Microsoft released another security advisory today that affects Active Directory security. Similar to the Exchange advisory, this is coming from research done by third-party security researchers. Here is the original post explaining the exploit.
In addition, a more detailed explanation of the conditions and setting necessary for this attack to occur was posted by Roberto Rodriguez, a colleague of harmj0y’s at
Microsoft was first notified of this attack back in October 2018, where the security researchers demonstrated the attack and worked with the Microsoft teams to decide how to respond. Ultimately, Microsoft has decided not to immediately patch this, but yesterday released the following advisory.
And here is a KB article from Microsoft discussing their intended fix.
Explanation of the Attack
If you have a two-way trust in place, an attacker can use the MS-RPRN printer bug in a compromised domain to compromise a machine in another forest that has “unconstrained delegation” enabled, such as a domain controller. The bug causes the domain controller to send authentication information back to the attacker who can extract that authentication from memory and then use DCSync to compromise the trusted domain.
Imagine if you are big company and you acquire a small company and at some point you join their domain to yours. If any system is compromised in the small environment, it could be used take over the big company’s entire forest. Not good.
This is how the default behavior works in AD. In 2012 and up there is a security setting to prevent this, but may not be switched on by default. In 2008 there is nothing and the KB article above mentions a security update sometime in the July timeframe.
How can STEALTHbits help in the mean time?
With our StealthAUDIT for AD product we can assess all forests/domains and identify if the trusts are securely configured. We have built a custom job that can be run to identify users and computers with unconstrained delegation that could be exploited.
To get this custom job: contact Support for the necessary files and installation assistance.
We are also working on a detection rule in StealthDEFEND for Active Directory to detect successful authentication events happening on unconstrained delegation servers coming from Domain Controllers that belong to foreign domains across separate forests, as suggested in the SpecterOps article. We will post more details on that rule when it becomes available.
If you have any questions about this advisory or our free custom job, please reach out to your Account Executive or STEALTHbits support.
Don’t miss a post! Subscribe to ‘The Insider Threat Security’ Blog here:
As the VP of Product Marketing, Darin is responsible for product messaging and positioning as well as generating industry and market awareness for Stealthbits products. He is an experienced leader who has worked in software for over 21 years.
Prior to joining Stealthbits, he was VP of Marketing for Quorum and SecureAuth, and has held positions in product management & product marketing at Oracle, and Quest Software.