Microsoft is officially deprecating NTLM — yet CVE-2025-24054 was actively exploited days after patching, and the Coercion → Relay → ADCS → Domain Admin chain still works in most enterprise environments. Here's the full 2026 kill chain and how to detect it.
A red team operator joins an internal engagement. No credentials, no exploits — just network access. Eight minutes later, they have a Domain Admin certificate issued by the organization’s own certificate authority. The entire attack used only built-in Windows protocols that Microsoft officially announced it was retiring.
That’s not a scenario from 2019. It happened last quarter. In 2026.