Microsoft AD Privilege Escalation Vulnerability
Two vulnerabilities that can lead to easy Windows Domain takeover
https://techcommunity.microsoft.com/t5/security-compliance-and-identity/sam-name-impersonation/ba-p/3042699
On November 9, 2021, Microsoft's monthly security update patched several vulnerabilities, two of which (both Active Directory privilege escalation flaws) are of particular interest because, when chained together, they can lead to Windows Domain takeover.
Background
As reported by Microsoft, the November security update cycle included patches for CVE-2021-42287 and CVE-2021-42278. Both are described as a "Windows Active Directory Domain Services privilege escalation vulnerability". Chained together they give an attacker who has compromised any regular domain user a straightforward path to Domain Admin in an environment that has not applied the updates: CVE-2021-42278 lets the attacker rename a computer account they control so that its sAMAccountName no longer ends with "$" and instead matches a domain controller's name; CVE-2021-42287 then causes the KDC, when handed a TGT for that spoofed name after the account has been renamed back, to fall back to the real domain controller account and issue a service ticket in its name. On December 12, 2021, a proof-of-concept tool leveraging these vulnerabilities was publicly disclosed.
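The chain above leaves a distinctive trace on the domain controller: a computer account is created (Security Event ID 4741), its sAMAccountName is changed to a value without a trailing "$" that collides with a domain controller name (Event ID 4742), and shortly afterwards it is changed back. The following hunt is an added example written for this page, not code from the original alert or from Microsoft; it assumes the 4741/4742 events have been exported to dictionaries whose old_sam/new_sam fields map to the 4742 Target Account Name and the SAM Account Name value under Changed Attributes (an assumption about the export, not a documented field name), and that the hunter already has the list of domain controller accounts. The sample events are constructed, not a real capture.

```python
"""Hunt for the CVE-2021-42278 sAMAccountName-spoofing pattern in DC security events.

Added example, not from the original alert. Assumptions (not stated on the page):
4741 (computer account created) and 4742 (computer account changed) events are
exported as dicts with the fields below, and the set of DC sAMAccountNames is
known. The events and DC list here are constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed list of domain controller computer accounts (assumption: pulled from AD).
DC_ACCOUNTS = {"DC01$", "DC02$"}

# Constructed sample events in the shape a SIEM export of 4741/4742 might give.
SAMPLE_EVENTS = [
    {"id": 4741, "time": "2021-12-13T10:00:01", "subject": "CORP\\jsmith",
     "target": "WS-EVIL$", "old_sam": "-", "new_sam": "-"},
    # sAMAccountName changed from a machine-style name to a bare DC name.
    {"id": 4742, "time": "2021-12-13T10:00:05", "subject": "CORP\\jsmith",
     "target": "WS-EVIL$", "old_sam": "WS-EVIL$", "new_sam": "DC01"},
    # Renamed back after the TGT was obtained.
    {"id": 4742, "time": "2021-12-13T10:00:40", "subject": "CORP\\jsmith",
     "target": "DC01", "old_sam": "DC01", "new_sam": "WS-EVIL$"},
    # Benign rename: a helpdesk account renames a workstation, keeping the "$".
    {"id": 4742, "time": "2021-12-13T11:15:00", "subject": "CORP\\helpdesk",
     "target": "WS-OLD$", "old_sam": "WS-OLD$", "new_sam": "WS-NEW$"},
]


def parse_time(value):
    """ISO-8601 timestamps as written in the sample events."""
    return datetime.fromisoformat(value)


def find_spoofing(events, dc_accounts, window=timedelta(hours=1)):
    """Return findings for computer accounts renamed to a name without a trailing '$'.

    Severity is 'critical' when the new name collides with a DC account,
    'high' when the same subject created the account within `window`
    (the classic create-rename-request-rename-back sequence), else 'medium'.
    """
    dc_names = {acct.rstrip("$").upper() for acct in dc_accounts}
    created = {}  # target account -> (subject, creation time) from 4741
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        when = parse_time(ev["time"])
        if ev["id"] == 4741:
            created[ev["target"].upper()] = (ev["subject"], when)
            continue
        if ev["id"] != 4742:
            continue
        old, new = ev["old_sam"], ev["new_sam"]
        if old in ("-", "") or new in ("-", "") or old == new:
            continue  # 4742 without a sAMAccountName change
        if new.endswith("$"):
            continue  # still looks like a machine account: ordinary rename
        finding = {
            "time": ev["time"],
            "subject": ev["subject"],
            "old_sam": old,
            "new_sam": new,
            "dc_collision": new.upper() in dc_names,
            "created_by_same_subject": False,
        }
        creator = created.get(old.upper())
        if creator and creator[0] == ev["subject"] and when - creator[1] <= window:
            finding["created_by_same_subject"] = True
        if finding["dc_collision"]:
            finding["severity"] = "critical"
        elif finding["created_by_same_subject"]:
            finding["severity"] = "high"
        else:
            finding["severity"] = "medium"
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in find_spoofing(SAMPLE_EVENTS, DC_ACCOUNTS):
        print(f["severity"], f["time"], f["subject"], f["old_sam"], "->", f["new_sam"])
```

Run over the constructed sample it reports a single critical finding (WS-EVIL$ renamed to DC01 by the account that created it seconds earlier) and ignores the benign helpdesk rename. On a patched domain controller the rename to a name without "$" is rejected, so any hit on an up-to-date DC deserves a look at how the event was produced; on an unpatched DC a hit should be treated as an active attack.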
Announced
The initial patch and vulnerability disclosure were published at:
A follow-up guide from Microsoft, issued after the proof-of-concept disclosure, is available at:
Latest Developments
Proof-of-concept code is actively circulating in the wild, and Active Directory administrators are strongly encouraged to patch their domain controllers immediately. The Fortinet Security Fabric protections below can help detect the vulnerable systems, block exploitation attempts, and hunt for indicators related to these vulnerabilities across the attack surface.
PROTECT

Countermeasures across the Security Fabric for protecting assets, data and networks from cybersecurity events, by attack stage:

Reconnaissance
    Decoy VM: Detects activities related to the Active Directory privilege escalation attack.

Vulnerability
    Vulnerability scanning: Detects the presence of the Active Directory privilege escalation vulnerabilities and applies auto-patching if enabled. (DB 1.276)

Exploitation
    IPS: Blocks attempts to exploit the Active Directory privilege escalation vulnerabilities. (DB 19.234)

Weaponization, Delivery, Installation, Post-execution, C2, Action
    No stage-specific protection is listed for this outbreak.
DETECT

Find and correlate important information to identify an outbreak. The following updates are available to raise alerts and generate reports:

Threat Hunting
    Outbreak Detection (DB 1.00045)
RESPOND

Develop containment techniques to mitigate impacts of security events:

Automated Response

Services that can automatically respond to this outbreak.

Assisted Response Services

Experts to assist you with analysis, containment and response activities.

RECOVER

Improve security posture and processes by implementing security awareness and training, in preparation for (and recovery from) security incidents:

NOC/SOC Training

Train your network and security professionals and optimize your incident response to stay on top of cyberattacks.

End-User Training

Raise security awareness among employees, who are continuously targeted by phishing, drive-by downloads and other forms of cyberattack.

IDENTIFY

Identify processes and assets that need protection:

Attack Surface Hardening

Check Security Fabric devices to build actionable configuration recommendations and key indicators.

Vulnerability Management

Reduce the attack surface exposed by software vulnerabilities through systematic and automated patching.