Microsoft Active Directory Attacks

Microsoft has identified two critical Active Directory vulnerabilities (CVE-2021-42287 and CVE-2021-42278) that allow attackers to escalate privileges and take over Windows domains. These vulnerabilities can be exploited to gain administrative access to sensitive resources within a network, and Microsoft has provided guidance on how to detect compromised devices. Common attack methods include BloodHound and Kerberoasting, with recommendations for monitoring and securing Active Directory environments.

Topic: Microsoft Active Directory attacks

Clement Olaosebikan
Initial Findings

Microsoft has urged organizations and users to immediately patch two Active Directory domain service privilege escalation security vulnerabilities. Tracked as CVE-2021-42287 and CVE-2021-42278, these vulnerabilities allow threat actors to take over Windows domains. While the technology giant fixed these flaws during the November 2021 Patch Tuesday, a proof-of-concept tool exploiting the vulnerabilities was publicly disclosed.
Microsoft AD attacks: Understanding the intent

The objective of AD attacks, or attacks on any identity administration infrastructure, is pretty simple: to gain the highest access in the shortest time possible. Regardless of the source of the attack or the point of intrusion, attackers are always looking to escalate privileges. And the highest level of access in AD is access to a domain controller (DC), because then attackers gain instant administrative access to every critical resource in the network.
Understanding AD attack kill chain

AD attacks are performed in multiple phases; attackers typically infect an end-user workstation (since they have less stringent security controls), scan the domain for vulnerabilities or misconfigured permissions, and exploit them to move laterally and gain access to a server higher up in the network hierarchy, like a business-critical
Microsoft AD: Attackers Advantage Discovery

Microsoft stated that attackers could compromise a Domain Admin account in an Active Directory environment by combining these two vulnerabilities. The flaws reportedly enable remote hackers to elevate their privilege to that of a Domain Admin once they compromise a regular user in the domain.

“As Defender for Identity’s mission is to secure Active Directory and your environment against advanced and sophisticated identity threat attacks, our research team reacted fast and published a query that can be used to identify suspicious behavior leveraging these vulnerabilities.”
Attackers Exploiting replication privileges to access sensitive domain data

Offensive open-source tools can utilize specific commands within MS-DRSR to simulate the behavior of a DC and fetch domain user password hashes.

Such attacks are known as post-exploitation attacks, because attackers need access to a user account that has replication privileges in AD. Administrators, Domain Admins, and Enterprise Admins generally have the rights required.


Further Operations of an Attacker after gaining access

● The attacker discovers a DC to request replication.
  ○ A simple one-line command, such as NLTEST /dclist:[Domainname], can help determine DC names, including details such as the Primary DC and the DCs’ site names.
● Replication changes are requested using the GetNCChanges function.
● The DC returns the replication data, including password hashes, to the requester.
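The defensive counterpart to the replication abuse described above is to audit who actually exercises replication rights against the domain partition. The example below is added here (it is not from the original slides or from Microsoft) and flags Windows Security event 4662 records in which a principal other than a known domain controller account used one of the three directory-replication control-access rights; the event records are constructed, and the `dc_accounts` allowlist is an assumption the caller supplies from their own DC inventory.

```python
import re

# schemaIDGUIDs of the replication control-access rights defined in the AD schema.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# 4662 lists GUIDs in braces inside the Properties field; accept with or without braces.
GUID_RE = re.compile(r"\{?([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\}?", re.I)

# Constructed sample events (not real logs); field names follow the 4662 event schema.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC01$", "ObjectName": "DC=corp,DC=example",
     "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "ObjectName": "DC=corp,DC=example",
     "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "ObjectName": "CN=Users,DC=corp,DC=example",
     "AccessMask": "0x100", "Properties": "{bf967a86-0de6-11d0-a285-00aa003049e2}"},
]


def replication_rights_used(properties):
    """Return the names of replication rights present in a 4662 Properties field."""
    found = []
    for guid in GUID_RE.findall(properties):
        name = REPLICATION_RIGHTS.get(guid.lower())
        if name:
            found.append(name)
    return found


def detect_dcsync(events, dc_accounts):
    """Return (subject, object, rights) for every 4662 event where a principal that is
    not a known DC machine account exercised replication rights (Control Access = 0x100)."""
    dc_accounts = {a.upper() for a in dc_accounts}
    alerts = []
    for ev in events:
        if ev["EventID"] != 4662 or ev["AccessMask"] != "0x100":
            continue
        rights = replication_rights_used(ev["Properties"])
        if not rights or ev["SubjectUserName"].upper() in dc_accounts:
            continue  # no replication right used, or expected DC-to-DC replication
        alerts.append((ev["SubjectUserName"], ev["ObjectName"], rights))
    return alerts
```

Replication by the DC machine accounts themselves is normal and is suppressed by the allowlist; any other principal appearing here warrants the same follow-up the slides describe for compromised accounts.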
Some Common Attacks on Microsoft AD

1. BloodHound attacks: BloodHound is a popular open-source tool for enumerating and visualizing the domain Active Directory and is used by red teams and attackers as a post-exploitation tool.

2. Kerberoasting: Kerberoasting, like BloodHound attacks, is a technique for stealing credentials used by both red teams and attackers. Kerberoasting attacks abuse the Kerberos Ticket Granting Service (TGS) to gain access to accounts, typically targeting domain accounts for lateral movement.
How to Recognize a Compromised Device

To identify whether your systems are affected by these vulnerabilities, Microsoft recommended the following:

● The sAMAccountName change is based on event 4662. Make sure to enable it on the domain controller to catch such activities.
● Open Microsoft 365 Defender and navigate to Advanced Hunting.
● Copy the following query (which is also available in the Microsoft 365 Defender GitHub Advanced Hunting query repository).
● Replace the marked area with the naming convention of your domain controllers.
● Run the query and analyze the results, which contain the affected devices. You can use Windows Event 4741 to find the creator of these machines if they were newly created.
● We recommend investigating these compromised computers and determining that they haven’t been weaponized.
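The hunting steps above can be reproduced offline against exported events. The example below is added here and is not Microsoft's query or the slides' own material: it flags sAMAccountName changes in which a computer account lost its trailing `$` or took on a name matching the domain controller naming convention (the `DC_NAME_RE` pattern stands in for the "marked area" and is an assumption to adjust), and joins each hit to event 4741 to recover the account's creator. The records and their field names (`OldSam`, `NewSam`, `TargetAccount`, `Creator`) are constructed stand-ins for what a SIEM normalizes out of 4662 and 4741.

```python
import re

# Assumed DC naming convention; replace with the pattern used in your own domain.
DC_NAME_RE = re.compile(r"^DC\d{2}$", re.I)

# Constructed sample records (not real logs). 4741 = computer account created,
# 4662 = object operation, here narrowed to sAMAccountName writes.
SAMPLE_RECORDS = [
    {"EventID": 4741, "TargetAccount": "WKS-017$", "Creator": "svc-deploy"},
    {"EventID": 4741, "TargetAccount": "PC042$", "Creator": "jdoe"},
    {"EventID": 4662, "OldSam": "WKS-017$", "NewSam": "WKS-017A$"},  # ordinary rename
    {"EventID": 4662, "OldSam": "PC042$", "NewSam": "DC01"},         # $ dropped, DC-like name
    {"EventID": 4662, "OldSam": "LAB-PC$", "NewSam": "LAB-PC2"},     # $ dropped only
]


def suspicious_sam_change(old, new, dc_name_re=DC_NAME_RE):
    """Return the reasons a sAMAccountName change looks suspicious, or [] if benign."""
    reasons = []
    if old.endswith("$") and not new.endswith("$"):
        reasons.append("computer account lost its trailing $")
    if dc_name_re.match(new.rstrip("$")):
        reasons.append("new name matches the domain controller naming convention")
    return reasons


def hunt(records):
    """Flag suspicious renames and attribute each to the account's creator via 4741."""
    creators = {r["TargetAccount"]: r["Creator"]
                for r in records if r["EventID"] == 4741}
    hits = []
    for r in records:
        if r["EventID"] != 4662:
            continue
        reasons = suspicious_sam_change(r["OldSam"], r["NewSam"])
        if reasons:
            hits.append({
                "account": r["OldSam"],
                "new_name": r["NewSam"],
                "creator": creators.get(r["OldSam"], "unknown"),  # no 4741 seen
                "reasons": reasons,
            })
    return hits
```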
THANK YOU

Clement Olaosebikan
