New exploit for critical vulnerabilities in Active Directory; Microsoft recommends patching ASAP

In its latest security alert, Microsoft asked its customers to apply available updates to fix two privilege escalation vulnerabilities in Active Directory whose exploitation would allow threat actors to easily take control of Windows domains. The flaws were tracked as CVE-2021-42287 and CVE-2021-42278 and were corrected during November Patch Tuesday.

Although the required patches had already been released, Microsoft decided to republish a security alert after a proof of concept (PoC) capable of exploiting these flaws appeared through Twitter and GitHub.

The company specifies that the combined exploitation of these flaws would allow threat actors to create a direct path to a domain administrator in Active Directory: “This attack would allow cybercriminals to easily elevate their privileges after compromising a regular user in the domain.”

The published exploit works against vulnerable Windows deployments, so the company strongly recommends that administrators of exposed systems apply the updates as soon as possible.

Detecting malicious activity

In addition to the security alert, Microsoft shared guidance for detecting signs of exploitation in potentially vulnerable environments and identifying compromised servers using a Defender for Identity advanced hunting query, which flags abnormal device name changes. To check their environments, sysadmins should:

  • Make sure that sAMAccountName change auditing is enabled on the domain controller so that such activity is recorded
  • Open Microsoft 365 Defender and navigate to Advanced Hunting
  • Copy the following query (which is also available in the Microsoft 365 Defender advanced hunting query repository on GitHub):
IdentityDirectoryEvents
| where Timestamp > ago(1d)
| where ActionType == "SAM Account Name changed"
| extend FROMSAM = parse_json(AdditionalFields)['FROM SAM Account Name']
| extend TOSAM = parse_json(AdditionalFields)['TO SAM Account Name']
| where (FROMSAM has "$" and TOSAM !has "$")
        or TOSAM in ("DC1", "DC2", "DC3", "DC4") // DC Names in the org
| project Timestamp, Application, ActionType, TargetDeviceName, FROMSAM, TOSAM, ReportId, AdditionalFields

  • Replace the marked list of DC names with the names of your own domain controllers
  • Run the query and review the results for the affected devices
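The same detection logic as the query above, as an added example that is not from the original article or from Microsoft, run offline over constructed sample events shaped like IdentityDirectoryEvents rows; the DC names are a hypothetical naming convention to be replaced with your own:

```python
import json
from datetime import datetime, timedelta, timezone

# Hypothetical DC naming convention for this example; substitute your own names.
DC_NAMES = {"DC1", "DC2", "DC3", "DC4"}

# Constructed sample rows shaped like the IdentityDirectoryEvents table the
# query reads: Timestamp, ActionType and a JSON AdditionalFields blob.
SAMPLE_EVENTS = [
    {"Timestamp": "2021-12-21T10:15:00+00:00", "ActionType": "SAM Account Name changed",
     "TargetDeviceName": "dc1.corp.example", "ReportId": 101,
     "AdditionalFields": json.dumps({"FROM SAM Account Name": "WS-EVIL$",
                                     "TO SAM Account Name": "DC1"})},      # machine account renamed to a DC name
    {"Timestamp": "2021-12-21T10:20:00+00:00", "ActionType": "SAM Account Name changed",
     "TargetDeviceName": "dc1.corp.example", "ReportId": 102,
     "AdditionalFields": json.dumps({"FROM SAM Account Name": "jsmith",
                                     "TO SAM Account Name": "john.smith"})},  # benign user rename
    {"Timestamp": "2021-12-19T09:00:00+00:00", "ActionType": "SAM Account Name changed",
     "TargetDeviceName": "dc2.corp.example", "ReportId": 103,
     "AdditionalFields": json.dumps({"FROM SAM Account Name": "LAPTOP7$",
                                     "TO SAM Account Name": "laptop7"})},     # suspicious, but older than 1 day
    {"Timestamp": "2021-12-21T11:00:00+00:00", "ActionType": "Account password changed",
     "TargetDeviceName": "dc1.corp.example", "ReportId": 104,
     "AdditionalFields": "{}"},                                               # different ActionType, ignored
]

def is_suspicious_rename(from_sam, to_sam):
    """The query's predicate: a machine account ("$") renamed to a non-machine
    name, or any account renamed to a DC name. Substring checks stand in for KQL has/!has."""
    return ("$" in from_sam and "$" not in to_sam) or to_sam in DC_NAMES

def hunt(events, now, window=timedelta(days=1)):
    """Return the projected rows the query would emit, newest first."""
    hits = []
    for ev in events:
        ts = datetime.fromisoformat(ev["Timestamp"])
        if ts <= now - window or ev["ActionType"] != "SAM Account Name changed":
            continue
        fields = json.loads(ev.get("AdditionalFields") or "{}")   # tolerate missing fields
        from_sam = fields.get("FROM SAM Account Name", "")
        to_sam = fields.get("TO SAM Account Name", "")
        if is_suspicious_rename(from_sam, to_sam):
            hits.append({"Timestamp": ev["Timestamp"], "ActionType": ev["ActionType"],
                         "TargetDeviceName": ev["TargetDeviceName"], "FROMSAM": from_sam,
                         "TOSAM": to_sam, "ReportId": ev["ReportId"]})
    return sorted(hits, key=lambda h: h["Timestamp"], reverse=True)

def demo_hits():
    """Run the hunt over the constructed sample with a fixed 'now' for reproducibility."""
    return hunt(SAMPLE_EVENTS, datetime(2021, 12, 21, 12, 0, tzinfo=timezone.utc))

if __name__ == "__main__":
    for hit in demo_hits():
        print(hit["Timestamp"], hit["FROMSAM"], "->", hit["TOSAM"], "on", hit["TargetDeviceName"])
```

Only the rename of WS-EVIL$ to DC1 survives the time window, ActionType and predicate filters; the older LAPTOP7$ rename shows why a one-day window should be widened when hunting retrospectively.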

If the query surfaces suspicious activity, investigate the affected systems to determine whether they have actually been exploited.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.