CVE-2025-21293 Detection: PoC Exploit Released for a Privilege Escalation Vulnerability in Active Directory Domain Services

Shortly after the critical zero-click OLE vulnerability in Microsoft Outlook (CVE-2025-21298), yet another dangerous security threat has come to light. A recently patched privilege escalation vulnerability affecting Active Directory Domain Services (CVE-2025-21293) has taken a dangerous turn. With a proof-of-concept (PoC) exploit now circulating publicly online, the risk of exploitation has significantly increased. This vulnerability opens the door for attackers to gain system-level privileges within an organization’s Active Directory environment, potentially compromising sensitive operations and data.

Detect CVE-2025-21293 Exploitation Attempts

CVE-2025-21293 stands out for its potential to cause widespread disruption. Active Directory is a fundamental component of corporate environments, from Fortune 500 giants to small businesses, making this vulnerability a serious concern. The public release of a PoC exploit has only increased the urgency for proactive security measures. 

With attackers potentially seeking to exploit the flaw, security teams require a reliable source of detection content to spot intrusions on time. SOC Prime Platform for collective cyber defense offers a relevant Sigma rule accompanied by a complete product suite for threat detection and hunting.

Possible Abuse of Performance Counters (via registry_event)

This rule by the SOC Prime Team helps detect potential exploitation of CVE-2025-21293, or persistence relying on the same mechanism, by monitoring for unauthorized registry modifications, particularly the creation of subkeys under HKLM\SYSTEM\CurrentControlSet\Services\DnsCache and HKLM\SYSTEM\CurrentControlSet\Services\NetBT.

Additionally, it helps to spot the registration of performance counters linked to unrecognized DLLs, as this may indicate an attempt to execute code with elevated privileges. The detection is compatible with multiple SIEM, EDR, and Data Lake solutions and mapped to MITRE ATT&CK, addressing the Event Triggered Execution (T1546) technique.

Security professionals seeking more relevant content for the Proactive Vulnerability Exploitation Detection use case can access the whole relevant detection stack by hitting the Explore Detections button below.

Explore Detections

CVE-2025-21293 Analysis

The vulnerability stems from an issue with the Active Directory “Network Configuration Operators” group, a default security group automatically created during the setup of on-premises domain controllers. While this group is meant to allow users to manage network interfaces without full administrative rights, Microsoft granted it excessive privileges, including the ability to create registry subkeys for critical system services.

With this door wide open, a recently released PoC exploit leverages Windows Performance Counters — a mechanism that allows applications and services to register monitoring routines through performance counter consumers such as PerfMon.exe or WMI. While typically used to track system and application performance, performance counters also provide a pathway for executing custom code via DLLs, as BirkeP, the researcher who revealed the PoC, highlighted.

By exploiting the excessive permissions granted to the “Network Configuration Operators” group, an attacker could register malicious Performance Counter DLLs under the DnsCache service registry key. Once registered, these DLLs could be executed with SYSTEM-level privileges, posing a critical security threat.

The CVE-2025-21293 vulnerability was patched by Microsoft in the January 2025 Patch Tuesday release. Users are strongly recommended to review the advisory and apply the patch immediately.

As Active Directory remains a fundamental component for identity management, recognizing and mitigating these vulnerabilities is essential. Rely on SOC Prime Platform for proactive vulnerability exploitation detection and a future-proof defense against emerging cyber threats, using a complete product suite for advanced threat detection, automated threat hunting, and intelligence-driven detection engineering.
