During the November 2021 Patch Tuesday Two Active Directory domain service privilege escalation security flaws have been detected recently by Andrew Bartlett of Catalyst IT, and these two security flaws allow hackers to take over Windows domains easily when they are united.
Microsoft suggested users to immediately patch these two Active Directory domain service privilege escalation security flaws that are tracked as:-
Here’s what Microsoft stated:-
“This escalation attack allows attackers to easily elevate their privilege to that of a Domain Admin once they compromise a regular user in the domain. As always, we strongly advise deploying the latest patches on the domain controllers as soon as possible.”
In default configurations from standard Active Directory user to a Domain Admin can easily use the tool to escalate these privileges. While apart from this, for a given object several naming schemes are used by AD (Active Directory) and they are like:-
To find the sAMAccountNames you have to follow some simple steps that we have mentioned below:-
To identify potentially compromised systems and servers Microsoft has shared detailed guidance, and here we have mentioned them below:-
IdentityDirectoryEvents
| where Timestamp > ago(1d)
| where ActionType == “SAM Account Name changed”
| extend FROMSAM = parse_json(AdditionalFields)[‘FROM SAM Account Name’]
| extend TOSAM = parse_json(AdditionalFields)[‘TO SAM Account Name’]
| where (FROMSAM has “$” and TOSAM !has “$”)
or TOSAM in (“DC1”, “DC2”, “DC3”, “DC4”) // DC Names in the org
| project Timestamp, Application, ActionType, TargetDeviceName, FROMSAM, TOSAM, ReportId, AdditionalFields
By following the above steps you can easily identify potentially compromised systems and servers to take proper mitigations to avoid such attacks in the future.
You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.
The Cybersecurity and Infrastructure Security Agency (CISA) has sounded the alarm over a critical vulnerability…
The Cybersecurity and Infrastructure Security Agency (CISA) has issued eight detailed advisories on vulnerabilities affecting…
A new and advanced ransomware family, dubbed NotLockBit, has emerged as a significant threat in…
Through the use of XLoader and impersonating SharePoint notifications, researchers were able to identify a…
Researchers have identified a rise in malicious activity on the VSCode Marketplace, highlighting the vulnerability…
TA397, also known as Bitter, targeted a Turkish defense organization with a spearphishing email containing…