Dec 23, 2021

Weaponise Exploits for samAccountName Spoofing (CVE-2021-42278) & Domain Controller Impersonation (CVE-2021-42287)

Exploit to impersonate from regular domain user released!

In November 2021 Microsoft released patches for two vulnerabilities that affect Windows Active Directory domain controllers: samAccountName Spoofing and Domain Controller Impersonation.

Together, samAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287) allow an adversary who holds low-privileged domain user credentials to obtain a Kerberos service ticket for a domain controller's computer account. In effect, a regular domain user can take control of a domain controller.

Mitigation / Detection

The recommended mitigation is to install the Microsoft patch (KB5008602). The patch corrects the PAC and S4U2self handling that the attack chain abuses.

A quick additional fix is to set the Machine Account Quota (ms-DS-MachineAccountQuota) to 0, which stops low-privileged users from creating machine accounts. Beyond that, remove Authenticated Users from the SeMachineAccountPrivilege user right and grant it to Domain Admins or another group of explicitly allowed accounts.
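As an added example that is not part of the original post, the following PowerShell audits the three controls just described on a domain controller (patch present, machine account quota, SeMachineAccountPrivilege holders) and can apply the quota change. It assumes the ActiveDirectory RSAT module is installed, the operator has Domain Admin rights, and the KB number is the one the post names for the DC's OS build.

```powershell
# Added example, not from the original post: audit the mitigations for
# CVE-2021-42278 / CVE-2021-42287 on a domain controller. Run with -Fix to
# set ms-DS-MachineAccountQuota to 0; the user-right change is reported only,
# because it lives in the Default Domain Controllers Policy (edit it via GPO).
param([switch]$Fix)

Import-Module ActiveDirectory -ErrorAction Stop

# 1. Patch check. KB5008602 is the update named in the post; the KB id differs
#    per OS build, so adjust to the one that applies to this DC.
$kb = 'KB5008602'
if (Get-HotFix -Id $kb -ErrorAction SilentlyContinue) {
    Write-Host "[OK]   $kb is installed"
} else {
    Write-Warning "$kb not found; install the November 2021 (or later) cumulative update"
}

# 2. Machine account quota. An absent attribute means the default of 10.
$domainDN = (Get-ADDomain).DistinguishedName
$quota = (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
if ($null -eq $quota) { $quota = 10 }
if ($quota -eq 0) {
    Write-Host "[OK]   ms-DS-MachineAccountQuota is 0"
} else {
    Write-Warning "ms-DS-MachineAccountQuota is $quota; any authenticated user may create up to $quota computer accounts"
    if ($Fix) {
        Set-ADDomain -Identity $domainDN -Replace @{'ms-DS-MachineAccountQuota' = '0'}
        Write-Host "[FIX]  ms-DS-MachineAccountQuota set to 0"
    }
}

# 3. SeMachineAccountPrivilege holders, taken from the effective local policy.
#    secedit writes SIDs prefixed with '*'; S-1-5-11 is Authenticated Users.
$cfg = Join-Path $env:TEMP 'userrights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeMachineAccountPrivilege' | Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue
if ($line -and $line.Line -match 'S-1-5-11') {
    Write-Warning "Authenticated Users (S-1-5-11) hold SeMachineAccountPrivilege; move 'Add workstations to domain' to Domain Admins or a dedicated group in the Default Domain Controllers Policy"
} elseif ($line) {
    Write-Host "[OK]   SeMachineAccountPrivilege: $($line.Line)"
} else {
    Write-Host "[OK]   SeMachineAccountPrivilege is not granted to anyone"
}
```

Running it without -Fix is safe on a production DC; only the quota write changes state, and the output tells you which of the three controls still needs attention.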

Links: