Security Advisory Regarding Microsoft Active Directory Vulnerabilities
Summary
On November 9, 2021, Microsoft released two Active Directory vulnerabilities (CVE-2021-42287 and CVE-2021-42278) with patches (KB5008102 and KB5008380). These vulnerabilities continue to fly under the radar due to Log4Shell; however, on December 11, 2021, a proof of concept (PoC) was released on GitHub and Twitter.
Details
All versions of Windows Server 2004 and newer are affected by both vulnerabilities. The exploit takes advantage of “a security bypass vulnerability that allows potential attackers to impersonate a domain controller using computer account sAMAccountName spoofing”. The only prerequisite for the exploit is the attacker having an unprivileged domain user in the environment.
The sequence of the attack starts with the creation of a new machine account, the name and password do not matter, they are just used by the attacker later. Following the machine account creation is a samaccountname change of the account, which sets it to the name of the domain controller being spoofed without a trailing “$”.
The next step is requesting a Ticket Granting Ticket (TGT) with the spoofed domain controller name. The attacker then changes the name of the machine account to anything other than the spoofed domain controller’s name. The last step is using the TGT previously acquired to request a S4U2self service ticket to impersonate any user the attacker wants to.
Mitigations
The patches KB5008102, KB5008380, and KB5008602 were released in November 2021–these are the best mitigations for the vulnerability and exploit. Other workarounds have been seen around the internet, but come with other potential side effects. The safest thing to do is to apply the patches as soon as possible.
Detection
The exploit leaves a trail of evidence in Windows Event Logs. The sequence of logs is below:
The best detection Hurricane Labs Security Analyst Dusty Miller has determined–with the least amount of noise–is looking for the 4871 events where the “Old Account Name” is a machine account (ending in “$”) and the “New Account Name” is not. This is a very rare change, but triggered each time the exploit was performed during testing.
Additional Details & Resources
Proof of concept exploits for this vulnerability as well as detailed write-ups are currently available below:
About Hurricane Labs
Hurricane Labs is a dynamic Managed Services Provider that unlocks the potential of Splunk and security for diverse enterprises across the United States. With a dedicated, Splunk-focused team and an emphasis on humanity and collaboration, we provide the skills, resources, and results to help make our customers’ lives easier.
For more information, visit www.hurricanelabs.com and follow us on Twitter @hurricanelabs.
