Exchange Vulnerability: How To Detect Privilege Elevation To Domain Admin

A vulnerability in Exchange discovered this year allows any domain user to gain domain administrator rights and compromise Active Directory (AD) and the hosts connected to it. Today we explain how this attack works and how to detect it.


Here's how this attack works:

  1. An attacker takes over the account of any domain user with an active mailbox and subscribes to Exchange push notifications
  2. The attacker uses NTLM relay against the Exchange server: the Exchange server connects to the compromised user's computer with NTLM over HTTP, and the attacker relays that authentication to the domain controller over LDAP, authenticating with the Exchange account
  3. The attacker then uses the Exchange account's privileges to grant themselves elevated rights. This last step can also be performed by a hostile administrator who already has legitimate access to make the permission change. By creating a rule that detects this activity, you are protected against this and similar attacks.

An attacker could then, for example, run DCSync to obtain the password hashes of all domain users. That opens the way to a range of further attacks, from Golden Ticket to pass-the-hash.

The Varonis research team has studied this attack vector in detail and prepared a guide for our customers to discover it and check if they have already been compromised.

Domain Privilege Elevation Detection

In DataAlert, create a custom rule that tracks changes to the permissions of specific objects. It fires when rights or permissions are added to the domain object of interest:

  1. Specify a name for the rule
  2. Set category as "Privilege Elevation"
  3. Set the value for the resource type to "All Resource Types"
  4. File Server = DirectoryServices
  5. Specify the domain you are interested in, for example, by name
  6. Add a filter for permissions added on the AD object
  7. Leave the option "Search in child objects" unselected


And now the report: detecting a change in rights on a domain object

Permission changes on an AD object are fairly rare, so anything that triggers this alert should be investigated. It is also a good idea to test the appearance and content of the report before enabling the rule itself.
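The same check can be run outside DataAlert against native Windows auditing. Below is an added example (not Varonis code and not from the original article) that parses a Directory Service Changes record (event ID 5136) and flags any ACE added to the domain object's nTSecurityDescriptor that hands a non-DC principal one of the replication rights DCSync needs; it assumes Directory Service Changes auditing is enabled so that 5136 events exist, and the sample event, domain name and SIDs are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Extended-right GUIDs whose holder can pull password hashes from a DC via DCSync
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
# Normal holders: Administrators, Enterprise Domain Controllers, the domain's DC groups (RIDs 516, 498)
EXPECTED_SIDS, EXPECTED_RIDS = ("S-1-5-32-544", "S-1-5-9"), ("-516", "-498")
NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
VALUE_ADDED = "%%14674"  # OperationType code event 5136 uses for an added value

def replication_grants(sddl):
    """Yield (sid, right) for each SDDL ACE that confers a DCSync-relevant right."""
    for ace in re.findall(r"\(([^)]*)\)", sddl):
        f = ace.split(";")  # type;flags;rights;object_guid;inherit_guid;sid
        if len(f) < 6:
            continue
        rights = {f[2][i:i + 2] for i in range(0, len(f[2]), 2)}  # two-letter access codes
        if f[0] == "OA" and "CR" in rights and f[3].lower() in REPLICATION_RIGHTS:
            yield f[5], REPLICATION_RIGHTS[f[3].lower()]
        elif f[0] == "A" and rights & {"GA", "CR"}:  # GenericAll or all extended rights
            yield f[5], "ALL-EXTENDED-RIGHTS"

def suspicious_grants(event_xml):
    """Return (actor, objectDN, sid, right) for unexpected grants in one 5136 record."""
    root = ET.fromstring(event_xml)
    d = {e.get("Name"): (e.text or "") for e in root.iter(f"{NS}Data")}
    if (root.findtext(f"{NS}System/{NS}EventID") != "5136" or d.get("ObjectClass") != "domainDNS"
            or d.get("AttributeLDAPDisplayName") != "nTSecurityDescriptor"
            or d.get("OperationType") != VALUE_ADDED):
        return []
    actor = f"{d.get('SubjectDomainName')}\\{d.get('SubjectUserName')}"
    return [(actor, d["ObjectDN"], sid, right) for sid, right in replication_grants(d["AttributeValue"])
            if sid not in EXPECTED_SIDS and not sid.endswith(EXPECTED_RIDS)]

# Constructed sample record: an ordinary user (RID 1105) receives Get-Changes-All on the domain root
SAMPLE_EVENT = f"""<Event xmlns="{NS[1:-1]}"><System><EventID>5136</EventID></System><EventData>
<Data Name="SubjectUserName">EXCH01$</Data><Data Name="SubjectDomainName">CORP</Data>
<Data Name="ObjectDN">DC=corp,DC=example</Data><Data Name="ObjectClass">domainDNS</Data>
<Data Name="AttributeLDAPDisplayName">nTSecurityDescriptor</Data>
<Data Name="AttributeValue">O:DAG:DAD:(A;;RPLCLORC;;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-9)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-10-20-30-1105)</Data>
<Data Name="OperationType">%%14674</Data></EventData></Event>"""

if __name__ == "__main__":
    for actor, dn, sid, right in suspicious_grants(SAMPLE_EVENT):
        print(f"ALERT: {actor} granted {right} on {dn} to {sid}")
```

Access masks written in hexadecimal form are not decoded here; the grant to Enterprise Domain Controllers in the sample is expected and is not reported.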

This report will also show if you have already been compromised by this attack:


Once the rule is activated, you can investigate all other privilege escalation events using the DataAlert web interface:


By configuring this rule, you can monitor and protect against these and similar types of security vulnerabilities, investigate events with AD directory services objects, and check if you are affected by this critical vulnerability.

Source: habr.com
