Beware of the Windows Active Directory privilege escalation vulnerability

April 2023 · 2 minute read

Microsoft has issued an advisory about vulnerabilities it has already patched but that are now being exploited on configurations that have not yet been updated.

A little over a week ago, on December 12, a proof-of-concept tool leveraging these vulnerabilities was publicly disclosed.

Microsoft is urging users to patch these vulnerabilities

As you all remember, during the November security update cycle, Microsoft released a patch for two new vulnerabilities, CVE-2021-42287 and CVE-2021-42278.

Both are described as Windows Active Directory Domain Services privilege escalation vulnerabilities.

Exploited together, these vulnerabilities allow an attacker who has compromised a regular user account to easily gain Domain Admin privileges in Active Directory.

Redmond officials released three patches for immediate deployment on domain controllers, as follows:

Although these patches have been available for some time, the problem is that a proof-of-concept tool exploiting the vulnerabilities was only publicly disclosed on December 12, so domain controllers that have not yet been updated are now exposed to a working exploit.

The Microsoft research team reacted quickly and published a query that can be used to identify suspicious behavior leveraging these vulnerabilities.

The query helps detect abnormal device name changes (which should be rare to begin with) and compares them against a list of the domain controllers in your environment.
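As an added illustration of that kind of check (written for this page, not Microsoft's own query), the following Python script scans constructed directory-change events for computer-account renames whose old or new name collides with a domain controller's name. The event field names, the DC inventory and the sample events are all assumptions.

```python
from typing import Dict, Iterable, List, Set

Event = Dict[str, str]

# Constructed sample events, not real logs. The second and third model a
# rename to a DC's name followed by a rename back; the others are benign noise.
SAMPLE_EVENTS: List[Event] = [
    {"time": "2021-12-13T10:01:02Z", "action": "SamAccountNameChanged",
     "old": "WKSTN-0042$", "new": "WKSTN-0043$", "actor": "jdoe"},
    {"time": "2021-12-13T10:05:17Z", "action": "SamAccountNameChanged",
     "old": "FAKE-PC$", "new": "DC01", "actor": "jdoe"},
    {"time": "2021-12-13T10:05:18Z", "action": "SamAccountNameChanged",
     "old": "DC01", "new": "FAKE-PC$", "actor": "jdoe"},
    {"time": "2021-12-13T11:00:00Z", "action": "PasswordChanged",
     "old": "", "new": "", "actor": "svc-backup"},
]

# Assumed inventory of domain controllers in the environment.
DOMAIN_CONTROLLERS: Set[str] = {"DC01$", "DC02$"}


def normalize(name: str) -> str:
    """Compare case-insensitively and ignore the trailing '$' that computer
    accounts normally carry, so a spoofed name without it still matches."""
    return name.rstrip("$").upper()


def find_dc_name_collisions(events: Iterable[Event], dcs: Set[str]) -> List[Dict[str, str]]:
    """Return one alert per sAMAccountName change whose old or new value
    matches a domain controller, noting when the new name lacks the '$'."""
    dc_names = {normalize(d) for d in dcs}
    alerts: List[Dict[str, str]] = []
    for ev in events:
        if ev["action"] != "SamAccountNameChanged":
            continue
        hits = [v for v in (ev["old"], ev["new"]) if normalize(v) in dc_names]
        if not hits:
            continue
        reason = "rename matches DC name"
        if not ev["new"].endswith("$"):
            reason += " (no trailing '$')"
        alerts.append({"time": ev["time"], "actor": ev["actor"],
                       "collision": hits[0], "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in find_dc_name_collisions(SAMPLE_EVENTS, DOMAIN_CONTROLLERS):
        print(alert)
```

In a real environment the event list would come from your directory audit source and the DC inventory from the domain itself; the matching logic stays the same.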

Review the details carefully if you suspect that you have been affected.

Most importantly, install the updates Microsoft has provided so that you stay one step ahead of potential threats.

Do you suspect that threat actors have been exploiting your system? Share your opinion with us in the comments section below.
