Microsoft warns of easy Windows domain takeover via Active Directory bugs

Microsoft warned customers today to patch two Active Directory Domain Services privilege escalation flaws that, when chained, allow attackers to easily take over Windows domains.

The company released security updates to address the two security vulnerabilities (tracked as CVE-2021-42287 and CVE-2021-42278 and reported by Andrew Bartlett of Catalyst IT) during the November 2021 Patch Tuesday.

Redmond's warning to immediately patch the two bugs, which together let an attacker impersonate a domain controller, comes after a proof-of-concept (PoC) tool that can leverage these vulnerabilities was shared on Twitter and GitHub on December 11.

The chain works as follows. CVE-2021-42278 is a sAMAccountName spoofing issue: domain controllers did not verify that a computer account's sAMAccountName ends with the usual "$" suffix, so an attacker who controls a machine account can rename it to the name of a domain controller (for example "DC1" instead of "DC1$"). CVE-2021-42287 is a Kerberos Key Distribution Center (KDC) lookup flaw: the attacker requests a TGT for the renamed account, renames the account back, and then uses that TGT in an S4U2self request; because no account named "DC1" exists any more, the KDC appends "$", finds the real domain controller's account, and issues a service ticket in the domain controller's name. With that ticket the attacker has domain controller privileges, which is enough to extract every credential in the domain.

“When combining these two vulnerabilities, an attacker can create a straightforward path to a Domain Admin user in an Active Directory environment that hasn’t applied these new updates,” Microsoft explains in an advisory published today.

“This escalation attack allows attackers to easily elevate their privilege to that of a Domain Admin once they compromise a regular user in the domain.

“As always, we strongly advise deploying the latest patches on the domain controllers as soon as possible.”

Windows admins are urged to update their domain controllers using the steps and information detailed in the following knowledge base articles: KB5008102 (the sAMAccountName hardening change for CVE-2021-42278), KB5008380 (the authentication updates for CVE-2021-42287), and KB5008602.


Researchers who tested the PoC stated that they were able to easily use the tool to escalate privileges from a standard Active Directory user to Domain Admin in default configurations. The "default configuration" that matters here is the ms-DS-MachineAccountQuota attribute, which by default lets any authenticated domain user create up to 10 computer accounts; that is how a regular user obtains the machine account the attack renames. Setting the quota to 0 removes that starting point but is not a substitute for patching the domain controllers, since any computer account the attacker already controls can be used instead.

Figure: CVE-2021-42278 and CVE-2021-42287 exploit tool in action (H*s*m)

How to detect exploitation, signs of compromise

Microsoft has also shared detailed guidance on detecting signs of exploitation in your environment and identifying potentially compromised computers, using a Microsoft 365 Defender advanced hunting query over Defender for Identity data that looks for abnormal sAMAccountName changes on computer accounts.

The step-by-step guide requires defenders to:

  1. Note that the sAMAccountName change detection is based on event 4662. Make sure it is enabled on the domain controllers to catch such activity (Microsoft's guide links to instructions on how to do this).
  2. Open Microsoft 365 Defender and navigate to Advanced Hunting.
  3. Copy the following query (which is also published in the Microsoft 365 Defender Advanced Hunting queries repository on GitHub):
    IdentityDirectoryEvents
    | where Timestamp > ago(1d)
    | where ActionType == "SAM Account Name changed"
    | extend FROMSAM = parse_json(AdditionalFields)['FROM SAM Account Name']
    | extend TOSAM = parse_json(AdditionalFields)['TO SAM Account Name']
    | where (FROMSAM has "$" and TOSAM !has "$")
            or TOSAM in ("DC1", "DC2", "DC3", "DC4") // DC Names in the org
    | project Timestamp, Application, ActionType, TargetDeviceName, FROMSAM, TOSAM, ReportId, AdditionalFields
  4. Replace the marked DC names ("DC1", "DC2", ...) with the names of your own domain controllers.
  5. Run the query and analyze the results, which list the affected devices. Windows event 4741 (a computer account was created) can be used to find the creator of these machines if they were newly created.
  6. Investigate these computers as compromised and determine that they have not been weaponized.
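The logic of the query and of the event 4741 follow-up, re-implemented in Python over constructed event records so it can be run and tested offline. This is an added example, not Microsoft's or the article's code: the column names mirror the IdentityDirectoryEvents table used in the query, while the device names, user names, timestamps and 4741 records are constructed for the example. It goes slightly beyond the original query in two ways: domain controller names are matched case-insensitively, and it also pairs each suspicious rename with the later rename-back that the exploit chain produces.

```python
# Added example: Microsoft's Advanced Hunting query for sAMAccountName abuse,
# re-implemented in Python over constructed IdentityDirectoryEvents-shaped rows.
# Not Microsoft's or the article's code; all sample data below is constructed.
import json
from datetime import datetime, timedelta, timezone

NOW = datetime(2021, 12, 12, 12, 0, tzinfo=timezone.utc)   # fixed "now" for the sample


def _sam_event(ts, device, from_sam, to_sam, report_id, action="SAM Account Name changed"):
    """Build one row shaped like IdentityDirectoryEvents (AdditionalFields is a JSON string)."""
    return {"Timestamp": ts, "ActionType": action, "TargetDeviceName": device,
            "ReportId": report_id,
            "AdditionalFields": json.dumps({"FROM SAM Account Name": from_sam,
                                            "TO SAM Account Name": to_sam})}


# Constructed sample telemetry (hypothetical device and account names).
SAM_CHANGE_EVENTS = [
    # attacker-owned computer account renamed to the DC's name, "$" dropped ...
    _sam_event("2021-12-12T09:15:02Z", "WS-ATTACKER", "WS-ATTACKER$", "DC1", 101),
    # ... and renamed back once the TGT has been obtained
    _sam_event("2021-12-12T09:15:40Z", "WS-ATTACKER", "DC1", "WS-ATTACKER$", 102),
    # benign admin rename: "$" suffix kept, not a DC name
    _sam_event("2021-12-12T10:00:00Z", "LAPTOP-OLD", "LAPTOP-OLD$", "LAPTOP-NEW$", 103),
    # user account renamed to a DC name in lower case: the case-sensitive KQL `in` misses it
    _sam_event("2021-12-12T11:30:00Z", "SRV-TEST", "svc_backup", "dc2", 104),
    # different action type: must be ignored
    _sam_event("2021-12-12T11:31:00Z", "SRV-TEST", "", "", 105, action="Account Password changed"),
    # outside the one-day window: must be ignored
    _sam_event("2021-12-10T09:00:00Z", "OLD-BOX", "OLD-BOX$", "DC3", 106),
]

# Constructed Windows Security event 4741 records ("A computer account was created"),
# reduced to the fields needed to attribute a machine account to its creator.
COMPUTER_CREATED_EVENTS = [
    {"EventID": 4741, "TimeCreated": "2021-12-12T09:14:30Z",
     "SubjectUserName": "jdoe", "TargetUserName": "WS-ATTACKER$"},
    {"EventID": 4741, "TimeCreated": "2021-11-02T08:00:00Z",
     "SubjectUserName": "svc_sccm", "TargetUserName": "LAPTOP-OLD$"},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def suspicious_sam_changes(events, dc_names, now=NOW, lookback=timedelta(days=1)):
    """Python equivalent of the hunting query: sAMAccountName changes inside the
    lookback window where the "$" machine-account marker was dropped, or where the
    new name is a domain controller name. DC names are compared case-insensitively
    (sAMAccountName is not case-sensitive); the KQL `in` operator is case-sensitive,
    `in~` is the case-insensitive form."""
    dc_set = {n.lower() for n in dc_names}
    hits = []
    for ev in events:
        if _ts(ev["Timestamp"]) <= now - lookback:            # Timestamp > ago(1d)
            continue
        if ev["ActionType"] != "SAM Account Name changed":
            continue
        fields = json.loads(ev["AdditionalFields"])           # parse_json(AdditionalFields)
        from_sam = fields.get("FROM SAM Account Name", "")
        to_sam = fields.get("TO SAM Account Name", "")
        dropped_marker = "$" in from_sam and "$" not in to_sam
        if dropped_marker or to_sam.lower() in dc_set:
            hits.append({"Timestamp": ev["Timestamp"], "TargetDeviceName": ev["TargetDeviceName"],
                         "FROMSAM": from_sam, "TOSAM": to_sam, "ReportId": ev["ReportId"]})
    return hits


def rename_round_trips(hits, events, window=timedelta(minutes=30)):
    """Beyond the original query: for each hit that dropped the "$", find a later change
    on the same device that restores a "$" name within `window`. That rename-then-restore
    pair is the shape of the CVE-2021-42278/CVE-2021-42287 chain. Returns (ReportId, ReportId) pairs."""
    pairs = []
    for hit in hits:
        if "$" in hit["TOSAM"]:
            continue
        start = _ts(hit["Timestamp"])
        for ev in events:
            if ev["ActionType"] != "SAM Account Name changed" or ev["TargetDeviceName"] != hit["TargetDeviceName"]:
                continue
            fields = json.loads(ev["AdditionalFields"])
            if (start < _ts(ev["Timestamp"]) <= start + window
                    and fields.get("FROM SAM Account Name") == hit["TOSAM"]
                    and "$" in fields.get("TO SAM Account Name", "")):
                pairs.append((hit["ReportId"], ev["ReportId"]))
    return pairs


def creator_of(sam_name, created_events=COMPUTER_CREATED_EVENTS):
    """Step 5 of the guidance: use event 4741 to find who created the machine account.
    Returns the creating user's name, or None if no creation event is in the log."""
    for ev in created_events:
        if ev["EventID"] == 4741 and ev["TargetUserName"].lower() == sam_name.lower():
            return ev["SubjectUserName"]
    return None


if __name__ == "__main__":
    found = suspicious_sam_changes(SAM_CHANGE_EVENTS, ["DC1", "DC2", "DC3", "DC4"])
    for h in found:
        who = creator_of(h["FROMSAM"]) or creator_of(h["TOSAM"])
        print(h["Timestamp"], h["TargetDeviceName"], h["FROMSAM"], "->", h["TOSAM"], "created by", who)
    print("rename round trips:", rename_round_trips(found, SAM_CHANGE_EVENTS))
```

Two points the sample data is built to show. First, the original query only fires on the rename towards the DC name; the rename back (report 102 above) does not match either clause, so correlating the pair on TargetDeviceName is what turns a single alert into the recognisable exploit pattern. Second, because KQL's `in` is case-sensitive while sAMAccountName is not, an account renamed to "dc2" would slip past the second clause of the published query; `TOSAM in~ ("DC1", ...)` closes that gap.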

“Our research team continues its effort in creating more ways to detect these vulnerabilities, either with queries or out-of-the-box detections,” Microsoft added.




