AD Computer Using dNSHostName That Belongs to Another Computer Account

Cayosoft Threat Definition CTD-000046

Risk Summary

If an attacker changes a computer account’s dNSHostName to match another computer’s, they can impersonate that system and request valid authentication certificates, potentially gaining elevated privileges across the domain.

  • Severity: Critical
  • Platform: Active Directory 
  • Category: Account protection
  • MITRE ATT&CK Tactics: Privilege Escalation, Credential Access
  • MITRE D3FEND Tactics: Domain Account Monitoring

Description

A threat actor might change the dNSHostName attribute of a computer account to the value used by another computer account. By doing so, the attacker could obtain a certificate allowing them to impersonate the legitimate target system. Once impersonation is achieved, the attacker can escalate privileges, access sensitive resources, and move laterally within the environment.

Real-World Scenario

An attacker gains limited access to a compromised computer in an Active Directory environment. They modify its dNSHostName to match that of a Domain Controller. Using this spoofed identity, they request a Kerberos certificate from Active Directory Certificate Services. This certificate is then used to impersonate the Domain Controller account, giving the attacker the ability to create accounts, reset passwords, and replicate sensitive directory data — all while avoiding detection through standard logon monitoring. Cayosoft Guardian detects the hostname change immediately, enabling administrators to investigate before the attacker fully exploits their new privileges.

How to Detect (Cayosoft Guardian)

1. Sign in to Cayosoft Guardian Threat Detection Dashboard.

2. View All Alerts and search for CTD-000046 or AD computer using dNSHostName that belongs to another computer account.

3. Open any alert and Click for details (from Raise Threat Alert action).

4. Evidence:

  • Object name
  • Old DNS Hostname
  • New DNS Hostname
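
The check behind this alert can be reproduced over exported directory data. The sketch below is an added example, not Cayosoft Guardian's detection logic: it takes change records carrying the three evidence fields above and flags any new dNSHostName already held by a different computer account, noting when that account is a domain controller. The record layout, the `corp.example` names and the function names are assumptions made for illustration.

```python
from dataclasses import dataclass

SERVER_TRUST_ACCOUNT = 0x2000  # userAccountControl flag set on domain controllers

@dataclass
class Computer:
    sam: str             # sAMAccountName, e.g. "WS17$"
    dns_host_name: str   # dNSHostName
    uac: int = 0x1000    # userAccountControl (0x1000 = WORKSTATION_TRUST_ACCOUNT)

def norm(host):
    """DNS names are case-insensitive; ignore whitespace and a trailing root dot."""
    return (host or "").strip().rstrip(".").lower()

def check_change(event, inventory):
    """Return a finding if the new hostname belongs to another account, else None."""
    new = norm(event["new"])
    if not new or new == norm(event["old"]):
        return None  # cleared value or a case-only rewrite: no collision possible
    owners = [c for c in inventory
              if norm(c.dns_host_name) == new
              and c.sam.lower() != event["object"].lower()]
    if not owners:
        return None
    return {
        "object": event["object"],
        "old": event["old"],
        "new": event["new"],
        "collides_with": [c.sam for c in owners],
        "targets_dc": any(c.uac & SERVER_TRUST_ACCOUNT for c in owners),
    }

# Constructed sample data (hypothetical domain and hosts)
INVENTORY = [
    Computer("DC01$", "dc01.corp.example", 0x82000),
    Computer("FS01$", "fs01.corp.example"),
    Computer("WS17$", "ws17.corp.example"),
]
EVENTS = [
    {"object": "WS17$", "old": "ws17.corp.example", "new": "DC01.corp.example."},
    {"object": "FS01$", "old": "fs01.corp.example", "new": "files.corp.example"},
    {"object": "DC01$", "old": "dc01.corp.example", "new": "DC01.corp.example"},
]

def scan(events=EVENTS, inventory=INVENTORY):
    return [f for f in (check_change(e, inventory) for e in events) if f]

if __name__ == "__main__":
    for finding in scan():
        print(finding)
```

Normalising case and the trailing dot before comparing matters here, because a naive string comparison would miss `DC01.corp.example.` colliding with `dc01.corp.example`.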

Remediation Steps

Using the remediation advice in Cayosoft Guardian, follow these steps to remove the vulnerability:
  1. Investigate suspicious activity of the compromised account using Change History in Cayosoft Guardian.
  2. To protect your environment, complete the following steps for certificate-based authentication:
    1. Update all servers that run Active Directory Certificate Services and Windows domain controllers that service certificate-based authentication with the May 10, 2022 update (see Compatibility mode). The May 10, 2022 update will provide audit events that identify certificates that are not compatible with Full Enforcement mode.
    2. If no audit event logs are created on domain controllers for one month after installing the update, proceed with enabling Full Enforcement mode on all domain controllers. By November 14, 2023, or later, all devices will be updated to Full Enforcement mode. In this mode, if a certificate fails the strong (secure) mapping criteria (see Certificate mappings), authentication will be denied.

How to Prevent It

Cayosoft Guardian can continuously monitor for dNSHostName changes and alert on suspicious overlaps with other computer accounts. Enforcing certificate-based authentication hardening and promptly applying security updates will reduce the risk of hostname spoofing and privilege escalation.

FAQ

Because it allows attackers to impersonate other systems and request valid authentication certificates. With these certificates, they can gain unauthorized access, escalate privileges, and move laterally across the domain while appearing legitimate.

The update adds certificate mapping enforcement, audit events, and compatibility checks that identify and block improper or duplicate certificate-based authentications, significantly reducing hostname spoofing risks.

Full Enforcement mode strictly blocks authentication attempts that fail strong mapping validation. It should be enabled once you confirm no audit events are triggered during the compatibility period, ensuring only legitimate certificates are accepted.

Yes. Cayosoft Guardian Protector can detect and alert on unauthorized dNSHostName changes or overlaps across Active Directory computer accounts.

Yes. Cayosoft Guardian provides comprehensive detection, alerting, and rollback capabilities to quickly identify and reverse malicious hostname or certificate-based attacks within Active Directory.

Final Thought

Hostname spoofing at the computer account level can enable stealthy, high-impact attacks. Proactive detection and enforcement of secure certificate mapping are critical to stopping attackers before they escalate privileges.