{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2021-077.pdf"
    },
    "title": "Windows Domain Takeover Vulnerability",
    "serial_number": "2021-077",
    "publish_date": "21-12-2021 09:03:00",
    "description": "During the November Patch Tuesday, Microsoft released a set of fixes for various vulnerabilities affecting several of its products. On December 20th, Microsoft released a Security Advisory about two of these vulnerabilities (CVE-2021-42287 and CVE-2021-42278) which, when combined, could lead to Windows domain takeover. Proofs-of-concept have been released publicly starting from December 11th.",
    "url_title": "2021-077",
    "content_markdown": "---\ntitle: 'Windows Domain Takeover Vulnerability'\nversion: '1.0'\nnumber: '2021-077'\ndate: 'December 21, 2021'\n---\n\n_History:_\n\n* _21/12/2021 --- v1.0 -- Initial publication_\n\n# Summary\n\nDuring the November Patch Tuesday, Microsoft released a set of fixes for various vulnerabilities affecting several of its products [1]. On December 20th, Microsoft released a Security Advisory about two of these vulnerabilities (**CVE-2021-42287** and **CVE-2021-42278**) which, when combined, could lead to Windows domain takeover [2]. Proofs-of-concept have been released publicly starting from December 11th.\n\n# Technical Details\n\n## CVE-2021-42278\n\nActive Directory (AD) uses several naming schemes for a given object, such as `userPrincipalName` (UPN) and `sAMAccountName` (SAM-Account). For computer objects, the `sAMAccountName` attribute usually ends with `$`. Traditionally, this `$` was used to distinguish computer objects from user objects. Importantly, there are no restrictions or validations preventing this attribute from being changed to include or omit the `$` character.\n\nWith default settings, when the relevant patch is not applied, a normal user has permission to modify a machine account (up to 10 machines) and, as its owner, also has permission to edit its `sAMAccountName` attribute.\n\n## CVE-2021-42287\n\nDuring Kerberos authentication, a `Ticket-Granting-Ticket` (TGT) and subsequently a `Ticket-Granting-Service` (TGS) ticket are requested from the Key Distribution Center (KDC). If a TGS is requested for an account that cannot be found, the KDC will search for it again with a trailing `$` appended.\n\nAn attacker could create a machine account, rename its SAM account name to the name of a Domain Controller without the trailing `$`, and request a TGT. The attacker could then rename the SAM account name to a different name and request a TGS ticket presenting the valid TGT.\n\nWhen processing the TGS request, the KDC will fail its lookup for the requesting machine account the attacker created. The KDC will therefore perform another lookup with a trailing `$` appended, which will succeed. As a result, the KDC will issue the ticket with the privileges of the impersonated Domain Controller.\n\n## Attack Scenario\n\nThe combination of these two vulnerabilities could allow attackers to easily elevate their privileges to those of a Domain Admin once they have compromised a regular user account in the domain.\n\n# Affected products\n\n- Windows Server 2012 R2 (Server Core Installation)\n- Windows Server 2012 R2\n- Windows Server 2012 (Server Core Installation)\n- Windows Server 2012\n- Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)\n- Windows Server 2008 R2 for x64-based Systems Service Pack 1\n- Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)\n- Windows Server 2008 for x64-based Systems Service Pack 2\n- Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)\n- Windows Server 2008 for 32-bit Systems Service Pack 2\n- Windows Server 2016 (Server Core installation)\n- Windows Server 2016\n- Windows Server, version 20H2 (Server Core Installation)\n- Windows Server, version 2004 (Server Core installation)\n- Windows Server 2022 (Server Core installation)\n- Windows Server 2022\n- Windows Server 2019 (Server Core installation)\n- Windows Server 2019\n\n# Recommendations\n\nMicrosoft and CERT-EU recommend patching the affected servers to prevent any compromise. Moreover, security analysts can look for possible past compromises [2].\n\n## Exploitation detection\n\nMicrosoft provides guidance for finding potential compromises by running Threat Hunting queries in Microsoft 365 Defender:\n\n1. Detection of the sAMAccountName change is based on event 4662. Make sure it is enabled on the domain controllers to capture such activity [3].\n2. Open Microsoft 365 Defender and navigate to Advanced Hunting.\n3. Copy the following query (also available in the Microsoft 365 Defender Advanced Hunting queries GitHub repository [4]):\n\n```\nIdentityDirectoryEvents\n| where Timestamp > ago(1d)\n| where ActionType == \"SAM Account Name changed\"\n| extend FROMSAM = parse_json(AdditionalFields)['FROM SAM Account Name']\n| extend TOSAM = parse_json(AdditionalFields)['TO SAM Account Name']\n| where (FROMSAM has \"$\" and TOSAM !has \"$\")\n        or TOSAM in (\"DC1\", \"DC2\", \"DC3\", \"DC4\") // DC Names in the org\n| project Timestamp, Application, ActionType, TargetDeviceName, FROMSAM, TOSAM, ReportId, AdditionalFields\n```\n\n4. Replace the marked area with the naming convention of your domain controllers.\n5. Run the query and analyse the results, which contain the affected devices. You can use Windows Event 4741 to find the creator of these machines if they were newly created.\n6. Investigate the compromised computers and determine that they have not been weaponised.\n\n# References\n\n[1] <https://msrc.microsoft.com/update-guide/vulnerability>\n\n[2] <https://techcommunity.microsoft.com/t5/security-compliance-and-identity/sam-name-impersonation/ba-p/3042699>\n\n[3] <https://docs.microsoft.com/en-us/defender-for-identity/configure-windows-event-collection#configure-object-auditing>\n\n[4] <https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Privilege%20escalation/SAM-Name-Changes-CVE-2021-42278.md>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>21/12/2021 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>During the November Patch Tuesday, Microsoft released a set of fixes for various vulnerabilities affecting several of its products [1]. On December 20th, Microsoft released a Security Advisory about two of these vulnerabilities (<strong>CVE-2021-42287</strong> and <strong>CVE-2021-42278</strong>) which, when combined, could lead to Windows domain takeover [2]. Proofs-of-concept have been released publicly starting from December 11th.</p><h2 id=\"technical-details\">Technical Details</h2><h3 id=\"cve-2021-42278\">CVE-2021-42278</h3><p>Active Directory (AD) uses several naming schemes for a given object, such as <code>userPrincipalName</code> (UPN) and <code>sAMAccountName</code> (SAM-Account). For computer objects, the <code>sAMAccountName</code> attribute usually ends with <code>$</code>. Traditionally, this <code>$</code> was used to distinguish computer objects from user objects. Importantly, there are no restrictions or validations preventing this attribute from being changed to include or omit the <code>$</code> character.</p><p>With default settings, when the relevant patch is not applied, a normal user has permission to modify a machine account (up to 10 machines) and, as its owner, also has permission to edit its <code>sAMAccountName</code> attribute.</p><h3 id=\"cve-2021-42287\">CVE-2021-42287</h3><p>During Kerberos authentication, a <code>Ticket-Granting-Ticket</code> (TGT) and subsequently a <code>Ticket-Granting-Service</code> (TGS) ticket are requested from the Key Distribution Center (KDC). If a TGS is requested for an account that cannot be found, the KDC will search for it again with a trailing <code>$</code> appended.</p><p>An attacker could create a machine account, rename its SAM account name to the name of a Domain Controller without the trailing <code>$</code>, and request a TGT. The attacker could then rename the SAM account name to a different name and request a TGS ticket presenting the valid TGT.</p><p>When processing the TGS request, the KDC will fail its lookup for the requesting machine account the attacker created. The KDC will therefore perform another lookup with a trailing <code>$</code> appended, which will succeed. As a result, the KDC will issue the ticket with the privileges of the impersonated Domain Controller.</p><h3 id=\"attack-scenario\">Attack Scenario</h3><p>The combination of these two vulnerabilities could allow attackers to easily elevate their privileges to those of a Domain Admin once they have compromised a regular user account in the domain.</p><h2 id=\"affected-products\">Affected products</h2><ul><li>Windows Server 2012 R2 (Server Core Installation)</li><li>Windows Server 2012 R2</li><li>Windows Server 2012 (Server Core Installation)</li><li>Windows Server 2012</li><li>Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)</li><li>Windows Server 2008 R2 for x64-based Systems Service Pack 1</li><li>Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)</li><li>Windows Server 2008 for x64-based Systems Service Pack 2</li><li>Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)</li><li>Windows Server 2008 for 32-bit Systems Service Pack 2</li><li>Windows Server 2016 (Server Core installation)</li><li>Windows Server 2016</li><li>Windows Server, version 20H2 (Server Core Installation)</li><li>Windows Server, version 2004 (Server Core installation)</li><li>Windows Server 2022 (Server Core installation)</li><li>Windows Server 2022</li><li>Windows Server 2019 (Server Core installation)</li><li>Windows Server 2019</li></ul><h2 id=\"recommendations\">Recommendations</h2><p>Microsoft and CERT-EU recommend patching the affected servers to prevent any compromise. Moreover, security analysts can look for possible past compromises [2].</p><h3 id=\"exploitation-detection\">Exploitation detection</h3><p>Microsoft provides guidance for finding potential compromises by running Threat Hunting queries in Microsoft 365 Defender:</p><ol><li>Detection of the sAMAccountName change is based on event 4662. Make sure it is enabled on the domain controllers to capture such activity [3].</li><li>Open Microsoft 365 Defender and navigate to Advanced Hunting.</li><li>Copy the following query (also available in the Microsoft 365 Defender Advanced Hunting queries GitHub repository [4]):</li></ol><pre><code>IdentityDirectoryEvents\n| where Timestamp &gt; ago(1d)\n| where ActionType == \"SAM Account Name changed\"\n| extend FROMSAM = parse_json(AdditionalFields)['FROM SAM Account Name']\n| extend TOSAM = parse_json(AdditionalFields)['TO SAM Account Name']\n| where (FROMSAM has \"$\" and TOSAM !has \"$\")\n        or TOSAM in (\"DC1\", \"DC2\", \"DC3\", \"DC4\") // DC Names in the org\n| project Timestamp, Application, ActionType, TargetDeviceName, FROMSAM, TOSAM, ReportId, AdditionalFields\n</code></pre><ol start=\"4\"><li>Replace the marked area with the naming convention of your domain controllers.</li><li>Run the query and analyse the results, which contain the affected devices. You can use Windows Event 4741 to find the creator of these machines if they were newly created.</li><li>Investigate the compromised computers and determine that they have not been weaponised.</li></ol><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://msrc.microsoft.com/update-guide/vulnerability\">https://msrc.microsoft.com/update-guide/vulnerability</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://techcommunity.microsoft.com/t5/security-compliance-and-identity/sam-name-impersonation/ba-p/3042699\">https://techcommunity.microsoft.com/t5/security-compliance-and-identity/sam-name-impersonation/ba-p/3042699</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://docs.microsoft.com/en-us/defender-for-identity/configure-windows-event-collection#configure-object-auditing\">https://docs.microsoft.com/en-us/defender-for-identity/configure-windows-event-collection#configure-object-auditing</a></p><p>[4] <a rel=\"noopener\" target=\"_blank\" href=\"https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Privilege%20escalation/SAM-Name-Changes-CVE-2021-42278.md\">https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Privilege%20escalation/SAM-Name-Changes-CVE-2021-42278.md</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}