Detect CVE-2021-42287, CVE-2021-42278 Exploitation Сhain

Adversaries have found a way to obtain full admin rights to the Active Directory (AD) domains by weaponizing CVE-2021-42287 and CVE-2021-42278 vulnerabilities. The nefarious exploitation chain enables Active Directory domain impersonation in just a couple of clicks.

A batch of vulnerabilities tied to this exploitation chain drove the attention of security professionals in November 2021. In view of the flaws’ notoriety and increasing hype around them, Microsoft has promptly issued a patch with its November 2021 Patch Tuesday fixes. Yet, the mitigation and patching procedures take time, especially for big corporate networks, leaving lots of AD domains exposed to the attacks.

CVE-2021-42278: sAMAccountName Spoofing

Advisory by Microsoft details that CVE-2021-42278 is a security bypass issue enabling adversaries to own a domain controller by leveraging sAMAccountName spoofing. Particularly, AD validation mechanisms do not check for the $ character at the end of the computer account name, although all machine names should end with it.

CVE-2021-42287: Active Directory Domain Controllers Elevation of Privileges

Microsoft describes CVE-2021-42287 as a security bypass vulnerability affecting the Kerberos Privilege Attribute Certificate (PAC). The flaw stems from the KDC misconfiguration allowing any computer account to impersonate AD domains. 

If chained, the security glitches above allow hackers to reach the Domain Admin rights in any Active Directory environment. The exploitation chain is extremely easy to leverage, enabling adversaries to elevate their privileges even without access to the underlying standard user account.

CVE-2021-42287, CVE-2021-42278 Detection and Mitigation

Microsoft has issued recommendations on how to help organizations protect their infrastructure against possible security bypass attacks. First of all, all devices that host the AD domain controller role need installing the November 9, 2021 update. Once installed for no less than a 7-day period, the Enforcement mode should be enabled on all related domain controllers. With the July 12, 2022 release, the Enforcement mode will be enabled as a required mitigation step.

To help organizations timely detect the high severity exploitation chain, the SOC Prime Team has recently released the dedicated Sigma behavior-based rule. Security performers can download the rule right from SOC Prime’s  Detection as Code platform:

Possible Part of Exploitation Chain of CVE-2021-42287/CVE-2021-42278 [AD Privilege Escalation/sAMAccountName Spoofing] (via audit)

The detection has translations for the following SIEM, EDR & XDR platforms: Azure Sentinel, Elastic Stack, LimaCharlie, Splunk, Humio, Sumo Logic, ArcSight, QRadar, FireEye, LogPoint, Graylog, Regex Grep, Microsoft PowerShell, RSA NetWitness, Apache Kafka ksqlDB, Securonix, and Open Distro.

The rule is aligned with the latest MITRE ATT&CK® framework v.10, addressing the Privilege Escalation tactic with Exploitation for Privilege Escalation as the main technique (T1068).

Join SOC Prime’s Detection as Code platform for free to identify the critical threats in your infrastructure and improve the organization’s cybersecurity posture. Security professionals striving to share their own detection content with the world’s largest cybersecurity community are welcome to join the SOC Prime Threat Bounty Program to stay connected for a safer digital future.

Go to Platform Join Threat Bounty