URL: https://www.bleepingcomputer.com/news/microsoft/microsoft-warns-of-easy-windows-domain-takeover-via-active-directory-bugs/amp/

MICROSOFT WARNS OF EASY WINDOWS DOMAIN TAKEOVER VIA ACTIVE DIRECTORY BUGS


By Sergiu Gatlan, December 20, 2021, 02:51 PM

Microsoft warned customers today to patch two Active Directory domain service
privilege escalation security flaws that, when combined, allow attackers to
easily take over Windows domains.

The company released security updates to address the two security
vulnerabilities (tracked as CVE-2021-42287 and CVE-2021-42278 and reported by
Andrew Bartlett of Catalyst IT) during the November 2021 Patch Tuesday.

Redmond's warning to immediately patch the two bugs — both allowing attackers to
impersonate domain controllers — comes after a proof-of-concept (PoC) tool that
can leverage these vulnerabilities was shared on Twitter and GitHub on December
11.

"When combining these two vulnerabilities, an attacker can create a
straightforward path to a Domain Admin user in an Active Directory environment
that hasn’t applied these new updates," Microsoft explains in an advisory
published today.

"This escalation attack allows attackers to easily elevate their privilege to
that of a Domain Admin once they compromise a regular user in the domain.

"As always, we strongly advise deploying the latest patches on the domain
controllers as soon as possible."

Windows admins are urged to update all domain controllers using the steps and
information available in the following knowledgebase articles: KB5008102,
KB5008380, and KB5008602.



Researchers who tested the PoC said they were able to easily use the tool to
escalate privileges from a standard Active Directory user to a Domain Admin in
default configurations.

CVE-2021-42278 and CVE-2021-42287 exploit tool in action (H*s*m)


HOW TO DETECT EXPLOITATION, SIGNS OF COMPROMISE

Microsoft has also shared detailed guidance on detecting signs of exploitation
in your environment and identifying potentially compromised servers using a
Defender for Identity advanced hunting query that looks for abnormal device name
changes.

The step-by-step guide requires defenders to:

 1. The sAMAccountName change is based on event 4662. Please make sure to enable
    it on the domain controller to catch such activities. Learn more about how
    to do it here.
 2. Open Microsoft 365 Defender and navigate to Advanced Hunting.
 3. Copy the following query (which is also available in the Microsoft 365
    Defender GitHub Advanced Hunting query):
    
    IdentityDirectoryEvents
    | where Timestamp > ago(1d)
    | where ActionType == "SAM Account Name changed"
    | extend FROMSAM = parse_json(AdditionalFields)['FROM SAM Account Name']
    | extend TOSAM = parse_json(AdditionalFields)['TO SAM Account Name']
    | where (FROMSAM has "$" and TOSAM !has "$")
            or TOSAM in ("DC1", "DC2", "DC3", "DC4") // DC Names in the org
    | project Timestamp, Application, ActionType, TargetDeviceName, FROMSAM, TOSAM, ReportId, AdditionalFields

 4. Replace the marked area with the naming convention of your domain
    controllers.
 5. Run the query and analyze the results, which contain the affected devices.
    You can use Windows Event 4741 to find the creator of these machines if they
    were newly created.
 6. We recommend investigating these compromised computers and determining that
    they haven't been weaponized.
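To make the query's matching logic testable offline, the following Python emulation is added here; it is not code from the article or from Microsoft. It applies the same where-clause the advanced hunting query uses (a machine account losing its trailing "$", or any account renamed to a domain controller's name, within the last day) to constructed sample rows shaped like the IdentityDirectoryEvents columns the query projects, and adds the event 4741 creator lookup from step 5. The DC names, the sample events, the 4741 records and the fixed "now" are all assumptions made for the example.

```python
"""Offline emulation of the Defender for Identity SAM-account-rename hunt.

Added example; the rows below are constructed, not real telemetry.
"""
import json
from datetime import datetime, timedelta, timezone

# Assumption: names to substitute for the marked area in the query.
DC_NAMES = {"DC1", "DC2", "DC3", "DC4"}

# Assumption: a fixed reference time standing in for KQL's now().
NOW = datetime(2021, 12, 20, 12, 0, 0, tzinfo=timezone.utc)

# Constructed sample rows with the IdentityDirectoryEvents columns the query uses.
SAMPLE_EVENTS = [
    {"Timestamp": "2021-12-20T09:00:00Z", "Application": "Active Directory",
     "ActionType": "SAM Account Name changed", "TargetDeviceName": "WS01",
     "ReportId": 101, "AdditionalFields": json.dumps(
         {"FROM SAM Account Name": "WS01$", "TO SAM Account Name": "DC1"})},
    {"Timestamp": "2021-12-20T10:30:00Z", "Application": "Active Directory",
     "ActionType": "SAM Account Name changed", "TargetDeviceName": "SRV02",
     "ReportId": 102, "AdditionalFields": json.dumps(
         {"FROM SAM Account Name": "SRV02$", "TO SAM Account Name": "SRV02"})},
    {"Timestamp": "2021-12-20T11:00:00Z", "Application": "Active Directory",
     "ActionType": "SAM Account Name changed", "TargetDeviceName": "LAPTOP7",
     "ReportId": 103, "AdditionalFields": json.dumps(
         {"FROM SAM Account Name": "LAPTOP7$", "TO SAM Account Name": "LAPTOP07$"})},
    {"Timestamp": "2021-12-15T08:00:00Z", "Application": "Active Directory",
     "ActionType": "SAM Account Name changed", "TargetDeviceName": "WS03",
     "ReportId": 104, "AdditionalFields": json.dumps(
         {"FROM SAM Account Name": "WS03$", "TO SAM Account Name": "DC2"})},
    {"Timestamp": "2021-12-20T11:30:00Z", "Application": "Active Directory",
     "ActionType": "Account Password changed", "TargetDeviceName": "WS04",
     "ReportId": 105, "AdditionalFields": json.dumps({})},
]

# Constructed Windows event 4741 (computer account created) records, reduced
# to the two fields needed to answer "who created this machine?".
SAMPLE_4741 = [
    {"EventID": 4741, "NewComputerName": "WS01$", "SubjectUserName": "jdoe"},
    {"EventID": 4741, "NewComputerName": "SRV02$", "SubjectUserName": "svc-deploy"},
]


def parse_timestamp(value):
    """Parse the ISO-8601 Timestamp column (trailing Z means UTC)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_suspicious_rename(from_sam, to_sam, dc_names=DC_NAMES):
    """Mirror the query's where clause.

    KQL's `has` is a term match; a substring test on "$" is used here as an
    approximation of FROMSAM has "$" and TOSAM !has "$".
    """
    dropped_dollar = "$" in from_sam and "$" not in to_sam
    return dropped_dollar or to_sam in dc_names


def hunt_sam_renames(events, now=NOW, dc_names=DC_NAMES, window=timedelta(days=1)):
    """Return the projected rows the query would surface for the given events."""
    hits = []
    for ev in events:
        if ev["ActionType"] != "SAM Account Name changed":
            continue
        if parse_timestamp(ev["Timestamp"]) <= now - window:  # Timestamp > ago(1d)
            continue
        fields = json.loads(ev["AdditionalFields"])
        from_sam = fields.get("FROM SAM Account Name", "")
        to_sam = fields.get("TO SAM Account Name", "")
        if is_suspicious_rename(from_sam, to_sam, dc_names):
            hits.append({
                "Timestamp": ev["Timestamp"], "Application": ev["Application"],
                "ActionType": ev["ActionType"],
                "TargetDeviceName": ev["TargetDeviceName"],
                "FROMSAM": from_sam, "TOSAM": to_sam, "ReportId": ev["ReportId"],
            })
    return hits


def creator_of(device_name, events_4741):
    """Step 5 follow-up: find the account that created the machine via event 4741."""
    wanted = device_name.rstrip("$").upper() + "$"
    for rec in events_4741:
        if rec.get("EventID") == 4741 and rec["NewComputerName"].upper() == wanted:
            return rec["SubjectUserName"]
    return None


if __name__ == "__main__":
    for hit in hunt_sam_renames(SAMPLE_EVENTS):
        creator = creator_of(hit["TargetDeviceName"], SAMPLE_4741)
        print(f'{hit["Timestamp"]} {hit["TargetDeviceName"]}: '
              f'{hit["FROMSAM"]} -> {hit["TOSAM"]} (created by {creator})')
```

With the constructed rows, the rename to "DC1" and the rename that drops the "$" are surfaced, the rename that keeps its "$" is not, and the event from five days earlier falls outside the one-day window, which is why a real hunt should widen the `ago()` value when investigating an older compromise.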

"Our research team continues its effort in creating more ways to detect these
vulnerabilities, either with queries or out-of-the-box detections," Microsoft
added.
