/microsoft-defender-for-identity-evasions-in-2026-part-i\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/cirosec.de\\\/wp-content\\\/uploads\\\/2024\\\/07\\\/shubham-dhage-v0VjjYYFjOg-unsplash-scaled.jpg\",\"datePublished\":\"2026-06-16T06:28:20+00:00\",\"dateModified\":\"2026-06-17T07:57:43+00:00\",\"description\":\"Analysis of MDI detections and evasions for Shadow Credentials, Pass-the-Cert, ESC8, and DCSync, through Network Name Resolution bypass vulnerability.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/microsoft-defender-for-identity-evasions-in-2026-part-i\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/microsoft-defender-for-identity-evasions-in-2026-part-i\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/microsoft-defender-for-identity-evasions-in-2026-part-i\\\/#primaryimage\",\"url\":\"https:\\\/\\\/cirosec.de\\\/wp-content\\\/uploads\\\/2024\\\/07\\\/shubham-dhage-v0VjjYYFjOg-unsplash-scaled.jpg\",\"contentUrl\":\"https:\\\/\\\/cirosec.de\\\/wp-content\\\/uploads\\\/2024\\\/07\\\/shubham-dhage-v0VjjYYFjOg-unsplash-scaled.jpg\",\"width\":2560,\"height\":1440},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/microsoft-defender-for-identity-evasions-in-2026-part-i\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Startseite\",\"item\":\"https:\\\/\\\/cirosec.de\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Microsoft Defender for Identity evasions in 2026 \u2013 Part 
I\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/#website\",\"url\":\"https:\\\/\\\/cirosec.de\\\/en\\\/\",\"name\":\"cirosec\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/cirosec.de\\\/en\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/#organization\",\"name\":\"cirosec\",\"url\":\"https:\\\/\\\/cirosec.de\\\/en\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/cirosec.de\\\/wp-content\\\/uploads\\\/2023\\\/08\\\/Logo_Cirosec_rgb_53x16mm-transparent.png\",\"contentUrl\":\"https:\\\/\\\/cirosec.de\\\/wp-content\\\/uploads\\\/2023\\\/08\\\/Logo_Cirosec_rgb_53x16mm-transparent.png\",\"width\":626,\"height\":188,\"caption\":\"cirosec\"},\"image\":{\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/cirosec.de\\\/en\\\/#\\\/schema\\\/person\\\/eee79b87f8dca8fb8cde312ca2abb4f0\",\"name\":\"Cirosec.Website@cirosec.de\",\"url\":\"https:\\\/\\\/cirosec.de\\\/en\\\/news\\\/author\\\/cirosec-websitecirosec-de\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Microsoft Defender for Identity evasions in 2026 \u2013 Part I - cirosec","description":"Analysis of MDI detections and evasions for Shadow Credentials, Pass-the-Cert, ESC8, and DCSync, through Network Name Resolution bypass vulnerability.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/cirosec.de\/en\/news\/microsoft-defender-for-identity-evasions-in-2026-part-i\/","og_locale":"en_US","og_type":"article","og_title":"Microsoft Defender for Identity evasions in 2026 \u2013 Part I - cirosec","og_description":"Analysis of MDI detections and evasions for Shadow Credentials, Pass-the-Cert, ESC8, and DCSync, through Network Name Resolution bypass vulnerability.","og_url":"https:\/\/cirosec.de\/en\/news\/microsoft-defender-for-identity-evasions-in-2026-part-i\/","og_site_name":"cirosec","article_published_time":"2026-06-16T06:28:20+00:00","article_modified_time":"2026-06-17T07:57:43+00:00","og_image":[{"width":2560,"height":1440,"url":"https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/shubham-dhage-v0VjjYYFjOg-unsplash-scaled.jpg","type":"image\/jpeg"}],"author":"Cirosec.Website@cirosec.de","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Cirosec.Website@cirosec.de","Est. 
reading time":"49 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/cirosec.de\/en\/news\/microsoft-defender-for-identity-evasions-in-2026-part-i\/#article","isPartOf":{"@id":"https:\/\/cirosec.de\/en\/news\/microsoft-defender-for-identity-evasions-in-2026-part-i\/"},"author":{"name":"Cirosec.Website@cirosec.de","@id":"https:\/\/cirosec.de\/en\/#\/schema\/person\/eee79b87f8dca8fb8cde312ca2abb4f0"},"headline":"Microsoft Defender for Identity evasions in 2026 \u2013 Part I","datePublished":"2026-06-16T06:28:20+00:00","dateModified":"2026-06-17T07:57:43+00:00","mainEntityOfPage":{"@id":"https:\/\/cirosec.de\/en\/news\/microsoft-defender-for-identity-evasions-in-2026-part-i\/"},"wordCount":7883,"publisher":{"@id":"https:\/\/cirosec.de\/en\/#organization"},"image":{"@id":"https:\/\/cirosec.de\/en\/news\/microsoft-defender-for-identity-evasions-in-2026-part-i\/#primaryimage"},"thumbnailUrl":"https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/shubham-dhage-v0VjjYYFjOg-unsplash-scaled.jpg","keywords":["redteaming"],"articleSection":["Red Teaming","Windows"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/cirosec.de\/en\/news\/microsoft-defender-for-identity-evasions-in-2026-part-i\/","url":"https:\/\/cirosec.de\/en\/news\/microsoft-defender-for-identity-evasions-in-2026-part-i\/","name":"Microsoft Defender for Identity evasions in 2026 \u2013 Part I - cirosec","isPartOf":{"@id":"https:\/\/cirosec.de\/en\/#website"},"primaryImageOfPage":{"@id":"https:\/\/cirosec.de\/en\/news\/microsoft-defender-for-identity-evasions-in-2026-part-i\/#primaryimage"},"image":{"@id":"https:\/\/cirosec.de\/en\/news\/microsoft-defender-for-identity-evasions-in-2026-part-i\/#primaryimage"},"thumbnailUrl":"https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/shubham-dhage-v0VjjYYFjOg-unsplash-scaled.jpg","datePublished":"2026-06-16T06:28:20+00:00","dateModified":"2026-06-17T07:57:43+00:00","description":"Analysis of MDI detections and 
evasions for Shadow Credentials, Pass-the-Cert, ESC8, and DCSync, through Network Name Resolution bypass vulnerability.","breadcrumb":{"@id":"https:\/\/cirosec.de\/en\/news\/microsoft-defender-for-identity-evasions-in-2026-part-i\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/cirosec.de\/en\/news\/microsoft-defender-for-identity-evasions-in-2026-part-i\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/cirosec.de\/en\/news\/microsoft-defender-for-identity-evasions-in-2026-part-i\/#primaryimage","url":"https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/shubham-dhage-v0VjjYYFjOg-unsplash-scaled.jpg","contentUrl":"https:\/\/cirosec.de\/wp-content\/uploads\/2024\/07\/shubham-dhage-v0VjjYYFjOg-unsplash-scaled.jpg","width":2560,"height":1440},{"@type":"BreadcrumbList","@id":"https:\/\/cirosec.de\/en\/news\/microsoft-defender-for-identity-evasions-in-2026-part-i\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Startseite","item":"https:\/\/cirosec.de\/"},{"@type":"ListItem","position":2,"name":"Microsoft Defender for Identity evasions in 2026 \u2013 Part 
I"}]},{"@type":"WebSite","@id":"https:\/\/cirosec.de\/en\/#website","url":"https:\/\/cirosec.de\/en\/","name":"cirosec","description":"","publisher":{"@id":"https:\/\/cirosec.de\/en\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/cirosec.de\/en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/cirosec.de\/en\/#organization","name":"cirosec","url":"https:\/\/cirosec.de\/en\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/cirosec.de\/en\/#\/schema\/logo\/image\/","url":"https:\/\/cirosec.de\/wp-content\/uploads\/2023\/08\/Logo_Cirosec_rgb_53x16mm-transparent.png","contentUrl":"https:\/\/cirosec.de\/wp-content\/uploads\/2023\/08\/Logo_Cirosec_rgb_53x16mm-transparent.png","width":626,"height":188,"caption":"cirosec"},"image":{"@id":"https:\/\/cirosec.de\/en\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/cirosec.de\/en\/#\/schema\/person\/eee79b87f8dca8fb8cde312ca2abb4f0","name":"Cirosec.Website@cirosec.de","url":"https:\/\/cirosec.de\/en\/news\/author\/cirosec-websitecirosec-de\/"}]}},"_links":{"self":[{"href":"https:\/\/cirosec.de\/en\/wp-json\/wp\/v2\/posts\/27413","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cirosec.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cirosec.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cirosec.de\/en\/wp-json\/wp\/v2\/users\/52"}],"replies":[{"embeddable":true,"href":"https:\/\/cirosec.de\/en\/wp-json\/wp\/v2\/comments?post=27413"}],"version-history":[{"count":100,"href":"https:\/\/cirosec.de\/en\/wp-json\/wp\/v2\/posts\/27413\/revisions"}],"predecessor-version":[{"id":27632,"href":"https:\/\/cirosec.de\/en\/wp-json\/wp\/v2\/posts\/27413\/revisions\/27632"}],"wp:featuredmedia":[{"embeddable":true,"href":"https
:\/\/cirosec.de\/en\/wp-json\/wp\/v2\/media\/18538"}],"wp:attachment":[{"href":"https:\/\/cirosec.de\/en\/wp-json\/wp\/v2\/media?parent=27413"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cirosec.de\/en\/wp-json\/wp\/v2\/categories?post=27413"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cirosec.de\/en\/wp-json\/wp\/v2\/tags?post=27413"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}