A spoofing vulnerability in the Microsoft Defender for Identity (MDI) sensor related to the Lateral Movement Paths (LMPs) feature allows an unauthenticated local network attacker to capture the Net-NTLM hash of the Directory Service Account (DSA). This vulnerability can be exploited to escalate privileges and establish a foothold in Active Directory environments, especially when combined with other security weaknesses. #CVE2025-26685 #MicrosoftDefenderForIdentity #LateralMovementPaths #DirectoryServiceAccount
Keypoints
- NetSPI discovered CVE-2025-26685, a spoofing vulnerability in the MDI sensor that abuses the LMPs feature to capture the Net-NTLM hash of the DSA.
- The attack requires the attacker to have a DNS record linked to their system and to trigger a specific Windows Event on the Domain Controller.
- The MDI sensor authenticates and queries the attacker’s system using the SAM-R protocol, which can be downgraded from Kerberos to NTLM, leaking the DSA’s Net-NTLM hash.
- Captured hashes can be cracked offline, enabling privilege escalation to the DSA account with read access to Active Directory objects.
- The vulnerability can be combined with others, such as ADCS Certificate Authority misconfigurations, to elevate privileges further and access sensitive domain resources.
- Detection strategies include monitoring authentication events not originating from Domain Controllers and tracking ADCS activities like certificate requests and LDAP queries for vulnerable templates.
- Microsoft recommends migrating to the unified XDR sensor, which is not vulnerable, and advises limiting DSA privileges and disabling LMPs data collection if necessary.
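The detection strategies above (DSA authentication that does not originate from a Domain Controller, and certificate issuance to the DSA) can be expressed as simple rules over exported security events. The following is an added example written for this summary, not code from NetSPI, Microsoft or the advisory; the DSA account name, Domain Controller addresses, and the 4624/4887 field names used in the constructed sample records are assumptions for illustration, and a real deployment would feed it parsed events from the Domain Controllers' Security log instead.

```python
"""Detection rules for post-exploitation use of the MDI Directory Service Account
(DSA), as described for CVE-2025-26685. Added example; all records and names are
constructed placeholders, not data from the advisory."""

from dataclasses import dataclass
from typing import Any, Dict, Iterable, List

# Assumed environment values (placeholders, not from the advisory).
DSA_ACCOUNTS = {"svc_mdi"}                    # hypothetical MDI DSA account
DC_ADDRESSES = {"10.0.0.10", "10.0.0.11"}     # hypothetical Domain Controller IPs
LOCAL_ADDRESSES = {"-", "::1", "127.0.0.1"}   # loopback/console logons are ignored


@dataclass
class Finding:
    event_id: int
    rule: str
    detail: str


def normalise_account(name: str) -> str:
    """Strip DOMAIN\\ and @domain qualifiers and lower-case, so that
    CORP\\svc_mdi, svc_mdi@corp.local and svc_mdi compare equal."""
    return name.split("\\")[-1].split("@")[0].lower()


def check_logon(ev: Dict[str, Any]) -> List[Finding]:
    """Rule 1 (Event ID 4624): the DSA is only used by the MDI sensor on the
    Domain Controllers, so a DSA logon sourced from any other address is
    suspicious. NTLM rather than Kerberos is a stronger signal, because the
    sensor's SAM-R query being downgraded to NTLM is what leaks the hash."""
    user = normalise_account(ev.get("TargetUserName", ""))
    src = ev.get("IpAddress", "-")
    if user not in DSA_ACCOUNTS or src in DC_ADDRESSES or src in LOCAL_ADDRESSES:
        return []
    pkg = str(ev.get("AuthenticationPackageName", "?"))
    rule = "dsa-logon-from-non-dc"
    if pkg.upper() == "NTLM":
        rule += "-ntlm"
    return [Finding(4624, rule, f"{user} logon from {src} via {pkg}")]


def check_cert_issued(ev: Dict[str, Any]) -> List[Finding]:
    """Rule 2 (Event ID 4887): the DSA has no legitimate reason to request
    certificates, so any issuance to it is reported regardless of template."""
    requester = normalise_account(ev.get("Requester", ""))
    if requester not in DSA_ACCOUNTS:
        return []
    template = ev.get("CertificateTemplate", "?")
    return [Finding(4887, "dsa-certificate-issued",
                    f"certificate issued to {requester} from template {template}")]


RULES = {4624: check_logon, 4887: check_cert_issued}


def analyse(events: Iterable[Dict[str, Any]]) -> List[Finding]:
    """Run every rule that applies to each event and collect the findings."""
    findings: List[Finding] = []
    for ev in events:
        rule = RULES.get(ev.get("EventID"))
        if rule is not None:
            findings.extend(rule(ev))
    return findings


# Constructed sample records; field names mirror the 4624/4887 event data as an
# assumption and would come from the DC Security log in practice.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "svc_mdi", "IpAddress": "10.0.0.10",
     "LogonType": 3, "AuthenticationPackageName": "Kerberos"},   # normal sensor use
    {"EventID": 4624, "TargetUserName": "CORP\\svc_mdi", "IpAddress": "10.0.5.77",
     "LogonType": 3, "AuthenticationPackageName": "NTLM"},       # DSA from a workstation
    {"EventID": 4624, "TargetUserName": "alice", "IpAddress": "10.0.5.77",
     "LogonType": 3, "AuthenticationPackageName": "NTLM"},       # unrelated user
    {"EventID": 4887, "Requester": "CORP\\svc_mdi",
     "CertificateTemplate": "User", "RequestId": 1234},          # cert issued to DSA
    {"EventID": 4887, "Requester": "CORP\\alice",
     "CertificateTemplate": "User", "RequestId": 1235},          # benign issuance
]


def run_sample() -> List[Finding]:
    return analyse(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.event_id}] {f.rule}: {f.detail}")
```

Both rules are deliberately allowlist-based: the DSA's legitimate activity is narrow (sensor logons from DC addresses, no certificate requests), so anything outside that set is reported rather than trying to enumerate attacker behaviour. Tuning consists of keeping `DC_ADDRESSES` and `DSA_ACCOUNTS` in step with the environment.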
MITRE Techniques
- [T1078] Valid Accounts – Exploitation of the Directory Service Account (DSA) by capturing and cracking the Net-NTLM hash to gain unauthorized access. (‘MDI sensor authenticates to the attacker’s system using the DSA, leaking its Net-NTLM hash’)
- [T1550.001] Use Alternate Authentication Material: Pass the Hash – Relaying captured authentication data to escalate privileges within Active Directory. (‘The authentication can be relayed resulting in the attacker elevating privileges and obtaining a foothold’)
- [T1110] Brute Force – Offline cracking of captured Net-NTLM hashes using tools like Hashcat. (‘The hash can be taken offline for password cracking’)
- [T1486] Data Encrypted for Impact – Though not explicit, capturing credentials leads to further control over AD, enabling malicious activities such as unauthorized certificate issuance. (‘Use Certipy to request certificates and retrieve TGT and NT hash for the DSA account’)
Indicators of Compromise
- [File Hash] Captured Net-NTLM hashes of the Directory Service Account – examples include NTLMv1 and NTLMv2 hash captures from the MDI sensor authentication process.
- [Event ID] Windows Event ID 4624 and 4887 – authentication events and certificate issuance indicating potential exploitation activities.
- [IP/Hostname] Attacker systems with DNS records corresponding to their IP addresses – required for triggering the vulnerability.
- [File Name] Tools such as Certipy, Impacket smbserver, and rpcclient – used in exploiting and relaying the authentication.