This article is contributed. See the original author and article here.
During the November security update cycle, Microsoft released a patch for two new vulnerabilities, CVE-2021-42287 and CVE-2021-42278. Both vulnerabilities are described as a ‘Windows Active Directory domain service privilege escalation vulnerability’.
A few weeks later, on December 12, 2021, a proof-of-concept tool leveraging these vulnerabilities was publicly disclosed.
When combining these two vulnerabilities, an attacker can create a straightforward path to a Domain Admin user in an Active Directory environment that hasn’t applied these new updates. This escalation attack allows attackers to easily elevate their privilege to that of a Domain Admin once they compromise a regular user in the domain
As Defender for Identity’s mission is to secure Active Directory and your environment against advanced and sophisticated identity threat attacks, our research team reacted fast and published a query that can be used to identify suspicious behavior leveraging these vulnerabilities. This query can help detect abnormal device name changes (which should happen rarely to begin with) and compare them to a list of domain controllers in your environment.
As always, we strongly advise deploying the latest patches on the domain controllers as soon as possible.
To investigate if these vulnerabilities might have been exploited in your environment before the hotfixes were deployed, we highly recommend you follow the step-by-step guide below.
Our research team continues its effort in creating more ways to detect these vulnerabilities, either with queries or out-of-the-box detections.
Let’s do a quick dive into each of these vulnerabilities:
CVE-2021-42278 – SAM Name impersonation
Internally, Active Directory (AD) uses several naming schemes for a given object. Like userPrincipalName (UPN), and sAMAccountName (SAM-Account).
How do I find the sAMAccountNames in my Active Directory?
With Active Directory Users and Computers open:
- Click View > Advanced Features
- Open the properties of an object > Attribute Editor tab > Scroll down to sAMAccountName
(figure 1 – sAMAccountName of computer object)
In cases of computers – these sAMAccountName attributes usually end with “$” in their name. Traditionally, this $ was used to distinguish between user objects and computer objects. It is important to mention there are no restrictions or validations for changing this attribute to include or not include the $ sign.
With default settings, when the relevant patch is not applied, a normal user has permission to modify a machine account (up to 10 machines) and as its owner, they also have the permissions to edit its sAMAccountName attribute.
CVE-2021-42287 – KDC bamboozling
This CVE addresses a vulnerability that allows a potential attacker to impersonate the domain controllers directly.
When performing an authentication using Kerberos, Ticket-Granting-Ticket (TGT) and the following Ticket-Granting-Service (TGS) are being requested from the Key Distribution Center (KDC). In case a TGS was requested for an account that could not be found, the KDC will attempt to search it again with a trailing $.
For example, if there is a domain controller with a SAM account name of DC1$, an attacker may create a new machine account and rename its SAM account name to DC1, request a TGT, rename it again for a different name, and request a TGS ticket, presenting the TGT he has in hands.
When processing the TGS request, the KDC will fail its lookup for the requestor machine DC1 the attacker had created. Therefore, The KDC will perform another lookup appending a trailing $. The lookup will succeed. As a result, the KDC will issue the ticket using the privileges of DC1$.
Combining the two CVEs, an attacker with domain user credentials can leverage them for granting access as a domain admin user in a few simple steps.
Step by Step Guide to Identify Potential Compromised Computers via Advanced Hunting Query
- The sAMAccountName change is based on event 4662. Please make sure to enable it on the domain controller to catch such activities. Learn more of how to do it here.
- Open Microsoft 365 Defender and navigate to Advanced Hunting.
- Copy the following query (which is also available in the Microsoft 365 Defender GitHub Advanced Hunting query):
IdentityDirectoryEvents | where Timestamp > ago(1d) | where ActionType == "SAM Account Name changed" | extend FROMSAM = parse_json(AdditionalFields)['FROM SAM Account Name'] | extend TOSAM = parse_json(AdditionalFields)['TO SAM Account Name'] | where (FROMSAM has "$" and TOSAM !has "$") or TOSAM in ("DC1", "DC2", "DC3", "DC4") // DC Names in the org | project Timestamp, Application, ActionType, TargetDeviceName, FROMSAM, TOSAM, ReportId, AdditionalFields
- Replace the marked area with the naming convention of your domain controllers
- Run the query and analyze the results which contains the affected devices. You can use Windows Event 4741 to find the creator of these machines, if they were newly created
- We recommend investigating these compromised computers and determine that they haven’t been weaponized.
- Make sure to update the devices with the following KBs:
The Microsoft Defender for Identity security team
Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.