Microsoft has urged organizations and users to immediately patch two Active Directory Domain Services privilege escalation vulnerabilities. Tracked as CVE-2021-42287 and CVE-2021-42278, these vulnerabilities allow threat actors to take over Windows domains. While the technology giant fixed the flaws in the November 2021 Patch Tuesday update, a proof-of-concept tool exploiting them has since been publicly disclosed.
Microsoft stated that attackers could compromise a Domain Admin user in an Active Directory environment by chaining these two vulnerabilities. Once a remote attacker has compromised a regular user in the domain, the flaws reportedly let them elevate their privileges to those of a Domain Admin.
“As Defender for Identity’s mission is to secure Active Directory and your environment against advanced and sophisticated identity threat attacks, our research team reacted fast and published a query that can be used to identify suspicious behavior leveraging these vulnerabilities. This query can help detect abnormal device name changes (which should rarely happen to begin with) and compare them to a list of domain controllers in your environment,” Microsoft said in an advisory.
Detection aside, Microsoft's primary recommendation is that organizations and users fix the vulnerabilities by applying the updates as soon as possible.
Finding Compromised Devices
To identify whether your systems are affected due to these vulnerabilities, Microsoft recommended the following:
- Detection of the sAMAccountName change relies on Windows event 4662 (an operation was performed on an object). Make sure auditing for it is enabled on the domain controllers so that such changes are recorded.
- Open Microsoft 365 Defender and navigate to Advanced Hunting.
- Copy the following query (which is also available in the Microsoft 365 Defender Advanced Hunting queries GitHub repository).
- Replace the marked area with the naming convention of your domain controllers.
- Run the query and analyze the results, which list the affected devices. If the machines were newly created, Windows event 4741 (a computer account was created) can be used to find their creator.
- We recommend investigating these compromised computers and determining that they haven’t been weaponized.
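The comparison the procedure describes, as an added illustration rather than Microsoft's published query: it runs over a constructed, flattened set of sAMAccountName change records (the shape is an assumption; real event 4662 or Advanced Hunting rows must be parsed first) and flags computer accounts whose new name collides with a domain controller, given either an explicit DC list or a naming-convention regex.

```python
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample records: a simplified, flattened view of sAMAccountName
# change events. Real event 4662 / "SAM Account Name changed" rows must be
# parsed into this shape first; the field names here are an assumption.
SAMPLE_EVENTS = [
    {"time": "2021-12-13T09:01:00Z", "actor": "CORP\\jdoe", "object_class": "computer",
     "old_name": "WKS-0042$", "new_name": "DC01"},
    {"time": "2021-12-13T09:05:00Z", "actor": "CORP\\svc-sccm", "object_class": "computer",
     "old_name": "LAB-PC7$", "new_name": "LAB-PC8$"},
    {"time": "2021-12-13T10:20:00Z", "actor": "CORP\\admin1", "object_class": "user",
     "old_name": "asmith", "new_name": "a.smith"},
    {"time": "2021-12-13T11:45:00Z", "actor": "CORP\\jdoe", "object_class": "computer",
     "old_name": "NEW-MACHINE$", "new_name": "dc02$"},
]


def normalize(name: str) -> str:
    """Case-fold and drop the trailing '$' that computer accounts normally carry."""
    return name.rstrip("$").lower()


def find_suspicious_renames(events: Iterable[Dict], dc_names: Iterable[str],
                            dc_pattern: Optional[str] = None) -> List[Dict]:
    """Return computer-account renames whose new name collides with a domain
    controller (explicit list and/or naming-convention regex), plus renames
    that drop the trailing '$'. Each hit carries a 'reason' field."""
    dcs = {normalize(n) for n in dc_names}
    pattern = re.compile(dc_pattern, re.IGNORECASE) if dc_pattern else None
    hits = []
    for ev in events:
        if ev.get("object_class") != "computer":
            continue  # the two CVEs concern machine accounts; user renames are routine
        new = ev["new_name"]
        reasons = []
        if normalize(new) in dcs or (pattern and pattern.fullmatch(normalize(new))):
            reasons.append("new name matches a domain controller")
        if not new.endswith("$"):
            reasons.append("computer account renamed without trailing '$'")
        if reasons:
            hits.append({**ev, "reason": "; ".join(reasons)})
    return hits


if __name__ == "__main__":
    # Replace the DC list / regex with your own domain controllers' naming convention.
    for hit in find_suspicious_renames(SAMPLE_EVENTS, ["DC01$", "DC02$"], r"dc\d{2}"):
        print(hit["time"], hit["actor"], hit["old_name"], "->", hit["new_name"], "|", hit["reason"])
```

Each hit's actor and timestamp are what you would then pivot on, alongside event 4741 for newly created machines.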
Microsoft Releases December 2021 Patches
Microsoft recently issued security patches for 67 CVEs in its December 2021 Patch Tuesday update. Of the 67 vulnerabilities, 60 were rated important and seven critical. Six zero-day vulnerabilities, reported as being exploited in the wild, were also fixed. The December 2021 Patch Tuesday update resolved vulnerabilities affecting Microsoft Office, Microsoft PowerShell, the Chromium-based Edge browser, the Windows Kernel, Print Spooler, and Remote Desktop Client.