Monitor for activities and techniques associated with the exploitation of the sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287) vulnerabilities.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint
- Last Updated: 2021-12-20
- Author: Mauricio Velazco, Splunk
- ID: 0244fdee-61be-11ec-900e-acde48001122
On November 9, 2021, Microsoft released patches to address two vulnerabilities that affect Windows Active Directory networks, sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287). On December 10, 2021, security researchers Charlie Clark and Andrew Schwartz released a blog post where they shared how to weaponise these vulnerabilities in a target network an the initial detection opportunities. When successfully exploited, CVE-2021-42278 and CVE-2021-42287 allow an adversary, who has stolen the credentials of a low priviled domain user, to obtain a Kerberos Service ticket for a Domain Controller computer account. The only requirement is to have network connectivity to a domain controller. This attack vector effectivelly allows attackers to escalate their privileges in an Active Directory from a regular domain user account and take control of a domain controller. While patches have been released to address these vulnerabilities, deploying detection controls for this attack may help help defenders identify attackers attempting exploitation.
source | version: 1