Microsoft Defender For Identity To Detect Windows Bronze Bit Attacks

Microsoft is working on adding support for Bronze Bit attacks detection to Microsoft Defender for Identity to make it easier for Security Operations teams to detect attempts to abuse a Windows Kerberos security bypass bug tracked as CVE-2020-17049.

Microsoft Defender for Identity (previously Azure Advanced Threat Protection or Azure ATP) is a cloud-based security solution that leverages on-premises Active Directory signals.

It enables SecOps teams to detect and investigate advanced threats, compromised identities, and malicious insider activity targeting enrolled organizations.

Landing in two months

“An alert will be triggered when there is evidence of suspicious Kerberos delegation attempts using the BronzeBit method, where a user has attempted to use a ticket to delegate access to a particular resource,” Microsoft explains on the Microsoft 365 roadmap.

The flaw (patched by Microsoft during November 2020’s Patch Tuesday) can be exploited in what Jake Karnes, the security consultant who discovered it, has named Kerberos Bronze Bit attacks.

Microsoft addressed the Bronze Bit vulnerability in a two-phase staged rollout, with the initial deployment phase on December 8 and an automatic enforcement phase on February 9.

One month after Microsoft issued the CVE-2020-17049 patches, Karnes published a proof-of-concept (PoC) exploit code and full details on how it could be used.

The exploit can bypass Kerberos delegation protection, allowing attackers to escalate privileges, impersonate targeted users, and move laterally within compromised environments.

He has shared a low-level overview with additional info on the Kerberos protocol, including practical exploit scenarios and details on implementing and using Kerberos Bronze Bit attacks against vulnerable servers.

The release of all these additional details and the PoC exploit would probably make it a lot easier to breach Windows servers unpatched against CVE-2020-17049, and this is what likely prompted Redmond to add Bronze Bit detection support to Microsoft Defender for Identity.

PrintNightmare and Zerologon attack detection also available

In July, Microsoft also added support for PrintNightmare exploitation detection to Microsoft Defender for Identity after including Zerologon exploitation detection in November 2020.

Both are critical security vulnerabilities: PrintNightmare (CVE-2021-34527) allows attackers to take over affected servers by elevating privileges to Domain Administrator, while Zerologon (CVE-2020-1472) can be exploited to elevate privileges by spoofing a domain controller account, leading to complete control of the entire domain.

Multiple threat actors, including ransomware gangs like Vice Society, Conti, and Magniber, already use PrintNightmare exploits to compromise unpatched Windows servers.

Both state-backed and financially motivated threat actors have also been exploiting systems unpatched against the ZeroLogon vulnerability since the end of October and since September respectively, with more having joined since then, including:

Also in July, Microsoft rolled out another Defender for Identity update that enables security operations (SecOps) teams to block attack attempts by locking compromised users’ Active Directory accounts.

Defender for Identity is bundled with Microsoft 365 E5 but, if you don’t have a subscription already, you can also get a Security E5 trial to give these features a spin.
